Marc Lognoul's IT Infrastructure Blog

Cloudy with a Chance of On-Prem

IIS: Web applications and Kerberos


Since Windows 2000 reached the shelves, a lot has been said about the fact that applications in general, and web applications in particular, should be « Kerberized » (made Kerberos-aware).
Unfortunately, taking that step is not that easy and may introduce unexpected results that are not always well known to IT pros.

In a nutshell, Kerberos has the following pros and cons:

Pros:

  • “Said to be more secure”. Usually true, because the way information is encrypted is better, because security-sensitive information travels over the wire less often, and because it includes additional protection measures such as pre-authentication. Why “said to be”? Because it was demonstrated long ago that, under some circumstances, all those security measures can be cracked relatively easily using the appropriate tools and enough processing power. See http://www.securiteam.com/windowsntfocus/5BP0H0A6KM.html for more information.
  • “Said to increase interoperability”. Because Kerberos is a standard, it is interoperable between platforms. And it works! Why “said to” then? Because Microsoft introduced some customizations that are not part of the standard. Therefore they are not usable by other platforms unless those extensions are ported adequately (which I have never seen). See http://msdn.microsoft.com/en-us/library/aa302203.aspx for more information.
  • “Said to decrease the load on domain controllers and improve performance”. Well, it actually depends. If the client is a Windows system that is a member of the same domain as the IIS server and the domain controller, or if there are Kerberos trusts between the domains each party belongs to, then it will work fine; if not, IIS will contact a DC just as it does for NTLM or Basic, for example.
  • Allows a server to pass the security context of a user on to another system. This is known as “delegation”. It requires extra configuration, which may be complex to set up, but in some scenarios it is really worth it because it opens the door to a rich experience in secure distributed computing!

Cons:

  • Depending on the environment, Kerberization may involve a (very, very) complex configuration: on servers, in AD and, in some cases, on clients as well.
  • Using a load balancer will involve this complex configuration anyway!
  • When using Kerberos between a client and IIS while both are members of the same AD domain, or of domains trusted through a Kerberos-based trust, the size of an HTTP request will increase depending on the group membership of the user and, optionally, the size of the SID History.
  • Since Kerberos is based on names (host names), it will never work if a web service is accessed by its IP address.
  • There is no way, to my knowledge, to enforce Kerberos and therefore make sure NTLM is never used. This is because Microsoft always plans to offer a fallback in case Kerberos would not work.
  • Finally, Kerberos requires AD and Windows. Moreover, it requires IIS to work with Integrated Windows Security. For example, this means it is not possible to Kerberize an application that uses forms-based authentication.
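Because the NTLM fallback cannot be switched off on the server side, the practical answer is to measure it: the token a client sends in its `Authorization: Negotiate` header reveals whether Kerberos or NTLM was actually used, and its length grows with the user's group membership as noted above. The following is an added example (not code from the original post) that classifies captured header values by inspecting only the outer GSS-API/SPNEGO framing; `classify_auth_header` and `make_negotiate_header` are hypothetical names, and the builder only exists to produce constructed sample tokens for offline testing.

```python
import base64
import binascii

# DER-encoded mechanism OIDs that appear inside HTTP "Negotiate" tokens.
SPNEGO = bytes.fromhex("2b0601050502")           # 1.3.6.1.5.5.2
KRB5 = bytes.fromhex("2a864886f712010202")       # 1.2.840.113554.1.2.2
MS_KRB5 = bytes.fromhex("2a864882f712010202")    # 1.2.840.48018.1.2.2 (Microsoft variant)
NTLMSSP = bytes.fromhex("2b06010401823702020a")  # 1.3.6.1.4.1.311.2.2.10
MECHS = {KRB5: "kerberos", MS_KRB5: "kerberos", NTLMSSP: "ntlm"}

def _walk(buf, pos, tags):
    """Descend through nested DER elements checking each tag; return (start, end) of the last value."""
    for expected in tags:
        tag, length, pos = buf[pos], buf[pos + 1], pos + 2
        if length & 0x80:                        # long form: next n bytes hold the length
            n = length & 0x7F
            length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
        if tag != expected:
            raise ValueError("unexpected DER tag 0x%02x" % tag)
        end = pos + length
    return pos, end

def classify_auth_header(value):
    """Return 'kerberos', 'ntlm' or 'unknown' for one Authorization header value (framing only)."""
    scheme, _, b64 = value.strip().partition(" ")
    if scheme.lower() not in ("negotiate", "ntlm") or not b64:
        return "unknown"
    try:
        tok = base64.b64decode(b64, validate=True)
        if tok.startswith(b"NTLMSSP\x00"):
            return "ntlm"                        # raw NTLMSSP: "NTLM" scheme or fallback inside Negotiate
        p, end = _walk(tok, 0, (0x60, 0x06))     # InitialContextToken > thisMech OID
        mech = tok[p:end]
        if mech == SPNEGO:
            # NegTokenInit [0] SEQUENCE { mechTypes [0] SEQUENCE OF OID, ... }: first OID is the optimistic mech
            p, end = _walk(tok, end, (0xA0, 0x30, 0xA0, 0x30, 0x06))
            mech = tok[p:end]
        return MECHS.get(mech, "unknown")
    except (binascii.Error, ValueError, IndexError):
        return "unknown"                         # bad base64, truncated or malformed token

def _der(tag, payload):
    """Minimal DER TLV encoder, used only to build the constructed samples."""
    n = len(payload)
    lb = b"" if n < 0x80 else n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, n if n < 0x80 else 0x80 | len(lb)]) + lb + payload

def make_negotiate_header(first_mech, mech_token):
    """Constructed sample: SPNEGO NegTokenInit offering first_mech (and NTLMSSP) with a fake mechToken."""
    mech_types = _der(0xA0, _der(0x30, _der(0x06, first_mech) + _der(0x06, NTLMSSP)))
    init = _der(0xA0, _der(0x30, mech_types + _der(0xA2, _der(0x04, mech_token))))
    return "Negotiate " + base64.b64encode(_der(0x60, _der(0x06, SPNEGO) + init)).decode()
```

Run `classify_auth_header` over Authorization values captured at a reverse proxy or in a packet capture (IIS logs do not record the header by default) and tally the results; a non-zero NTLM share on a site that is supposed to be Kerberized is the signal to chase SPN and DNS-name problems.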

In coming posts, I'll discuss in detail how to configure Kerberos with IIS-based web applications, identify some gotchas, but also show when it can save the day, with SharePoint in particular!

And cut!


Author: Marc Lognoul

Relentless cloud professional. Restless rider. Happy husband. Proud father. Opinions are my own.
