IIS+and+Kerberos Word file download.docx
- Document number: 19437945
- Upload date: 2023-01-06
- Format: DOCX
- Pages: 21
- Size: 430.76KB
3. If you want to use <identity impersonate="true" /> in web.config for your ASP.NET pages, you need to disable validateIntegratedModeConfiguration if you are using the Integrated Mode Pipeline. Otherwise you'll get a 500.24 error.
You can either set validateIntegratedModeConfiguration to False or you can run in Classic Mode Pipeline.
New in IIS 7 - Kernel Mode Authentication
Windows Server 2003 SP1 introduces kernel mode SSL. Windows Server 2008 takes this one step further and introduces kernel mode authentication. This can be utilised by IIS 7.0 applications to improve performance. It also has implications for Kerberos authentication and management of SPNs.
Consider the following scenario:
Ensuring Kerberos AuthN for App1 wouldn't be possible in IIS 6/5 (earlier versions were pre-Windows 2000 so didn't support Kerberos). This was because SPNs are based on a FQDN and the SPN for http/ could only be registered under a single account (and not under the two different accounts that AppPool1 and AppPool2 are using).
In Windows Server 2008 there is support for a new kernel mode authentication. I am supposing that this is implemented in ksecdd.sys, but it may be implemented elsewhere. When using kernel mode authentication, the service ticket is decrypted by the server (aka machine account), not by the user account that the web app pool is running under.
Because of this, it's possible to:
∙ Register every SPN for each application hosted on the web server under the machine account in Active Directory, regardless of the identity of the web app pool that the application is being hosted in
∙ Run multiple web applications hosted at the same FQDN under web app pools that are, in turn, running under multiple Windows identities.
Edit:
Anil from the IIS Product Group pointed out an error in my advice below (it's not necessary to actually disable Kernel Mode Authentication).
I have updated the section below:
There is a caveat, because the service ticket decryption takes place using the server's AD machine account. If you are using a web farm, then the KDC doesn't know in advance which individual server will be servicing the request. In that case, it's impossible to deterministically register the SPN under a single machine account. Instead, you will need to:
∙ Configure IIS to use the web application pool's identity for Kerberos service ticket decryption (it is not necessary to disable kernel mode authentication)
∙ Run the web app pool under a common domain user account
∙ Be restricted to running all web applications accessible at that FQDN under web app pools that are using the same domain user account above
If you are in this situation, then you can enable the use of the web app pool's identity for Kerberos service ticket decryption (without disabling kernel mode authentication) by setting the property useAppPoolCredentials to true for the web application or web site in question. An example would be:
<system.webServer>
  <security>
    <authentication>
      <windowsAuthentication enabled="true" useAppPoolCredentials="true" />
    </authentication>
  </security>
</system.webServer>
IIS and Kerberos. Part 1 - What is Kerberos and how does it work?
I've created a list of all the parts in this series here, which will be updated as I add more parts.
Configuring Kerberos and Delegation is one of the more common problems I see in the communities and even within Avanade. Since Kerberos isn't a simple topic, I'm going to write a quick series explaining how Kerberos works, common scenarios and problems and some troubleshooting tips.
Kerberos is an open authentication protocol developed at MIT, and implemented in Windows 2000/2003 Active Directory domains (amongst other places). Authentication is the process of proving your identity to a remote system. Your identity is who you are, and authentication is the process of proving that. In many systems your identity is your username, and you use a secret shared between you and the remote system (a password) to prove that identity.
The problem with simplistic shared secret systems is two-fold:
a) there is a scalability problem. If every user needs to maintain a shared secret with every individual server (or every service on every server!) then that results in poor passwords. Users cannot be expected to remember dozens, hundreds or thousands of unique passwords and so end up repeating them regardless of whether the server is a low security or high security resource
b) there is an issue in securely transmitting the shared secret from the user to the server. Various technologies (like TLS/SSL) exist for securing the transport of data between machines, however it is incumbent upon each service to utilise services lower down in the network stack.
Kerberos is designed to overcome these limitations. In this part we look at how a simple Kerberos implementation works. In this scenario we have a user using a client machine that wishes to connect to a remote service (the user here is a person or application, the client is the OS or machine). Remember that we want a system that allows us to store shared secrets centrally, and to securely transmit user credentials between client and service. Lastly we should look to prevent replay attacks (where someone who is sniffing the wire can replay captured packets to impersonate a legitimate user, even if they do not know how to create the authentication packets themselves).
To begin with we introduce the Kerberos KDC - Key Distribution Centre. In the Windows Active Directory world, the KDC lives on Domain Controllers (DCs). The client connects to the Authorisation Service (AS) that runs on the KDC and asks the AS to authenticate the user to the remote service. Technically, the client doesn't need to authenticate itself to the Domain Controller. However in the Active Directory world, something called pre-authentication is used to ensure that the user (or client application) is actually who they say they are.
The AS on the KDC generates a session key that will be used by the client and the remote service. It encrypts the session key with the user's password (this is why the user doesn't need to authenticate - if the user isn't who they say they are, they won't be able to decrypt the session key because they don't know the user's password). The KDC also prepares a second piece of data - it again encrypts the session key as well as the user's username (known as a Kerberos principal), but using the service's password this time to encrypt the data. Only the remote service will be able to decrypt this second piece of data. This second piece of data is known as the Service Ticket (or just Ticket).
The KDC now sends both pieces of data back to the client. The user, knowing their own password, is able to decrypt the first piece of data, and extract the session key. The user however does not know the service's password, so is unable to decrypt the second piece of data. The client uses the session key to encrypt the current time (amongst other things, but they aren't so important right now). This piece of data is known as the Authenticator. The client sends the Authenticator it just generated, along with the Service Ticket received from the KDC, to the remote service.
The remote service is able to decrypt the Service Ticket using its own password. It is thus able to get access to the session key, and the Principal (user) attempting to connect. It now uses the session key to decrypt the Authenticator, and extract the time. It compares the time to the current system time on the server to ensure a match. Since only the service, the KDC and the user know the session key, the service can assume that the user must be who they say they are.
If an imposter sent a Service Ticket to the service (e.g. by replaying captured packets) they wouldn't know the correct session key necessary to encrypt the timestamp correctly. Alternatively, if the imposter attempts to use captured Authenticator packets (which contain a timestamp), thus bypassing the need to know the session key, then the times will not match when the Authenticator is decrypted by the service and the service will refuse to authenticate the remote user.
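The AS exchange, Service Ticket and Authenticator described above, as an added Python example that is not part of the original post. It uses an HMAC-based toy cipher in place of real Kerberos encryption types, the passwords and principal names are constructed, and it goes one step beyond the text by also caching authenticators it has already accepted, so a replay that still falls inside the clock-skew window is rejected too.

```python
import hashlib, hmac, json, os

def _keystream(key, nonce, n):
    # n bytes of keystream from HMAC-SHA256 in counter mode (toy stand-in for a Kerberos etype)
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def seal(key, obj):
    # encrypt-then-MAC a JSON object under a symmetric key
    pt, nonce = json.dumps(obj).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    # raises ValueError when the key is wrong or the blob was altered
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("bad key or tampered data")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

USER_KEY = hashlib.sha256(b"alice-password").digest()        # constructed sample password
SVC_KEY = hashlib.sha256(b"http-service-password").digest()  # constructed sample password

def kdc_as_exchange(principal, service):
    # AS reply: session key sealed under the user's key, Service Ticket sealed under the service's key
    session = os.urandom(32).hex()
    return (seal(USER_KEY, {"session": session, "service": service}),
            seal(SVC_KEY, {"session": session, "principal": principal}))

def client_authenticator(for_user, now):
    # the client recovers the session key with the user's password and encrypts the current time
    session = bytes.fromhex(unseal(USER_KEY, for_user)["session"])
    return seal(session, {"time": now})

class Service:
    def __init__(self, skew=300):
        self.skew, self.seen = skew, set()  # allowed clock skew (seconds); replay cache
    def authenticate(self, ticket, authenticator, now):
        # returns the authenticated principal, or None when any check fails
        try:
            t = unseal(SVC_KEY, ticket)
            auth = unseal(bytes.fromhex(t["session"]), authenticator)
        except ValueError:
            return None  # forged ticket, or authenticator not sealed with the session key
        if abs(now - auth["time"]) > self.skew or authenticator in self.seen:
            return None  # stale timestamp, or a replay within the skew window
        self.seen.add(authenticator)
        return t["principal"]
```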
If this was the extent of Kerberos, then each and every time the client received an encrypted session key from the KDC, the user would need to enter their password to allow the client machine access to it. That could rapidly become a productivity sinkhole (imagine having to enter your password for each and every HTTP request you made!). To get around this, the client machine could cache the user's password, but that isn't a particularly secure system. What Kerberos does is introduce the concept of a Ticket Granting Ticket (TGT).
Ticket Granting Tickets are issued by the AS running on the KDC in the same way that a normal service ticket is issued. However the TGT is valid for the Ticket Granting Service, rather than a remote HTTP server (or any other type of server). Whenever the user wishes to connect to a remote service, it can use the TGT that it has already received to connect to the TGS. The TGS, after authenticating the user via the TGT, issues