ntlmv2 & Kerberos (General questions)
Do you have any plans on adding NTLMv2 and/or Kerberos as authentication protocol to the HTTPDLX component?
Re: ntlmv2 & Kerberos
Hi Dirk,
We already have NTLM authentication support implemented in the component. You can set the component to use it by setting the Authentication property to AuthNTLM.
As for Kerberos, I'll have to check with our programmers to see if we have any plans on implementing this feature.
I'll inform you as soon as I have news on this.
Regards,
Damba
Re: ntlmv2 & Kerberos
There is NTLMv1, not v2.
Re: ntlmv2 & Kerberos
Dirk,
Do you have a server we could test this with? I will install Vista, but it could speed things up if we have access to one.
Kreso
Re: ntlmv2 & Kerberos
Dirk,
Do you have a server we could test this with? I will install Vista, but it could speed things up if we have access to one.
Kreso
No I don't have one for the moment.
It's just a question from one of my customers. They are mostly interested in the Kerberos part. I'll ask them if they could give us access to it.
dirk
Re: ntlmv2 & Kerberos
I just checked with my customer and his servers are all on his intranet, and not accessible from the internet. So those can't be used for testing.
Re: ntlmv2 & Kerberos
Dirk,
Do you have a server we could test this with? I will install Vista, but it could speed things up if we have access to one.
Kreso
What are the next step(s) now?
Re: ntlmv2 & Kerberos
Dirk,
I can't make any promise to go in this direction now, since I don't have a place to test. I tried to install it locally but didn't have much luck.
Kreso
Re: ntlmv2 & Kerberos
Dirk,
I can't make any promise to go in this direction now, since I don't have a place to test. I tried to install it locally but didn't have much luck.
Kreso
What part gave you a problem when trying to install?
dirk.
Re: ntlmv2 & Kerberos
All of it :) I couldn't find docs that explain how it works, or what kind of server (except for IIS) I need, or where to find it. It always seemed to refer to a 3rd-party server I would need to connect to.
Kreso
Re: ntlmv2 & Kerberos
This is the install info I got from the customer:
For instructions I guess it’s something like the following:
- Install plain Microsoft Windows 2003 Server
- Install Active Directory and DNS
- Upgrade Active Directory to Native mode
- Disable Anonymous login in IIS and make sure that only Windows Integrated Login is selected
- Install Servers Alive
- Create an Active Directory user for Servers Alive to use
- Install a Windows 2003 Server as a domain member server
- Install IIS
- Create a testfile under the Default Website directory
- Grant rights to read the file provided by IIS using the normal NTFS file system file properties; make sure that Everyone or Domain Users do not have access
- Add a DNS alias for the member server named intranet
- Create a Kerberos SPN for the DNS alias using the command “setspn -a HTTP/intranet <computername>”
- Configure Servers Alive to do an HTTP check using the specified account and URL via the DNS alias
- Test the Servers Alive control
Our system is a bit complex, but I think that would provide you with enough infrastructure to make tests. We also do the following that could have an impact…
- Disable NTLMv1 on domain controllers
- Run Microsoft SharePoint Portal 2007 as an IIS application under a specified service account that has the Kerberos SPN registered
- Run over HTTPS and using Host headers
- Security policies (GPO) as below, the ones most probably causing troubles in this case marked red (please don’t distribute this info, since it might be considered sensitive even if it’s standard Microsoft stuff):
o Accounts: Limit local account use of blank passwords to console logon only Enabled
o Audit: Audit the access of global system objects Disabled
o Audit: Audit the use of Backup and Restore privilege Disabled
o Audit: Shut down system immediately if unable to log security audits Enabled
o Devices: Allow undock without having to log on Disabled
o Devices: Allowed to format and eject removable media Administrators
o Devices: Prevent users from installing printer drivers Enabled
o Devices: Restrict CD-ROM access to locally logged-on user only Disabled
o Devices: Restrict floppy access to locally logged-on user only Disabled
o Devices: Unsigned driver installation behavior Warn but allow installation
o Domain controller: Allow server operators to schedule tasks Disabled
o Domain controller: LDAP server signing requirements Require signing
o Domain controller: Refuse machine account password changes Disabled
o Domain member: Digitally encrypt or sign secure channel data (always) Enabled
o Domain member: Digitally encrypt secure channel data (when possible) Enabled
o Domain member: Digitally sign secure channel data (when possible) Enabled
o Domain member: Disable machine account password changes Disabled
o Domain member: Maximum machine account password age 30 days
o Domain member: Require strong (Windows 2000 or later) session key Enabled
o Interactive logon: Display user information when the session is locked User display name, domain and user names
o Interactive logon: Do not display last user name Enabled
o Interactive logon: Do not require CTRL+ALT+DEL Disabled
o Interactive logon: Message text for users attempting to log on This is a Swedish Armed Forces device.,Only authorized users are entitled to connect or log in to this device.,If you are not sure whether you are authorized or not then you are NOT and should DISCONNECT IMMEDIATELY!,Audit trail is activated and offenders of this policy will be prosecuted!
o Interactive logon: Message title for users attempting to log on Warning!
o Interactive logon: Number of previous logons to cache (in case domain controller is not available) 0 logons
o Interactive logon: Pr
Re: ntlmv2 & Kerberos
Dirk,
Are you sure this is the full list? I think some part is missing at the end.
Can you please check that?
Drazen
Re: ntlmv2 & Kerberos
You're right, there is a part missing:
o Interactive logon: Prompt user to change password before expiration 14 days
o Interactive logon: Require Domain Controller authentication to unlock workstation Enabled
o Interactive logon: Require smart card Disabled
o Interactive logon: Smart card removal behavior Lock Workstation
o Microsoft network client: Digitally sign communications (always) Enabled
o Microsoft network client: Digitally sign communications (if server agrees) Enabled
o Microsoft network client: Send unencrypted password to third-party SMB servers Disabled
o Microsoft network server: Amount of idle time required before suspending session 15 minutes
o Microsoft network server: Digitally sign communications (always) Enabled
o Microsoft network server: Digitally sign communications (if client agrees) Enabled
o Microsoft network server: Disconnect clients when logon hours expire Enabled
o Network access: Allow anonymous SID/Name translation Disabled
o Network access: Do not allow anonymous enumeration of SAM accounts Enabled
o Network access: Do not allow anonymous enumeration of SAM accounts and shares Enabled
o Network access: Do not allow storage of credentials or .NET Passports for network authentication Enabled
o Network access: Let Everyone permissions apply to anonymous users Disabled
o Network access: Named Pipes that can be accessed anonymously COMNAP,COMNODE,SQLQUERY,SPOOLSS,BROWSER,netlogon,lsarpc,samr
o Network access: Remotely accessible registry paths System\CurrentControlSet\Control\ProductOptions,System\CurrentControlSet\Control\Server Applications,Software\Microsoft\Windows NT\CurrentVersion
o Network access: Remotely accessible registry paths and sub-paths Software\Microsoft\Windows NT\CurrentVersion\Print,Software\Microsoft\Windows NT\CurrentVersion\Windows,System\CurrentControlSet\Control\Print\Printers,System\CurrentControlSet\Services\Eventlog,Software\Microsoft\OLAP Server,System\CurrentControlSet\Control\ContentIndex,System\CurrentControlSet\Control\Terminal Server,System\CurrentControlSet\Control\Terminal Server\UserConfig,System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration,Software\Microsoft\Windows NT\CurrentVersion\Perflib,System\CurrentControlSet\Services\SysmonLog
o Network access: Restrict anonymous access to Named Pipes and Shares Enabled
o Network access: Sharing and security model for local accounts Classic - local users authenticate as themselves
o Network security: Do not store LAN Manager hash value on next password change Enabled
o Network security: Force logoff when logon hours expire Enabled
o Network security: LAN Manager authentication level Send NTLMv2 response only\refuse LM & NTLM
o Network security: LDAP client signing requirements Negotiate signing
o Network security: Minimum session security for NTLM SSP based (including secure RPC) clients Require message integrity,Require message confidentiality,Require NTLMv2 session security,Require 128-bit encryption
o Network security: Minimum session security for NTLM SSP based (including secure RPC) servers Require message integrity,Require message confidentiality,Require NTLMv2 session security,Require 128-bit encryption
o Recovery console: Allow automatic administrative logon Disabled
o Recovery console: Allow floppy copy and access to all drives and all folders Disabled
o Shutdown: Allow system to be shut down without having to log on Disabled
o Shutdown: Clear virtual memory pagefile Enabled
o System cryptography: Force strong key protection for user keys stored on the computer User must enter a password each tim
Re: ntlmv2 & Kerberos
Dirk,
I think there is even more missing. Can you please check?
Drazen
Re: ntlmv2 & Kerberos
o System cryptography: Force strong key protection for user keys stored on the computer User must enter a password each time they use a key
o System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing Disabled
o System objects: Default owner for objects created by members of the Administrators group Object creator
o System objects: Require case insensitivity for non-Windows subsystems Enabled
o System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links) Enabled
o System settings: Use Certificate Rules on Windows Executables for Software Restriction Policies Enabled
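As an added example (not code from this thread or from the HTTPDLX component), the following Python parses an NTLM Type 3 AUTHENTICATE_MESSAGE and checks whether the client's response family and negotiated session-security flags would satisfy the "LAN Manager authentication level: Send NTLMv2 response only\refuse LM & NTLM" and "Minimum session security for NTLM SSP" settings in the policy list above; it shows why a client that only produces NTLMv1 responses, as noted earlier in the thread, is refused by such a domain. The message layout and flag values are from MS-NLMP; the sample messages are constructed inline, not captured from the component.

```python
import struct

# NTLMSSP NegotiateFlags bits (MS-NLMP 2.2.2.5) behind the "Minimum session
# security for NTLM SSP" policy values listed in the thread.
SIGN, SEAL, EXT_SESSION_SEC, KEY_128 = 0x10, 0x20, 0x00080000, 0x20000000

def _field(msg, off):
    # Len/MaxLen/Offset descriptor -> the bytes it points at in the payload.
    length, _maxlen, start = struct.unpack_from("<HHI", msg, off)
    return msg[start:start + length]

def classify_type3(msg):
    """Classify an NTLM AUTHENTICATE_MESSAGE (Type 3) and its session flags."""
    if msg[:8] != b"NTLMSSP\x00" or struct.unpack_from("<I", msg, 8)[0] != 3:
        raise ValueError("not an NTLM Type 3 message")
    lm_resp, nt_resp = _field(msg, 12), _field(msg, 20)
    flags = struct.unpack_from("<I", msg, 60)[0]
    # An NTLMv1 NtChallengeResponse is exactly 24 bytes (three DES blocks);
    # NTLMv2 is a 16-byte NTProofStr plus a client-challenge blob, so longer.
    if len(nt_resp) > 24:
        family = "NTLMv2"
    elif len(nt_resp) == 24:
        family = "NTLMv1"
    else:
        family = "LM" if len(lm_resp) == 24 else "anonymous"
    return {"family": family, "sign": bool(flags & SIGN), "seal": bool(flags & SEAL),
            "ntlmv2_session": bool(flags & EXT_SESSION_SEC), "key128": bool(flags & KEY_128)}

def passes_thread_policy(info):
    """True if the client would satisfy 'Send NTLMv2 response only\\refuse LM & NTLM'
    plus the four 'Require ...' session-security options from the GPO list."""
    return (info["family"] == "NTLMv2" and info["sign"] and info["seal"]
            and info["ntlmv2_session"] and info["key128"])

def build_sample_type3(nt_resp, lm_resp=b"\x00" * 24, flags=0):
    """Constructed Type 3 message for testing (not a captured component message)."""
    hdr_len = 64  # fixed header without the optional Version/MIC fields
    hdr = b"NTLMSSP\x00" + struct.pack("<I", 3)
    hdr += struct.pack("<HHI", len(lm_resp), len(lm_resp), hdr_len)
    hdr += struct.pack("<HHI", len(nt_resp), len(nt_resp), hdr_len + len(lm_resp))
    for _ in range(4):  # Domain, User, Workstation, SessionKey left empty
        hdr += struct.pack("<HHI", 0, 0, hdr_len + len(lm_resp) + len(nt_resp))
    return hdr + struct.pack("<I", flags) + lm_resp + nt_resp

if __name__ == "__main__":
    v1 = classify_type3(build_sample_type3(b"\x11" * 24))
    v2 = classify_type3(build_sample_type3(b"\x22" * 64, flags=SIGN | SEAL | EXT_SESSION_SEC | KEY_128))
    print(v1["family"], passes_thread_policy(v1))  # NTLMv1 False
    print(v2["family"], passes_thread_policy(v2))  # NTLMv2 True
```

Feed it the base64-decoded token from an "Authorization: NTLM ..." header captured on a test server to see which family a given client library actually sends.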
Re: ntlmv2 & Kerberos
Dirk,
I have to abandon this idea for the time being. Drazen installed the server correctly, but I was unable to find any working client that would return a correct response - except for IE, of course. All my attempts to connect failed. Documentation is very poor regarding the possible implementation (actually, all is undocumented), so I don't know where to turn to.
Even some ready-made libraries which I was able to download failed to connect.
So, sorry, but I can't proceed any further. I tried for the last few weeks with many ideas and attempts, but this just doesn't work.
Kreso