nickvandermeijd Absent Member.
Absent Member.
274 views

Kerberos authentication question


Hello,

Het 'documentation' (http://tinyurl.com/pgt25sx) about implementing
Kerberos in NAM states the following:

> 6.(Conditional) If you have users who are outside the firewall, they
> cannot use Kerberos. SPNEGO defaults first to NTLM, then to HTTPS basic
> authentication. Access Manager does not support NTLM, so the NTLM prompt
> for username and password fails. The user is then prompted for a
> username and password for HTTPS basic authentication, which succeeds if
> the credentials are valid.


Why is isn't it working when users are outside the firewall? When users
log-on to a member-server they have a Kerberos ticket right? Regardless
of the network.

Could someone explain this? 🙂


--
nickvandermeijde
------------------------------------------------------------------------
nickvandermeijde's Profile: https://forums.netiq.com/member.php?userid=8288
View this thread: https://forums.netiq.com/showthread.php?t=54448

0 Likes
1 Reply
Anonymous_User Absent Member.
Absent Member.

Re: Kerberos authentication question

nickvandermeijde wrote:

>
> Hello,
>
> Het 'documentation' (http://tinyurl.com/pgt25sx) about implementing
> Kerberos in NAM states the following:
>
> > 6.(Conditional) If you have users who are outside the firewall, they
> > cannot use Kerberos. SPNEGO defaults first to NTLM, then to HTTPS
> > basic authentication. Access Manager does not support NTLM, so the
> > NTLM prompt for username and password fails. The user is then
> > prompted for a username and password for HTTPS basic
> > authentication, which succeeds if the credentials are valid.

>
> Why is isn't it working when users are outside the firewall? When
> users log-on to a member-server they have a Kerberos ticket right?
> Regardless of the network.


Not sure what the member-server has to do with being outside the
firewall to be honest but so be it.

From a very high level this is what happens. When you type in your user
credentials the Domain Controller you are authenticating to (your
workstation does that really) provides a ticket granting ticket (TGT).
When you try to obtain a service from a resource in the same domain
you'll need a ticket specific for this resource. The resource is
defined by its Service Provider Name (SPN). In order to obtain a ticket
for a specific service the TGT is send to a Domain Controller and it'll
send you a ticket back for that specific SPN. You can see on a
workstation with Win7 what tickets you have by typing 'klist tickets'
in a cmd.exe.

You can't authenticate to a member server as only Domain Controllers
can authenticate a user and issue Ticket Granting Tickets and tickets
for other resources in your domain (like the IDP).

> Could someone explain this? 🙂


In order to authenticate using kerberos users must be able to obtain a
ticket for your IDP. I guess what the document writers assumed is that
no KDC (Domain Controller) is available to users that are not the
internal network. Nothing will stop you from exposing a DC so users
working offsite can obtain kerberos tickets I guess but I don't think
it'll be a very good design from a security point of view.


--
Cheers,
Edward
0 Likes
The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.