Kerberos，委派以及如何正确执行此操作? [英] Kerberos, delegation and how to do this correctly?

问题描述

我有两个单独的自制应用程序，它们需要相互通信.一个是前端应用程序(实际上是asp.net)，另一个是会计应用程序的后端接口.后端接口不是专门为此前端创建的，它是许多其他应用程序用来与我们的产品集成的通用接口.

I've got two separate homemade applications that need to communicate among themselves. One is a frontend application (asp.net actually), the other is a backend interface to an accounting application. The backend interface was not created specifically for this frontend - it is a generic interface that many other applications use to integrate with our product.

为方便用户，我们希望在前端应用程序中提供Windows身份验证.但是，这意味着我们需要将凭据传递到必须对其进行检查的后端应用程序.

For the convenience of users we wish to provide a Windows Authentication in our frontend application. That means however that we need to pass the credentials on to the backend application which has to check them.

我们不希望将前端设置为后端的受信任"应用程序，该后端可以对任何用户进行身份验证.如果要对前端进行黑客攻击，那么它也将损害后端系统.

We do not wish to set up our frontend as a "trusted" application to the backend which can authenticate itself as any user. If the frontend was to be hacked, it would then also compromise the backend system.

据我了解，使用Windows身份验证的一种方法是Kerberos委派.但是，这需要为要委派的用户和执行委派的机器(具有我们前端的服务器)显式启用.默认情况下，这些选项在Active Directory中处于禁用状态，而且我怀疑许多系统管理员会保留为所有用户打开它们的权限.

As I understand it, one way to do it with Windows Authentication is Kerberos Delegation. However this requires to be explicitly enabled for the user that is to be delegated, and the machine which does the delegation (the server with our frontend). By default these options are disabled in Active Directory, and I suspect that many sysadmins will have their reservations about turning them on for all their users.

此外，我不太确定这是Kerberos委托的意思.我不需要我们的前端来冒充正在连接的用户.我只需要证明此用户已向我进行身份验证即可.

Also, I'm not really sure that this is what Kerberos Delegation was meant for. I don't need our frontend to impersonate the user that is connecting. I just need to prove that this user has authenticated itself to me.

您将如何做?

推荐答案

我不清楚您的用例可以做什么，也不能做什么，但是我可以回答 Kerberos委托的含义.

I'm not clear what you can and can't do with your use case but I can answer the question what Kerberos Delegation was meant for.

首先让我们谈谈在委派之前Kerberos所做的事情.重要的是要很好地理解这一部分，因为它很微妙.

First let's talk about what Kerberos does prior to delegation. It is important to understand this part well because it is subtle.

Kerberos验证网络中两个端点之间通信的 BOTH 端点的身份，这些端点可以是交互式用户或计算机上运行的服务.

Kerberos authenticates the identity of BOTH ends of a communication between two end-points across a network, those end-points can be interactive users or services running on a computer.

这是 strong身份验证，因此它不允许任何形式的中间人攻击.如果设置正确，端点可以保证它们不会受到损害.在服务名称级别(如果要连接到计算机上的II，则不同于连接到同一计算机上的SQL Server).它大量使用了现代加密技术，并需要使用安全证书.身份验证协议的细节很复杂，现在不值得介绍，但是它涉及到两个身份验证端点和身份验证服务器(在Windows中，域控制器是身份验证服务器)之间大约20个不同的确认步骤.

This is strong authentication so it will not allow a man-in-middle attack in any form. If set up correctly an end point can guarantee they won't be compromised. To the level of the service name (if you are connecting to IIs on a machine it is different than connecting to SQL Server on the same machine). It makes heavy use of modern encryption techniques and requires the use of secure certificates. The details of the authentication protocol are complicated and not worth going into now, but it involves about 20 different distinct steps of confirmation between the two authenticating end points and authentication server (in windows the Domain Controller is the authentication server).

那么委派到底是什么呢?

委托是对Kerberos标准的Microsoft扩展， 允许可信来源继续对另一个来源进行身份验证 终点.

Delegation is a Microsoft extension to the Kerberos standard which allows a trusted source to continue the authentication to another end-point.

这使您可以充当中间人"-但是必须显式设置许多设置，安装证书等才能使它起作用.这远非简单. (这是有关细节的另一个SO答案- https://stackoverflow.com/a/954154/215752 )

This allows you to act as a "man in the middle" -- however many settings have to be explicitly setup, certificates installed, etc to allow this to work. It is far from simple. ( Here is another SO answer on the details - https://stackoverflow.com/a/954154/215752)

例如，您可以让某人对网站进行身份验证，然后将.NET代码作为同一用户连接到SQL Server ，以读取具有该用户权限的数据.

So, for example, you could have someone authenticate to a website and then have the .NET code connect to an SQL Server AS THE SAME USER to read data with that user's rights.

现在回答您的问题，由于我不确定您要做什么，因此我提出了三种选择:

Now to answer your question, since I'm not sure what you want to do I present three choices:

1)您希望以与SAME用户相同的身份连接到后端系统，以在网站上进行身份验证.

1) You want to connect to the back end system as the SAME user as the one authenticating at the website.

• 在这种情况下，Kerberos委派是完美的-它可以完全满足您的要求.

2)您要以不同于用户身份的身份连接到后端系统，而不是在网站上进行身份验证的用户(例如，服务帐户).

2) You want to connect to the back end system as a DIFFERENT user than the one authenticating at the website (eg a service account).

• 在这种情况下，您不希望委派.网站使用Kerberos，后端使用Kerberos(作为其他用户)非常有用.

3)您想有时以SAME用户身份连接到后端系统，而有时又以不同用户身份连接到后端系统. (例如，您需要验证这是后端系统的合法用户，但希望其他时间作为系统帐户执行受信任的操作.(根据我的经验，这是最常见的用例.)

3) You want to connect to the back end system as the SAME user some of the time and as a DIFFERENT user other times. (For example, you need to validate this is a legal user for the back end system, but want to perform trusted actions as a system account other times. This is (in my experience) the most common use case.)

• 在这种情况下，您将两者同时使用.在需要系统对后端的访问时，委派需要验证用户身份然后又恢复为服务帐户身份的连接. (我的上一个问题是有关如何在.NET平台上还原为系统身份的详细信息，请参见.)

这篇关于Kerberos，委派以及如何正确执行此操作?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！