Re: Creating an MIT style keytab for an existing Windows AD member computer

2008-07-23 Thread Nicolas Williams
On Wed, Jul 23, 2008 at 05:55:20PM -0700, Russ Allbery wrote:
> Nicolas Williams <[EMAIL PROTECTED]> writes:
> > On Wed, Jul 23, 2008 at 02:01:43PM -0400, Michael B Allen wrote:
> 
> >> Extracting the keys from AD is not possible [1].
> 
> > Nor is it possible to extract them from MIT krb5 KDCs.
> 
> It is as of 1.6 using kadmin.local (not that this changes the rest of your
> point).

Right, it doesn't -- running kadmin.local on the KDC with sufficient
privilege qualifies as "privileged access to a KDC" :)

Kerberos mailing list   Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos


Re: Creating an MIT style keytab for an existing Windows AD member computer

2008-07-23 Thread Russ Allbery
Nicolas Williams <[EMAIL PROTECTED]> writes:
> On Wed, Jul 23, 2008 at 02:01:43PM -0400, Michael B Allen wrote:

>> Extracting the keys from AD is not possible [1].

> Nor is it possible to extract them from MIT krb5 KDCs.

It is as of 1.6 using kadmin.local (not that this changes the rest of your
point).

-- 
Russ Allbery ([EMAIL PROTECTED]) 



Re: Creating an MIT style keytab for an existing Windows AD member computer

2008-07-23 Thread Nicolas Williams
On Wed, Jul 23, 2008 at 02:01:43PM -0400, Michael B Allen wrote:
> Extracting the keys from AD is not possible [1].

Nor is it possible to extract them from MIT krb5 KDCs.

> However, the ktpass utility from MS can set the password, generate the
> corresponding key separately and put it into a keytab file.

You can build keytabs directly on MIT krb5 systems using the MIT krb5
API, or even interactively with kpasswd and ktutil (an early version of
adjoin [see below] did just that).

Or you could probably just use or adapt Sun's adjoin/ksetpw tools to
your purposes:

http://www.sun.com/bigadmin/features/articles/kerberos_s10.jsp
http://www.sun.com/bigadmin/features/articles/kerberos_s10.pdf
http://opensolaris.org/os/project/winchester/files/adjoin-s10u4.tar.gz
http://opensolaris.org/os/project/winchester/files/adjoin-s10u5.tar.gz

> Note that you must have at least account operator privilege to set a
> password in AD.

Indeed.

> Mike
> 
> [1] There is a freeware utility called ktexport that can extract the
> keys from a DC and dump them into a keytab but it is only (sometimes)
> useful for debugging purposes with WireShark. The resulting keytab is
> not valid for use with any kind of service.

Sure, if you have direct, privileged access to a KDC you could always
extract its keys.  Portions of the KDC could run directly in a hardware
keystore, making it really hard to get to the keys, but that's not the
case here.

Nico
-- 

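Since both ktpass and ktutil end up producing a keytab file, it helps to see what the file actually records per entry (principal, kvno, enctype, timestamp). The following is an added example, not code from the thread, the adjoin tools or MIT krb5: it writes a small constructed keytab in the MIT 0x0502 layout in memory and parses it back, reporting everything except the key bytes themselves. The principal, realm, key bytes and timestamp are constructed sample values.

```python
import io
import struct
from datetime import datetime, timezone

# Enctype numbers from the Kerberos registry; anything else is reported numerically.
ENCTYPES = {
    3: "des-cbc-md5",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "arcfour-hmac",
}
KRB5_NT_PRINCIPAL = 1  # name_type stored in 0x0502 keytabs


def _counted(data: bytes) -> bytes:
    """counted_octet_string: 16-bit big-endian length followed by the bytes."""
    return struct.pack(">H", len(data)) + data


def build_keytab(entries):
    """Serialise (principal, realm, kvno, enctype, key, unix_time) tuples in 0x0502 layout."""
    out = bytearray(b"\x05\x02")
    for principal, realm, kvno, enctype, key, ts in entries:
        comps = principal.split("/")
        body = struct.pack(">H", len(comps)) + _counted(realm.encode())
        for c in comps:
            body += _counted(c.encode())
        body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, ts, kvno & 0xFF)  # name_type, timestamp, vno8
        body += struct.pack(">H", enctype) + _counted(key)              # keyblock
        body += struct.pack(">I", kvno)                                 # 32-bit kvno extension
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def parse_keytab(blob: bytes):
    """One dict per live entry; key bytes are deliberately not returned, only their length."""
    f = io.BytesIO(blob)
    (version,) = struct.unpack(">H", f.read(2))
    if version != 0x0502:
        raise ValueError("unsupported keytab version 0x%04x" % version)
    entries = []
    while True:
        hdr = f.read(4)
        if len(hdr) < 4:
            break
        (size,) = struct.unpack(">i", hdr)
        if size <= 0:              # negative size marks a deleted slot: skip its bytes
            f.read(-size)
            continue
        e = io.BytesIO(f.read(size))

        def counted():
            (n,) = struct.unpack(">H", e.read(2))
            return e.read(n)

        (ncomp,) = struct.unpack(">H", e.read(2))
        realm = counted().decode()
        comps = [counted().decode() for _ in range(ncomp)]
        _name_type, ts, vno8 = struct.unpack(">IIB", e.read(9))
        (enctype,) = struct.unpack(">H", e.read(2))
        key = counted()
        tail = e.read()
        kvno = struct.unpack(">I", tail[:4])[0] if len(tail) >= 4 else vno8
        entries.append({
            "principal": "/".join(comps) + "@" + realm,
            "kvno": kvno,
            "enctype": ENCTYPES.get(enctype, str(enctype)),
            "key_bytes": len(key),
            "timestamp": datetime.fromtimestamp(ts, timezone.utc).isoformat(),
        })
    return entries


# Constructed sample: the keytab a separate HTTP service account would get, with two
# enctypes at the same kvno. The key bytes are dummies, not real key material.
SAMPLE_KEYTAB = build_keytab([
    ("HTTP/jboss.example.com", "EXAMPLE.COM", 3, 23, b"\x11" * 16, 1216771200),
    ("HTTP/jboss.example.com", "EXAMPLE.COM", 3, 18, b"\x22" * 32, 1216771200),
])


def report(blob: bytes) -> list:
    """Human-readable line per entry, without key material."""
    return ["%(principal)s kvno=%(kvno)d %(enctype)s (%(key_bytes)d-byte key) %(timestamp)s" % e
            for e in parse_keytab(blob)]


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_KEYTAB)))
```

The kvno is the field to watch when AD changes a key: a ticket encrypted under a newer kvno than any entry in the keytab will not decrypt, which is why copying a machine's current host key is a short-lived fix.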


Re: Creating an MIT style keytab for an existing Windows AD member computer

2008-07-23 Thread Douglas E. Engert


Paul Moore wrote:
> "It could then impersonate any user to the machine"
> 
> Can you explain that. I want to make sure I understand all potential
> kerb threats, this is a new one to me. 

This is at the heart of Kerberos. Client and server trust KDC and trust
KDC to give service ticket to client usable at server.

The server trusts the KDC only because the KDC and server share a secret,
the key in the keytab. If someone else knows the key of the service
principal, they could create a service ticket claiming to be any client,
and present it to the server. The server will decrypt the ticket
assuming it came from the KDC introducing the client to the server.

See http://www.ietf.org/rfc/rfc4120.txt  section 3.2.3

> 
> 
> 
> 
> 
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
> Behalf Of Douglas E. Engert
> Sent: Wednesday, July 23, 2008 7:19 AM
> To: Edward Irvine
> Cc: kerberos@mit.edu
> Subject: Re: Creating an MIT style keytab for an existing Windows AD
> member computer
> 
> 
> 
> Edward Irvine wrote:
>> Hi,
>>
>> I'd like to find out if there is any way to extract a HOST keytab for 
>> a windows computer that is already a member of an active directory 
>> domain.
> 
> Do you have to use the Windows "host" principal? Can your application
> use a different principal, like HTTP or LDAP or make up your own.
> 
> Then your application server has its own keyfile, and does not need
> access to the one used by Windows for login. There are security issues
> with letting an application access this key. It could then impersonate
> any user to the machine.
> 
>> A Java developer I look after wants to do the single sign on thing to 
>> his web application. Our environment is a mixed Active Directory and 
>> Solaris environment.
>>
>> By creating a new user in active directory, and mapping the user to a
>> service principal using ktpass.exe, we now have SPNEGO single sign on
>> working between the clients' Internet Explorer and the JBoss server on
>> *Solaris*. So far so good.
> 
> A common misunderstanding when reading the Microsoft docs Kerberos and
> service principals has to do with the term "user".
> The "user" account referred to with ktpass, is an ldap term for the
> objectclass user. Kerberos service principals need a "user" account in
> AD. This user account has nothing to do with real users who will
> authenticate to the service.
> 
>> The developer, who uses a Windows workstation that is part of the Active
>> Directory domain, now wants the SPNEGO authentication to work in his 
>> own windows workstation - and for that to work I need to get the 
>> keytab for the host/[EMAIL PROTECTED]
>>
>> A quick LDAP lookup of his workstation in AD reveals that it already 
>> has a servicePrincipalName of HOST/pingname.of.host - so presumably I 
>> can extract the keytab somehow. But how?
>>
>   Not really. They also change the keys every so often, so you don't
> want to copy it.
> 
> If your Java application needs to act as a server, and really use the
> "host" service principal, can you use some Java to SSPI-service class?
> (Don't know if one exists.) (GSSAPI and SSPI use the same protocols.)
> 
>> I don't personally have admin access to the AD domain, but I work with
> 
>> the folks who do.
>>
>> Eddie
>>
>> 
> 

-- 

  Douglas E. Engert  <[EMAIL PROTECTED]>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444

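The trust relationship described above can be shown in a few lines. This is an added example, not code from the thread or from MIT krb5: it models the ticket as a client-name/service-name pair sealed under the service's key (real tickets are encrypted per RFC 4120 section 5.3; an HMAC seal is enough to show the logic), and the keys and principal names are constructed. The point it makes is the one in the reply: to a service, whoever holds its key is indistinguishable from the KDC, and giving the web application its own HTTP principal instead of the machine's host key limits what that key can vouch for.

```python
import hashlib
import hmac
import json

TAG_LEN = 32  # SHA-256 HMAC


def issue_ticket(service_key: bytes, cname: str, sname: str) -> bytes:
    """KDC side: bind the client name to the service name under the service's key.
    Toy seal (HMAC) standing in for the ticket encryption of RFC 4120."""
    body = json.dumps({"cname": cname, "sname": sname}, sort_keys=True).encode()
    return body + hmac.new(service_key, body, hashlib.sha256).digest()


def accept_ticket(service_key: bytes, sname: str, ticket: bytes):
    """Service side: check the seal with its own key, then trust whatever cname is inside."""
    body, tag = ticket[:-TAG_LEN], ticket[-TAG_LEN:]
    if not hmac.compare_digest(hmac.new(service_key, body, hashlib.sha256).digest(), tag):
        return None  # not sealed with our key: neither the KDC nor a holder of our key made it
    fields = json.loads(body)
    if fields.get("sname") != sname:
        return None  # sealed for some other service
    return fields["cname"]


def services_trusting(key: bytes, keytab: dict) -> list:
    """Which services would accept a ticket for an arbitrary client sealed with `key`?
    This is the blast radius of that key leaking."""
    probe = "any-user@EXAMPLE.COM"
    return sorted(s for s, k in keytab.items()
                  if accept_ticket(k, s, issue_ticket(key, probe, s)) == probe)


# Constructed keys standing in for what AD holds for the workstation's own host
# principal and for a separately created HTTP service account (hypothetical names).
HOST = "host/ws.example.com@EXAMPLE.COM"
HTTP = "HTTP/ws.example.com@EXAMPLE.COM"
AD_KEYS = {
    HOST: hashlib.sha256(b"constructed host key").digest(),
    HTTP: hashlib.sha256(b"constructed HTTP key").digest(),
}

if __name__ == "__main__":
    t = issue_ticket(AD_KEYS[HTTP], "alice@EXAMPLE.COM", HTTP)
    print("web app sees client:", accept_ticket(AD_KEYS[HTTP], HTTP, t))
    print("HTTP key vouches to:", services_trusting(AD_KEYS[HTTP], AD_KEYS))
    print("host key vouches to:", services_trusting(AD_KEYS[HOST], AD_KEYS))
```

With its own HTTP principal the web application's key can only introduce clients to the web application; the machine's host key, which Windows uses for logon, would introduce clients to the machine itself. That is the difference the reply is pointing at.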


Re: Creating an MIT style keytab for an existing Windows AD member computer

2008-07-23 Thread Michael B Allen
On Wed, Jul 23, 2008 at 3:59 AM, Edward Irvine <[EMAIL PROTECTED]> wrote:
> Hi,
>
> I'd like to find out if there is any way to extract a HOST keytab for
> a windows computer that is already a member of an active directory
> domain.
>
> A Java developer I look after wants to do the single sign on thing to
> his web application. Our environment is a mixed Active Directory and
> Solaris environment.
>
> By creating a new user in active directory, and mapping the user to a
> service principal using ktpass.exe, we now have SPNEGO single sign on
> working between the clients' Internet Explorer and the JBoss server on
> *Solaris*. So far so good.
>
> The developer, who uses a Windows workstation that is part of the Active
> Directory domain, now wants the SPNEGO authentication to work in his
> own windows workstation - and for that to work I need to get the
> keytab for the host/[EMAIL PROTECTED]
>
> A quick LDAP lookup of his workstation in AD reveals that it already
> has a servicePrincipalName of HOST/pingname.of.host - so presumably I
> can extract the keytab somehow. But how?
>
> I don't personally have admin access to the AD domain, but I work
> with the folks who do.

Extracting the keys from AD is not possible [1].

However, the ktpass utility from MS can set the password, generate the
corresponding key separately and put it into a keytab file.

Note that you must have at least account operator privilege to set a
password in AD.

Mike

[1] There is a freeware utility called ktexport that can extract the
keys from a DC and dump them into a keytab but it is only (sometimes)
useful for debugging purposes with WireShark. The resulting keytab is
not valid for use with any kind of service.

-- 
Michael B Allen
PHP Active Directory SPNEGO SSO
http://www.ioplex.com/



RE: Creating an MIT style keytab for an existing Windows AD member computer

2008-07-23 Thread Paul Moore
"It could then impersonate any user to the machine"

Can you explain that. I want to make sure I understand all potential
kerb threats, this is a new one to me. 





-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
Behalf Of Douglas E. Engert
Sent: Wednesday, July 23, 2008 7:19 AM
To: Edward Irvine
Cc: kerberos@mit.edu
Subject: Re: Creating an MIT style keytab for an existing Windows AD
member computer



Edward Irvine wrote:
> Hi,
> 
> I'd like to find out if there is any way to extract a HOST keytab for 
> a windows computer that is already a member of an active directory 
> domain.

Do you have to use the Windows "host" principal? Can your application
use a different principal, like HTTP or LDAP or make up your own.

Then your application server has its own keyfile, and does not need
access to the one used by Windows for login. There are security issues
with letting an application access this key. It could then impersonate
any user to the machine.

> 
> A Java developer I look after wants to do the single sign on thing to 
> his web application. Our environment is a mixed Active Directory and 
> Solaris environment.
> 
> By creating a new user in active directory, and mapping the user to a 
> service principal using ktpass.exe, we now have SPNEGO single sign on
> working between the clients' Internet Explorer and the JBoss server on
> *Solaris*. So far so good.

A common misunderstanding when reading the Microsoft docs Kerberos and
service principals has to do with the term "user".
The "user" account referred to with ktpass, is an ldap term for the
objectclass user. Kerberos service principals need a "user" account in
AD. This user account has nothing to do with real users who will
authenticate to the service.

> 
> The developer, who uses a Windows workstation that is part of the Active
> Directory domain, now wants the SPNEGO authentication to work in his 
> own windows workstation - and for that to work I need to get the 
> keytab for the host/[EMAIL PROTECTED]
> 
> A quick LDAP lookup of his workstation in AD reveals that it already 
> has a servicePrincipalName of HOST/pingname.of.host - so presumably I 
> can extract the keytab somehow. But how?
> 
  Not really. They also change the keys every so often, so you don't
want to copy it.

If your Java application needs to act as a server, and really use the
"host" service principal, can you use some Java to SSPI-service class?
(Don't know if one exists.) (GSSAPI and SSPI use the same protocols.)

> I don't personally have admin access to the AD domain, but I work with

> the folks who do.
> 
> Eddie
> 
> 

-- 

  Douglas E. Engert  <[EMAIL PROTECTED]>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444



Re: Creating an MIT style keytab for an existing Windows AD member computer

2008-07-23 Thread Douglas E. Engert


Edward Irvine wrote:
> Hi,
> 
> I'd like to find out if there is any way to extract a HOST keytab for  
> a windows computer that is already a member of an active directory  
> domain.

Do you have to use the Windows "host" principal? Can your application
use a different principal, like HTTP or LDAP or make up your own.

Then your application server has its own keyfile, and does not need access
to the one used by Windows for login. There are security issues with letting
an application access this key. It could then impersonate any user to the
machine.

> 
> A Java developer I look after wants to do the single sign on thing to  
> his web application. Our environment is a mixed Active Directory and  
> Solaris environment.
> 
> By creating a new user in active directory, and mapping the user to a  
> service principal using ktpass.exe, we now have SPNEGO single sign on
> working between the clients' Internet Explorer and the JBoss server on
> *Solaris*. So far so good.

A common misunderstanding when reading the Microsoft docs Kerberos
and service principals has to do with the term "user".
The "user" account referred to with ktpass, is an ldap term for the
objectclass user. Kerberos service principals need a "user" account
in AD. This user account has nothing to do with real users who will
authenticate to the service.

> 
> The developer, who uses a Windows workstation that is part of the Active
> Directory domain, now wants the SPNEGO authentication to work in his  
> own windows workstation - and for that to work I need to get the  
> keytab for the host/[EMAIL PROTECTED]
> 
> A quick LDAP lookup of his workstation in AD reveals that it already  
> has a servicePrincipalName of HOST/pingname.of.host - so presumably I  
> can extract the keytab somehow. But how?
> 
  Not really. They also change the keys every so often, so you don't
want to copy it.

If your Java application needs to act as a server, and really use the
"host" service principal, can you use some Java to SSPI-service class?
(Don't know if one exists.) (GSSAPI and SSPI use the same protocols.)

> I don't personally have admin access to the AD domain, but I work  
> with the folks who do.
> 
> Eddie
> 
> 

-- 

  Douglas E. Engert  <[EMAIL PROTECTED]>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444



Creating an MIT style keytab for an existing Windows AD member computer

2008-07-23 Thread Edward Irvine
Hi,

I'd like to find out if there is any way to extract a HOST keytab for  
a windows computer that is already a member of an active directory  
domain.

A Java developer I look after wants to do the single sign on thing to  
his web application. Our environment is a mixed Active Directory and  
Solaris environment.

By creating a new user in active directory, and mapping the user to a  
service principal using ktpass.exe, we now have SPNEGO single sign on
working between the clients' Internet Explorer and the JBoss server on
*Solaris*. So far so good.

The developer, who uses a Windows workstation that is part of the Active
Directory domain, now wants the SPNEGO authentication to work in his  
own windows workstation - and for that to work I need to get the  
keytab for the host/[EMAIL PROTECTED]

A quick LDAP lookup of his workstation in AD reveals that it already  
has a servicePrincipalName of HOST/pingname.of.host - so presumably I  
can extract the keytab somehow. But how?

I don't personally have admin access to the AD domain, but I work  
with the folks who do.

Eddie

