Windows NT ® Single Sign On Cross Platform Applications (Part II)
John Brezak, Program Manager, Windows NT Security, Microsoft Corporation

Transcript of Windows NT ® Single Sign On Cross Platform Applications (Part II)

Page 1: Windows NT ® Single Sign On Cross Platform Applications (Part II)
John Brezak, Program Manager, Windows NT Security, Microsoft Corporation

Page 2: Topics
- Multiple account logon strategies
- Single account logon with Kerberos v5 interoperability
- Secure three-tier cross platform applications

Page 3: Single Sign-On Problem
- Multiple authentication authorities
- Users have multiple logons and passwords
- Admin functions for management and synchronization
- Better to have a single account domain!

Page 4: Logon Strategies
- Accommodating multiple logons
  - Custom GINA
  - Network Provider
  - Credential Manager / Authentication Package
- Single account domain
  - Public Key Infrastructure
  - Kerberos v5

Page 5: Extendable Winlogon Architecture
[Diagram: Winlogon, the GINA, and multiple network providers (NP).]
- Winlogon
- Graphical Identification and Authentication (GINA) DLL
- Customize for integrated multi-logon capability
- Network providers

Page 6: Anatomy Of A Network Provider
- Credential Manager sub-set (APIs)
  - LogonNotify
  - PasswordChangeNotify
- Authentication package
  - LogonTerminated

Page 7: Example: Network Provider
- Code walk-through of a simple Credential Manager

Page 8: Issues With Multiple Accounts
- Passwords need to stay in sync
- Need to manage each account separately
- Still need to be careful about passwords in the clear
- Better to have a single account domain

Page 9: Single Account Domain
[Diagram: a Windows NT5 Workstation runs the application protocol over SSPI and the Kerberos SSP; a Unix Server runs the same application protocol over GSS-API and the GSS Kerberos mechanism; a Windows NT5 KDC issues the TICKET.]
- Common cross-platform Kerberos v5 domain

Page 10: Kerberos v5 Interop Goals
- Cross-platform protocol interoperability
  - Authentication
  - Message integrity (sign/verify)
  - Confidentiality (seal/unseal)
- Single user account store
  - Scalability and ease of administration
- Use existing authorization mechanisms
  - Name-based authorization
  - Integrated Windows NT ® authorization

Page 11: Cross-Platform Interop
- Based on Kerberos v5 protocol
  - RFC 1510 and RFC 1964 token format
- Windows NT hosts the KDC
  - UNIX clients to Unix Servers
  - UNIX clients to NT Servers
  - NT clients to UNIX Servers
- Simple cross-realm authentication
  - UNIX realm to NT domain
- Not DCE compatible

Page 12: SSPI And GSSAPI
- Security Support Provider Interface
  - Microsoft ® Win32 ® API
- Generic Security Service - API
  - IETF RFC-1509
  - Kerberos mechanism type RFC-1964
- SSPI is semantically similar to GSS-API
- Another alternative: native Krb5 AP requests
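The RFC 1964 token format named on these slides is what the Kerberos SSP and the GSS Kerberos mechanism actually put on the wire, so a parser for that framing is a useful check when debugging or monitoring a cross-platform exchange. The Python below is an added example, not code from the presentation: the sample tokens are constructed (the AP-REQ body is dummy bytes, not a real Kerberos message), the TOK_ID and algorithm values come from RFC 1964, and tokens not framed for the Kerberos V5 mechanism are rejected.

```python
# Added example (not from the presentation): parser for the RFC 1964 Kerberos V5
# GSS-API token framing: 0x60 <DER len> 0x06 0x09 <krb5 OID> <TOK_ID> <body>.
KRB5_MECH_OID = bytes.fromhex("2a864886f712010202")  # 1.2.840.113554.1.2.2
TOK_IDS = {b"\x01\x00": "KRB_AP_REQ", b"\x02\x00": "KRB_AP_REP", b"\x03\x00": "KRB_ERROR",
           b"\x01\x01": "MIC", b"\x02\x01": "WRAP", b"\x01\x02": "DELETE_CONTEXT"}
def _der_length(buf, pos):  # decode a DER length; return (length, next position)
    if buf[pos] < 0x80:
        return buf[pos], pos + 1
    nbytes = buf[pos] & 0x7F
    if nbytes == 0 or nbytes > 4 or pos + 1 + nbytes > len(buf):
        raise ValueError("bad DER length")
    return int.from_bytes(buf[pos + 1:pos + 1 + nbytes], "big"), pos + 1 + nbytes

def parse_krb5_gss_token(token):  # describe a framed token; ValueError if malformed
    if len(token) < 2 or token[0] != 0x60:
        raise ValueError("missing 0x60 application tag")
    inner_len, pos = _der_length(token, 1)
    if inner_len < 13 or pos + inner_len != len(token) or token[pos] != 0x06:
        raise ValueError("length mismatch or missing mechanism OID")
    oid_len, pos = _der_length(token, pos + 1)
    oid, pos = token[pos:pos + oid_len], pos + oid_len
    if oid != KRB5_MECH_OID:
        raise ValueError("mechanism is not Kerberos V5: " + oid.hex())
    tok_id, body = token[pos:pos + 2], token[pos + 2:]
    if tok_id not in TOK_IDS:
        raise ValueError("unknown TOK_ID " + tok_id.hex())
    info = {"type": TOK_IDS[tok_id], "body_len": len(body)}
    if info["type"] in ("MIC", "WRAP"):  # per-message (sign/seal) token header
        if len(body) < 22:
            raise ValueError("short per-message token")
        info["sgn_alg"] = body[0:2].hex()  # 0000 = DES MAC MD5 per RFC 1964
        if info["type"] == "WRAP":
            info["sealed"] = body[2:4] != b"\xff\xff"  # SEAL_ALG ffff = no seal
        info["snd_seq"], info["sgn_cksum"] = body[6:14].hex(), body[14:22].hex()
    return info

def is_krb5_gss_token(token):  # boolean form, handy when classifying captures
    try:
        return bool(parse_krb5_gss_token(token))
    except ValueError:
        return False

def _frame(tok_id, body):  # builds the constructed sample tokens below
    inner = b"\x06\x09" + KRB5_MECH_OID + tok_id + body
    n = len(inner)
    return b"\x60" + (bytes([n]) if n < 0x80 else b"\x82" + n.to_bytes(2, "big")) + inner

# Constructed samples (not real Kerberos data): dummy 260-byte AP-REQ body, a MIC, a DES-sealed Wrap
SAMPLE_AP_REQ = _frame(b"\x01\x00", b"\x6e\x82\x01\x00" + bytes(256))
SAMPLE_MIC = _frame(b"\x01\x01", b"\x00\x00" + b"\xff" * 4 + bytes(range(16)))
SAMPLE_WRAP = _frame(b"\x02\x01", bytes(4) + b"\xff\xff" + bytes(range(16)) + bytes(8) + b"hello")
```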

Page 13: SSPI Client To GSS Server
[Flow diagram of context establishment on both sides.]
SSPI client:
- Get outbound credentials: AcquireCredentialsHandle
- Get authn token: InitializeSecurityContext
- Construct Message
- Send
- Wait for Reply
- Receive / Parse Reply Msg
- Continue Needed? (loop back to InitializeSecurityContext while more tokens are required)
- Connection Established
GSS server:
- Get inbound credentials: Gss_import_name, Gss_acquire_cred
- Listen for requests
- Receive / Parse Reply Msg
- Gss_accept_sec_context
- Construct Message
- Send
- Continue Needed? (loop back to receive the next client message while more tokens are required)
- Connection Established

Page 14: Example: Windows NT Client Code
- Time for a code walk-through; this time the client

Page 15: Example: Unix Server Code
- Now the server

Page 16: Demo: Simple Client Server
- Demo a cross platform secure application using Windows NT user credentials

Page 17: Windows NT User Authentication
- Windows NT logon obtains credentials
- Creates initial TGT to domain
- Klist tickets:

    Cached Tickets:
      Server: [email protected]
        End Time: 10/11/1998 20:05:32
        Renew Time: 10/11/1998 20:05:32
      Server: krbtgt/MIT.NTDEV.[email protected]
        End Time: 10/11/1998 20:05:32
        Renew Time: 10/11/1998 20:05:32
      Server: [email protected]
        End Time: 10/11/1998 20:05:32
        Renew Time: 10/11/1998 20:05:32

Page 18: Completing The Example
- Things to add for a real product
  - Data integrity
  - Data privacy
  - Using authenticated identity for authorization
- Differences between the international and domestic versions of Windows NT 5.0

Page 19: Three-Tier Cross Platform Applications
[Diagram: Internet Explorer (IE5, SSPI/Krb) talks HTTP to Internet Information Server at Http://server/service.dll, where an IIS Extension (SSPI/Krb) talks TCP to the App Service (GSS/Krb) on a Unix back-end server. "User: NTDEV\joeb" is shown at each of the three tiers.]

Page 20: Demo: 3-Tier Application

CyberSafe Corporation
- Cross Platform Security Solutions
  - Unix, Windows, Tandem, MVS
  - Clients, Servers, Developer Toolkits
- Security Expertise
  - Co-authors of Kerberos, PKINIT, PKCROSS, other standards within the IETF
  - Professional Services - Security Impact Analysis, Security Architecture, Education/Training
- WWW.CYBERSAFE.COM

Page 21: Summary
- Network Providers can unify multiple logons
- Reserve the use of a GINA for more complex logon scenarios
- A Single Account domain using integrated Kerberos v5
- Kerberos authentication + delegation = secure three-tier applications

Page 22: Call To Action
- Use Kerberos v5 as your cross-platform authentication mechanism
- Use the SSPI and GSSAPI as your cross-platform development security interfaces
- Use Network Providers to unify multiple logons

Page 23: For More Information
- Whitepapers
  - Microsoft Windows NT Distributed Security Services
  - Microsoft Windows NT Security Support Provider Interface
  - http://www.microsoft.com/ntserver
  - http://www.microsoft.com/security
- Windows NT 5.0 Beta2 Walkthroughs
  - http://ntbeta.microsoft.com
- MIT Kerberos 5 Interoperability
  - Kerberos for Unix
  - CyberSafe - http://www.cybersafe.com

Page 24: Windows NT ® Single Sign On Cross Platform Applications (Part II)
John Brezak, Program Manager, Windows NT Security, Microsoft Corporation