Excellent article! I did not know that each individual SPN had its own encryption key. That was really a good piece of information that I cannot find in any other SPN explanation, yet it answers a number of mysterious questions I've always had about SPNs. Thank you for that!
The complete disconnect between source code and the web.config file, in combination with having to paste entire sections of XML into the web.config just to get this working, not to mention the amount of troubleshooting that this might cause with few people that understand any of it, indicates to me that probably less than 1/10th of 1% of all Windows web services will ever use Kerberos.
I do hope Windows 2012 has made Kerberos implementation easier for web services.
hi, this is a great article.
I am just a beginner at authentication.
Can you please kindly tell me which part is about single sign-on on a workstation and how the web application is authenticated?
Great post on a topic that doesn't get covered nearly enough. In big intranets, domain controllers are constantly getting run into the ground with NTLM auth requests. Given how much more efficient Kerberos is, it's wonderful to see it covered.
Thanks for an interesting article!
- I think here is a mistake: "Uses the session key to decrypt the authenticator (contains a time stamp and other information)". Should be "encrypt"
- The described creation process applied to an ASP web service application for both the server and client parts. For a web service application you really have a web.config to write the enabling WSE 3.0 settings into. In the example, the client is finally a console application; should I write the settings in a .exe.config instead of web.config? I think yes.
Still I cannot figure it out; maybe I am missing something.
The aim of Kerberos is secure authentication to a web service application using the logged-in (domain) user's credentials. Could you please explain how I:
- have 2 or more different (domain) users "automatically" authenticate to a SINGLE web service application? Which user in this case should have the application pool?
- on the server, inside the WebMethod, get which user (domain/username) has been authenticated (or tried to be)?
Thanks Alexcool for this important post,
You are right about your first comment, and I have corrected it.
Also, your second comment is true and I have added a sample of the app.config file that I used in my console application to write the settings.
For your questions, I may investigate them by the weekend.
Wait for my reply.
The aim of Kerberos in this demo is not securing authentication to the web service. We used Kerberos here as a broker. The main target here is implementing single sign-on, in which once a client presents his credentials, authenticates himself and needs to access a web service, it doesn't have to present credentials again. It can be authenticated to the web service using some broker; this broker knows both the client and the web service.
I hope this point is now clear.
2 or more different (domain) users "automatically" authenticate to a SINGLE web service application. Which user in this case should have the application pool?
None of them should have the application pool.
The reason for creating a new domain user for the application pool is making a new master key for this application pool, so the service ticket that I got from the KDC is encrypted by this key; only web services running over this application pool can decrypt this ticket, but services running over other application pools can't decrypt the ticket.
Look at the following code from the demo:
Console.WriteLine("(2) Token with first SPN and calling the secound service ");
1-I used the first policy, so it requested a ticket with the first service SPN.
2-The ticket is encrypted using the first service's master key.
3-When requesting the second service, it couldn't decrypt the ticket.
4-Requesting the second service fails and an exception occurs.
So, the application pool user is different from the web service requesters.
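To illustrate the four steps above, here is an added Python simulation (not code from the article or its demo) of why a service ticket issued for the first SPN is rejected by the second service: the KDC seals the ticket under the long-term key of the application pool account that owns the requested SPN, so only services in that pool can open it. The SPNs, the account keys and the toy cipher are constructed stand-ins for the real Kerberos ones.

```python
import hashlib, hmac, os, time

# Constructed stand-in for the KDC's view of the two application pool accounts:
# one long-term key per registered SPN (the key derives from the pool account's
# password, so every service in that pool shares it and other pools do not).
SERVICE_KEYS = {
    "HTTP/service1.demo.local": os.urandom(32),  # first service's pool account
    "HTTP/service2.demo.local": os.urandom(32),  # second service's pool account
}

def _keystream(key, nonce, length):
    # Toy SHA-256 counter-mode keystream; stands in for the cipher Kerberos uses.
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
              for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]

def seal(key, plaintext):
    # Encrypt-then-MAC so a wrong key is detected instead of yielding garbage.
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("ticket not encrypted under this service's key")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

def issue_service_ticket(client, spn):
    # KDC: seal client name, SPN, timestamp and a fresh session key under the
    # key of the account that owns the requested SPN.
    session_key = os.urandom(32)
    body = b"|".join([client.encode(), spn.encode(), str(int(time.time())).encode(), session_key])
    return session_key, seal(SERVICE_KEYS[spn], body)

def service_accepts(spn, ticket):
    # Web service in the pool for `spn` tries its own key: returns the client
    # name on success, None when the ticket was issued for another SPN.
    try:
        return unseal(SERVICE_KEYS[spn], ticket).split(b"|")[0].decode()
    except ValueError:
        return None

def run_demo():
    # Steps 1-4 from the reply: ticket for the first SPN, presented to both services.
    _, ticket = issue_service_ticket("DEMO\\alice", "HTTP/service1.demo.local")
    return (service_accepts("HTTP/service1.demo.local", ticket),
            service_accepts("HTTP/service2.demo.local", ticket))
```

Running `run_demo()` returns the client name from the first service and `None` from the second, which is the decryption failure behind the exception in step 4.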