The Important Details Of Windows Authentication - Stefan Metzmacher

  1. The Important Details Of Windows Authentication
     Stefan Metzmacher <metze@samba.org>
     Samba Team / SerNet
     2017-05-04
     https://samba.org/~metze/presentations/2017/SambaXP/

  2. Topics
     ◮ Windows Domains, Forests and Trusts
     ◮ Netlogon Secure Channel
     ◮ Authentication Protocols
     ◮ Authorization Token
     ◮ Trust Routing Table
     ◮ New Kerberos Features
     ◮ Thanks!
     ◮ Questions?
     Windows Authentication Stefan Metzmacher (2/1)

  3. Layout of a single Windows Domain

  4. Layout of an Active Directory Forest (with one Tree)

  5. Forest Information (with one Tree)
     ◮ TOP LEVEL NAME: example.com
     ◮ TOP LEVEL NAME: example.private
     ◮ DOMAIN INFO: EXAMPLE; example.com; S-1-5-21-99-88-11
     ◮ DOMAIN INFO: ASIA; asia.example.com; S-1-5-21-99-88-22
     ◮ DOMAIN INFO: DEVEL; devel.asia.example.com; S-1-5-21-99-88-33
     ◮ DOMAIN INFO: PRODUCT; product.asia.example.com; S-1-5-21-99-88-44
     ◮ DOMAIN INFO: EUROPE; europe.example.com; S-1-5-21-99-88-44

  6. Layout of an Active Directory Forest (with multiple Trees)

  7. Forest Information (with multiple Trees)
     ◮ TOP LEVEL NAME: corp1.private
     ◮ TOP LEVEL NAME: corp2.private
     ◮ DOMAIN INFO: CORP1; corp1.private; S-1-5-21-77-88-11
     ◮ DOMAIN INFO: DEVEL; devel.corp1.private; S-1-5-21-77-88-22
     ◮ DOMAIN INFO: PRODUCT; product.corp1.private; S-1-5-21-99-88-33
     ◮ DOMAIN INFO: CORP2; corp2.private; S-1-5-21-99-88-44
     ◮ DOMAIN INFO: SUPPORT; support.corp2.private; S-1-5-21-99-88-55

  8. Trust Types (low level)
     ◮ LSA_TRUST_TYPE_DOWNLEVEL
       ◮ This is used for NT4 Domains.
       ◮ It can only handle NTLMSSP.
     ◮ LSA_TRUST_TYPE_UPLEVEL
       ◮ This is used for AD Domains.
       ◮ It supports NTLMSSP by default.
       ◮ It supports Kerberos; the Realm is the DNS-Domain-Name.
     ◮ LSA_TRUST_TYPE_MIT
       ◮ This is used for trusts to RFC4120-compliant Kerberos.
       ◮ Unlikely to be implemented in Samba.
     ◮ LSA_TRUST_TYPE_DCE
       ◮ Not used in Windows.

  9. Trust Directions
     ◮ Trusting vs. Trusted Domain
       ◮ Users of the "trusted" domain can access resources of the "trusting" domain.
     ◮ LSA_TRUST_DIRECTION_INBOUND
       ◮ The local domain is the "trusted" domain.
       ◮ The specified/remote domain is the "trusting" domain.
       ◮ Also known as INCOMING.
     ◮ LSA_TRUST_DIRECTION_OUTBOUND
       ◮ The local domain is the "trusting" domain.
       ◮ The specified/remote domain is the "trusted" domain.
       ◮ Also known as OUTGOING.

  10. Transitive vs. Non-Transitive Trusts
      ◮ Non-Transitive Trust
        ◮ This is just a trust between two single domains.
      ◮ Transitive Trust
        ◮ The trust between two single domains is expanded to indirect trusts.
        ◮ DOM1 trusts DOM2, while DOM2 trusts DOM3, so DOM1 implicitly trusts DOM3.
        ◮ In some situations a transitive trust acts as a kind of default route.

  11. Trust Types (high level, Part 1)
      ◮ Workstation (Domain Member) Trust
        ◮ LSA_TRUST_DIRECTION_OUTBOUND to the primary domain.
        ◮ LSA_TRUST_TYPE_DOWNLEVEL (NT4) or LSA_TRUST_TYPE_UPLEVEL (AD).
        ◮ Transitive Trust as default route.
        ◮ The computer account can only reliably access its primary domain.
      ◮ External Domain Trust
        ◮ LSA_TRUST_TYPE_DOWNLEVEL (NT4) or LSA_TRUST_TYPE_UPLEVEL (AD).
        ◮ Non-Transitive.
      ◮ Forest Trust
        ◮ LSA_TRUST_TYPE_UPLEVEL (AD) between two forest root domains.
        ◮ Transitive Trust (by default) between the two forests only.

  12. Trust Types (high level, Part 2: within Forests)
      ◮ Parent Child Trusts
        ◮ LSA_TRUST_DIRECTION_INBOUND and LSA_TRUST_DIRECTION_OUTBOUND.
        ◮ LSA_TRUST_TYPE_UPLEVEL (AD).
        ◮ LSA_TRUST_ATTRIBUTE_WITHIN_FOREST.
        ◮ The child is a DNS-subdomain of the parent.
        ◮ Transitive Trust: on the parent it is a route to the child and the related grandchildren.
        ◮ Transitive Trust: on the child it is the default route.
        ◮ Automatically created together with the child domain.
      ◮ Tree Root Trusts
        ◮ Similar to Parent Child Trusts.
        ◮ The new tree root is not a DNS-subdomain of the forest root.
        ◮ Transitive Trust: on the forest root it is a route to the new tree root and the related grandchildren.
        ◮ Transitive Trust: on the child (the new tree root) it is the default route.
        ◮ Automatically created together with the new tree root domain.

  13. Trust Types (high level, Part 3: within Forests)
      ◮ Shortcut Trust
        ◮ LSA_TRUST_DIRECTION_INBOUND and/or LSA_TRUST_DIRECTION_OUTBOUND.
        ◮ LSA_TRUST_TYPE_UPLEVEL (AD).
        ◮ LSA_TRUST_ATTRIBUTE_WITHIN_FOREST.
        ◮ Non-Transitive; acts as a direct route to the specified domain.
        ◮ Created by an administrator for performance reasons.

  14. Trust Attributes (low level)
      The content of the trustAttributes attribute in Samba:

          typedef [public,bitmap32bit] bitmap {
              LSA_TRUST_ATTRIBUTE_NON_TRANSITIVE      = 0x00000001,
              LSA_TRUST_ATTRIBUTE_UPLEVEL_ONLY        = 0x00000002,
              LSA_TRUST_ATTRIBUTE_QUARANTINED_DOMAIN  = 0x00000004,
              LSA_TRUST_ATTRIBUTE_FOREST_TRANSITIVE   = 0x00000008,
              LSA_TRUST_ATTRIBUTE_CROSS_ORGANIZATION  = 0x00000010,
              LSA_TRUST_ATTRIBUTE_WITHIN_FOREST       = 0x00000020,
              LSA_TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL   = 0x00000040,
              LSA_TRUST_ATTRIBUTE_USES_RC4_ENCRYPTION = 0x00000080
              // TODO LSA_TRUST_ATTRIBUTE_CROSS_ORGANIZATION_NO_TGT_DELEGATION = 0x00000200
              // TODO LSA_TRUST_ATTRIBUTE_PIM_TRUST = 0x00000400
          } lsa_TrustAttributes;
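As an added example that is not part of the slides or of Samba, the following Python decoder turns raw trustType, trustDirection and trustAttributes values into the trust properties described on slides 8 to 13. The attribute bit values are the ones from the bitmap above; the numeric trustType and trustDirection values are the standard LSA ones and are an assumption, since the slides only name them.

```python
"""Decode trustType, trustDirection and trustAttributes in the terms used on the slides."""

# Flag values from the slide's lsa_TrustAttributes bitmap (Samba IDL).
TRUST_ATTRIBUTES = {
    0x00000001: "NON_TRANSITIVE",
    0x00000002: "UPLEVEL_ONLY",
    0x00000004: "QUARANTINED_DOMAIN",
    0x00000008: "FOREST_TRANSITIVE",
    0x00000010: "CROSS_ORGANIZATION",
    0x00000020: "WITHIN_FOREST",
    0x00000040: "TREAT_AS_EXTERNAL",
    0x00000080: "USES_RC4_ENCRYPTION",
}
# Numeric trustType / trustDirection values are the standard LSA ones
# (assumption: the slides only give the names).
TRUST_TYPES = {1: "DOWNLEVEL", 2: "UPLEVEL", 3: "MIT", 4: "DCE"}
DIRECTION_INBOUND, DIRECTION_OUTBOUND = 0x1, 0x2


def decode_attributes(value):
    """Names of the set flags; unknown bits are kept as hex so nothing is silently dropped."""
    names = [name for bit, name in TRUST_ATTRIBUTES.items() if value & bit]
    unknown = value & ~sum(TRUST_ATTRIBUTES)
    if unknown:
        names.append(f"UNKNOWN_0x{unknown:08x}")
    return names


def describe_trust(trust_type, direction, attributes):
    """Classify one trustedDomain object the way slides 8 to 13 do."""
    flags = set(decode_attributes(attributes))
    if "WITHIN_FOREST" in flags:
        # Parent/child and tree-root trusts are transitive; a shortcut trust is not.
        kind = "shortcut trust" if "NON_TRANSITIVE" in flags else "parent/child or tree-root trust"
    elif "FOREST_TRANSITIVE" in flags:
        kind = "forest trust"
    else:
        kind = "external domain trust"
    return {
        "type": TRUST_TYPES.get(trust_type, f"unknown({trust_type})"),
        "kind": kind,
        # INBOUND: we are the "trusted" domain; OUTBOUND: we are the "trusting" domain.
        "we_are_trusted_by_remote": bool(direction & DIRECTION_INBOUND),
        "we_trust_remote": bool(direction & DIRECTION_OUTBOUND),
        "transitive": "NON_TRANSITIVE" not in flags,
        "kerberos": trust_type in (2, 3),  # UPLEVEL (AD) or MIT; DOWNLEVEL is NTLMSSP only
        "sid_filtering": "QUARANTINED_DOMAIN" in flags,
        "flags": sorted(flags),
    }
```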

  15. Forest (routing) Information
      ◮ The information about a forest:
        ◮ can be queried from the forest root of the "trusted" forest by netr_GetForestTrustInformation(); it is constructed from the information under CN=Partitions,CN=Configuration,...
        ◮ is stored in the "msDS-TrustForestTrustInfo" attribute in the root domain of the "trusting" forest.
      ◮ It is an array of records of the following types:
        ◮ FOREST_TRUST_DOMAIN_INFO includes the NetBIOS-Name, DNS-Name and Domain-SID.
        ◮ FOREST_TRUST_TOP_LEVEL_NAME includes a top level DNS-Name that is part of the forest (including all DNS-subdomains).
        ◮ FOREST_TRUST_TOP_LEVEL_NAME_EX includes a top level DNS-Name that is explicitly excluded from the forest (including all DNS-subdomains).
      ◮ Individual records will be disabled if conflicts with other trusts are detected.
      ◮ Individual records can also be disabled by the admin.
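The record types above, as an added Python model of the routing lookup (this is example code, not Samba's implementation): a DNS name is routed to the forest when an enabled TOP_LEVEL_NAME record covers it and no more specific enabled TOP_LEVEL_NAME_EX record excludes it, disabled records are skipped, and DOMAIN_INFO records resolve NetBIOS or DNS names to a SID. The sample forest is built from slide 5; the excluded suffix "partner.example.com" and the most-specific-record-wins rule are assumptions.

```python
"""Forest routing lookup over msDS-TrustForestTrustInfo-style records."""
from dataclasses import dataclass

@dataclass
class ForestInfo:
    top_level_names: set   # FOREST_TRUST_TOP_LEVEL_NAME records (included DNS suffixes)
    excluded_names: set    # FOREST_TRUST_TOP_LEVEL_NAME_EX records (excluded DNS suffixes)
    domains: dict          # FOREST_TRUST_DOMAIN_INFO records: dns_name -> (netbios_name, sid)
    disabled: frozenset = frozenset()  # records disabled after a conflict or by the admin

def _covers(name, suffix):
    """True if name equals suffix or is a DNS-subdomain of it."""
    return name == suffix or name.endswith("." + suffix)

def _most_specific(name, records, disabled):
    """Longest (most specific) enabled record covering name, or None."""
    hits = [r for r in records if r not in disabled and _covers(name, r)]
    return max(hits, key=len) if hits else None

def route_dns_name(forest, dns_name):
    """Top-level name that routes dns_name into this forest, or None.
    A TOP_LEVEL_NAME_EX record wins when it is more specific than the including TLN."""
    name = dns_name.lower().rstrip(".")
    tln = _most_specific(name, forest.top_level_names, forest.disabled)
    if tln is None:
        return None
    ex = _most_specific(name, forest.excluded_names, forest.disabled)
    return None if ex is not None and len(ex) > len(tln) else tln

def lookup_domain(forest, name):
    """Resolve a DNS or NetBIOS domain name via DOMAIN_INFO to (dns, netbios, sid)."""
    key = name.lower().rstrip(".")
    for dns, (netbios, sid) in forest.domains.items():
        if dns not in forest.disabled and key in (dns, netbios.lower()):
            return dns, netbios, sid
    return None

# Constructed from slide 5; the excluded "partner.example.com" is an added assumption.
EXAMPLE_FOREST = ForestInfo(
    top_level_names={"example.com", "example.private"},
    excluded_names={"partner.example.com"},
    domains={
        "example.com": ("EXAMPLE", "S-1-5-21-99-88-11"),
        "asia.example.com": ("ASIA", "S-1-5-21-99-88-22"),
        "devel.asia.example.com": ("DEVEL", "S-1-5-21-99-88-33"),
        "europe.example.com": ("EUROPE", "S-1-5-21-99-88-44"),
    },
)
```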

  16. Netlogon Secure Channel (Part 1)
      ◮ Having an LSA_TRUST_DIRECTION_OUTBOUND Trust:
        ◮ means the "trusting" workstation/domain can establish a Netlogon Secure Channel to DCs of the "trusted" domain using the computer/trust account.
        ◮ The NETLOGON protocol is based on DCERPC, see [MS-NRPC].
      ◮ Establishing a global session state with a "trusted" DC:
        ◮ netr_ServerReqChallenge() and netr_ServerAuthenticate[2,3]() are used to do a challenge/response authentication.
        ◮ The global session state is indexed by the computer name of the "client".
        ◮ The global session state contains the initial session key and a sequence number.
        ◮ Samba uses 'struct netlogon_creds_CredentialState' for this state.
        ◮ This state is stored in netlogon_creds_cli.tdb (on the client) and schannel_store.tdb (on the server).

  17. Netlogon Secure Channel (Part 2)
      ◮ A lot of functions operate on the global session state:
        ◮ netr_LogonSamLogon[WithFlags](), netr_ServerPasswordSet[2](), netr_LogonGetDomainInfo(), netr_GetForestTrustInformation() and others.
        ◮ All functions using 'netr_Authenticator' arguments.
      ◮ These functions do some rolling crypto on the global session state.
      ◮ These functions need to be strictly ordered (globally!).
      ◮ Some of them also encrypt some application level fields with the current global session key.

  18. Netlogon Secure Channel (Part 3)
      ◮ The NETLOGON protocol implements a custom DCERPC authentication type (auth_type=68):
        ◮ The DCERPC Bind/AlterContext just passes the domain and computer names to the server.
        ◮ The server takes a copy of the current global session state based on the provided computer name.
        ◮ This copy will be the session key for the lifetime of the DCERPC auth context.
        ◮ Client and server provide DCERPC_AUTH_LEVEL_INTEGRITY or DCERPC_AUTH_LEVEL_PRIVACY protection for the auth context.
        ◮ The connection doesn't support concurrent multiplexing and allows only one request at a time.

  19. Netlogon Secure Channel (Part 4)
      ◮ Usage of DCERPC authentication type (auth_type=68):
        ◮ It is typically used for a protected NETLOGON connection.
        ◮ It is also used for LSA connections and the lsa_LookupNames4() and lsa_LookupSids3() calls.
        ◮ Typically the "trusting" side of the trust should only use these NETLOGON and LSA connections to communicate with the "trusted" domain.
