The name "Kerberos" is derived from Greek mythology. Cerberus is the Latin variant of Kerberos. Kerberos is the three-headed watchdog that guards the entrance to the lower world, or Hades. It is a child of the giant Typhon and Echidna, a monstrous creature herself, being half woman and half snake. Originally, the dog was portrayed as having fifty or a hundred heads, but was later pictured with only three heads (and sometimes with the tail of a serpent). Cerberus permitted new spirits to enter the realm of the dead, but allowed none of them to leave. Only a few ever managed to sneak past the creature, among them Orpheus, who lulled it to sleep by playing his lyre, and Heracles, who brought it to the land of the living for a while (the last of his Twelve Labors).
Like the mythical creature, the Kerberos security system guards electronic transmissions that are sent across the Internet.
Kerberos is a mature network authentication protocol designed to provide strong authentication for client/server applications by using shared secret-key cryptography.
Kerberos authentication is a form of Windows authentication that allows delegation of credentials through multiple application layers and across multiple servers, unlike NTLM, which passes user credentials through one layer only. Therefore, if you have set up K2.net 2003, IIS and other third-party applications such as SPS on multiple servers and need to pass user credentials throughout, you will have to make sure Kerberos authentication is working. Kerberos authentication can be implemented either in a constrained delegation model (i.e. trusting specific user/service accounts for delegation and using these accounts to run the applications) or in a full delegation model (i.e. trusting machines for delegation and using the Local System or Network Service accounts to run the applications). It is, however, the responsibility of each individual client to determine which delegation model, constrained or full, satisfies the needs and constraints of their organization.
Note: The following article is a "How to" explanation of configuring Kerberos authentication. Owing to the complexity and the potential for incorrect configuration, we recommend that only senior technical staff be enlisted, or at least consulted, while configuring this authentication model.
How or when would I know if my Kerberos configuration is not functioning as it should?
When the K2.net 2003 Workspace or the K2.net 2003 Server (running in console mode) shows that an anonymous user logged in although you specified a user, or a NULL user credential set is passed to the K2.net 2003 Server, this is the first sign that Kerberos is not configured correctly for K2.net 2003.
Examples of common authentication errors relating to Kerberos and delegation
K2.net Service Manager (Console Mode)
- Anonymous login transactions
Internet Explorer web pages
- "401 - Access Denied"
- Service Unavailable
- Login displayed as "NT AUTHORITY\ANONYMOUS LOGON"
- Multiple login prompts when attempting to access the K2.net Workspace
These errors indicate that the "Delegation" settings must be configured. By default, the system is not trusted for delegation.
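The symptoms above also leave traces in the IIS W3C logs of the servers involved. The following PowerShell is an added example, not part of the original K2.net article: it scans log lines for the patterns that accompany a failed Kerberos/delegation setup (a client that is challenged with 401 again and again and never gets a 200, SSPI error codes in sc-win32-status, and 503 Service Unavailable from an application pool that could not start). The log lines are constructed for illustration; an ordinary 401.2 challenge followed by a 200 is the normal Negotiate handshake and is deliberately not flagged.

```powershell
# Added example (not part of the original K2.net article): scan IIS W3C log
# lines for the Kerberos/delegation symptoms listed above. $SampleLog is
# constructed for illustration; to run against a real server, replace it
# with Get-Content on the site's u_ex*.log file.

$SampleLog = @'
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2005-03-01 09:00:01 10.0.0.5 GET /Workspace/default.aspx - 80 - 10.0.0.21 Mozilla/4.0 401 2 5
2005-03-01 09:00:01 10.0.0.5 GET /Workspace/default.aspx - 80 DOMAIN\jsmith 10.0.0.21 Mozilla/4.0 200 0 0
2005-03-01 09:00:05 10.0.0.5 GET /Workspace/default.aspx - 80 - 10.0.0.22 Mozilla/4.0 401 2 5
2005-03-01 09:00:06 10.0.0.5 GET /Workspace/default.aspx - 80 - 10.0.0.22 Mozilla/4.0 401 1 2148074254
2005-03-01 09:00:08 10.0.0.5 GET /Workspace/default.aspx - 80 - 10.0.0.22 Mozilla/4.0 401 1 2148074254
2005-03-01 09:00:12 10.0.0.5 GET /K2Service/K2.asmx - 80 - 10.0.0.5 Mozilla/4.0 503 0 0
'@
$LogLines = $SampleLog -split "`r?`n"

function Find-KerberosAuthSymptoms {
    param([Parameter(Mandatory)] [string[]] $Lines)

    # SSPI codes (sc-win32-status) that frequently accompany a failed Negotiate/Kerberos handshake.
    $SspiCodes = @{
        2148074248 = 'SEC_E_INVALID_TOKEN (0x80090308)'
        2148074254 = 'SEC_E_NO_CREDENTIALS (0x8009030E)'
    }

    $fields = $null
    $streak = @{}   # "client-ip|uri" -> consecutive 401 responses with no success in between

    foreach ($line in $Lines) {
        if ($line -match '^#Fields:\s*(.+)$') { $fields = $Matches[1] -split '\s+'; continue }
        if (-not $fields -or $line.StartsWith('#') -or [string]::IsNullOrWhiteSpace($line)) { continue }

        $cols = $line -split ' '
        if ($cols.Count -ne $fields.Count) { continue }    # skip truncated lines
        $row = @{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $cols[$i] }

        $key = "$($row['c-ip'])|$($row['cs-uri-stem'])"
        if ($row['sc-status'] -eq '401') { $streak[$key] = 1 + [int]$streak[$key] } else { $streak[$key] = 0 }

        $reasons = @()
        $win32 = [long]$row['sc-win32-status']
        if ($SspiCodes.ContainsKey($win32)) {
            $reasons += "SSPI error $($SspiCodes[$win32])"
        }
        if ($streak[$key] -ge 3) {
            $reasons += "$($streak[$key]) consecutive 401s from the same client; the user is never authenticated (repeated logon prompts)"
        }
        if ($row['sc-status'] -eq '503') {
            $reasons += 'Service Unavailable: the application pool did not start; verify the pool identity account and password'
        }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Time   = "$($row['date']) $($row['time'])"
                Client = $row['c-ip']
                Uri    = $row['cs-uri-stem']
                Status = "$($row['sc-status']).$($row['sc-substatus'])"
                Reason = $reasons -join '; '
            }
        }
    }
}

Find-KerberosAuthSymptoms -Lines $LogLines | Format-Table -AutoSize -Wrap
```

With the constructed input, the two SEC_E_NO_CREDENTIALS lines from 10.0.0.22 and the 503 from the web service are reported, while 10.0.0.21's challenge-then-200 sequence is not. On a real server, correlate the flagged client and time with the Security event log on the IIS and K2.net servers to see whether the logon that did arrive was Kerberos or an NTLM fallback.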
Important: Making changes to the authentication model for your network is the responsibility, and at the risk, of each individual client. It is the client's responsibility to determine which delegation model, constrained or full, satisfies the needs and constraints of their own company. This article merely provides the information required to implement the changes.
Delegation is where a service is configured to impersonate either a user account or computer account which then gives the service access to resources on the network. The delegation may be set to be trusted for any service (Full Delegation) or for specific services (Constrained Delegation) only.
To configure the delegation option of your choice, follow the steps outlined in this article.
Configure Active Directory
To implement Full Delegation, all systems in Active Directory running K2.net 2003 components need to be configured as "Trusted for Delegation" (this may also include the Domain Controller).
The systems which would commonly require configuration include the IIS Server and the K2.net 2003 Server.
Note: Depending on your network architecture, you may also need to enable "Trusted for Delegation" on the SQL Server.
To access this setting, open "Active Directory Users and Computers" and go to the "Computers" and "Domain Controller" sections. You can then right-click each computer and check the "Trusted for Delegation" option on the "Properties" dialog.
To implement Constrained Delegation, all Active Directory user/service accounts that are used to run services and Application Pools also need to be "Trusted for Delegation" ("Trust this user for delegation to any service (Kerberos only)"). This setting is accessible from the "Account" tab of the user's properties in Active Directory. "Account is sensitive and cannot be delegated" must NOT be enabled for any account used to run any service.
Note: Active Directory needs to replicate before changes take effect; this may take some time (the default replication interval is every 3 hours). Replication can be forced with the repadmin tool, which is part of the Windows Server 2003 Support Tools, or with the File Replication Service Diagnostics Tool (FRSDiag.exe, frsdiag) from Microsoft Downloads.
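The two checkboxes described above correspond to attributes on the account object, so they can be audited rather than clicked through one dialog at a time. The PowerShell below is an added example, not part of the original article: it reads the delegation flags of the accounts and computers that run K2.net and IIS and states, per object, whether the configuration matches the rules given above. It assumes the ActiveDirectory PowerShell module (RSAT, Windows Server 2008 R2 or later), which post-dates the Windows Server 2003 tooling in this article but reads the same attributes; the identities passed in at the bottom are placeholders.

```powershell
# Added example (not part of the original article): audit the Active Directory
# delegation flags for the accounts and computers that run K2.net and IIS.
# Requires the ActiveDirectory module (RSAT). Identities below are placeholders.
Import-Module ActiveDirectory

function Get-DelegationAudit {
    param(
        [string[]] $UserAccounts = @(),       # sAMAccountNames of service / app-pool accounts
        [string[]] $ComputerAccounts = @()    # NetBIOS names of the IIS, K2.net and SQL servers
    )

    $props = 'TrustedForDelegation', 'AccountNotDelegated', 'msDS-AllowedToDelegateTo', 'ServicePrincipalNames'

    $objects = @()
    foreach ($u in $UserAccounts)     { $objects += Get-ADUser     -Identity $u -Properties $props }
    foreach ($c in $ComputerAccounts) { $objects += Get-ADComputer -Identity $c -Properties $props }

    foreach ($o in $objects) {
        $targets   = @($o.'msDS-AllowedToDelegateTo')   # specific services (constrained delegation)
        $sensitive = [bool]$o.AccountNotDelegated       # "Account is sensitive and cannot be delegated"
        $anySvc    = [bool]$o.TrustedForDelegation      # "Trust ... for delegation to any service (Kerberos only)"

        # Verdicts follow the article: a service account must not be marked sensitive,
        # and must be trusted for delegation either to any service or to specific ones.
        if ($sensitive)               { $verdict = 'FAIL: "Account is sensitive and cannot be delegated" is set' }
        elseif ($anySvc)              { $verdict = 'OK: trusted for delegation to any service (full delegation)' }
        elseif ($targets.Count -gt 0) { $verdict = 'OK: trusted for delegation to specific services (constrained)' }
        else                          { $verdict = 'FAIL: not trusted for delegation' }

        [pscustomobject]@{
            Name               = $o.SamAccountName
            ObjectClass        = $o.ObjectClass
            TrustedAnyService  = $anySvc
            ConstrainedTargets = ($targets -join ', ')
            SensitiveNoDeleg   = $sensitive
            SPNs               = @($o.ServicePrincipalNames).Count
            Verdict            = $verdict
        }
    }
}

# Placeholder identities; replace with the accounts that run your K2.net / IIS services.
Get-DelegationAudit -UserAccounts 'K2ServiceAccount', 'K2AppPoolAccount' -ComputerAccounts 'K2SERVER', 'IISSERVER' |
    Format-Table -AutoSize -Wrap
```

The report lists "any service" and "specific services" separately because they differ in reach: an account trusted for delegation to any service can obtain tickets to every service in the domain on behalf of the users it impersonates, whereas a constrained account is limited to the SPNs in msDS-AllowedToDelegateTo. The SPN count column is a quick check that the account running an Application Pool actually has the HTTP SPNs registered in the next section.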
The Active Directory database must be replicated or shared between the domain controllers. The data replicated between controllers is also called the "Naming Context".
Active Directory uses a multi-master model, so changes made on one controller are replicated to all controllers; when amendments are made on a domain controller, only the changes are replicated and not the entire database. The replication path in Active Directory forms a ring, which adds reliability to the replication.
To implement Kerberos authentication, a service must register its name. The registered name is called a Service Principal Name (SPN), and it is registered in Active Directory under the account that the service runs as. For full delegation, Active Directory by default registers the NetBIOS (computer) name and allows the NetworkService or LocalSystem account to use Kerberos, so no SPNs need to be registered.
If the K2.net 2003 Workspace service or a web service connecting to the K2.net 2003 Server runs in an Application Pool under a specific user/service account (i.e. constrained delegation not using the Network Service/Local System accounts), that user/service account requires an SPN. An SPN also needs to be registered if a host header is used, if your site is referenced by a Windows Internet Name Service (WINS) or Domain Name System (DNS) name that is not the same as the computer name of the server running IIS, or if your application uses a port other than the default.
Follow the steps below:
- Obtain the "Setspn" utility via internet download and install it on the Domain Controller. Use the URL specified below to obtain the utility.
Microsoft Download Center: Setspn.exe
- If you do not have internet access, the "Setspn" utility is also available from the Support Tools folder on a Windows Server 2003 installation CD.
- Once you have installed the utility, open a command prompt window and navigate to the directory in which this tool has been installed.
Note: Ensure that you are logged in as a domain administrator to add SPNs to Active Directory. Alternatively, the command prompt must be run under a user with domain admin rights.
Enter the commands for exactly one of the following options, whichever matches your configuration.
Option 1: Application Pool running under a specific user account and the web site not using host headers:
    setspn -A HTTP/computer.domain.local Domain\User
    setspn -A HTTP/computername Domain\User
Note: "computer.domain.local" is the fully qualified domain name of the IIS server and "computername" is its NetBIOS name.
Option 2: Application Pool running under a specific user account and the web site using host headers:
    setspn -A HTTP/hostheader.domain.local Domain\User
    setspn -A HTTP/hostheader Domain\User
Option 3: Application Pool NOT running under a specific user account and the web site using host headers:
    setspn -A HTTP/hostheader.domain.local computername
    setspn -A HTTP/hostheader computername
Option 4: Application Pool NOT running under a specific user account and the web site not using host headers:
    Do not use setspn.
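The four options share one rule: the HTTP SPN is built from the name in the URL the browser uses (host header if there is one, otherwise the computer name) and is registered on the account whose key will decrypt the service ticket (the pool's domain account if it has one, otherwise the computer). The PowerShell below is an added example, not part of the original article: it derives the SPNs for a given site configuration from that rule, extends the table with the non-default-port case mentioned earlier in this article (the :port forms are added alongside the plain ones, since which form the client sends depends on browser settings), and prints the matching setspn commands for review. It registers nothing itself. The setspn -Q check assumes the setspn.exe shipped with Windows Server 2008 and later; the Windows Server 2003 Support Tools version does not have -Q, so there use setspn -L on each candidate account instead.

```powershell
# Added example (not part of the original article): derive the HTTP SPNs a site
# needs from the four options above and print the setspn commands for review.
# Nothing is registered here. All names passed in at the bottom are placeholders.

function Get-RequiredHttpSpn {
    param(
        [Parameter(Mandatory)] [string] $ComputerName,  # NetBIOS name of the IIS server
        [Parameter(Mandatory)] [string] $DnsDomain,     # DNS domain, e.g. domain.local
        [string] $HostHeader,                           # host header / DNS alias users browse to, if any
        [int]    $Port = 80,                            # site port; ports other than 80/443 are added to the SPN
        [string] $AppPoolAccount                        # DOMAIN\User when the pool runs as a domain account; omit for Network Service / Local System
    )

    $customPort = $Port -notin @(80, 443)

    # Option 4: built-in pool identity, no host header, default port. The computer
    # account's default HOST/ SPNs already cover HTTP/, so nothing is registered.
    if (-not $HostHeader -and -not $AppPoolAccount -and -not $customPort) {
        return [pscustomobject]@{ Option = 4; Account = $ComputerName; Spns = @() }
    }

    # Options 1-3: the SPN goes on the pool's domain account if it has one (options 1 and 2),
    # otherwise on the computer account (option 3).
    $account = if ($AppPoolAccount) { $AppPoolAccount } else { $ComputerName }
    $option  = if ($AppPoolAccount) { if ($HostHeader) { 2 } else { 1 } } else { 3 }

    # The browser builds the SPN from the name in the URL: the host header if present, else the computer name.
    $short = if ($HostHeader) { $HostHeader.Split('.')[0] } else { $ComputerName }
    $fqdn  = if ($HostHeader -and $HostHeader.Contains('.')) { $HostHeader } else { "$short.$DnsDomain" }

    $spns = @("HTTP/$fqdn", "HTTP/$short")
    if ($customPort) { $spns += "HTTP/${fqdn}:$Port", "HTTP/${short}:$Port" }   # both plain and :port forms, so either client behaviour works

    [pscustomobject]@{ Option = $option; Account = $account; Spns = $spns }
}

function New-SetspnCommands {
    param([Parameter(Mandatory)] $Plan)
    if ($Plan.Spns.Count -eq 0) { return 'REM Option 4: do not use setspn' }
    foreach ($spn in $Plan.Spns) {
        # An SPN may exist on one account only. The same SPN on two accounts leaves the KDC
        # unable to choose a key, and clients fall back to NTLM or get 401s. Query before adding.
        "setspn -Q $spn"
        "setspn -A $spn $($Plan.Account)"
    }
    "setspn -L $($Plan.Account)"    # list what the account holds afterwards
}

# Placeholder configuration: a pool running as DOMAIN\K2AppPool behind the alias
# k2.domain.local on port 8080 (option 2 plus a non-default port).
$plan = Get-RequiredHttpSpn -ComputerName 'IISSERVER' -DnsDomain 'domain.local' `
    -HostHeader 'k2.domain.local' -Port 8080 -AppPoolAccount 'DOMAIN\K2AppPool'
"Option $($plan.Option): register on $($plan.Account)"
New-SetspnCommands -Plan $plan
```

For the placeholder configuration the output is the option 2 pair from the table, HTTP/k2.domain.local and HTTP/k2, plus their :8080 forms, each preceded by a setspn -Q line. If -Q reports the SPN on a different account than the one you are about to use, remove it there (setspn -D) before adding it, or the site will keep producing the 401 and anonymous-logon symptoms described earlier even though every delegation checkbox is correct.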