4.1 Registration with Kerberos

The following flow outlines how the Kerberos authentication mechanism works during the registration process. At this point in time, the client discovers its outbound proxy and initializes an SA (or context) with it.

Kerberos registration flow

Figure 1: Kerberos registration flow

The fundamental difference between the NTLM Authentication Protocol  and Kerberos is the way in which the client answers a challenge from the server. With Kerberos, the client first acquires a Kerberos ticket from the KDC (Active Directory) for the specific server that is issuing the challenge. The server is identified by an SPN containing a fully qualified domain name (FQDN). The SPN is of the form sip/<FQDN>. The SPN for a challenge is carried in the targetname parameter in the Proxy-Authenticate: header of the challenge.

  1. Alice's client sends a REGISTER request with no credentials (no Proxy-Authorization: header) to the outbound server it selected.

     REGISTER sip:registrar.contoso.com SIP/2.0
     Via: SIP/2.0/TLS alice1.contoso.com;branch=z9hG4bK7
     From: "Alice" <sip:Alice@contoso.com>;tag=354354535;epid=6534555
     To: "Alice" sip:Alice@contoso.com
     Call-ID: 123213@Alice1.contoso.com
     CSeq: 12345 REGISTER
     Max-Forwards: 70
     User-Agent: Windows RTC/1.1.2600
     Contact: "Alice" sip:Alice@Alice1.contoso.com
     Content-Length: 0
    

    The epid parameter on the From: header uniquely identifies this particular endpoint for the user. The server uses this value in subsequent messages to determine the SA with which to sign the message.

  2. Authentication is enabled at the outbound server, and it challenges Alice's client. The server indicates support for NTLM and Kerberos in the challenge.

     SIP/2.0 407 Proxy Authentication Required
     Via: SIP/2.0/TLS Alice1.contoso.com;branch=z9hG4bK7
     From: "Alice" <sip:Alice@contoso.com>;tag=354354535;epid=6534555
     To: "Alice" <sip:Alice@contoso.com>;tag=5564566
     Call-ID: 123213@Alice1.contoso.com
     CSeq: 12345 REGISTER
     Date: Sat, 13 Nov 2010 23:29:00 GMT
     Proxy-Authenticate: Kerberos realm="Contoso RTC Service Provider", 
        targetname="sip/hs1.contoso.com", qop="auth"
     Proxy-Authenticate: NTLM realm="Contoso RTC Service Provider", 
        targetname="hs1.contoso.com", qop="auth"
     Content-Length: 0
    

    The targetname parameter carries the SPN for this proxy for Kerberos and the FQDN of the proxy for NTLM. The actual contents of this parameter are meaningful for this proxy but are opaque to other proxies and the client. It is merely a unique string for correlation of the message header to an SA. Two Proxy-Authenticate: headers are present, indicating the server's capability to do one of Kerberos or NTLM.

    The proxy inserts a Date: header in the 407 challenge to allow the client to detect clock skew between the client and server. Both NTLM 2.0 and Kerberos 5.0 require synchronization of the client and server clocks. Clock skew can cause authentication to fail even with valid credentials. The presence of the Date: header allows the client to log this condition and the administrator to correct the deviation.

  3. The client acquires a Kerberos ticket for the server indicated in the targetname parameter of the Kerberos Proxy-Authenticate: header. The client reissues the request with a Proxy-Authorization: header containing the encoded Kerberos ticket.

     REGISTER sip:registrar.contoso.com SIP/2.0
     Via: SIP/2.0/TLS Alice1.contoso.com;branch=z9hG4bK9
     From: "Alice" <sip:Alice@contoso.com>;tag=354354535;epid=6534555
     To: "Alice" sip:Alice@contoso.com
     Call-ID: 123213@Alice1.contoso.com
     CSeq: 12346 REGISTER
     Max-Forwards: 70
     User-Agent: Windows RTC/1.1.2600
     Proxy-Authorization: Kerberos realm="Contoso RTC Service Provider", 
        targetname="sip/hs1.contoso.com",qop="auth",gssapi-data="34fcdf9345345"
     Contact: "Alice" sip:alice@alice1.contoso.com
     Content-Length: 0
    

    The Cseq number has been incremented. The Call-ID and epid remain the same.

    The targetname parameter echoes the value of the targetname parameter in the previous Proxy-Authenticate: header. The gssapi-data parameter contains the Kerberos ticket information. The choice of Kerberos authentication is indicated by the scheme (Kerberos) as the first token in the header.

  4. On reception of the REGISTER request, the outbound server authenticates the user with the information in the Proxy-Authorization: header. Authentication succeeds, and an SA is created in the outbound server for Alice's client.

    The Director then redirects the REGISTER request to point the client at the appropriate home server for this user. The redirect response is signed, using the newly established SA between the client and this proxy.

