Kerberos Notes

Kerberos is not a Microsoft technology, it was developed by MIT and documented as RFC 1510 (1510 is Kerberos Version 5). With that in mind, some quick notes on what changed between Kerberos popping up in Windows 2000 and Windows 2003.

2 Key extensions - Protocol Transition and Constrained Delegation. Windows 2003 Kerberos Extensions: .

1. Protocol Transition: Allowing a security principal to get a service ticket for the next tier without using kerberos on the initial tier. For example - enter the website with SSL, then obtain kerberos ticket for the hop to the database server.

2. Constrained Delegation: rather than letting a service delegate any account, the ability to choose which ones.

Lab setup to test Protocol Transition and Constrained Delegation:

SPN Management:

Troubleshooting Kerberos Delegation

When dealing with multi-tier applications, break the problem up into the components and then review each individually:

1.Client. IE, .NET app.
2. AD. Security Princiapls (Users + Computer objects)and KDC.
3. Middle Tier(s). IIS or could be SQL, COM+.
4. Back End. SQL.


Look at "Login Failed for NULL", "Login Failed for Anonymous" - these are indications that delegation is not working, and is presenting the back tier a NULL authentication. This is very different from "Access Denied" which leans towards ACLs on the tiers.

Client Account:

On the user account, the one actually using the client application, check that the "account is sensitive and cannot be delegated" is not set.

Again, on the user account, ensure token size is not getting in the way. (maxtokensize).

Client Machine:

Check DNS can resolve all tiers.

Check IE. "Enable Integrated Authentication", "Bypass Proxy for local".

Middle tier security logs will give clues if the client is getting that far, and which security provider they are using.

Use Klist or Kerbtray, and Netmon filtering on port 88.

Middle Tier:

SPNS - check that valid SPNs exist for the middle tier. If the ISS account details are not the default a manual SPN may need to be added.

If the IIS app is running as network service or other system account, the computer object will need the trusted for delegation. If running as a domain account, the domain account will need it. 2003 introduces the "delegation" tab with advanced options for constrained delegation.

Check for duplicate SPNs. There is a queryspn tool. Alternate is to use ldifde: "ldifde -f filename -d "dc=contoso,dc=com" -l spn -r (serviceprincipalname=MSSQLSvc\*) -p subtree.

Check the security policy that the account running the IIS app has either "act as part of the OS" or "impersonate user after authentication" rights.

Check IIS actually has integrated authentication enabled.

Back Tier

SPN is the common problem here. use setspn -a to check and add SPN if nessesary.

Use event logs to identify attempts.