Kerb-001 - What is a Kerberos constrained configuration, and why use one?

Published by Laurent Carcs

For my first post, I will describe the technical prerequisites, the architecture, and the application and environment settings needed to design a Microsoft BI architecture properly in a Kerberos constrained configuration.

First of all, what is a Kerberos constrained configuration, and why use one?

You will find many technical descriptions on the Internet that define the Kerberos protocol, for example Wikipedia (http://en.wikipedia.org/wiki/Kerberos_(protocol)).

These descriptions explain how the protocol works, but not what a Kerberos constrained environment is, nor why you must implement one.

I will try to explain my understanding of it with an image.

Imagine a "basketball" game where the players cannot move, but can only pass and catch the ball in order to shoot. Before the game, the players have simply been authorised to enter the field and play. They will score easily.

Now imagine another "basketball" game where the players still cannot move, but also cannot do anything until they have received a personal authorisation to pass the ball to, or catch it from, one specific player (including themselves). What a nightmare, isn't it?
With a lot of imagination, I admit, the users and servers are the players, the Kerberos ticket is the ball, and the field is your Active Directory environment.

The first game is a very simple picture of a "trust this computer for delegation to any service" Kerberos configuration (unconstrained delegation), and the second game is a very simple picture of a constrained delegation configuration, where each service account is allowed to delegate only to an explicit list of target services.
So why don't we simply play the "fully trusted" game, as explained in http://technet.microsoft.com/en-us/library/cc738491(WS.10).aspx and in http://technet.microsoft.com/en-us/library/cc739474(WS.10).aspx?

Because it creates a critical security flaw. When a computer is "trusted for delegation" (unconstrained delegation), the user's forwardable TGT is handed to that server, which can then request service tickets as that user to any service in the domain, not only the back end your application actually needs. Anyone who compromises that server can therefore impersonate every user who has authenticated to it.
In fact, the constrained configuration is not an option but the only strongly recommended way to configure delegation in a real production environment: the front-end service account is restricted to the exact back-end SPNs listed in its msDS-AllowedToDelegateTo attribute, and nothing else.
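As an added example, not part of the original post, here is how the two games look from the ActiveDirectory PowerShell module: an audit that finds every account playing the first game (unconstrained delegation, the flaw described above), and the changes that move a BI front end to the second game (constrained delegation, the recommended configuration). The domain contoso.com, the accounts svc_reporting, svc_sql, svc_ssas and bi_admin, and the hosts sql01 and ssas01 are assumptions; replace them with the SPNs of your own BI tier.

```powershell
# Added example, not the original post's code. All names (contoso.com, sql01, ssas01,
# svc_reporting, svc_sql, svc_ssas, bi_admin) are assumptions; replace them with your own.
Import-Module ActiveDirectory

# --- 1. Audit: who is playing the first game? -------------------------------------
# "Trust this computer for delegation to any service" sets the userAccountControl bit
# TRUSTED_FOR_DELEGATION (0x80000). Domain controllers carry it by design; any other
# computer or service account carrying it is unconstrained delegation.
$unconstrained = @(
    Get-ADComputer -Filter { TrustedForDelegation -eq $true } -Properties primaryGroupID |
        Where-Object { @(516, 521) -notcontains $_.primaryGroupID }   # 516 = DCs, 521 = RODCs
    Get-ADUser -Filter { TrustedForDelegation -eq $true }
)
$unconstrained | Select-Object Name, ObjectClass, DistinguishedName

# --- 2. Fix: move the BI front end to the second game -----------------------------
# Prerequisite: every target service must have its SPN registered on its own service
# account, otherwise the KDC cannot issue the delegated ticket. setspn -S refuses to
# create a duplicate SPN; setspn -X lists duplicates already present in the forest.
#   setspn -S MSSQLSvc/sql01.contoso.com:1433 CONTOSO\svc_sql
#   setspn -S MSOLAPSvc.3/ssas01.contoso.com  CONTOSO\svc_ssas
#   setspn -X

$frontEnd = 'svc_reporting'   # assumed: the account running the Reporting Services front end

# Clear the "any service" flag ...
Set-ADAccountControl -Identity $frontEnd -TrustedForDelegation $false

# ... and list exactly which back-end SPNs this account may impersonate users to.
# Writing msDS-AllowedToDelegateTo is what the GUI calls
# "Trust this user for delegation to specified services only".
Set-ADUser -Identity $frontEnd -Replace @{
    'msDS-AllowedToDelegateTo' = @(
        'MSSQLSvc/sql01.contoso.com:1433',
        'MSSQLSvc/sql01.contoso.com',
        'MSOLAPSvc.3/ssas01.contoso.com'
    )
}

# Keep "Use Kerberos only". TrustedToAuthForDelegation $true would enable protocol
# transition, letting the front end obtain tickets for users who never presented a
# Kerberos ticket to it; enable it only when a non-Kerberos client (for example forms
# or basic authentication) genuinely requires it.
Set-ADAccountControl -Identity $frontEnd -TrustedToAuthForDelegation $false

# --- 3. Verify the result ---------------------------------------------------------
Get-ADUser -Identity $frontEnd -Properties TrustedForDelegation, TrustedToAuthForDelegation, 'msDS-AllowedToDelegateTo' |
    Select-Object Name, TrustedForDelegation, TrustedToAuthForDelegation, 'msDS-AllowedToDelegateTo'

# --- 4. Protect the accounts that must never be delegated -------------------------
# "Account is sensitive and cannot be delegated" (NOT_DELEGATED, 0x100000) makes the KDC
# refuse forwardable tickets for this user, so even a misconfigured or compromised
# front end cannot impersonate your BI administrators.
Set-ADAccountControl -Identity 'bi_admin' -AccountNotDelegated $true
```

Run section 1 first and treat every non-DC hit as a finding; section 2 is the per-account fix, and section 4 is the safety net for privileged accounts that should never appear in a delegation chain at all.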
You will find more serious technical information at the following link:

http://technet.microsoft.com/en-us/library/cc738207(WS.10).aspx

or also in this excellent book (link):
http://searchwindowsserver.techtarget.com/generic/0,295582,sid68_gci1050149,00.html