Relationship between keytab and spn [Kerberos] - spring-security

Recently I've been doing some experiments with AD and Spring Security Kerberos. I'm not sure whether this is a bug or whether I misconfigured some settings.
I have 2 domains (domain1 and domain2). Domain1 and domain2 are not in the same forest and don't have any trust between them.
Domain1 has an SPN (HTTP/test-server.domain1.org). Another HTTP application running on a different server has a keytab generated in domain1, and this is tied to the SPN mentioned earlier.
In domain2, I added the same SPN I have for domain1 (HTTP/test-server.domain1.org). I also have a Win7 client that's a member of domain2, and when I tried to do SSO to the HTTP application, it let me through. Could this be a security issue? Because it seems that the keytab I have in the HTTP application was generated in domain1 and is tied to a user in domain1 as well.

When you have a keytab file, you are using Kerberos, against AD like you stated. You generate the keytab and map it and the SPN to a user account on the domain, that is used to query AD. You have to note that when Kerberos authentication fails, browsers fall back to the next authentication mechanism by priority. In this case, it would be NTLM, which is a Microsoft authentication mechanism that they are phasing out as it is less secure, but it can easily and automatically pass Windows logon credentials to a web server. This could and likely will explain the behavior that you are seeing.
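
Added example, not part of the original answer: a check of which mechanism a client actually offered in its `Authorization` header, to tell real Kerberos SSO apart from the NTLM fallback described above. The function names and the sample tokens are constructed for illustration; only the NegTokenInit sent on the first request is handled.

```python
import base64

# DER bodies of the mechanism OIDs that can appear in a Negotiate token.
MECHS = {
    bytes.fromhex("2b0601050502"): "spnego",          # 1.3.6.1.5.5.2
    bytes.fromhex("2a864886f712010202"): "kerberos",  # 1.2.840.113554.1.2.2
    bytes.fromhex("2a864882f712010202"): "kerberos",  # legacy Microsoft Kerberos OID
    bytes.fromhex("2b06010401823702020a"): "ntlm",    # 1.3.6.1.4.1.311.2.2.10
}

def read_tlv(buf, pos, want):
    """Read the DER element at pos, require tag `want`, return (value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if tag != want or pos + length > len(buf):
        raise ValueError("unexpected or truncated element")
    return pos, pos + length

def classify(authorization):
    """Return 'kerberos', 'ntlm', 'unknown' or 'malformed' for an Authorization value."""
    scheme, _, b64 = authorization.strip().partition(" ")
    if scheme.lower() not in ("negotiate", "ntlm"):
        return "unknown"
    try:
        tok = base64.b64decode(b64.strip(), validate=True)
        if tok.startswith(b"NTLMSSP\x00"):  # raw NTLM message, no GSS-API framing
            return "ntlm"
        pos, _ = read_tlv(tok, 0, 0x60)     # GSS-API initial context token
        start, end = read_tlv(tok, pos, 0x06)
        mech = MECHS.get(tok[start:end], "unknown")
        if mech == "spnego":                # descend to the first (preferred) mechType
            pos = end
            for want in (0xA0, 0x30, 0xA0, 0x30):
                pos, _ = read_tlv(tok, pos, want)
            start, end = read_tlv(tok, pos, 0x06)
            mech = MECHS.get(tok[start:end], "unknown")
        return mech if mech != "spnego" else "unknown"
    except (ValueError, IndexError):
        return "malformed"

# Constructed sample tokens (short-form DER lengths only), not captured traffic.
def tlv(tag, body):
    return bytes([tag, len(body)]) + body
def sample(mech_hex):
    mechs = tlv(0xA0, tlv(0x30, tlv(0x06, bytes.fromhex(mech_hex))))
    tok = tlv(0x60, tlv(0x06, bytes.fromhex("2b0601050502")) + tlv(0xA0, tlv(0x30, mechs)))
    return "Negotiate " + base64.b64encode(tok).decode()
```

`classify(sample("2a864886f712010202"))` returns `kerberos`, while a header whose decoded token begins with `NTLMSSP` returns `ntlm`; feeding it the header value logged by the application shows whether the request was served by the keytab at all.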

Related

Okta secure web apps on Azure Virtual Machines

We have had 2 web applications in production for several years. They are currently only accessible from the intranet of the company. Future changes in the company's organization require making these applications accessible from the internet. It is planned to use Okta to reinforce security. I don't know anything about Okta yet. As far as possible, the changes should have as little impact as possible.
Current situation:
Web App 1:
ASP.NET MVC solution secured with userid/password ASP.NET Membership with forms authentication. Userid is an internal user code like ADE465 for example.
Web App 2:
ASP.NET MVC solution secured with userid/password authentication through IdentityServer2 (Thinktecture). Userid is firstname dot lastname like john.doe for example.
All web apps are hosted on IIS on an Azure virtual machine named (let's say) FABVM03.
For the future Okta integration: no need to have SSO (Single Sign On). Would it be possible to simply secure with Okta everything accessed on the server FABVM03? Or everything accessed from a specific URL?
For example, if someone tries to access https://example.com/webapp1/login.html, Okta should come up and ask for authentication (Okta verify) and, if successful, allow the user to access the requested URL. In fact, the 'already in place' login/password should then be asked for, as is already the case. I agree the user would have to enter credentials 2 times: first for Okta verify, then to log in to the specific web application. But that's okay. As you will have understood, no code modification in the web apps would be necessary in this scenario.
My question is whether something like that is possible with Okta. If not, what is the least impactful solution possible with Okta?
Okta is not there to enforce your policies (PEP); it's mainly an SSO and Access Management solution.
Okta has a component, called OAG (Okta Access Gateway), which can be used to reverse-proxy your on-prem applications (which will work in your situation too, as your VPC is effectively equal to "on-prem in a cloud"). It can do something like what you want (protect your application and ask for authentication/authorization), but it's an additional package on top of basic Okta costs.
What you may need is a level of protection added on Azure Network layer, not sure if there is something like that though. I've seen some modules for nginx, capable of intercepting traffic and redirecting it to Okta, if not accompanied with a token. So try to dig into these 2 directions...
You need some proxy-based solution to talk to Okta and enforce the protection for your applications. There are open source tools:
https://github.com/vouch/vouch-proxy
https://github.com/oauth2-proxy/oauth2-proxy
https://github.com/buzzfeed/sso
Or you can check out some commercial tools:
https://www.okta.com/products/access-gateway/
https://www.datawiza.com/platform/

How to do Kerberos client authentication .Net api 7.1

I am using Solace as middleware for client and server communication.
I want to move from none to Kerberos authentication.
Servers are Unix and already configured for Kerberos authentication.
The client is a .NET desktop GUI application, and there are multiple users.
I have some questions regarding client Kerberos authentication.
Do we need a keytab file to connect to the server, and should the keytab file be common for all users, or should a keytab file be created with each user's credentials?
What if the password changes?
Do we need to ask users to install java to get kinit or krb5?
What settings/configuration are required on the client side?
Thanks in advance..!
You do need to add a keytab to Solace's /keytabs directory. To configure the keys from the keytab to Solace's registered key table after the file has been added, enter the following Kerberos Keytab Authentication CONFIG CLI command:
solace(config-kerberos keytab)# add-keytab <keytab-filename> <index>
The number of keytab files is completely dependent on your setup. Typically, there will be one keytab file per IP address that is common for all users, but if your setup requires greater control, you can add up to a total of 48 keytabs.
When you change your Kerberos password, you will need to recreate and re-add all your keytabs.
The client-side API requirements for a client to use Kerberos authentication do include using the appropriate Java distribution or installed Kerberos libraries for the messaging API that is used. For .NET applications, the SSPI that is distributed with Windows is used, so Java is not required.
A client application must also set the authentication scheme to Kerberos for the respective session. In .NET, this is done with the SessionProperties.AuthenticationSchemeKRB session property. You can also set the Service Principal Name with the Session.Properties.KRBServiceName session property.

Problems while implementing SSO with Spring Security CAS extension

I'm trying to use Spring Security CAS extension to authenticate users on my applications. Earlier there was only one application, so SSO was not needed. Now there is one more application and I want the user to log in once and use all the applications without having to go through authentication again (SSO, basically). I've a bunch of questions like these -
All the applications I have are part of a single tomcat container and will be served via same domain. I checked Tomcat SSO Valve, but it seems to need container based authentication, I'm not really sure if I would want to use that for authentication / authorization. I'm using spring security form-based login. Do I really need something like Jasig CAS or will it be an overkill?
Spring Security and CAS deployerContext Configuration - http://pastie.org/8408976 and http://pastie.org/8408967
I set up Spring Security CAS with Jasig server and SSO seems to work as logging in to any of the applications suffices to access the other application. I've modified the deployerConfigContext.xml to replace the inMemoryServiceRegistryDaoImpl with JPA / Hibernate one. But I always see the below line in my logs. Though the tables have been created (SERVICETICKET and so on) in my db. These tables are always empty when I try logging in and out.
2013-10-17 16:41:18,882 INFO [org.jasig.cas.services.DefaultServicesManagerImpl] - <Loaded 0 services.>
When I try to access URL https://localhost/cas/services, it returns an error "This website has a redirect loop", and I see the below piece repeating n number of times in the logs (with different ticket numbers) -
http://pastie.org/8408940
I don't have any REST or stateless services accessing authenticated resources, do I need proxy tickets at all?
Note: I'm using Spring Security 3.1.4.RELEASE and CAS server 3.5.2 version.
Any pointers will be helpful.
> I set up Spring Security CAS with Jasig server and SSO seems to work as logging in to any of the applications suffices to access the other application. I've modified the deployerConfigContext.xml to replace the inMemoryServiceRegistryDaoImpl with JPA / Hibernate one. But I always see the below line in my logs. Though the tables have been created (SERVICETICKET and so on) in my db. These tables are always empty when I try logging in and out.
>
> When I try to access URL `https://localhost/cas/services`, it returns an error "This website has a redirect loop", and I see the below piece repeating n number of times in the logs (with different ticket numbers)

I figured out the solution to this. This was happening because filterProcessesUrl in the CAS server configuration had the string "acegi" (the old name for Spring Security), which didn't match "spring", hence the problem. Modifying that helped. Not sure why the old name was hardcoded there. Also, it didn't pick up this string from cas.properties, so figuring it out was a little more difficult.
I hope to get answers for other questions.

Are Kerberos and e-commerce inconsistent?

I recently read about Kerberos and its great algorithm to securely authenticate users.
But the "drawback" of Kerberos is that it requires credentials (called "principals") to be added manually directly from the authentication server (implemented with Kerberos so).
So, unless I ignore it, it's impossible to use a classic form on an e-commerce site to add a NEW user to Kerberos. Indeed, obviously, it would waste the Kerberos principle because credentials would be sent over the network, even if they are encrypted with SSL...
Could you confirm or not that Kerberos cannot be used for a classical website requiring each user to create their account themselves, adding their own login/pass? That means without the need of the Kerberos server's administrator.
You can, in terms of technical capabilities, use Kerberos as the backing store for authentication information and still support username and password over SSL. It's not the ideal Kerberos model, since it means that a system other than the local system the user is sitting in front of gets a copy of the password. But that just means that you're not using the full security capabilities of Kerberos; it doesn't mean that Kerberos won't work. It may still be convenient to use Kerberos for other reasons.
One of the dirty little secrets of Kerberos is that nearly every site that has deployed it on a large-scale basis accepts username and password over SSL for at least some applications and validates the username and password on the server. There just isn't any other good way to do it in a lot of cases. This is particularly true of web applications. While many web browsers do support SPNEGO via Negotiate-Auth to do a real Kerberos authentication, this doesn't work in a wide variety of situations (no Kerberos locally on the system, kiosk system, phone device with no local Kerberos libraries, etc.).
(I'm the Kerberos administrator for Stanford University and also the maintainer of our web authentication system, which is based on Kerberos but still, for most users, takes username and password over SSL and verifies them on a central web login server.)

DB access denied with ASP.Net MVC application after switching to windows authentication mode

I have an MVC application that I am now trying to add authentication and authorization to.
I want to allow users to get to the site and be automatically authenticated. So I set authentication mode="Windows" in the web.config, and enabled NTLM in the project options. The site now shows my domain name in the top right when I run it, but when I hit an action that needs DB access, it tells me access is denied for my user-name?
What step am I missing?
This is not necessarily an IIS or Windows Authentication issue. I would assume that your connection string looks something like this
Data Source=myServerAddress;Initial Catalog=myDataBase;Integrated Security=SSPI;
Now that you are using Windows authentication, the Domain\username is being passed to SQL to authenticate to the database. If you do not have the entire domain (or at least the subset logging into your application) as valid users in SQL, then you will get an unauthorized exception. You will need to a) pass a username/password to SQL in the connection string as below, or b) add the users of your application to the security users of the database, or c) use the impersonate attribute in the web.config file to impersonate a user that has access to both the application files on the web server and the database.
SQL connection string with username/password
Data Source=myServerAddress;Initial Catalog=myDataBase;User Id=myUsername;Password=myPassword;
This is the subtle difference between authentication and authorization.
Authentication is the act of identifying who the user is (And you've done this bit)
Authorisation is the act of determining who is allowed to do what (You need to apply the appropriate access permissions to the database, for each of your users/roles)
The subject of database access permissions is a little too complicated for sensible coverage on this forum, so I suggest that you do a bit of research via Google, etc.
