Wednesday, 21 December 2011

LDAP authentication....

LDAP is primarily a directory access protocol.
It does have a primitive authentication mechanism called a simple bind where usernames and passwords are sent using clear text.

However, LDAP also includes an extensible authentication framework called Simple Authentication and Security Layer (SASL).
The rootDSE includes an attribute called supportedSASLMechanisms that lists the supported SASL features.
AD supports Kerberos v5 and NTLM SASL mechanisms.
GSSAPI = kerberos
GSS-SPNEGO = NT negotiate (so still probably kerberos).
There is also Digest and External for client certificate authentication.

Therefore kerberos is often used by an application during an LDAP bind operation.

Apparently scripts using GetObject("LDAP://...") also use GSS-SPNEGO authentication using current user's credentials, so will use kerberos where possible, though I have not tested this myself.

Thursday, 15 December 2011

Unreliability of logonserver variable

When referencing this variable, be aware that it is not updated, so may not show where the secure channel is currently with.
So, you may log on and find that the initial logon is against DC2. However, at some point during the session, the secure channel may be established with DC1. However, the logonserver variable will not be updated to show this.
Therefore, nltest /sc_query: is far more reliable.

Wednesday, 20 July 2011

Computer Account Password Reset process

This succinctly sums up the process.
Note that resetting a computer account is a client-initiated process, so clients that are turned off for months will still authenticate since they will only change the old password when they come back on line.
Also worth noting that before changing the password locally, they ensure that a valid secure channel exists so lack of connectivity should not cause a password mismatch.

Wednesday, 6 July 2011

Connecting to DNS on Server 2008 R2 from older OS's

Server 2008 R2 implements RPC integrity. This is not supported in the W2K and W2K3 versions of DNSMGMT.msc or DNSCMD.exe.
which suggests that only W2K8R2 machines can be managed from the same OS, and only W2K3 machines can be managed by older OS's.
Which is a pain.

I understand the following would "fix" Server 2008 R2, but by running this you are effectively exposing DNS to man in the middle attacks:
dnscmd.exe /Config /RpcProtocol 7
dnscmd.exe /Config /RpcAuthLevel 0 
I have not attempted this to be able to confirm that it works.

Tuesday, 15 March 2011


This topic could get huge, so let's restrict it to the modes of authentication supported by IIS. They are:

  • Anonymous - a token is created in IIS to represent all anonymous users with the same anonymous account. The default account is IUSR_NetBIOSNameOfMachine

  • Basic - credentials are then transmitted in unencrypted Base64-encoded format. This means that they will be sent in clear text. The only way to prevent this is to wrap the credentials using SSL. Since the server receives unencrypted credentials, it can then use them to impersonate the caller and use the same credentials to access network resources.

  • Integrated windows - uses either NTLM or Kerberos v5. Kerberos is used if the following criteria are met:

  • The application is using the network service or a domain account (otherwise NTLM used if the application is running under a local user account).

  • A SPN exists for the domain account used to run the service with which the client is authenticating.

  • Client and server are W2K+, and are in the same or trusting domain.

  • NTLM Authentication

    Note in the above diagram, the challenge is just a 16 byte random number, so the client then just encrypts it with the password hash of the user and returns it. Then, in step 5, the DC obtains the password hash for the user and then uses it to encrypt the original challenge. If this matches the original response from the client then the DC sends the server confirmation that the user is authenticated.

    Kerberos Authentication

    Breaking this down further:
    1. When a user attempts to log on to client, the kerberos service on the client sends a kerberos authentication request to the KDC. This request will contain user name, service information for which the TGT is requested, and a time stamp that is encrypted with the user password.
    2. The DC will decrypt the timestamp with the user password that it gets from AD. If the timestamp is then valid, the user is genuine. The KDC will then create a logon session key, and encrypts the copy with the user password. The authentication service then creates a TGT which includes user info and the logon session key. The authentication service will then encrypt the TGT with its own key and passes both the encrypted session key and encrypted TGT to the client.
    3. The client will then decrypt the logon session key using the user password and caches it locally. Also stores the encrypted TGT in its cache. When accessing a network service, the client will send a request to the KDC ticket granting service (TGS) with information that includes the user name, an authenticator message encrypted using the user's session key, the TGT and the name of the service that they want to access.
    4. The TGS on the KDC decrypts the TGT using its own key and extracts the logon session key. Using this logon session key it can decrypt the authenticator message (which is usually a timestamp). If this authenticator message is successfully decrypted, the TGS extracts user info from the TGT, and using this user info will create a service session key for accessing the service. One copy of the service session key is encrypted with the user's logon session key, and a service ticket is then created with the service session key and the user info. The service ticket is then encrypted with the server's password. The TGS then sends the encrypted service session key and service ticket to the client.
    5. When the client accesses the service, it sends a message to the server containing the authenticator message (timestamp) which is encrypted using the service session key and the service ticket.
    6. The server decrypts the service ticket and extracts the service session key, which it then uses to decrypt the authenticator message. It evaluates this. If the authenticator passes the test, the server encrypts the authenticator message using the service session key and then passes the authenticator back to the client. The client decrypts it and if it is the same as the original the service is genuine and the client proceeds with the connection.
    Advantages of kerberos
    • Mutual authentication - so client is assured that the service is not being impersonated.
    • Delegation support - servers that authenticate clients using kerberos can impersonate those clients and use their security context to access network resources.
    • Better performance than NTLM.
    • In multiple domains, point to point trust relationships are not required.
    These enable mutual authentication, and allow clients to request tickets to then communicate with a particular service.
    SPNs in AD maintain a mapping between the constructed name e.g. MyService/MyServer:1879 and the domain account under which the service you want is running. For this to be impersonated, an attacker would need to disable the real service and remove the actual server from the network. They'd then need to add a new computer with the same name and expose the duplicated service. Since Kerberos v5 uses mutual authentication, the client will not be able to use the duplicated service unless it knows the password for the domain account under which the actual service is configured to run.