Switching application to use Constraint based kerberos


Question

I have an old application that we set up with delegation-based Kerberos. Everything with the application worked fine till we tried it out on one of our new Windows 10 machines.

After a while, we finally figured out that Credential Guard is not playing nice with this old application.

According to https://docs.microsoft.com/zh-CN/windows/security/identity-protection/credential-guard/credential-guard-considerations

Kerberos Considerations


When you enable Windows Defender Credential Guard, you can no longer use Kerberos unconstrained delegation or DES encryption. Unconstrained delegation could allow attackers to extract Kerberos keys from the isolated LSA process. Use constrained or resource-based Kerberos delegation instead.

We have to switch our implementation to use constrained Kerberos delegation. I'm at a bit of a loss on how to do that.

Our current SPNs are set against the web application name (Scenario 2 from this link - https://support.microsoft.com/en-ca/help/929650/how-to-use-spns-when-you-configure-web-applications-that-are-hosted-on):

setspn -a http/WebSiteName webServerName
setspn -a http/WebSiteName.domain.com webServerName

The application only talks to Active Directory. No database is involved. The site is currently running the application pool with a domain account.

When I try commands like

$comp = Get-ADComputer DcOrAnotherComputer
Set-AdComputer -identity webServerName -PrincipalsAllowedToDelegateToAccount $comp

I get the following PowerShell error:

Set-AdComputer : The attribute cannot be modified because it is owned by the system
At line:2 char:1
+ Set-AdComputer -identity hql-dmeds01 -PrincipalsAllowedToDelegateToAccount $comp
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (hql-dmeds01:ADComputer) [Set-ADComputer], ADException
    + FullyQualifiedErrorId : ActiveDirectoryServer:8369,Microsoft.ActiveDirectory.Management.Commands.SetADComputer

I've boiled down the application to an example that works on Win7/Win2012 but not on Win10 with Credential Guard:

<%@ Language=VBScript %>
<%
' Create the ADO connection to Active Directory through the ADSI OLE DB provider
set con = createobject("ADODB.connection")
set Com = createobject("ADODB.command")
con.Provider = "ADsDSOObject"
con.Open "Active Directory Provider"
Set Com.ActiveConnection = con

' LDAP query for a single group under the domain root; this is the AD call
' that stops working once Credential Guard blocks unconstrained delegation
dim ldapCall
ldapCall = "SELECT ADsPath, distinguishedname, displayName" & _
           " FROM 'LDAP://DC=mydomain,DC=com'" & _
           " WHERE objectClass = 'group' AND name = 'SomeTestGroupName'" & _
           " ORDER BY displayName"
'response.write ldapCall

' Execute the search call
Com.CommandText = ldapCall
Set rs = Com.Execute

if not(rs.EOF) then
    response.write "SomethingHappened<br />"
else
    response.write "Why don't you work???"
end if
%>

Update 1 - Answer to T-Heron's question. Here are the results of doing

setspn -q http/WebSiteName.domain.com
Checking domain DC=Mydomain
no such SPN found.

If I do

setspn -q http/WebSiteName

I get the following:

Checking domain DC=Mydomain
CN=Webserver,OU=OuLocation,DC=MyDomain
        http/WebSite.myDomain
        http/WebSite
        CmRcService/Webserver
        CmRcService/Webserver.myDomain
        WSMAN/Webserver.myDomain
        TERMSRV/Webserver.myDomain
        RestrictedKrbHost/Webserver.myDomain
        HOST/Webserver
        WSMAN/WSMAN/Webserver
        TERMSRV/WSMAN/Webserver
        RestrictedKrbHost/WSMAN/Webserver
        HOST/Webserver

Update 2 - The reason the -q in update 1 didn't work was that the SPN was set to http/WebsiteName.domain.com and not http/WebsiteName.a.b.domain.com (which is what I was trying).

So all the -q commands work now. But the problem persists.

Here's the screenshot of the delegation tab.

Update 3 -

Here's a new picture of the Delegation tab. I tried it both with "Use Kerberos only" and "Use any authentication protocol" after doing an IISReset; I get the same issue. (I added the web server when I pressed the "Add" button. In the picture, the red boxes are entries with the webServerName, and the orange boxes are entries with the SPN setup (beside HTTP - service type).)

Accepted answer

Ok, so I was able to get the test page above to finally work. T-Heron's comments were on point; I had just added the wrong services to delegate to.

Once I added the ldap service from the domain controller, the test page started working.
(Our domain controllers had 2 ldap services: one with a GUID and one with the domain name. I chose the domain one.)

Update 1 - The testing for the solution was initially done on Win2k8. Doing the same on Win2k12 didn't work.

I ended up having to change my application pool to the built-in ApplicationPoolIdentity (or LocalSystem) to have it work.
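The fix described in this answer (constrained delegation from the web server's account to the domain controller's ldap service, instead of the unconstrained delegation that Credential Guard blocks) can be applied and verified from PowerShell rather than the Delegation tab. This is an added example, not code from the question or the answer; the names WEBSERVER01, DC01.mydomain.com and mydomain.com are placeholders, and it assumes the ActiveDirectory RSAT module is installed.

```powershell
# Added example: move a computer account from unconstrained to constrained
# Kerberos delegation targeting the DC's LDAP service, then verify the result.
# Placeholder names (assumptions): WEBSERVER01 = IIS host, DC01.mydomain.com = DC.
Import-Module ActiveDirectory

$webServer = 'WEBSERVER01'
$dcFqdn    = 'DC01.mydomain.com'
$domain    = 'mydomain.com'

# The "domain name" ldap service the answer chose; both SPN forms of it.
$ldapSpns = @("ldap/$dcFqdn", "ldap/$dcFqdn/$domain")

# Step 1: read the account's current delegation state.
$props = 'TrustedForDelegation', 'TrustedToAuthForDelegation', 'msDS-AllowedToDelegateTo'
$acct  = Get-ADComputer -Identity $webServer -Properties $props

# Step 2: unconstrained delegation ("Trust this computer for delegation to any
# service") is exactly what Credential Guard refuses, so switch it off.
if ($acct.TrustedForDelegation) {
    Set-ADAccountControl -Identity $acct -TrustedForDelegation $false
}

# Step 3: add the DC's ldap SPNs to msDS-AllowedToDelegateTo (idempotent).
$missing = $ldapSpns | Where-Object { $acct.'msDS-AllowedToDelegateTo' -notcontains $_ }
if ($missing) {
    Set-ADComputer -Identity $acct -Add @{ 'msDS-AllowedToDelegateTo' = $missing }
}

# Step 4 (optional): "Use any authentication protocol" in the Delegation tab is
# TrustedToAuthForDelegation (protocol transition). Leave it off for "Use Kerberos only".
# Set-ADAccountControl -Identity $acct -TrustedToAuthForDelegation $true

# Step 5: verify. Expected: TrustedForDelegation False, ldap/DC01... entries present.
Get-ADComputer -Identity $webServer -Properties $props |
    Select-Object Name, TrustedForDelegation, TrustedToAuthForDelegation,
        @{ n = 'AllowedToDelegateTo'; e = { $_.'msDS-AllowedToDelegateTo' -join '; ' } }
```

The same Get-ADComputer query in step 5, run across all computer and service accounts with TrustedForDelegation set, is a quick way to find other hosts that will break the same way when Credential Guard is rolled out.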