     SIP/2.0 301 Moved Permanently
     Via: SIP/2.0/TLS Alice1.contoso.com;branch=z9hG4bK9
     From: "Alice" <sip:Alice@contoso.com>;tag=354354535;epid=6534555
     To: "Alice" sip:Alice@contoso.com
     Call-ID: 123213@Alice1.contoso.com
     CSeq: 12346 REGISTER
     Proxy-Authentication-Info: 
         Kerberos realm="Contoso RTC Service Provider", 
         targetname="sip/hs1.contoso.com", qop="auth", opaque="ACDC123", 
         srand="3453453", snum=1, rspauth="23423acfdee2"
     Contact: sip:hs2.contoso.com
     Content-Length: 0
    

    The Proxy-Authentication-Info: header carries the signature for this SIP message. The snum is set to 1 as this is the first message signed with the newly established SA. The srand parameter contains the (random) salt value used by the server to generate the signature. The opaque parameter contains a unique token for this newly established SA.

  5. The client receives the redirect response, verifies the signature using the now complete SA for the outbound proxy, and reissues the REGISTER request to its proper home server.

     REGISTER sip:hs2.contoso.com SIP/2.0
     Via: SIP/2.0/TLS Alice1.contoso.com;branch=z9hG4bKa
     From: "Alice" <sip:Alice@contoso.com>;tag=354354535;epid=6534555
     To: "Alice" sip:Alice@contoso.com
     Call-ID: 123213@Alice1.contoso.com
     CSeq: 12347 REGISTER
     Max-Forwards: 70
     User-Agent: Windows RTC/1.1.2600
     Contact: "Alice" sip:Alice@Alice1.contoso.com
     Content-Length: 0
    

    The client will replace its current outbound proxy with the proxy indicated in the Contact: header of the 301 response. The REGISTER request is sent to this new outbound proxy (the user's true home server). Because no SA exists yet with this new outbound proxy, no Proxy-Authorization: header is present in the request.

  6. Alice's home server receives the REGISTER request and issues a challenge, indicating support for NTLM and Kerberos.

     SIP/2.0 407 Proxy Authentication Required
     Via: SIP/2.0/TLS Alice1.contoso.com;branch=z9hG4bKa
     From: "Alice" <sip:Alice@contoso.com>;tag=354354535;epid=6534555
     To: "Alice" <sip:Alice@contoso.com>;tag=8823488
     Call-ID: 123213@Alice1.contoso.com
     CSeq: 12347 REGISTER
     Date: Sat, 13 Nov 2010 23:29:00 GMT
     Proxy-Authenticate: Kerberos realm="Contoso RTC Service Provider",
        targetname="sip/hs2.contoso.com", qop="auth"
     Proxy-Authenticate: NTLM realm="Contoso RTC Service Provider", 
        targetname="hs2.contoso.com", qop="auth"
     Content-Length: 0
    

    The targetname parameter for Kerberos contains the SPN for Alice's home server. The two Proxy-Authenticate: headers indicate support for Kerberos and NTLM, respectively. The realm is the same as for HS1 because they fall under the same protection space. This means the client will use the same credentials in responding to HS2's challenge.

  7. Alice's client receives the challenge, selects Kerberos authentication, and reissues the REGISTER request to her home server. The client will acquire a Kerberos ticket for HS2 and include this information in the gssapi-data parameter of the Proxy-Authorization: header.

     REGISTER sip:hs2.contoso.com SIP/2.0
     Via: SIP/2.0/TLS Alice1.contoso.com;branch=z9hG4bKc
     From: Alice <sip:Alice@contoso.com>;
           tag=354354535;
           epid=6534555
     To: Alice sip:Alice@contoso.com
     Call-ID: 123213@Alice1.contoso.com
     CSeq: 12348 REGISTER
     Max-Forwards: 70
     User-Agent: Windows RTC/1.1.2600
     Proxy-Authorization: Kerberos realm=Contoso RTC Service Provider,
          targetname=sip/hs2.contoso.com,
          qop=auth, gssapi-data=8234934234,
          opaque=CDEF1245
     Contact: Alice sip:alice@alice1.contoso.com
     Content-Length: 0
    

    The Cseq: number is incremented. The Call-ID and epid remain the same. The Proxy-Authorization: header indicates support for Kerberos authentication.

  8. Alice's home server receives the REGISTER request, verifies the Kerberos ticket, and processes the REGISTER request. The SA between Alice's home server and Alice's client is now complete. The server responds to the REGISTER request and signs the response using the newly completed SA. The epid parameter from the From: header is saved as part of the registration information for Alice. This value will be inserted in the To: header of subsequent requests that are forwarded to Alice via her home server (registrar).

     SIP/2.0 200 OK
     Via: SIP/2.0/TLS Alice1.contoso.com;branch=z9hG4bKc
     From: "Alice" <sip:Alice@contoso.com>;tag=354354535;epid=6534555
     To: "Alice" <sip:Alice@contoso.com>;tag=8823488
     Call-ID: 123213@Alice1.contoso.com
     CSeq: 12348 REGISTER
     Expires: 3600
     Proxy-Authentication-Info: 
        Kerberos realm="Contoso RTC Service Provider", 
        targetname="sip/hs2.contoso.com", qop="auth", 
        opaque="CDEF1245", rspauth="fefeacdd", srand=98984345, snum=1
     Contact: "Alice" sip:Alice@Alice1.contoso.com
     Content-Length: 0
    

    The epid parameter on the From: header is used by the server to determine how to sign this response (find the SA). The signature for this response is carried in the rspauth parameter of the Proxy-Authentication-Info: header. The opaque parameter indicates the newly established SA. Because this is the first signed message from HS2 to the client, the snum parameter is set to 1.