Kerberos Delegation - PowerPoint PPT Presentation


Presentation Transcript

GOPAS

TechEd 2012

Ing. Ondřej Ševeček | GOPAS a.s. |

MCM: Directory Services | MVP: Enterprise Security |

ondrej@sevecek.com | www.sevecek.com |

Kerberos Delegation

Basic Delegation

[Diagram: Basic Delegation. Components: Client, Front-End Server, Back-End Server, DC. Labels: Password (Client to Front-End), TGT: User, TGS: Back-End.]

Kerberos Delegation Options
  • Unconstrained Delegation
    • DFL 2000 (Windows 2000 domain functional level)
    • to any back-end service
    • user “knows” about it
  • Constrained Delegation
    • DFL 2003 (Windows Server 2003 domain functional level)
    • to listed back-end SPNs
    • user does not know about it
  • Constrained Delegation with Protocol Transition
Kerberos Delegation (Simplified)

[Diagram: Kerberos Delegation (Simplified). Components: Client, Front-End Server, Back-End Server, two DCs. Ticket labels: TGS: Front-End, TGT: User, TGS: Back-End, TGS: Front-End.]

AD Delegation Requirements
  • Front-end account must be able to read the tokenGroups and tokenGroupsGlobalAndUniversal attributes
    • Windows Authorization Access Group
    • 2003 schema update
  • User account must have delegation enabled
    • i.e. the “Account is sensitive and cannot be delegated” flag must not be set
Protocol Transition Requirements
  • Protocol Transition requires the Act as part of the operating system privilege (SeTcbPrivilege)
  • Protocol Transition requires front-end resource domain = account domain
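As an added example (not from the deck), the following Python classifies accounts by the delegation options listed earlier and checks the sensitive-account flag from the requirements slide; the UF_* bit values are the documented userAccountControl constants, while the account records and SPNs are constructed sample data.

```python
# Added example (not from the GOPAS deck): classify AD accounts by their
# Kerberos delegation configuration using the userAccountControl bits and
# the msDS-AllowedToDelegateTo attribute. Sample records below are
# constructed; in a real audit they come from an LDAP query of the domain.

# userAccountControl bit values (documented Windows UF_* constants)
UF_TRUSTED_FOR_DELEGATION = 0x80000            # unconstrained delegation
UF_NOT_DELEGATED = 0x100000                    # "Account is sensitive and cannot be delegated"
UF_TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # constrained + protocol transition


def delegation_mode(uac, allowed_to):
    """Delegation type of a front-end account, following the deck's taxonomy."""
    if uac & UF_TRUSTED_FOR_DELEGATION:
        return "unconstrained"                 # any back-end service, user's TGT forwarded
    if uac & UF_TRUSTED_TO_AUTH_FOR_DELEGATION:
        # protocol transition only reaches the back-end SPNs that are listed
        return "constrained+protocol-transition" if allowed_to else "protocol-transition-no-spns"
    if allowed_to:
        return "constrained"                   # only the listed back-end SPNs
    return "none"


def can_be_delegated(uac):
    """True unless the account carries the sensitive / not-delegated flag."""
    return not (uac & UF_NOT_DELEGATED)


SAMPLE_ACCOUNTS = [  # constructed sample data, not real directory output
    {"name": "WEB01$", "uac": 0x1000 | UF_TRUSTED_FOR_DELEGATION, "allowedTo": []},
    {"name": "svc-sharepoint", "uac": 0x10200,
     "allowedTo": ["MSSQLSvc/sql01.corp.example:1433"]},
    {"name": "svc-portal", "uac": 0x10200 | UF_TRUSTED_TO_AUTH_FOR_DELEGATION,
     "allowedTo": ["HTTP/api01.corp.example"]},
    {"name": "da-admin", "uac": 0x200 | UF_NOT_DELEGATED, "allowedTo": []},
    {"name": "kamil", "uac": 0x200, "allowedTo": []},
]


def audit(accounts):
    """Map each account name to its delegation mode and whether it may be impersonated."""
    return {
        a["name"]: {
            "delegation": delegation_mode(a["uac"], a["allowedTo"]),
            "can_be_delegated": can_be_delegated(a["uac"]),
        }
        for a in accounts
    }


if __name__ == "__main__":
    for name, info in audit(SAMPLE_ACCOUNTS).items():
        print(f"{name:16} delegation={info['delegation']:36} can_be_delegated={info['can_be_delegated']}")
```

In a live domain the same two attributes can be pulled per account with the AD module (Get-ADObject -Properties userAccountControl, msDS-AllowedToDelegateTo) and fed to audit().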
Kerberos with IIS 7+
  • Providers
  • Kernel Mode Authentication
    • SharePoint does not support it
  • useAppPoolCredentials
Protocol Transition

[Diagram: Protocol Transition. Components: Client, Front-End Server, Back-End Server, DC. Labels: “Nothing” (the client presents no Kerberos ticket to the front-end), “Kamil” (the user identity the front-end knows from its own authentication), “TGS: Back-End” (obtained by the front-end from the DC on the user's behalf).]


Thank you!