Post on 21-Dec-2015
Windows NT® Single Sign On: BackOffice® Applications (Part I)
Peter Brundrett, Program Manager, Windows NT Security, Microsoft Corporation
Agenda
- Windows NT single sign on
- Kerberos v5 authentication and SSPI
- Three-tier security delegation
- Windows NT authorization
Single Sign On Issues
- User issue: too many passwords to remember
- Administrator issue: too many places to define user accounts; hard to determine user access
- Security issue: clear text passwords; hard to disable an account
- IT Manager issue: heterogeneous computer systems
Single Sign On Goals
- User: log on once to the enterprise; use few passwords, ideally one!
- Administrator: create user account once; assign access based on roles; manage accounts across systems
- Security administrator: define and verify security policies
Windows NT Single Sign On (diagram)
- Integrated Kerberos v5 logon
- Key Distribution Center (KDC)
- Single account store in Active Directory
- Protected store for public key credentials: PK, Kerberos, Profile, Certs, Keys
- Industry standard network security protocols: Kerberos, SSL/TLS, others
- Internet Explorer: user profile for other keys and certificates
- Domain credentials: obtain Kerberos TGT and NTLM credentials
- Smart Card Logon: private key and certificate on card; public key domain authentication
Windows NT Single Sign On
Standards-based Distributed System Infrastructure
- Well documented APIs for developers
- Platform services used in applications
- Integrated logon to strategic platforms
- Integrated Windows NT authorization
Integrated Single Sign On Today (diagram)
Services sharing the single logon: File and Print Services, Exchange, SQL Server, Internet Information Server, Proxy, Remote Access, SNA Server, and "Your app HERE"; clients reach them from the Internet or a public network.
BackOffice Logo Program
- Security requirements for client/server applications
- Core baseline requirements: Windows NT authentication (NTLM for Windows NT 4.0, Kerberos v5 for Windows NT 5.0)
- Benefits: easier administration, stronger security; intranet ready!
Secure Applications
- Connection authentication: establish credentials; mutual authentication of client and server
- Secure communication: message privacy and integrity
- Impersonation and delegation: assuming the client's identity
- Authorization and auditing: using security descriptors
Security Support Provider Interface (diagram)
- Client and Server each reach their Kerberos Security Package through SSPI
- Application protocol carries all data
- Kerberos SSP manages the security context
Connection Authentication
- Client side: acquire credentials (default or alternate); initialize security context; initiate connection
- Server side: acquire credentials (default or alternate); accept client's security context
Example: SSPI
- Security package name: "Kerberos" or "Negotiate"; the Negotiate package will choose Kerberos
- Authentication: InitializeSecurityContext, AcceptSecurityContext
Impersonation

Impersonation
- Security contexts: Access Token associated with processes and threads (Primary Token, Client Token)
- Impersonation: accessing system resources on the client's behalf; access check and auditing on private resources
Impersonation API
- Using SSPI: ImpersonateSecurityContext, RevertSecurityContext
- Using RPC: RpcImpersonateClient, RpcRevertToSelf, RpcRevertToSelfEx

    SECURITY_STATUS
    ImpersonateSecurityContext(
        PCtxtHandle phContext
    );

    SECURITY_STATUS
    RevertSecurityContext(
        PCtxtHandle phContext
    );

    RPC_STATUS
    RpcImpersonateClient(
        RPC_BINDING_HANDLE pBinding
    );

    RPC_STATUS
    RpcRevertToSelf();
Impersonation API
- Using DCOM: IServerSecurity, CoImpersonateClient, CoRevertToSelf
- For HTTP, Internet Information Server impersonates the client; ISAPI runs in the client's context

    HRESULT
    CoImpersonateClient();

    HRESULT
    CoRevertToSelf();

    HRESULT
    IServerSecurity::ImpersonateClient();

    HRESULT
    IServerSecurity::RevertToSelf();
Where Does SSPI Fit In (layer diagram)
- Application
- DCOM security
- Authenticated RPC
- SSPI: Kerberos, SChannel
- Also shown: Crypto API, WinInet, Public Key Application
Kerberos Authentication
- Kerberos service uses Active Directory
- Implemented by an SSPI security provider
- Mutual authentication
- Supports 3-tier delegation
- Windows NT access control
- Standards-based interoperability
Cross-platform Strategy (diagram)
- Common Kerberos domain: Windows NT Workstation, Unix Server, Windows NT KDC
- Windows NT side: application protocol over SSPI with the Kerberos SSP
- Unix side: application protocol over GSS-API with the GSS Kerberos mechanism
- Both sides exchange the same TICKET using GSS-Kerb5 token formats (RFC 1964)
Three-Tier Security Delegation
- End-to-end user authentication: application requires data from several sources; flexibility to separate Web server from back-end data servers
- Single user account: simplify user management; access control through groups
Example: Delegation in Action (diagram: client, IIS with ISAPI on Server-A, SQL Server on Server-B)
1. 401 Access Denied, WWW-Authenticate: Negotiate
2. Ticket request to KDC
3. WWW-Authenticate: Negotiate <blob>
4. IIS impersonates client, invokes ISAPI extension
5. ASP uses ADO to query SQL; integrated security requests ticket
6. SQL Server impersonates original client, then data access
Configuration Setup
- Windows NT 5.0 with Kerberos protocol, Internet Information Server, SQL Server™
- Client is Windows NT 5.0 or Windows® 95/98 with Distributed Systems client update
- Internet Information Server Virtual Directory uses "Windows NT Authentication"
- SQL Server is using Integrated Security
Trusted For Delegation
- Delegation means the server can do anything on behalf of the client; it is trusted not to run unauthorized services
- Enabled on a per-server basis: enable on the computer object in Active Directory
- Do not assume delegation is always enabled!
Windows NT Authorization
- What is the client allowed to do? Single sign on is not sufficient
- Centralize authorization through roles: Windows NT group membership
- Integrate authentication with the server security model
Windows NT object security model

Object Access Control (diagram)
Secure Server handling a client access request:
- Impersonate client
- Get object's security descriptor
- Get client's access token
- Perform access check
- Return response
Protected resources shown: Private Store, Encrypted Files
AccessCheck

    …
    // COM server impersonates client (takes no arguments)
    CoImpersonateClient();
    // Obtain private object security descriptor
    MyStatus = GetObjectSD(Object, …, &SD); // your own routine
    // Obtain client's token: while impersonating, the thread token is the client's
    Status = OpenThreadToken(…, &Token);
    // Perform access check
    Status = AccessCheck(SD, Token, DesiredAccess, GenericMapping,
                         &PrivsUsed, &PrivLength, &GrantedAccess,
                         &Allowed);
    // Act as per the result
    if (Allowed) {
        …
    }
    // Drop the client's identity once work on its behalf is done
    CoRevertToSelf();
AccessCheckAndAuditAlarm

    …
    // Impersonate client
    CoImpersonateClient();
    // Obtain private object security descriptor
    MyStatus = GetObjectSD(Object, …, &SD); // your own routine
    // Perform access check & audit. No token parameter: the call uses the
    // calling thread's impersonation token, so impersonation must be in effect.
    Status = AccessCheckAndAuditAlarm(L"YourServerName", Object,
                                      L"ObjectTypeName", L"ObjectName", SD,
                                      DesiredAccess, GenericMapping, FALSE,
                                      &GrantedAccess, &Allowed, &OnClose);
    // Act as per the result
    if (Allowed) {
        …
    }
    // Revert before returning to the server's own identity
    CoRevertToSelf();
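The impersonation slides and the two AccessCheck routines above describe one server-side sequence: take the client's identity, fetch the object's security descriptor, evaluate the client's token against the DACL, revert. The following is an added example, not code from the deck and not the Win32 API: a portable C model of that sequence and of the DACL walk that AccessCheck performs. All types, the integer SIDs, the toy rights and the sample descriptors are constructed for illustration; owner rights, privileges and MAXIMUM_ALLOWED are left out.

```c
/* Added example: portable model of the NT access-check path
 * (impersonate -> get SD -> get client token -> AccessCheck -> revert).
 * Not the Win32 API; all names and data below are constructed. */
#include <stdint.h>
#include <stdio.h>

typedef uint32_t ACCESS_MASK;
#define RIGHT_READ   0x1u   /* toy rights standing in for a GENERIC_MAPPING */
#define RIGHT_WRITE  0x2u
#define RIGHT_DELETE 0x4u

/* Constructed SIDs: small integers instead of S-1-5-... structures. */
enum { SID_ALICE = 1, SID_BOB, SID_EVERYONE, SID_ADMINS, SID_SERVICE };

typedef enum { ACE_ACCESS_ALLOWED, ACE_ACCESS_DENIED } AceType;
typedef struct { AceType type; int sid; ACCESS_MASK mask; } Ace;

/* Security descriptor reduced to its DACL. null_dacl models a NULL DACL
 * (no protection at all); count == 0 models an empty DACL (no access). */
typedef struct { int null_dacl; int count; const Ace *aces; } SecurityDescriptor;

typedef struct { int nsids; int sids[8]; } Token;

/* A thread carries the process's primary token and, while impersonating,
 * a client token that takes precedence (what OpenThreadToken returns). */
typedef struct { Token primary; const Token *impersonation; } Thread;

static int token_has_sid(const Token *t, int sid) {
    for (int i = 0; i < t->nsids; i++) if (t->sids[i] == sid) return 1;
    return 0;
}

/* DACL walk: ACEs are evaluated in order. A matching deny ACE that still
 * covers a requested right fails the check; a matching allow ACE removes
 * its rights from the remaining request; the walk stops when nothing
 * remains. Rights never granted by any ACE mean denial. */
static int access_check(const SecurityDescriptor *sd, const Token *tok,
                        ACCESS_MASK desired, ACCESS_MASK *granted) {
    *granted = 0;
    if (sd->null_dacl) { *granted = desired; return 1; }
    ACCESS_MASK remaining = desired;
    for (int i = 0; i < sd->count && remaining != 0; i++) {
        const Ace *ace = &sd->aces[i];
        if (!token_has_sid(tok, ace->sid)) continue;
        if (ace->type == ACE_ACCESS_DENIED) {
            if (ace->mask & remaining) return 0;
        } else {
            remaining &= ~ace->mask;
        }
    }
    if (remaining != 0) return 0;
    *granted = desired;
    return 1;
}

static ACCESS_MASK granted_rights(const SecurityDescriptor *sd,
                                  const Token *tok, ACCESS_MASK desired) {
    ACCESS_MASK granted;
    access_check(sd, tok, desired, &granted);
    return granted;
}

/* Server request path. impersonate == 1 is the slide's sequence;
 * impersonate == 0 is the classic mistake of checking against the
 * server's own, usually far more powerful, primary token. */
static int serve_request(Thread *server, const Token *client,
                         const SecurityDescriptor *sd, ACCESS_MASK desired,
                         int impersonate) {
    ACCESS_MASK granted;
    if (impersonate) server->impersonation = client;          /* CoImpersonateClient */
    const Token *tok = server->impersonation ? server->impersonation
                                             : &server->primary;
    int allowed = access_check(sd, tok, desired, &granted);
    server->impersonation = NULL;                             /* CoRevertToSelf */
    return allowed;
}

/* Constructed sample data: deny ACEs first, as in canonical DACL order. */
static const Ace payroll_aces[] = {
    { ACE_ACCESS_DENIED,  SID_BOB,      RIGHT_WRITE },
    { ACE_ACCESS_ALLOWED, SID_EVERYONE, RIGHT_READ },
    { ACE_ACCESS_ALLOWED, SID_ADMINS,   RIGHT_READ | RIGHT_WRITE | RIGHT_DELETE },
};
static const SecurityDescriptor payroll_sd     = { 0, 3, payroll_aces };
static const SecurityDescriptor unprotected_sd = { 1, 0, NULL };
static const SecurityDescriptor locked_sd      = { 0, 0, NULL };

static const Token alice_token = { 2, { SID_ALICE, SID_EVERYONE } };
static const Token bob_token   = { 3, { SID_BOB, SID_EVERYONE, SID_ADMINS } };
/* The service runs as an administrator: its own token would grant everything. */
static Thread server_thread = { { 3, { SID_SERVICE, SID_EVERYONE, SID_ADMINS } }, NULL };

int main(void) {
    printf("bob write, impersonating:        %d\n",
           serve_request(&server_thread, &bob_token, &payroll_sd, RIGHT_WRITE, 1));
    printf("bob write, server's own token:   %d\n",
           serve_request(&server_thread, &bob_token, &payroll_sd, RIGHT_WRITE, 0));
    printf("alice read, impersonating:       %d\n",
           serve_request(&server_thread, &alice_token, &payroll_sd, RIGHT_READ, 1));
    return 0;
}
```

Two points the model makes concrete: Bob is an administrator yet his write is refused, because the deny ACE is met before the allow ACE that would have covered it; and the same request passes when the server forgets to impersonate, since the check then runs against the service's own token. The revert after the check matters as much as the impersonation before it.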
User Account Management
- One unified enterprise account image: all account properties, extensible schema; LDAP access, remote management
- Synchronize with other account stores: directory synchronization (LDAP, LDIF); password change notification
- Authorization based on group membership for central access control: roles defined by group membership
Single Sign On Summary
- Comprehensive solution today: Windows NT and BackOffice services; platform security services for applications
- Cross-platform with industry standards: Kerberos v5 and GSS token formats; X.509 v3 certificates with SSL/TLS
- Familiar Windows NT security model extended to n-tier applications
Call To Action
- Stop prompting for passwords! Use Windows NT distributed security; use SSPI or DCOM/RPC security; use Windows NT access control
- Leverage industry standard protocols for cross-platform security
- Depend on Active Directory for a single user account store
- Check out the Security Showcase!
More Information
- SSPI: SSPI Whitepaper on MSDN; Platform SDK doc and samples: \mssdk\samples\win32\winnt\security\sockauth
- Kerberos v5: Distributed Security Services whitepaper, http://www.microsoft.com/ntserver
- BackOffice logo program: http://www.microsoft.com/backoffice/designed
- MSPress®: "Running Microsoft Internet Information Server"