Re: AW: Using a Kerberized application outside the Kerberos Realm - Kerberos


Thread: Re: AW: Using a Kerberized application outside the Kerberos Realm

  1. Re: AW: Using a Kerberized application outside the Kerberos Realm



    Florian Frankenberger wrote:
    > Thank you, Mike.
    >
    > In my case, Alice isn't running in a domain at all.


    Do you mean DNS domain or Windows AD domain? Kerberos deals with realms.
    A service is in a realm if there exists a principal for the service
    in the realm, and the service has a copy of the keytab file with the
    shared secret for the principal. A client can then request a service
    ticket from the KDC if it knows the principal name of the service.
    The service principal is usually of the form /@
    but if the client and service agree on some other name, that can work too.
    By convention the service ticket has the FQDN of the host, but that is
    really up to the client and server to agree.

    But if your service is tied to Active Directory, i.e. it is a Windows
    based service, then it is using AD for more than Kerberos authentication.
    It is using AD for authorization information too.

    With Unix there is normally a host/@ principal
    that represents the machine (usually for login) and this could be referred
    to as the machine is in the realm. But there is no requirement that
    there be such a principal. You could have your own XYZ/@
    principal representing your XYZ service running on that host,
    and that is the only Kerberos service running.

    Also note that a service could have multiple principals in different realms,
    and have these in the same keytab file. It could then accept service
    tickets from either realm.

    Mike was talking about cross realm, where two realms trust each other,
    say AI-AG.US and AI-AG.DE. The user@AI-AG.US can use cross realm to get
    a service ticket for service/host@AI-AG.US.


    > That's why I have to implement the check for authenticity on Alice's side in my own way.
    > So what about the idea of having the service ticket encrypted with the symmetric key that
    > only the KDC and Alice know?


    But that is the definition of a service ticket!

    > Doesn't this mean a kind of secure proof of authenticity to Alice if the ticket passed
    > by Bob can be decrypted with the shared secret key? Or is it simply impossible
    > to get a service ticket for a service that doesn't exist in this or any other domain?
    >


    Again the use of "existing in a domain". It's not clear what you mean.


    >
    > -----Original Message-----
    > From: Michael B Allen [mailto:mba2000@ioplex.com]
    > Sent: Monday, 21 August 2006 20:49
    > To: Florian Frankenberger
    > Cc: kerberos@mit.edu
    > Subject: Re: Using a Kerberized application outside the Kerberos Realm
    >
    >
    > On Mon, 21 Aug 2006 18:40:28 +0200
    > "Florian Frankenberger" wrote:
    >
    >
    >>My problem is that Alice is not in the domain in which the KDC is running.
    >>To be more precise, the KDC and the service Alice are set up in different
    >>network environments and thus do not know each other.
    >>Is it possible to create a kerberized service that is not part of the
    >>Kerberos realm? If yes, what do I have to do?
    >
    >
    > Alice and Bob have to be in the same realm or in separate realms that
    > have a trust established between them. Otherwise there is no basis for
    > establishing trust between Alice and Bob. Kerberos is a "third party
    > authentication system" so there needs to be someone both principals trust.
    >
    >
    >>I thought of sharing the symmetric service key between the KDC and Alice. To do so, I tried to create the service Alice with ktpass, give the so created encryption key to Alice and let Alice decrypt the service tickets that will be delivered by Bob later.
    >>
    >>Is this procedure possible in theory? Does anyone know how to obtain the service ticket by using JAAS? I only managed to get the TGT.

    >
    >
    > If Bob requests a ticket for ALICESVC/apps22.ai-ag.de@AI-AG.DE then
    > even if Bob is bob@AI-AG.US he should have no problem looking up the
    > KDC for AI-AG.DE using DNS and getting a ticket per usual. But a trust
    > relationship would be required between AI-AG.DE and AI-AG.US.
    >
    > Mike
    >


    --

    Douglas E. Engert
    Argonne National Laboratory
    9700 South Cass Avenue
    Argonne, Illinois 60439
    (630) 252-5444
    ________________________________________________
    Kerberos mailing list Kerberos@mit.edu
    https://mailman.mit.edu/mailman/listinfo/kerberos
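Doug's two points above, that a service verifies a ticket with nothing but the key in its keytab (no connection to the KDC) and that one keytab can hold keys for several realms, modelled as an added example of my own, not code from the thread or from MIT Kerberos. It stands in a toy HMAC-based sealing for a real enctype and a JSON dict for the ASN.1 ticket; the principal name ALICESVC/apps22.ai-ag.de and the realms are the thread's, the KDC class and function names are assumptions.

```python
import hmac, hashlib, json, os, time

# Toy authenticated encryption standing in for a Kerberos enctype (NOT the Kerberos wire format).
def _keystream(key, nonce, n):
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def seal(key, obj):
    nonce, pt = os.urandom(16), json.dumps(obj).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    """Return the sealed object, or None if the blob was not sealed under this key."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        return None
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

class KDC:  # knows each service principal's long-term key; the service holds the same key in its keytab
    def __init__(self, realm, service_keys):
        self.realm, self.service_keys = realm, service_keys
    def issue_service_ticket(self, client, sname, lifetime=300):
        session = os.urandom(32).hex()
        body = {"client": client, "sname": sname, "realm": self.realm,
                "session": session, "expires": time.time() + lifetime}
        # real Kerberos hands the session key to the client under the client's own key
        return seal(self.service_keys[sname], body), session

def ap_req(ticket, session, client):
    """What Bob sends to Alice: the opaque ticket plus a fresh authenticator under the session key."""
    return ticket, seal(bytes.fromhex(session), {"client": client, "ctime": time.time()})

def service_accept(keytab, ticket, authenticator, now=None):
    """Alice's side: check the ticket using only keytab keys, never contacting any KDC."""
    now = time.time() if now is None else now
    # a keytab may hold keys for several realms; whichever one verifies the ticket is the issuer's
    t = next((d for d in (unseal(k, ticket) for k in keytab) if d is not None), None)
    if t is None:
        raise PermissionError("no keytab entry decrypts this ticket")
    if t["expires"] < now:
        raise PermissionError("ticket expired")
    a = unseal(bytes.fromhex(t["session"]), authenticator)
    if a is None or a["client"] != t["client"] or abs(a["ctime"] - now) > 300:
        raise PermissionError("authenticator does not match ticket")
    return t["client"], t["realm"]
```

A ticket sealed under a key that is in no keytab entry is rejected outright, which is exactly why a service needs the shared secret and nothing else from the KDC.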


  2. AW: AW: Using a Kerberized application outside the Kerberos Realm

    First of all thank you all for participating and sorry for being unclear.
    By saying that Alice is not in a domain I mean that
    Alice is not part of a Windows domain, thus not part of an AD and also is not
    part of a Kerberos Realm.
    The host on which Alice is running is not reachable from the KDC and cannot
    reach the KDC directly. So what I was trying to ask is if there is a possibility
    to check a service ticket for authenticity by means of sharing a secret key
    between Alice and the KDC once and then decrypting incoming service tickets with
    my own implementation, without establishing a connection between the KDC and
    Alice. To do so, I would have to know if it is possible to create a Kerberos
    service for a service that is not reachable, thus not really existing from the
    point of view of the KDC. I'd then have to extract the secret key after creating
    this - let's call it "virtual" - service. I'd have to pass it to Alice once and
    then let Alice check incoming service tickets for authenticity by decrypting them
    with the symmetric service key. Is this possible? I've been trying to do this
    for many days now but I am at a dead end.
    I tried to use those ktpass and kinit tools, but I simply don't know if I am
    doing it right. As I understand it, ktpass creates a principal in my AD for the
    service. This is my first problem: what do I pass ktpass about the host and
    the realm the service is running in? Is it possible to tell ktpass to create
    a principal for a service in a realm that doesn't really exist? If so, how can
    I get the secret key after that? And how can I get a service ticket for this
    service that is not really existing?
    I know that all this is quite unusual but any help is very appreciated. If
    someone has a completely different solution for my problem, please tell me.
    Thank you very much.

    Flo


    -----Original Message-----
    From: Douglas E. Engert [mailto:deengert@anl.gov]
    Sent: Tuesday, 22 August 2006 20:58
    To: Florian Frankenberger
    Cc: Michael B Allen; kerberos@mit.edu
    Subject: Re: AW: Using a Kerberized application outside the Kerberos
    Realm
