From: Eric Chamberlain, CISSP (eric_at_uclink.berkeley.edu)
Date: Thu Aug 28 2003 - 13:44:42 PDT
Greg,
What you mention would be nice, but what I would like is the reverse: any
CalNet user can authenticate to IIS via AWS. Since their user account and
group membership is already in AD, I would like to create a Windows user
token based on the successful AWS authentication. Basically, when IIS
gets the UID back from AWS, it would impersonate the user and request a
Kerberos ticket on their behalf.
Basically what is described in this article
http://msdn.microsoft.com/msdnmag/issues/03/04/SecurityBriefs/, using AWS.
--
Eric Chamberlain, CISSP
Campus Active Directory Architect
Central Computing Services
University of California, Berkeley
http://calnetad.berkeley.edu
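As an added example, not code from this thread or from any Berkeley project, the IIS-side step described above in C#: the web server already holds a CalNet UID returned by AWS and uses Kerberos protocol transition (S4U2Self) to obtain a Windows token for that user without ever seeing a password. It assumes .NET 2.0 or later on Windows Server 2003, a domain at 2003 functional level, and a placeholder UPN suffix; the AWS validation itself is outside the block.

```csharp
using System;
using System.Security.Principal;

// Added example: turn an externally authenticated CalNet UID into a Windows
// token via Kerberos protocol transition (S4U2Self). No password is handled.
public static class AwsToWindowsToken
{
    // Placeholder: the real UPN suffix of the campus AD is not given in the thread.
    private const string UpnSuffix = "@EXAMPLE-AD-DOMAIN";

    // Call only after the AWS response has been validated: the service account
    // can mint a token for ANY UPN, so that validation is the trust boundary.
    public static WindowsIdentity TokenForAuthenticatedUser(string calnetUid)
    {
        if (string.IsNullOrEmpty(calnetUid) || calnetUid.IndexOf('@') >= 0)
            throw new ArgumentException("expected a bare CalNet UID", "calnetUid");

        // The UPN-only constructor asks the KDC for a service ticket to our own
        // service on the user's behalf (Windows Server 2003, 2003 domain level).
        return new WindowsIdentity(calnetUid + UpnSuffix);
    }

    // Without the "Act as part of the operating system" privilege the KDC still
    // answers, but the token is Identification level: fine for access checks and
    // group membership (what IIS needs for authorization), not for impersonation.
    public static bool CanImpersonate(WindowsIdentity id)
    {
        return id.ImpersonationLevel == TokenImpersonationLevel.Impersonation
            || id.ImpersonationLevel == TokenImpersonationLevel.Delegation;
    }

    // Group-based authorization works even on an identification-level token.
    public static bool IsMemberOf(WindowsIdentity id, string domainGroup)
    {
        return new WindowsPrincipal(id).IsInRole(domainGroup);
    }

    // Run work under the user's token; always revert, even if the work throws.
    public static void RunAsUser(WindowsIdentity id, Action work)
    {
        if (!CanImpersonate(id))
            throw new InvalidOperationException(
                "identification-level token only; check the service account's privileges");
        WindowsImpersonationContext ctx = id.Impersonate();
        try { work(); }
        finally { ctx.Undo(); }
    }
}
```

Because any UPN can be turned into a token this way, the service account's privileges and the code path that calls TokenForAuthenticatedUser deserve the same scrutiny as a password store.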
> -----Original Message-----
> From: Greg Small [mailto:gts_at_uclink.berkeley.edu]
> Sent: Thursday, August 28, 2003 1:25 PM
> To: eric_at_uclink.berkeley.edu; rmeans_at_law.berkeley.edu
> Cc: 'Mike Friedman'; micronet-list_at_uclink.berkeley.edu;
> calnet-tech_at_uclink.berkeley.edu
> Subject: RE: [Micronet] IIS coding question
>
> Eric,
>
> As I understand this, you want CalNet AD logged-in users to be able to
> access AWS authenticated applications without having to re-enter their
> ID and passphrase. Essentially single sign-on.
>
> As Mike said, this must not involve capturing the CalNet ID and
> passphrase on your server, so this would need to use some form of true
> Kerberos. So:
>
> 1) If you want this ability only for your own web servers and those
> servers are IIS, then they can use AD Kerberos and LDAP ("Integrated
> Authentication"?). I would assume that this method is already available
> in IIS (just as NTLM was an IIS authentication method in earlier IIS's).
> The problem would be fall-back to regular AWS authentication.
>
> This could be done with a CGI script/program. This probably allows
> simpler fall-back to regular AWS.
>
> ISAPI filters are relatively straightforward for an experienced C++ or
> Visual Basic programmer. There are several books with examples. I wrote
> an ISAPI filter for IIS 3.0 using Visual C++ for the initial SAFE
> Download Service in 1997. Unfortunately I cannot find the source.
>
> 2) If you want this ability for all AWS applications (and we do :-),
> then some enhancement of the AWS service would be necessary. The CalNet
> Kerberos KDC would have to grant AWS Kerberos tokens and the AWS would
> have to return a web token when presented with the AWS Kerberos token.
> This would require a web browser add-on as has been done by other
> universities that use Kerberos authentication (check with CMU about
> cmukweb).
>
> However this is done, it must be possible for certain AWS authenticated
> web services to require a full AWS authentication. This is necessary
> because many users will leave their workstations unattended. So blu, the
> CalNet Deputy services, etc. must be able to require full AWS
> authentication.
>
> Greg Small
> Security Infrastructure Project
> Workstation Software Support WSS/IST
> University of California at Berkeley
> On a network, paranoia is just good thinking!
> Systems Programmer for 36 years and it's still fun!
> The opinions or statements expressed herein should not be
> taken as a position or endorsement of the University of
> California, Berkeley.
> "http://wssg.berkeley.edu/SecurityInfrastructure/"
>
> At 11:43 AM 8/28/2003 -0700, Eric Chamberlain, CISSP wrote:
> >I've done some more research. It looks like it is possible to come up
> >with an ISAPI filter for IIS 6.0 that would use AWS for authentication
> >and then generate a Windows token for the user. Then IIS can handle the
> >authentication instead of each individual application. IIS 6.0 can
> >actually get Kerberos tickets for the user, without ever receiving the
> >user's password. My problem now is that I have never done any ISAPI
> >programming and need to find someone that could code the filter.
> >
> >In any case, I think someone needs to come up with a module soon, since
> >IIS 6.0 can natively act as a Kerberos proxy and bypass AWS.
> >
> >--
> >Eric Chamberlain, CISSP
> >Campus Active Directory Architect
> >Central Computing Services
> >University of California, Berkeley http://calnetad.berkeley.edu
> >
> >
> > > -----Original Message-----
> > > From: rmeans_at_law.berkeley.edu [mailto:rmeans_at_law.berkeley.edu]
> > > Sent: Thursday, August 28, 2003 10:36 AM
> > > To: eric_at_uclink.berkeley.edu
> > > Cc: Mike Friedman; micronet-list_at_uclink.berkeley.edu
> > > Subject: Re: [Micronet] IIS coding question
> > >
> > >
> > > I've also written an Apache module in mod_perl that authenticates
> > > the user with AWS and then authorizes them with AD groups. It's
> > > working quite well for us, except for those users that aren't in
> > > our OU yet (and others that never will be). I'm coming up with an
> > > alternate authentication method (AD binds, I'm thinking) for those
> > > folks. I'm sure that IIS can be set up in a similar way.
> > >
> > > Ryan
> > >
> > > Mike Friedman wrote:
> > >
> > > > On Tue Aug 26 17:27:44 2003, Eric Chamberlain, CISSP said:
> > > >>I have a website.
> > > >>What I want:
> > > >>Users connecting from a CalNetAD member machine can use Integrated
> > > >>Authentication and would not get prompted for a username and
> > > >>password.
> > > >>Users connecting from machines not in the domain, would get
> > > >>prompted to enter their CalNetID and Passphrase, via Basic
> > > >>Authentication, so I need SSL.
> > > >
> > > > Eric,
> > > > It sounds like you're talking about receiving (non-domain) users'
> > > > CalNet passphrases in your own web server (you mention Basic
> > > > Authentication), which runs counter to the CalNet model. The main
> > > > reason for having a central AWS is so that users send their
> > > > passphrases only there and not to individual application servers.
> > > > Even if you use SSL to protect the passphrase in transmission,
> > > > anyone who gains access to your server could potentially capture
> > > > the passphrases, which is a risk to other applications as well.
> > > >
> > > >>Has anyone come up with a module for IIS to use AWS for
> > > >>authentication, instead of using Basic or Integrated
> > > >>Authentication? I'm looking for something that would generate a
> > > >>Windows credential token.
> > > > I understand that Ray Davis of ETS has an Apache plugin that may
> > > > be based on a similar concept. It allows the web server itself to
> > > > use the AWS and then maintain authentication state without the
> > > > application having to do this. (This is based on my meager
> > > > understanding of the thing, only knowing about it by hearsay).
> > > > Clearly, you'd need something different for IIS, but maybe this
> > > > can be adapted (in particular, to generate a Windows credential
> > > > token).
> > > >
> > > > Mike
> > > >
> > > > ----------------------------------------------------------------
> > > > Mike Friedman                   System and Network Security
> > > > mikef_at_ack.Berkeley.EDU       2484 Shattuck Avenue
> > > > 1-510-642-1410                  University of California at Berkeley
> > > > http://ack.Berkeley.EDU/~mikef  http://security.berkeley.edu
> > > >
> > > --
> > > Ryan L. Means
> > > Chief Technical Officer
> > > School of Law (Boalt Hall)
> > > University of California, Berkeley
This archive was generated by hypermail 2.1.5 : Thu Aug 28 2003 - 13:49:26 PDT