What is Kerberos?

Article #: Product Castle
3484 Authentication Any

Summary

The following write up is geared to gaining a further understanding of what Kerberos authentication is, what it’s used for, and how to make use of proprietary authentication deployment tools for user authentication with Smoothwall.

Problem

Authentication of Users incurs errors, are not authenticated at all, or authentication is not running optimally. Possibly some applications are not responding to proxy requests for authentication.

How Does It Work?

Authenticate user identity. When a user wants to gain access to a server, the server needs to verify the user’s identity. Since access to resources is based on identity and associated permissions, the server must be sure the user really has the identity it claims.

Securely package the user’s name. The user’s name — that is, the User Principal Name (UPN): Alice@tailspintoys.com, for example — and the user’s credentials are packaged in a data structure called a ticket.

Securely deliver user credentials. After the ticket is encrypted, messages are used to transport user credentials along the network

Furthermore, the Kerberos authentication protocol provides a mechanism for mutual authentication between a client and a server before a network connection is opened between them. The protocol assumes that initial transactions between clients and servers take place on an open network — an environment where most clients and many servers are not physically secure and packets traveling along the network can be monitored and modified at will. In other words, the protocol is designed for an environment that is much like today's Internet, where an attacker can easily pose as either a client or a server and can readily eavesdrop on or tamper with communications between legitimate clients and servers.

The Smoothwall Kerberos logon scripts are triggered by logon events that are enforced by Group Policy for Windows domain-joined PC's and via MDM (Mobile Device Management) for OSX.

Background Logon file - This file is saved under the NETLOGON share of a local domain and is enforced via group policy as a logon script. Once the GPO has been pushed, the script runs on the local machine as a wscript.exe file and calls on the secondary script named the Logon Loop.

Logon Loop file - This script is a consecutive loop that runs every 120 seconds (2 minutes) to send the local machine's Kerberos ticket information (AD user information) to the Smoothwall until activity falls idle or the user logs off.

Solution

Windows

If you’re currently using group policy in your Microsoft active directory environment, you can enforce a logon policy to make use of our Kerberos scripts for single sign on.

Order of operations for deployment in Windows environment:

  1. Install both script files into the domain's netlogon share via GPO manager.
  2. Set background_logon.vbs as a logon script in group policy. This share is replicated between all domain controllers, ensuring the script is always available. Items in blue will need to be altered to match the target network.
  3. Open the Background_logon.vbs file in order to insert the FQDN your active directory users are joined to:

Dim shell Set shell = WScript.CreateObject("WScript.Shell")

Add the correct domain name to the next line.

shell.Run "//Smoothwall.local/netlogon/logon_loop.vbs", 0, False

  1. Open the Logon_loop.vbs file to add the Smoothwall's FQDN:

On Error Resume Next

Dim winhttp

Set winhttp = CreateObject("WinHttp.WinHttpRequest.5.1")

Do While (True)

' Add the correct host name to the next line

winhttp.Open "GET", "http://Smoothwall.FQDN.(org.net.com.local):814 /" winhttp.SetAutoLogonPolicy(0)

winhttp.Send

WScript.Sleep 120000

Loop


Mac OS X

If you manage Mac OS X devices via Meraki, Casper, Apple configurator, or any other form of mobile device management, you can follow the following instructions to test out single sign-on for those users joined to your active directory.

Due to Apple’s System Integrity Protection, (SIP) the following will have to be followed in order to change the permissions on an account for authentication / ident with Smoothwall

  1. Move plist file into a folder like /Library/LaunchAgents

It needs the following permissions rw_-r_-r_ root wheel

  1. Move macclient file into /Library/ folder

It needs the following permissions rw_-r_x-r_x root wheel

You will now have to alter the permissions on the local account by performing the following:

Changing the permissions:

  1. Terminal login as su (requires root pw for the mac)
  1. sudo chown root:wheel /Library/LaunchAgents/<PLIST NAME>
  1. sudo chmod 644 /Library/LaunchAgents/<PLIST NAME>
  1. sudo chown root:wheel /Library/<MAC CLIENT>
  1. sudo chmod 755 /Library/<MAC CLIENT>
  1. Reboot the Mac and login as a domain user to test.

Test permissions:

  1. Terminal login as su
  1. ls -al /Library/<MAC CLIENT>
  1. ls -al /Library/LaunchAgents/<MAC CLIENT>
  1. Reboot and check user activity for login
  1. Log back into Smoothwall UI
  1. Check Services >> Authentication >> User Activity in order to verify if user was authenticated by Smoothwall
  1. Check that the user has been dumped into the respected group the user is a member of in your Active directory
  1. Verify that the IP address matches the user’s current login

Attribution:

Last updated: Author: Contributions by:
27 October 2017 Craig Fearnsides