7

I have some questions on using a keytab for authentication; I hope the kind people here can enlighten me.

Say I have userA, who is going to use a service running at port 1010. First, userA will log in to Active Directory to authenticate himself.

[diagram not available]

After login, userA will try to connect to the server to use its service on port 1010. In order for the server to verify that userA is who he says he is, I need to use setspn to register an SPN in Active Directory, e.g.

setspn -s service1010/mydomain.com serviceaccount1

Then I need to generate a keytab file with ktab at Active Directory, e.g.

ktab -a serviceprincal1010/server.domain.com@DOMAIN.COM -k mykeytab.keytab

and then bring mykeytab.keytab to the server.

At the server, I would use JAAS with a login config to query the KDC, e.g.

ServicePrincipalLoginContext
{
  com.sun.security.auth.module.Krb5LoginModule required
  principal=serviceprincal1010/server.domain.com@DOMAIN.COM
  doNotPrompt=true useKeyTab=true keyTab=mykeytab.keytab storeKey=true;
};

From this point on, I am confused. How does userA get verified (i.e., that userA is actually who he says he is)?

John R Smith
dorothy

2 Answers

15

Your diagram is wrong. You have a basic misunderstanding about how Kerberos works. (It's fairly common, by the way.) A service that uses Kerberos for authentication NEVER talks to the KDC. All it ever does is use its secret key (keytab) to decrypt blobs that are presented by the user.

The only part of Kerberos that ever talks to the KDC is the client or user side. When it attempts to access the service at port 1010, it first asks the KDC for a service ticket for that service. This is a blob encrypted with the service's secret key that has the user's identity inside it (plus a bunch of other protocol-related stuff).

If you have a GSS-based API inside your service on port 1010, all you need to do is tell that API where the keytab is and then ask it what the user ID is on the connection. You never need to make any other connections to external services. I am not familiar with the Java APIs, but there should only be one or two calls required to verify the user credentials.

While this dialogue doesn't exactly match the version of Kerberos currently in use, it will help you understand the basic principles.

http://web.mit.edu/kerberos/dialogue.html

8

To understand this, you must understand the basic principles of Kerberos, which is a "trusted third party" security system.

Your server will receive a "token" which the Ticket-Granting Service (TGS; basically, the Windows Domain Controller) has encrypted using the server's secret key, the one which is present in the keytab file. The server, naturally, will need access to that secret key in order to decrypt. If the decryption is successful, this is a guarantee to the server that the token is authentic because the secret key is known only to the TGS and the server—that's the secret these two parties share.

The phrase "trusted 3rd party" refers to the TGS because the server (party 1) allows the user (party 2) to be authenticated because it indirectly trusts the TGS (party 3).

William F. Jameson
  • Hi, thanks. So do I need to do anything further at the server side (where the service 1010 is running)? After executing "ServicePrincipalLoginContext" (the login config), do I need to do some Java programming to verify the "token" that you mentioned? Is there a chance there might be a man-in-the-middle attack? – dorothy Aug 07 '14 at 14:00
  • The JGSS-API must take care of token decryption and parsing; you just need to configure the location of the keytab file. – William F. Jameson Aug 07 '14 at 14:01
  • The JGSS-API? Is that JAAS? So I just define "ServicePrincipalLoginContext", that's all, right? And the server will just trust the TGS that userA is the one authenticating? What I am afraid of is some kind of MITM attack. Would that be possible? – dorothy Aug 07 '14 at 14:03
  • Kerberos is a lot more complicated than I describe in the answer. It takes care of MITM, ticket replay, and many more. JGSS-API is the one which handles Kerberos; if I remember correctly it must be defined as the security provider. Details are fading, it has been 8 years since I have had to set this up on a project. – William F. Jameson Aug 07 '14 at 14:31
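The "one or two calls" the first answer refers to, and the JGSS token handling the comments above describe, look like this on the Java side. This is an added example, not code from the question or either answer; it assumes the question's "ServicePrincipalLoginContext" JAAS entry is loaded (e.g. via -Djava.security.auth.login.config), that the client's AP-REQ has already been read off the port-1010 connection into a byte array (how the token is framed on the wire is your protocol's business), and that sendToClient is a hypothetical name for writing the reply back.

```java
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import java.security.PrivilegedExceptionAction;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.Oid;

public class KerberosAcceptor {

    // Loads the service key from the keytab via the JAAS entry in the question.
    // With isInitiator=false added to that entry, Krb5LoginModule does not ask the
    // KDC for a TGT, so the service never needs a connection to the KDC at all.
    static Subject loginServiceFromKeytab() throws LoginException {
        LoginContext lc = new LoginContext("ServicePrincipalLoginContext");
        lc.login();
        return lc.getSubject();
    }

    // Verifies the client's AP-REQ token with the service key and returns the
    // authenticated client principal (e.g. "userA@DOMAIN.COM"). The JGSS provider
    // rejects tokens not encrypted with our key, expired tickets and replays.
    static String authenticateClient(Subject service, byte[] apReqToken) throws Exception {
        PrivilegedExceptionAction<String> accept = () -> {
            GSSManager manager = GSSManager.getInstance();
            Oid krb5 = new Oid("1.2.840.113554.1.2.2"); // Kerberos V5 mechanism (RFC 1964)
            // Name null: take the service principal from the Subject's keytab entry.
            GSSCredential serverCred = manager.createCredential(null,
                    GSSCredential.INDEFINITE_LIFETIME, krb5, GSSCredential.ACCEPT_ONLY);
            GSSContext ctx = manager.createContext(serverCred);
            try {
                // Decrypts the ticket inside the token; apRep is the AP-REP to send
                // back when the client requested mutual authentication.
                byte[] apRep = ctx.acceptSecContext(apReqToken, 0, apReqToken.length);
                if (!ctx.isEstablished()) {
                    throw new GSSException(GSSException.DEFECTIVE_TOKEN);
                }
                // sendToClient(apRep); -- hypothetical write to the port-1010 socket
                return ctx.getSrcName().toString();
            } finally {
                ctx.dispose();
            }
        };
        return Subject.doAs(service, accept);
    }
}
```

If acceptSecContext throws, the token was not encrypted under the key in mykeytab.keytab (or is stale), so the connection should be refused; only the name returned by getSrcName should be used as the caller's identity.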