6 Replies Latest reply: Jun 20, 2010 6:07 AM by 843810

    How are users associated to service principals?

    843810
      Hello,

      I am trying to implement Kerberos authentication on a Windows machine and have trouble understanding how users are mapped to service principals.
      I understand that the ktpass or Setspn tools are used to associate a service principal with an Active Directory account, because a service that is being secured by Kerberos needs to be mapped to an Active Directory account (e.g. account X). So, when executing a command with either one, only that account X is mapped to the service principal.

      Now, say user user1 having account Y tries to access the service corresponding to the above service principal.
      My question is how does Kerberos know that account Y is allowed to access the secured application? How can I associate account Y with the above principal?

      Thank you,
      Savvas.
        • 1. Re: How are users associated to service principals?
          843810
          You misunderstood the concept of Kerberos. Kerberos solely employs authentication. If a service is mapped, any user in your AD is allowed to authenticate against that service. You want to reject access to some services thus meaning you are looking for authorization. This is not Kerberos's task.
          • 2. Re: How are users associated to service principals?
            843810
            Hi Michael,

            Thanks for your reply.

            To my understanding, authentication is the process by which a decision is made whether to grant a specific entity (user, application or anything else) access to a specific resource. Let's say, for instance, user_1 is allowed to access the application at "forums.sun.com" but is not allowed access to the one at "oracle.sun.com". Afterwards, a secondary decision needs to be made regarding the specific pages the authenticated user can view. This is what I understand as authorization, and this I believe is an application-specific process.

            Because I've logged on to Windows surely doesn't mean I'm authorized to access any application in the domain I've logged on to, right? So, there must be a way of specifying which account has the right to access what application.
            I am by no means an AD/Kerberos expert, but if there isn't, something just doesn't look right... :)

            Regards,
            Savvas.
            • 3. Re: How are users associated to service principals?
              843810
              Your understanding is absolutely correct, but there is a point missing in your elaboration. Say you have your domain ORACLE.COM (always uppercase in krb) and you have an SPN set to http/forums.oracle.com@ORACLE.COM, and user savvas@ORACLE.COM wants to authenticate against this service. What does Kerb do for you now? It mutually guarantees that both server and client are authentic, thus meaning both are trustworthy. As soon as you map some service to an SPN, any user in your domain or subdomain is able to authenticate against this service, merely by passing valid credentials (authenticity).
              In terms of authentication all services are equal, as all users are. Kerberos does not differ to whom it grants access.

              If you would like to restrict access to services in one domain, you have to employ authorization. You have to create 2 groups in your AD for those 2 services and put your users in a memberOf state of those groups.
              You have to have a two-step login:
              1. Authenticate through Kerberos; the service would know who you are.
              2. Authorize against a memberOf of your user in the AD; the service would know what you are able to access.

              The AD is a combined service of KDC, directory server and so on.

              Hopefully this made the point clear.
              • 4. Re: How are users associated to service principals?
                843810
                Right... I think I see what you mean. So, it is true then that any user who has logged on to his/her Windows account can access any application on the domain they've logged on to, because they are authenticated against that domain?

                One thing that still confuses me, though, is why that second phase in Kerberos authentication needs to be applied. What I mean is that, from what I was able to read, at a very generic level Kerberos employs a two-phase process: in the first phase the client authenticates itself through the "Authentication Service" of the "Key Distribution Centre" and receives back a Ticket Granting Ticket (TGT). But then, in the second phase, the same client requests a "Service Ticket" from the "Ticket Granting Service" of the "Key Distribution Centre" by presenting the TGT acquired earlier. If any authenticated user is allowed to access any resource, why is that second phase (specific to the service for which access is requested) necessary? Wouldn't just the first authentication phase suffice?

                I appreciate your solution and it's something we also considered initially but we were hoping Kerberos would provide this process for us :)

                Thanks very much,
                Savvas.
                • 5. Re: How are users associated to service principals?
                  843810
                  savvas.andreas wrote:
                  Right... I think I see what you mean. So, it is true then that any user who has logged on to his/her Windows account can access any application on the domain they've logged on to, because they are authenticated against that domain?
                  Yes, that is correct if no further action is taken.
                  One thing that still confuses me, though, is why that second phase in Kerberos authentication needs to be applied. What I mean is that, from what I was able to read, at a very generic level Kerberos employs a two-phase process: in the first phase the client authenticates itself through the "Authentication Service" of the "Key Distribution Centre" and receives back a Ticket Granting Ticket (TGT). But then, in the second phase, the same client requests a "Service Ticket" from the "Ticket Granting Service" of the "Key Distribution Centre" by presenting the TGT acquired earlier. If any authenticated user is allowed to access any resource, why is that second phase (specific to the service for which access is requested) necessary? Wouldn't just the first authentication phase suffice?

                  I appreciate your solution and it's something we also considered initially but we were hoping Kerberos would provide this process for us :)
                  No, it wouldn't. After the first phase the client is only known to the KDC. No service is aware of any client. With the creation of a specific service ticket the service knows that the user is seriously trustworthy. Kerberos is based on a shared secret, which means only the KDC knows that the client and user are real. The KDC acts as a trusted 3rd party. That's why all important authn goes through it. Read this article for further clarification: [http://simple.wikipedia.org/wiki/Kerberos_%28protocol%29]
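The following is an added toy model (not code from this thread or from any Kerberos implementation) of the two points made in replies 3 and 5: the service ticket from the second phase is the only thing the service can check with its own shared key, so a TGT by itself proves nothing to it, and group membership in the directory is a separate authorization step layered on top. Realm, principals, keys, passwords and memberOf data are all constructed for the example, and an HMAC tag stands in for real Kerberos encryption.

```python
import hmac, hashlib, json
# Constructed toy model of this thread's two-phase exchange and two-step login; an HMAC tag stands in for encryption under a long-term key that is shared with the KDC only.
REALM = "ORACLE.COM"
TGT_PRINC = f"krbtgt/{REALM}@{REALM}"
FORUMS = f"http/forums.oracle.com@{REALM}"
KEYS = {TGT_PRINC: b"kdc-key", FORUMS: b"forums-key"}
USER_PW = {f"savvas@{REALM}": "constructed-pw", f"guest@{REALM}": "guest-pw"}
# Authorization data lives in the directory, not in Kerberos: memberOf per user, one group per service.
MEMBER_OF = {f"savvas@{REALM}": {"forums-users"}}
SERVICE_GROUP = {FORUMS: "forums-users"}

def seal(key, claims):
    body = json.dumps(claims, sort_keys=True).encode()
    return body, hmac.new(key, body, hashlib.sha256).digest()

def unseal(key, ticket):
    if ticket is None:
        return None
    body, tag = ticket
    if not hmac.compare_digest(tag, hmac.new(key, body, hashlib.sha256).digest()):
        return None  # not issued under this key: the holder can neither read nor trust it
    return json.loads(body)

def as_exchange(user, password):
    """Phase 1 (AS): prove the user's secret to the KDC and receive a TGT sealed with the KDC's key."""
    if USER_PW.get(user) != password:
        return None
    return seal(KEYS[TGT_PRINC], {"cname": user, "sname": TGT_PRINC})

def tgs_exchange(tgt, service):
    """Phase 2 (TGS): the KDC verifies the TGT and issues a ticket sealed with the target service's key."""
    claims = unseal(KEYS[TGT_PRINC], tgt)
    if claims is None or claims["sname"] != TGT_PRINC:
        return None
    return seal(KEYS[service], {"cname": claims["cname"], "sname": service})

def service_authenticate(service, ticket):
    """Login step 1: the service learns who the client is, using only its own key."""
    claims = unseal(KEYS[service], ticket)
    return claims["cname"] if claims and claims["sname"] == service else None

def service_authorize(service, user):
    """Login step 2: the directory's memberOf decides what the authenticated user may access."""
    return SERVICE_GROUP[service] in MEMBER_OF.get(user, set())

def login(user, password, service):
    who = service_authenticate(service, tgs_exchange(as_exchange(user, password), service))
    if who is None:
        return "rejected: not authenticated"
    return "granted" if service_authorize(service, who) else "rejected: authenticated but not authorized"
```

Presenting the TGT directly to the service fails in `service_authenticate`, which is the answer to "wouldn't the first phase suffice?"; the guest user is authenticated fine but stopped by the memberOf check.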
                  • 6. Re: How are users associated to service principals?
                    843810
                    Ok Michael,

                    I now have a deeper insight into Kerberos authentication!

                    thanks very much for your time,
                    Savvas.