Kerberos, delegation and how to do this correctly?

kerberos delegation
Vilx- picture Vilx- · Oct 22, 2009 · Viewed 13.1k times · Source

I've got two separate homemade applications that need to communicate among themselves. One is a frontend application (asp.net actually), the other is a backend interface to an accounting application. The backend interface was not created specifically for this frontend - it is a generic interface that many other applications use to integrate with our product.

For the convenience of users we wish to provide a Windows Authentication in our frontend application. That means however that we need to pass the credentials on to the backend application which has to check them.

We do not wish to set up our frontend as a "trusted" application to the backend which can authenticate itself as any user. If the frontend was to be hacked, it would then also compromise the backend system.

As I understand it, one way to do it with Windows Authentication is Kerberos Delegation. However this requires to be explicitly enabled for the user that is to be delegated, and the machine which does the delegation (the server with our frontend). By default these options are disabled in Active Directory, and I suspect that many sysadmins will have their reservations about turning them on for all their users.

Also, I'm not really sure that this is what Kerberos Delegation was meant for. I don't need our frontend to impersonate the user that is connecting. I just need to prove that this user has authenticated itself to me.

How would you do this?

Answer

Hogan picture Hogan · Sep 30, 2013

I'm not clear what you can and can't do with your use case but I can answer the question what Kerberos Delegation was meant for.

First let's talk about what Kerberos does prior to delegation. It is important to understand this part well because it is subtle.

Kerberos authenticates the identity of BOTH ends of a communication between two end-points across a network, those end-points can be interactive users or services running on a computer.

This is strong authentication so it will not allow a man-in-middle attack in any form. If set up correctly an end point can guarantee they won't be compromised. To the level of the service name (if you are connecting to IIs on a machine it is different than connecting to SQL Server on the same machine). It makes heavy use of modern encryption techniques and requires the use of secure certificates. The details of the authentication protocol are complicated and not worth going into now, but it involves about 20 different distinct steps of confirmation between the two authenticating end points and authentication server (in windows the Domain Controller is the authentication server).

So what the heck is delegation?

Delegation is a Microsoft extension to the Kerberos standard which allows a trusted source to continue the authentication to another end-point.

This allows you to act as a "man in the middle" -- however many settings have to be explicitly setup, certificates installed, etc to allow this to work. It is far from simple. (EDIT: Here is another SO answer on the details - https://stackoverflow.com/a/954154/215752)

So, for example, you could have someone authenticate to a website and then have the .NET code connect to an SQL Server AS THE SAME USER to read data with that user's rights.

Now to answer your question, since I'm not sure what you want to do I present three choices:

1) You want to connect to the back end system as the SAME user as the one authenticating at the website.

  • In this case Kerberos delegation is perfect -- it does exactly what you want.

2) You want to connect to the back end system as a DIFFERENT user than the one authenticating at the website (eg a service account).

  • In this case you don't want delegation. Kerberos to the website and Kerberos (as a different user) to the back-end will work great.

3) You want to connect to the back end system as the SAME user some of the time and as a DIFFERENT user other times. (For example, you need to validate this is a legal user for the back end system, but want to perform trusted actions as a system account other times. This is (in my experience) the most common use case.)

  • In this case you use both. Delegation for the connections which need to validate the user identity and then revert to the service account identity for the times when you need system access to the back end. (A previous question of mine went into the details of how to revert to the system identity on the .NET platform see How to "un-impersonate" (un-delegate?) in Kerberos.)

Related questions

ASP.Net web application trying to use Impersonation and Delegation to connect to SQL Server

I'm trying to use Impersonation and Delegation in an intranet ASP.Net web-app in order to pass authenticated users' credentials onto a SQL Server. The web server and SQL server are two separate machines, but in the same domain, so …

Read More
How do I configure IIS so that the user's domain credentials are used when connecting to SQL server?

We've recently released the latest version of our intranet application, which now uses windows authentication as standard, and needs to be able to connect to a configured SQL server with the end-user's domain credentials. Lately we've found that on a …

Read More
The target principal name is incorrect. Cannot generate SSPI context

I am struggling to get a SQL Server connection from machine A to machine B which is running the SQL Server. I have Googled extensively and all the things I have found have not worked. Nor do they lead you …

Read More