Windows NT® Single Sign On Cross Platform Applications (Part II)
John Brezak, Program Manager, Windows NT Security, Microsoft Corporation

Topics
  Multiple account logon strategies
  Single account logon with Kerberos v5 interoperability
  Secure three-tier cross platform applications

Single Sign-On Problem
  Multiple authentication authorities
  Users have multiple logons and passwords
  Admin functions for management and synchronization
  Better to have a single account domain!

Logon Strategies
  Accommodating multiple logons
    Custom GINA
    Network Provider
    Credential Manager / Authentication Package
  Single account domain
    Public Key Infrastructure
    Kerberos v5

Extendable Winlogon Architecture
  (Diagram: Winlogon calls the GINA, which drives one or more Network Providers (NP))
  Winlogon
  Graphical Identification and Authentication (GINA) DLL
  Customize for integrated multi-logon capability
  Network providers

Anatomy Of A Network Provider
  Credential Manager sub-set (APIs)
    LogonNotify
    PasswordChangeNotify
  Authentication package
    LogonTerminated

Example: Network Provider
  Code walk-through of a simple Credential Manager

Issues With Multiple Accounts
  Passwords need to stay in sync
  Need to manage each account separately
  Still need to be careful about passwords in the clear
  Better to have a single account domain
Single Account Domain
  (Diagram: a Windows NT5 Workstation runs the application protocol over SSPI and the Kerberos SSP; a Unix Server runs the same application protocol over GSS-API and the GSS Kerberos mechanism; both sides obtain a TICKET from the Windows NT5 KDC)
  Common cross-platform Kerberos v5 domain

Kerberos v5 Interop Goals
  Cross-platform protocol interoperability
    Authentication
    Message integrity (sign/verify)
    Confidentiality (seal/unseal)
  Single user account store
    Scalability and ease of administration
  Use existing authorization mechanisms
    Name-based authorization
    Integrated Windows NT® authorization

Cross-Platform Interop
  Based on Kerberos v5 protocol
    RFC 1510 and RFC 1964 token format
  Windows NT hosts the KDC
    UNIX clients to Unix Servers
    UNIX clients to NT Servers
    NT clients to UNIX Servers
  Simple cross-realm authentication
    UNIX realm to NT domain
  Not DCE compatible

SSPI And GSSAPI
  Security Support Provider Interface
    Microsoft® Win32® API
  Generic Security Service - API
    IETF RFC-1509
    Kerberos mechanism type RFC-1964
  SSPI is semantically similar to GSS-API
  Another alternative: native Krb5 AP requests
SSPI Client To GSS Server
  (Diagram: the context-establishment loop on each side)
  SSPI client
    Get outbound credentials: AcquireCredentialsHandle
    Get authn token: InitializeSecurityContext
    Construct message, Send
    Wait for reply; Receive, parse reply message
    Continue needed? If so, feed the reply token back into InitializeSecurityContext; otherwise Connection Established
  GSS server
    Get inbound credentials: gss_import_name, gss_acquire_cred
    Listen for requests; Receive, parse message
    gss_accept_sec_context
    Construct message, Send
    Continue needed? If so, wait for the next token; otherwise Connection Established
Example: Windows NT Client Code
  Time for a code walk-through; this time the client

Example: Unix Server Code
  Now the server

Demo: Simple Client Server
  Demo a cross platform secure application using Windows NT user credentials

Windows NT User Authentication
  Windows NT logon obtains credentials
  Creates initial TGT to domain
  Klist tickets
    Cached Tickets:
    Server: [email protected]
    End Time: 10/11/1998 20:05:32
    Renew Time: 10/11/1998 20:05:32
    Server: krbtgt/MIT.NTDEV.[email protected]@NTDEV.MICROSOFT.COM
    End Time: 10/11/1998 20:05:32
    Renew Time: 10/11/1998 20:05:32
    Server: [email protected]
    End Time: 10/11/1998 20:05:32
    Renew Time: 10/11/1998 20:05:32
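An added example, not from the deck: a small Python parser for a klist ticket-cache listing in the Server / End Time / Renew Time layout shown above. It classifies each cached ticket as the initial TGT, a cross-realm TGT issued by the NT domain for another realm, or a service ticket, and checks whether an unexpired path from the NT domain into a UNIX realm is still cached. The sample listing, the realm UNIX.EXAMPLE.COM and the host name are constructed.

```python
"""Parse a 'klist tickets' listing (Server / End Time / Renew Time blocks)
and classify each cached ticket. Sample data below is constructed."""
import re
from datetime import datetime

TIME_FMT = "%m/%d/%Y %H:%M:%S"

# Constructed sample: the home-domain TGT, a cross-realm TGT the NT KDC issued
# for a placeholder UNIX realm, and an already-expired service ticket.
SAMPLE_KLIST = """\
Cached Tickets:
Server: krbtgt/NTDEV.MICROSOFT.COM@NTDEV.MICROSOFT.COM
End Time: 10/11/1998 20:05:32
Renew Time: 10/11/1998 20:05:32
Server: krbtgt/UNIX.EXAMPLE.COM@NTDEV.MICROSOFT.COM
End Time: 10/11/1998 20:05:32
Renew Time: 10/11/1998 20:05:32
Server: host/srv1.unix.example.com@UNIX.EXAMPLE.COM
End Time: 10/11/1998 18:00:00
Renew Time: 10/11/1998 20:05:32
"""

def parse_time(s):
    return datetime.strptime(s.strip(), TIME_FMT)

def classify(server):
    """'tgt' for krbtgt/R@R, 'cross-realm-tgt' for krbtgt/OTHER@R, else 'service'."""
    m = re.fullmatch(r"([^@]+)@([^@]+)", server)
    if not m:
        return "unknown"
    name, issuing_realm = m.groups()
    if name.startswith("krbtgt/"):
        return "tgt" if name[len("krbtgt/"):] == issuing_realm else "cross-realm-tgt"
    return "service"

def parse_klist(text):
    """Return one dict per ticket: server principal, kind, end and renew times."""
    tickets, cur = [], None
    for line in text.splitlines():
        key, _, value = line.strip().partition(":")
        if key == "Server":
            cur = {"server": value.strip(), "kind": classify(value.strip())}
            tickets.append(cur)
        elif key == "End Time" and cur is not None:
            cur["end"] = parse_time(value)
        elif key == "Renew Time" and cur is not None:
            cur["renew"] = parse_time(value)
    return tickets

def expired(tickets, now):
    """Server principals of cached tickets whose end time has passed."""
    return [t["server"] for t in tickets if t["end"] <= now]

def usable_path(tickets, home_realm, target_realm, now):
    """True if both the home TGT and the cross-realm TGT krbtgt/target@home are
    cached and unexpired, so a service ticket in target_realm can be requested
    without a fresh logon."""
    def live(server):
        return any(t["server"] == server and t["end"] > now for t in tickets)
    return (live(f"krbtgt/{home_realm}@{home_realm}")
            and live(f"krbtgt/{target_realm}@{home_realm}"))
```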
Completing The Example
  Things to add for a real product
    Data integrity
    Data privacy
    Using authenticated identity for authorization
  Differences between the international and domestic versions of Windows NT 5.0

Three-Tier Cross Platform Applications
  (Diagram: Internet Explorer (IE5, SSPI/Krb) talks HTTP to Internet Information Server at Http://server/service.dll (IIS Extension, SSPI/Krb), which talks TCP to a Unix back-end server (App Service, GSS/Krb); the same identity, User: NTDEV\joeb, is carried through all three tiers)

Demo: 3-Tier Application
CyberSafe Corporation
  Cross Platform Security Solutions
    Unix, Windows, Tandem, MVS
    Clients, Servers, Developer Toolkits
  Security Expertise
    Co-authors of Kerberos, PKINIT, PKCROSS, other standards within the IETF
    Professional Services - Security Impact Analysis, Security Architecture, Education/Training
  WWW.CYBERSAFE.COM
Summary
  Network Providers can unify multiple logons
  Reserve the use of a GINA for more complex logon scenarios
  A Single Account domain using integrated Kerberos v5
  Kerberos authentication + delegation = secure three-tier applications

Call To Action
  Use Kerberos v5 as your cross-platform authentication mechanism
  Use the SSPI and GSSAPI as your cross-platform development security interfaces
  Use Network Providers to unify multiple logons
For More Information
  Whitepapers
    Microsoft Windows NT Distributed Security Services
    Microsoft Windows NT Security Support Provider Interface
    http://www.microsoft.com/ntserver
    http://www.microsoft.com/security
  Windows NT 5.0 Beta2 Walkthroughs
    http://ntbeta.microsoft.com
  MIT Kerberos 5 Interoperability
    Kerberos for Unix
    CyberSafe - http://www.cybersafe.com