Mar 23, 2009

Authentication process: Kerberos or NTLM? and delegations

I previously posted on how to register an SPN. The SPN is pretty much all that Kerberos authentication needs. The common misunderstanding is that authentication first tries Kerberos and, if that fails, then tries NTLM. The "Kerberos falls back to NTLM" behaviour refers to the selection process, not to authentication itself. For example, when a client tries to access a server, NTLM will be selected if:
  • the client (such as IE) has "Integrated Windows Authentication" unchecked (even if the server's IIS has the NTAuthenticationProviders parameter set to "Negotiate, NTLM": NTLM fallback);
  • or the server's IIS has the NTAuthenticationProviders parameter set to "NTLM" (even if IE has "Integrated Windows Authentication" enabled);
  • or the SPN is not found in the KDC.
IIS 5 has the default setting "Negotiate, NTLM". In IIS 6 the NTAuthenticationProviders parameter is not set, but IIS 6 uses "Negotiate, NTLM" as the default just like IIS 5.

If both client and server support Kerberos (i.e. the server's IIS has "Negotiate, NTLM" and IE has "Integrated Windows Authentication" enabled), Kerberos will be selected and negotiation starts: if the client can get a ticket (an SPN exists), it sends the Kerberos ticket; otherwise the client asks to use NTLMSSP for authentication. If the server does not hold the SPN (the client has sent a wrong ticket), the server keeps challenging the client, and the result is that authentication fails: the server prompts for a password but fails on any credentials. The authentication process cannot fall back to NTLM at this point.

One common case in which the client gets a wrong ticket is when the request uses the NetBIOS name, such as http://servername/: HTTP/servername is not registered, but HOST/servername always exists. The result is that the client keeps sending a ticket for HOST/servername while the server expects an HTTP/servername ticket.
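The HOST/ versus HTTP/ mismatch above is easy to check before users start seeing password prompts. This is an added example, not code from the original post: it looks up which accounts hold the HTTP/ and HOST/ SPNs for a server name via an LDAP search and flags the cases the post describes (SPN missing, SPN on the wrong account, duplicate SPN). It assumes a domain-joined machine; the server and account names at the bottom are constructed samples.

```powershell
# Added example (not from the original post). Requires a domain-joined machine with
# ordinary read access to Active Directory; [adsisearcher] ships with PowerShell.
function Get-SpnOwner {
    param([Parameter(Mandatory=$true)][string]$Spn)
    # Search the domain for every account that carries this servicePrincipalName.
    $searcher = [adsisearcher]"(servicePrincipalName=$Spn)"
    $searcher.PropertiesToLoad.Add('samaccountname') | Out-Null
    $searcher.FindAll() | ForEach-Object { [string]$_.Properties['samaccountname'][0] }
}

function Test-WebServerSpn {
    param(
        [Parameter(Mandatory=$true)][string]$ServerName,  # name exactly as typed in the URL (NetBIOS or FQDN)
        [string]$AppPoolAccount                           # domain account the app pool runs as; omit for Network Service
    )
    $httpOwners = @(Get-SpnOwner "HTTP/$ServerName")
    $hostOwners = @(Get-SpnOwner "HOST/$ServerName")
    Write-Host "HTTP/$ServerName -> $(if ($httpOwners) { $httpOwners -join ', ' } else { '<not registered>' })"
    Write-Host "HOST/$ServerName -> $(if ($hostOwners) { $hostOwners -join ', ' } else { '<not registered>' })"

    if ($httpOwners.Count -gt 1) {
        # Same SPN on two accounts: the KDC cannot pick a key, so Kerberos is never selected.
        Write-Warning "HTTP/$ServerName is registered on several accounts ($($httpOwners -join ', ')); remove the duplicates."
    }
    if ($AppPoolAccount) {
        if ($httpOwners -notcontains $AppPoolAccount) {
            # Client falls back to the HOST/ SPN of the computer account, whose ticket the app pool cannot decrypt.
            Write-Warning "App pool runs as $AppPoolAccount but HTTP/$ServerName is not on that account. Register it with: setspn -A HTTP/$ServerName $AppPoolAccount"
        }
    } elseif (-not $hostOwners) {
        # Under Network Service the computer account's HOST/ SPN is what accepts the ticket.
        Write-Warning "No HOST/$ServerName SPN found; the computer account cannot accept Kerberos for this name."
    }
}

# Constructed sample: a site reached as http://servername/ whose app pool runs as svc_webapp.
Test-WebServerSpn -ServerName 'servername' -AppPoolAccount 'svc_webapp'
```

Run it once with the NetBIOS name and once with the FQDN, since clients build the SPN from whichever name appears in the URL.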

Now, why do we need delegation? You need delegation when you want to forward the logged-on user's credentials to another system, e.g. your ASP web application needs to access resources on another server (the double-hop issue). This can happen when you have custom code that connects to another SQL Server, when you retrieve BDC data (the other option for BDC is SSO), or when you need Excel Services to display data from a SQL report.

First, how do you get the logged-on user's credentials?

  • System.Net.CredentialCache.DefaultCredentials when impersonate=true
  • User.Identity.Name when the user is not anonymous
Second, how do you hop?

  • trust the server account (whatever it is, i.e. the application pool, SSP service account or MySite account, etc.) for delegation;
  • grant the authenticated user (rather than the service accounts) access to the target server/data.

Do you need to trust the computer account for delegation? No, except when your service is running under Network Service, Local Service or Local System. When configuring the computer account for delegation, 1) register the specific service (option 3) rather than all services (option 2), see here for instructions; 2) reboot the server to make it effective.
Remember that delegation has both timing and location constraints.

Here is the checklist for Kerberos delegation.