The most incomprehensible dialog box in Active Directory

10.29.2012 Tim Springston

In this article I will try to clarify some aspects of the "most incomprehensible dialog box in AD": the Delegation tab in the Properties window of the Active Directory Users and Computers snap-in of the Microsoft Management Console (MMC) (dsa.msc). We will look at the attribute values that result from each configuration. Understanding what the settings do will let you correctly configure applications and services that use Kerberos delegation in AD.

Tim Springston ([Email Protected]) is a senior support engineer in Microsoft Commercial Technical Support, responsible for security and authorization.

One of the most actively discussed Microsoft technologies is Kerberos authentication. That is strange, considering that the technology itself and its functions have not changed significantly since the release of Windows Server 2003. Yet Kerberos remains a subject for which additional documentation keeps being written.

The continuing need to study how Kerberos works and why it fails comes from the fact that, although the technology itself stays the same, the services that use it and the ways they use it are often unique. In every scenario, however, the meaning of the Active Directory (AD) settings and of the error messages stays the same.


Simple interface

Why spend time exploring a "simple" interface? It is worth delving into the details, because understanding how the various settings work technically makes it easier to correct configuration errors. So let us start by working out what the settings mean. If you open the Active Directory Users and Computers snap-in and go to the properties of a computer account, you will see the Delegation tab (provided your forest is at the Windows Server 2003 functional level). This tab is shown in Figure 1. To explain the purpose of the radio buttons on this tab, alternative names are given for them in Figure 2.

Before going into the meaning of the settings, let me explain what Kerberos delegation is. Delegation (also called impersonation or simple delegation) is the process by which an application or service obtains a Kerberos ticket to access a resource or a remote computer on behalf of a user. The entity trusted for delegation is the service account under which the application runs. Delegation lets the application access only the resources the user could access, and deliver the user's information. An example scenario is a web server that connects to SQL Server to display the data a user needs to the web client.

The first two options in Figure 1 ("Do not trust this computer for delegation" and "Trust this computer for delegation to any service") need no explanation. The third option is Kerberos Constrained Delegation (KCD), which is almost the same as simple delegation but allows a given account to delegate only to specified services or computers. This option provides a higher level of security by limiting the scope in which the impersonated user's identity may be delegated: if a service account trusted for delegation is compromised, the consequences are limited to access to only those resources on remote servers that were manually selected for constrained delegation.

The fourth option in Figure 1 enables KCD together with the Service for User (S4U) extension. S4U provides broader functions, such as protocol transition. Protocol transition takes place when a client first authenticates with a protocol other than Kerberos on the incoming connection and then switches to Kerberos. A detailed description of S4U is given in "Exploring S4U Kerberos Extensions in Windows Server 2003" (msdn.microsoft.com/en-us/magazine/cc188757.aspx) and "Protocol Transition with Constrained Delegation Technical Supplement" (msdn.microsoft.com/en-us/library/ff650469.aspx). These resources are aimed at programmers rather than administrators, but it is also important for an administrator to understand what S4U is, how it is performed and when it should be used. For that purpose, here is a brief list of S4U features for the administrator.

Obtaining information about a user's token without actually obtaining that token, without the user's Ticket-Granting Ticket (TGT) or a service ticket from the user, and without access to the user's credentials. The information obtained can then be used, for example, for authorization checks. This extension is known as Service-for-User-to-Self (S4U2Self).

Obtaining service tickets on the user's behalf without the service having to receive a Kerberos service ticket from the user, without access to the account's credentials, without TGT forwarding, and without the user authenticating to the service: Service-for-User-to-Proxy (S4U2Proxy).

Performing the protocol transition mentioned above. A client contacting a corporate service first authenticates with a method other than Kerberos, and S4U lets the trusted service switch the already-authenticated user session to Kerberos. This is where configuration errors most often occur, since application documentation frequently does not say clearly whether protocol transition is needed and how to configure it in AD. The topic is relevant, however, since today hardly any article fails to mention the "cloud". Clients connecting through the "cloud" will most often use NTLM authentication, because there are no domain controllers (DCs) on the Internet to process requests for Kerberos service tickets. Protocol transition lets a user connect to the domain through a firewall or proxy server using one of the other authentication methods (for example, NTLM) and then switch to Kerberos authentication for further actions inside the corporate network. Since the "cloud" means connecting over the Internet, you can be sure that if you use any "cloud" solution, sooner or later you will come to use Kerberos protocol transition.

Under the hood

Now let us consider what actually happens when each of these four settings is selected, using LDP to view the attribute values set for each configuration. LDP is installed with the AD Domain Services role by default and can be used as a graphical LDAP query tool. LDP lets you build your own LDAP queries and view the results in a readable form. An additional advantage of using LDP to view attribute values (for example, userAccountControl) is that it translates computed values into readable flag names instead of a single number. Newer versions of adsiedit.msc provide similar handling of computed values.

Thus, in Windows Server 2008 and later, ldp.exe and adsiedit.msc translate attribute values such as userAccountControl automatically, which removes the need to open calc.exe and look up the documentation on MSDN or in the Microsoft Knowledge Base.

Now let us look at how the attribute values shown in LDP change depending on the settings. Let us start with an account that is not trusted for delegation. Figure 3 shows that the test2 account is not trusted, and that the hexadecimal value 1020 of the userAccountControl attribute (decimal 4128) is translated as WORKSTATION_TRUST_ACCOUNT and PASSWD_NOTREQD.

Figure 4 shows an account trusted for delegation. We can see the userAccountControl attribute value translated as TRUSTED_FOR_DELEGATION, indicating that simple, unconstrained Kerberos delegation is allowed for this service account.

Trusting delegation to specified services

The following settings are crucial if S4U or KCD is to be used. The first case corresponds to selecting Trust This Computer for Delegation to Specified Services Only and Use Kerberos Only. Figure 5 shows that with this choice the userAccountControl attribute again receives WORKSTATION_TRUST_ACCOUNT, and the msDS-AllowedToDelegateTo attribute is automatically populated with the selected services to which delegation is allowed. No other procedure populates this attribute, and nothing else is affected. Its entries list the specific services to which delegation is allowed.

The second option is less secure: Use Any Authentication Protocol, which allows protocol transition and the other extension features. In addition to the entries in the msDS-AllowedToDelegateTo attribute, this setting changes the userAccountControl attribute, which receives the TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION (T2A4D) flag, as shown in Figure 6. Without the T2A4D flag, you can expect a protocol transition error. No other component uses this flag. Note that this simple switch is extremely important, because if it is not selected, S4U2Self, S4U2Proxy and protocol transition behave differently, which can create problems for applications and services that expect the corresponding ticket types. In particular, protocol transition will fail with an error and no ticket will be issued. S4U2Proxy and S4U2Self tickets will lack the forwardable flag, which leads to an error: for S4U2Proxy in every case, and for S4U2Self when the ticket has to be sent on to another service or host.
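The mapping just described (four radio buttons, two attributes) is easy to check in bulk rather than one account at a time in LDP. The following is an added example, not code from the article: it decodes a userAccountControl value into the delegation-related flag names, maps it together with msDS-AllowedToDelegateTo back to the Delegation tab setting, and flags the accounts an auditor should look at first. The flag bit values are the standard AD ones; the account names, values and SPNs in SAMPLE_ACCOUNTS are constructed to mirror Figures 3 to 6.

```python
# userAccountControl bits relevant to the Delegation tab (standard AD values).
UF_PASSWD_NOTREQD = 0x0020
UF_WORKSTATION_TRUST_ACCOUNT = 0x1000
UF_TRUSTED_FOR_DELEGATION = 0x80000
UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION = 0x1000000

UAC_FLAG_NAMES = {
    UF_PASSWD_NOTREQD: "PASSWD_NOTREQD",
    UF_WORKSTATION_TRUST_ACCOUNT: "WORKSTATION_TRUST_ACCOUNT",
    UF_TRUSTED_FOR_DELEGATION: "TRUSTED_FOR_DELEGATION",
    UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION: "TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION",
}


def parse_uac(value):
    """Accept the value as LDP shows it ('0x1020'), as the raw LDAP decimal string ('4128') or as an int."""
    if isinstance(value, int):
        return value
    text = value.strip().lower()
    return int(text, 16) if text.startswith("0x") else int(text, 10)


def decode_uac(uac):
    """Names of the delegation-related flags set in a userAccountControl value, lowest bit first."""
    return [name for bit, name in sorted(UAC_FLAG_NAMES.items()) if uac & bit]


def delegation_mode(uac, allowed_to_delegate_to):
    """Map the two attributes back to the four radio buttons of the Delegation tab."""
    if uac & UF_TRUSTED_FOR_DELEGATION:
        return "unconstrained"                  # Trust this computer for delegation to any service
    if allowed_to_delegate_to:
        if uac & UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION:
            return "constrained-any-protocol"   # specified services only + Use any authentication protocol
        return "constrained-kerberos-only"      # specified services only + Use Kerberos only
    return "none"                               # Do not trust this computer for delegation


def audit(accounts):
    """Given (name, uac, msDS-AllowedToDelegateTo list) tuples, return the ones that deserve review."""
    findings = []
    for name, uac, targets in accounts:
        mode = delegation_mode(parse_uac(uac), targets)
        if mode == "unconstrained":
            findings.append((name, mode, "receives forwarded user TGTs; a compromise exposes every connecting user"))
        elif mode == "constrained-any-protocol":
            findings.append((name, mode, "T2A4D set: can obtain tickets for users who never authenticated to it with Kerberos"))
    return findings


# Constructed sample accounts (hypothetical names and SPNs), one per figure in the article.
SAMPLE_ACCOUNTS = [
    ("test2", "0x1020", []),                                          # Figure 3: not trusted
    ("web01", 0x81020, []),                                           # Figure 4: unconstrained
    ("web02", 0x1020, ["MSSQLSvc/sql01.corp.example:1433"]),          # Figure 5: KCD, Kerberos only
    ("web03", 0x1001020, ["MSSQLSvc/sql01.corp.example:1433"]),       # Figure 6: KCD, any protocol (T2A4D)
]

if __name__ == "__main__":
    for name, uac, targets in SAMPLE_ACCOUNTS:
        value = parse_uac(uac)
        print(f"{name}: 0x{value:x} = {' | '.join(decode_uac(value))} -> {delegation_mode(value, targets)}")
    for finding in audit(SAMPLE_ACCOUNTS):
        print("review:", *finding)
```

In a real environment the two attribute values would come from an LDAP query against each computer or service account; the logic above is the same whichever tool fetches them.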

"Do it yourself"

What happens if the service account used by an application or service has to perform an action that requires protocol transition, but the Delegation tab is set to Use Kerberos Only instead of Use Any Authentication Protocol? For the client application the error may take the form of Access Denied when it tries to reach network resources, or the application may silently fall back to NTLM authentication, or an unexpected application-specific error may occur. The unpredictable form of the error complicates the task further. The most likely result, however, is Access Denied. In such a situation, be sure to study the documentation of the application or service and find out whether protocol transition, or requests for a service ticket without a TGT, are mentioned. The problem is that most documentation writers do not really understand the meaning of the KCD configuration and therefore give insufficient explanations, or none at all.

A do-it-yourself method for finding the cause of the error is simply to collect a network trace on the server trusted for delegation. Filter the collected data by Kerberos (KerberosV5 in Microsoft Network Monitor or kerberos in Wireshark). The ticket-granting service request (TGS_REQ) is sent to the AD Key Distribution Center (KDC) and contains the KDC options with the constrained-delegation flag. If the ticket is refused, the server's response (TGS_REP) will contain the error KDC_ERR_BAD_OPTION, which is easy to spot in the network trace.
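The trace triage described above can be automated once the capture has been decoded. The following is an added example, not part of the article: it walks a list of decoded Kerberos messages, pairs each TGS-REQ with the KDC's reply to the same host, and reports the requests that carried the constrained-delegation option and were answered with KDC_ERR_BADOPTION (error code 13 in RFC 4120; the KDC sends it as a KRB-ERROR message, which is what a trace tool shows under the TGS exchange). The record format and the frames in SAMPLE_TRACE are constructed, not real capture data; the option label "constrained-delegation" and the host names are assumptions.

```python
# Kerberos message types and the KDC error code from RFC 4120.
KRB_TGS_REQ = 12
KRB_TGS_REP = 13
KRB_ERROR = 30
KDC_ERR_BADOPTION = 13

# Constructed trace (hypothetical hosts): each dict is one decoded Kerberos message,
# in the order a filtered capture on the delegating server would list them.
SAMPLE_TRACE = [
    {"frame": 101, "src": "web01", "dst": "dc01", "msg_type": KRB_TGS_REQ,
     "sname": "MSSQLSvc/sql01.corp.example:1433",
     "kdc_options": ["forwardable", "constrained-delegation"]},
    {"frame": 102, "src": "dc01", "dst": "web01", "msg_type": KRB_ERROR,
     "error_code": KDC_ERR_BADOPTION},                      # the refusal the article describes
    {"frame": 103, "src": "web01", "dst": "dc01", "msg_type": KRB_TGS_REQ,
     "sname": "cifs/fs01.corp.example", "kdc_options": ["forwardable"]},
    {"frame": 104, "src": "dc01", "dst": "web01", "msg_type": KRB_TGS_REP},
    {"frame": 105, "src": "web02", "dst": "dc01", "msg_type": KRB_TGS_REQ,
     "sname": "MSSQLSvc/sql01.corp.example:1433",
     "kdc_options": ["forwardable", "constrained-delegation"]},
    {"frame": 106, "src": "dc01", "dst": "web02", "msg_type": KRB_TGS_REP},   # same request, accepted
]


def pair_requests(records):
    """Yield (request, reply) pairs: each TGS-REQ with the next KDC message sent back to its sender."""
    pending = {}                      # requesting host -> outstanding TGS-REQ
    for rec in records:
        if rec["msg_type"] == KRB_TGS_REQ:
            pending[rec["src"]] = rec
        elif rec["msg_type"] in (KRB_TGS_REP, KRB_ERROR):
            req = pending.pop(rec["dst"], None)
            if req is not None:
                yield req, rec


def failed_constrained_delegation(records):
    """Return the constrained-delegation (S4U2Proxy) requests the KDC rejected with KDC_ERR_BADOPTION."""
    findings = []
    for req, rep in pair_requests(records):
        if "constrained-delegation" not in req.get("kdc_options", []):
            continue
        if rep["msg_type"] == KRB_ERROR and rep.get("error_code") == KDC_ERR_BADOPTION:
            findings.append({
                "frame": req["frame"],
                "server": req["src"],
                "target": req["sname"],
                "hint": ("check msDS-AllowedToDelegateTo for this target and whether "
                         "Use any authentication protocol (T2A4D) is required on " + req["src"]),
            })
    return findings


if __name__ == "__main__":
    for finding in failed_constrained_delegation(SAMPLE_TRACE):
        print(f"frame {finding['frame']}: {finding['server']} -> {finding['target']}: {finding['hint']}")
```

Feeding this from a real capture means exporting the decoded Kerberos fields from the trace tool into the same record shape; the pairing logic itself does not depend on the tool.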

More information on how the Microsoft Kerberos implementation works can be found in the Open Specifications online. "Kerberos Protocol Extensions" (msdn.microsoft.com/en-us/library/cc233855(v=prot.13).aspx) contains the general Kerberos documentation, and "Kerberos Protocol Extensions: Service for User and Constrained Delegation Protocol Specification" (msdn.microsoft.com/en-us/library/cc246071(v=prot.13).aspx) documents Kerberos constrained delegation and S4U.

A perfect world

I hope that the above analysis of the settings in the Kerberos delegation dialog and their counterparts in AD will help you understand them better. An ideal world would be one in which the documentation of the services you administer contained a technical guide to configuring them correctly for authentication. Since reality is far from ideal, this information should help improve your toolkit. Understanding how the settings work technically is the key to success.




Solved.

The first half was my oversight. The second half... well, I have no words for what went wrong. In fact, it is not a bug or an incompatibility, but something very inconvenient, intermittent and hard to understand. First the summary, then the long explanation for anyone who cares:

Despite what the error messages suggest, this is not a problem with the conceptual model (CSDL) but a column-mapping problem that kept recreating itself intermittently.

The conceptual model was built using EdmxWriter to parse the DbContext and its main parts.

The model was then used to generate SQL scripts to move the schema to a new database. The catch is that the database is Oracle.

Oracle is picky and does not accept long column names. So the generated EDMX and SQL scripts had to be modified to create and map parts of the conceptual model with shortened column names.

Not a very big deal. It works fine. So where did it all go wrong?

Oracle does not support code first. And although it was done manually, using EdmxWriter is a code-first approach with Oracle. So when the first EDMX schema was parsed, it choked on boolean mappings. The solution was to temporarily remove the bools from my C# models, add them to the EDMX manually and map them in Web.config for Oracle (mapping bool to NUMBER(1,0)).

All groovy again. But why does it keep recurring?

At various times during development, one end of the arrangement changes: either C#, the EDMX or Oracle. And every time, it seems, the columns were automatically remapped, and I did not know it. If the EDMX model was updated from Oracle, the mapping pointed to C# properties that did not exist (the short column names). If the model was updated from the C# code, the mapping was not preserved, and it tried to map the long column names that did not exist in Oracle.

The bug with this approach (a code-first/model-first hybrid) is that if I want to keep control of my own models and handle the settings needed to humour a picky child, I have to be very careful and keep an eye on the EDMX file.

Sites, applications and games are information resources used by users. To separate the operations allowed and forbidden to a given user, access rights (permissions) are used. A set of permissions forms a role. For example, let us look at a basic site with user registration.

On this site "live" three roles, each with its own rights and obligations:

1. Guest

All anonymous visitors operate in this role by default. If we grant site guests the "Add comments" permission, a visitor who comes to the site will be able to comment on the content that interests them. If not, they will need to register first in order to comment.

2. Authorized user

After authentication and authorization, the anonymous visitor gets a new role. Only authorized users can manage their personal account, add and edit personal data, and view information about other users. Unregistered users do not have the right to these operations.

3. Administrator

This default role gives the user full access to the site. The resource administrator adds and removes blocks and grants or revokes other users' access to particular functionality.

How to test, and what to pay attention to?

First of all, we try not to delete the "super admin" while playing with the settings.

  • Create a safe character

To come closer to real activity on the project, one extra user with similar administrative powers is enough. We then test the resource and change other users' access permissions as that character.

  • Check in several browsers

We do both at once: in one browser we modify permissions, in another we check how the rights apply to the user, thereby separating the user sessions.

  • Go by direct link

Test block restrictions by navigating to them by URL. Some resource data should be unavailable by direct link to an unauthorized guest of the site. If access is restricted, all is well: instead of the closed information, the anonymous visitor receives a warning in the form of a special page, most often with code 403.

  • Test entity locking

For resources such as ticket and tour booking, it is important to lock an item when several users may access it at the same time. There are two locking options:

+ Optimistic locking: on save, the database is checked for a newer version of the data left by another user. If there is one, the current user's instance of the entity is updated with it.

+ Pessimistic locking of entities is used when optimistic locking produces too many conflicts. In this case, only one user at a time uses and modifies a given instance of the entity.

It can be tested from one computer in several browsers or under different accounts.
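The two locking options above are easier to test when you can reproduce the "two browsers, one seat" race deterministically. The following is an added example, not from the original article: a constructed in-memory SQLite table with a version column implements optimistic locking (the UPDATE only succeeds if the row still has the version the user read), and a small lock registry implements pessimistic locking (one holder per item until released). The table, seat and user names are constructed; SQLite is used only because it is in the Python standard library.

```python
import sqlite3
import threading


def make_db():
    """Constructed bookings table: the version column is what optimistic locking checks."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE seats (id INTEGER PRIMARY KEY, holder TEXT, version INTEGER NOT NULL)")
    conn.execute("INSERT INTO seats (id, holder, version) VALUES (1, NULL, 0)")
    conn.commit()
    return conn


def read_seat(conn, seat_id):
    """What a browser session sees when it opens the booking form."""
    holder, version = conn.execute(
        "SELECT holder, version FROM seats WHERE id = ?", (seat_id,)).fetchone()
    return {"id": seat_id, "holder": holder, "version": version}


def optimistic_book(conn, seat, user):
    """Save only if nobody changed the row since `seat` was read; True on success, False on a stale copy."""
    cur = conn.execute(
        "UPDATE seats SET holder = ?, version = version + 1 WHERE id = ? AND version = ?",
        (user, seat["id"], seat["version"]))
    conn.commit()
    return cur.rowcount == 1          # 0 rows means another user's save got there first


class PessimisticLocks:
    """Pessimistic locking: an item is held exclusively by one user until that user releases it."""

    def __init__(self):
        self._owners = {}
        self._guard = threading.Lock()

    def acquire(self, seat_id, user):
        with self._guard:
            owner = self._owners.get(seat_id)
            if owner is not None and owner != user:
                return False          # someone else is editing this item
            self._owners[seat_id] = user
            return True

    def release(self, seat_id, user):
        with self._guard:
            if self._owners.get(seat_id) == user:
                del self._owners[seat_id]


def simulate_two_browsers():
    """Two sessions read the same seat, then both try to book it; returns (first_ok, second_ok, holder)."""
    conn = make_db()
    seen_by_alice = read_seat(conn, 1)     # both forms show version 0, seat free
    seen_by_bob = read_seat(conn, 1)
    alice_ok = optimistic_book(conn, seen_by_alice, "alice")
    bob_ok = optimistic_book(conn, seen_by_bob, "bob")   # stale version: must reload, not overwrite
    return alice_ok, bob_ok, read_seat(conn, 1)["holder"]


if __name__ == "__main__":
    print("optimistic:", simulate_two_browsers())
    locks = PessimisticLocks()
    print("pessimistic:", locks.acquire(1, "alice"), locks.acquire(1, "bob"))
    locks.release(1, "alice")
    print("after release:", locks.acquire(1, "bob"))
```

The test case a tester wants from the matrix row "two users book the same seat" is exactly `simulate_two_browsers()`: the second save must be rejected, and the seat must still belong to the first user.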

  • Use a test matrix

It simplifies the tester's work, clearly shows permitted and forbidden actions, and simply helps not to miss anything. In it we lay out all the roles, users and variations of restrictions on our characters' capabilities.

And here is the simplest example of a test matrix:
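The following is an added example, not the article's own matrix: the three roles of the example site and six actions, with the expected outcomes written down as a role-by-action matrix and checked automatically against a constructed role policy. The policy deliberately grants guests "add_comment", the case the article uses, so the matrix run shows how a wrong permission surfaces; the direct-link check returns 403 for anything not explicitly allowed, including unknown roles. Role, action and user names are constructed.

```python
# Role policy under test (constructed): the permissions each role actually carries.
POLICY = {
    "guest": {"view_public", "add_comment"},     # "add_comment" is the deliberate mistake to catch
    "user":  {"view_public", "add_comment", "edit_own_profile", "view_profiles"},
    "admin": {"view_public", "add_comment", "edit_own_profile", "view_profiles",
              "manage_blocks", "manage_permissions"},
}

ACTIONS = ["view_public", "add_comment", "edit_own_profile", "view_profiles",
           "manage_blocks", "manage_permissions"]

# The test matrix: for every role and action, is it supposed to be allowed?
EXPECTED = {
    "guest": dict(zip(ACTIONS, [True, False, False, False, False, False])),
    "user":  dict(zip(ACTIONS, [True, True, True, True, False, False])),
    "admin": dict(zip(ACTIONS, [True, True, True, True, True, True])),
}


def is_allowed(role, action):
    """Deny by default: an unknown role or an unlisted action is never allowed."""
    return action in POLICY.get(role, set())


def handle_direct_link(role, action):
    """The direct-URL check from the article: 200 if the role may perform the action, otherwise 403."""
    return 200 if is_allowed(role, action) else 403


def run_matrix(expected):
    """Compare the policy with the matrix; return (role, action, expected, actual) for every mismatch."""
    mismatches = []
    for role, cells in expected.items():
        for action, should_allow in cells.items():
            actual = is_allowed(role, action)
            if actual != should_allow:
                mismatches.append((role, action, should_allow, actual))
    return mismatches


def render_matrix(expected):
    """Plain-text view of the matrix with the policy's verdict in each cell (+ allowed, - denied, ! mismatch)."""
    width = max(len(a) for a in ACTIONS)
    lines = ["role".ljust(8) + " ".join(a.ljust(width) for a in ACTIONS)]
    for role, cells in expected.items():
        marks = []
        for action in ACTIONS:
            actual = is_allowed(role, action)
            mark = "!" if actual != cells[action] else ("+" if actual else "-")
            marks.append(mark.ljust(width))
        lines.append(role.ljust(8) + " ".join(marks))
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_matrix(EXPECTED))
    for role, action, should_allow, actual in run_matrix(EXPECTED):
        print(f"MISMATCH: {role}/{action}: expected {'allow' if should_allow else 'deny'}, got {'allow' if actual else 'deny'}")
```

Running the matrix as code keeps the expected outcomes next to the policy, so a permission that drifts later (a block opened to guests by mistake) shows up as a mismatch instead of depending on someone re-checking every cell by hand.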

Access control is one of the main checks in testing. Even checking a local library's site with three roles presents the tester with difficulties. But popular resources with dozens of roles, thousands of users and millions of permissions require a whole army of administrators! It is hard to imagine the scale of the damage if the testing is done by an amateur. Involve competent specialists and do not allow gaps in the security of your products!