Idea ID: 2751729

Kerberos Authentication Support for SM Backend Application (Servlets) & Connect.It SM Connector

Status: Waiting for Votes
over 1 year ago

This idea is to enhance the Service Manager backend application servlets and the Connect.It ServiceManager connector to support Kerberos authentication.

We refer here to Service Manager 9.6x Codeless/Classic.

At a customer in Zurich, the IT Security Architecture decided to deprecate NTLMv2 authentication, with the intention of using and supporting Kerberos authentication only.

Currently we have Kerberos-based single sign-on configured and supported for all users who access Service Manager through the web tier.

However, we are still operating several SM servlets configured for LDAP authentication, for instance to support:

- REST Webservices Integrations

- Connect.It Interfaces

The only option currently offered by the backend application is TSO (Trusted Sign On). TSO is not an option at all, since it requires generating a certificate for each client and importing it into the trusted client keystore on the server. This would create a lot of maintenance effort and will certainly not be accepted by the web service consumers (we are aware that a shared certificate could be used as well, but we do not consider this to be secure).

The current LDAP authentication in SM is based on NTLMv2. NTLMv2 is quite an old technology and is no longer considered secure today.

Further information on why NTLMv2 should no longer be used:

NTLMv1 hashes can be cracked in seconds with today's computing power, since they are always the same length and are not salted.

NTLMv2 is a little better, since it uses a variable-length, salted hash, but not by much. Even though the hash is salted before it is sent, it is stored unsalted in the machine's memory.
And of course, when we talk about NTLM, we talk about a challenge/response mechanism, which exposes the password to offline cracking when responding to the challenge.

Kerberos provides several advantages over NTLM:
- More secure: no password is stored locally or sent over the network.
- Better performance: improved performance over NTLM authentication.
- Delegation support: servers can impersonate clients and use the client's security context to access a resource.
- Simpler trust management: avoids the need for p2p trust relationships in a multi-domain environment.
- Supports MFA (multi-factor authentication).