Kerberos delegation between different services


Problem description


We have the following setup with httpd webservers as shown below:


Here's the scenario: Server A takes the request from the browser, does some operations, creates a new request and sends it to Server B. User X is authenticated on Server B, but User Y is not (and is not supposed to be). Since A is creating a new request, B thinks that Y has sent the request and so denies it. Removing Server A is not an option. How do I solve this? Can you please help?

Recommended answer


This can be solved by delegation: server A should authenticate itself as user X while making the request to server B.

Delegation:

  • Server A receives a request from the browser, containing a TGS ticket.
  • Server A has the correct username/password combination (as stored in the Kerberos database in the user representing the service), so it can open the ticket and authenticate this user.
  • Server A makes a request to the KDC for a delegated ticket, with the ticket received from the user attached.
  • The KDC (for example AD) checks if delegation is possible (in Active Directory the user representing server A must be granted the right to delegate. This tab becomes visible after you use the command ktpass on the ADC to generate the keytab file. AD also checks if the user account permits delegation of its ticket; it's enabled by default and can be disabled for some special, sensitive users).
  • The KDC gives server A a delegated Kerberos ticket. Server A uses it to log in to server B.
  • Server B receives the request from server A with the delegated ticket, which says that it's user X who logs in.


Kerberos delegation is sometimes called "a double hop": http://blogs.technet.com/b/askds/archive/2008/06/13/understanding-kerberos-double-hop.aspx


Active Directory administrators might not like the idea of giving service A the right to delegate tickets (i.e. logging in to any other service in the domain as user X). That's why "constrained delegation" was introduced a few years ago. It enables AD administrators to let service A log in as user X only to server B. They can set that on the Active Directory account representing service A.

http://windowsitpro.com/security/how-windows-server-2012-eases-pain-kerberos-constrained-delegation-part-1
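As an added example (not code from the question or the answer above), the PowerShell below configures the account representing service A for constrained delegation to the HTTP service on server B only, instead of granting it unrestricted delegation, and shows the checks an administrator can run afterwards. It assumes the Active Directory PowerShell module is installed; the account names and the SPN are placeholders.

```powershell
# Added example, not part of the original answer. Placeholders:
#   svc_httpA                - AD account representing server A (runs httpd)
#   HTTP/serverb.example.com - SPN of the httpd service on server B
#   admin_x                  - a sensitive account that must never be delegated
Import-Module ActiveDirectory

$serviceA  = 'svc_httpA'
$targetSpn = 'HTTP/serverb.example.com'

# 1. Constrained delegation: let svc_httpA obtain delegated tickets only for the
#    HTTP service on server B (msDS-AllowedToDelegateTo) and make sure the broad
#    "trusted for delegation" flag (unconstrained delegation) is NOT set.
Set-ADUser -Identity $serviceA -TrustedForDelegation $false
Set-ADUser -Identity $serviceA -Add @{ 'msDS-AllowedToDelegateTo' = $targetSpn }

# 2. Verify what svc_httpA is now permitted to delegate to.
Get-ADUser -Identity $serviceA -Properties TrustedForDelegation, 'msDS-AllowedToDelegateTo' |
    Select-Object SamAccountName, TrustedForDelegation, 'msDS-AllowedToDelegateTo'

# 3. Protect sensitive users: with "Account is sensitive and cannot be delegated"
#    set, the KDC refuses to issue a delegated ticket for this user to any service,
#    which is the per-user switch the answer mentions.
Set-ADAccountControl -Identity 'admin_x' -AccountNotDelegated $true

# 4. Audit: list every user and computer account that still has unconstrained
#    delegation enabled, so they can be moved to constrained delegation.
Get-ADUser     -Filter { TrustedForDelegation -eq $true } -Properties TrustedForDelegation |
    Select-Object SamAccountName, @{ n = 'Type'; e = { 'user' } }
Get-ADComputer -Filter { TrustedForDelegation -eq $true } -Properties TrustedForDelegation |
    Select-Object SamAccountName, @{ n = 'Type'; e = { 'computer' } }
```

Run it on a domain-joined machine with an account allowed to modify the service account; the SPN in msDS-AllowedToDelegateTo must exactly match the SPN registered for server B's service.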
