1. Kerberos Survival Guide Presented by: JD Wade, SharePoint Consultant, MCITP Mail: jd.wade@hrizns.com Blog: http://wadingthrough.com LinkedIn: JD Wade Twitter: http://twitter.com/JDWade

3. Certified KnowledgeLake Partner

4. With Horizons since 2005

5. Member of SharePoint 2007 and 2010 TAP

6. Over 10 years of IT experience

7. Technical Editor forSharePoint 2010 Disaster Recovery http://tinyurl.com/SPDRBook2010

8. Loves anything related to sound

10. Logon Process

11. Accessing a Web Site

12. Troubleshooting Kerberos Demos

15. Dependencies SPN

16. Service Principal Name Service Class Host Name Port HTTP/website:80

17. Service Classes allowed by host alerter http policyagent scm appmgmt ias protectedstorage seclogon browser iisad rasman snmp cifs min remoteaccess spooler cisvc messenger replicator Tapisrv clipsrv msiserver rpc time dcom mcsvc rpclocator trksvr dhcp netdde rpcss trkwks dmserver netddedsm rsvp ups dns netlogon samss w3svc dnscache netman scardsvr wins eventlog nmagent scesrv www eventsystem oakley Schedule fax plugplay

19. Delegated Authentication

20. Interoperability

21. More Efficient Authentication

22. Mutual Authentication

23. IIS – Chatty by default

24. IIS6 – See MS KB 917557

26. KDC

27. KDC

28. KDC SPN

29. KDC

30. Access Web Site

31. 401

32. SPN

34. TroubleshootingKerberos Demos

35. Delegation

37. Demo

38. FBA Kerberos

39. Demo

41. What Is Kerberos Authentication?http://technet.microsoft.com/en-us/library/cc780469%28WS.10%29.aspx

42. How the Kerberos Version 5 Authentication Protocol Workshttp://technet.microsoft.com/en-us/library/cc772815%28WS.10%29.aspx

44. How To: Use Protocol Transition and Constrained Delegation in ASP.NET 2.0http://msdn.microsoft.com/en-us/library/ff649317.aspx

46. Appendix

48. Authentication is the process of proving your identity to a remote system.

49. Your identity is who you are, and authentication is the process of proving that. In many systems your identity is your username, and you use a secret shared between you and the remote system (a password) to prove that your identity.

50. User password is encrypted as the user key. User key is stored in credentials cache. Once the logon session key is received, the user key is discarded.

51. Service password is encrypted as the service key.

53. Another reason for simplification: encryption upon encryption upon encryption…just remember it is encrypted

54. This is a Windows-centric Kerberos presentation

55. Load balanced solutions need service account

56. All web applications hosted using the same SPN have to be hosted with the same account

58. Key Distribution Center (KDC) – In Windows AD, KDC lives on domain controllers (DC), KDCs share a long term key across all DCs.

59. KDC security account database – In Windows, it is Active Directory

60. Authorization Service (AS) – part of the KDC

61. Ticket Granting Service (TGS) – part of the KDC

63. A user's initial ticket from the authentication service

64. Used to request service tickets

65. Meant only for use by the ticket-granting service.

66. Service ticket for the KDC (service class = krbtgt)

67. Service Ticket

69. SetSPN

70. Windows Security Logs

71. Windows 2008 ADUC or ADSIEdit

72. Kerbtray or Klist

73. Netmon and Fiddler

74. IIS Logs and IIS7 Failed Request Tracing

75. LDP

76. Kerberos Logging

78. Have user logon and logoff if they don’t regularly: TGTs are only renewable for so long and then they expire (7 day default), then password has to be re-entered.

80. Missing SPN

81. Duplicate SPN

82. SPN assigned to wrong service account

83. Times are out of sync

84. Client TGT expired (7 days)

85. IE and non-default ports

91. Knowledge - Know your Forests, Domains, Trusts, Functional Levels…get a basic lay of the land.

92. Always test from a different machine than the web server or domain controller!

93. SetSPN

94. Windows Security Logs

95. Windows 2008 ADUC

96. Kerbtray

97. Netmon and Fiddler

98. IIS Logs and IIS7 Failed Request Tracing

99. Kerberos Logging

101. Missing SPN

102. Duplicate SPN

103. SPN assigned to wrong service account

104. IIS Providers are incorrect (For IIS 5 or 6, see http://support.microsoft.com/kb/215383)

105. IIS 7 – remember Kernel mode authentication and check settings

106. Client TGT expired (7 days expiration – have user logon and logoff, no reboot required)

107. IE and non-default ports

108. Re-authentication makes it slow: see either MS KB 917557 (IIS6) or 958473 (IIS7)