Kerberos delegation between different services

2020-07-18 05:24发布

问题:

We have the following setup with httpd webservers as shown below:

Heres the scenario: Server A takes the request from Browser does some operations and creates a new request and sends it to Server B. User X is authenticated on Server B, but User Y is not (and it is not supposed to). Since A is creating a new request, B is thinking that Y has sent the request and so denying it. Removing Server A is not an option. How do I solve this. Can you please help?

回答1:

This can be solved by delegation: server A should authenticate itself as user X while making request to server B.

Delegation:

  • server A receives request from browser, containing TGS ticket.
  • server A has correct username/password combination (as stored in Kerberos database in user representing service), so it can open the ticket and authenticate this user
  • server A makes request to KDC for a delegated ticket, with ticket received from user attached.
  • KDC (for example AD) checks if delegation is possible (in Active Directory user representing server A must be granted right to delegate. This tab becomes visible after you use command ktpass on ADC to generate keytab file. AD also checks if user account permits delegation of its ticket - it's enabled by default, can be disabled for some special, sensitive users)
  • KDC gives server A a delegated Kerberos ticket. Server A uses it to log in to server B.
  • server B receives request from server A with delegated ticket which says that it's the user X who logs in.

Kerberos delegation is sometimes called "a double hop": http://blogs.technet.com/b/askds/archive/2008/06/13/understanding-kerberos-double-hop.aspx

Active Directory administrators might not like the idea of giving service A right to delegate tickets (i.e. logging in to any other service in domain as user X). That's why a "constrained delegation" was introduced few years ago. It enables AD administrators to let service A log in as user X only to server B. They can set that on activeDirectory account representing service A.

http://windowsitpro.com/security/how-windows-server-2012-eases-pain-kerberos-constrained-delegation-part-1