How does SPN with Kerberos work?

As I understand it,

  • SPN is an authenticating tool for Windows services.
  • Kerberos is a user authentication service.
  • SPNEGO-GSSAPI is the third-party API to be able to use those services.
  • SSPI: the neutral layer to send requests from SPNEGO to the SPN service.

Am I completely lost?

Trying to figure out how it works, but the information is either too precise or not enough.

Jonathan L asked Dec 05 '13 19:12



People also ask

Does Kerberos require SPN?

If you are using Kerberos-based authentication, you must configure a Service Principal Name (SPN) for Network Controller in Active Directory. The SPN is a unique identifier for the Network Controller service instance, which is used by Kerberos authentication to associate a service instance with a service login account.

How does Kerberos protocol work?

Kerberos is a computer network security protocol that authenticates service requests between two or more trusted hosts across an untrusted network, like the internet. It uses secret-key cryptography and a trusted third party for authenticating client-server applications and verifying users' identities.

What is SPN Active Directory?

A Service Principal Name (SPN) is a name in Active Directory that a client uses to uniquely identify an instance of a service. An SPN combines a service name with a computer and user account to form a type of service ID.

What is the difference between UPN and SPN?

UPN: An entity performing client requests to some service. Entity may be human or machine. See here. SPN: An entity processing requests for a specific service, e.g., HTTP, LDAP, SSH, etc.


3 Answers

OK, a more verbose answer:

  1. SPN - Service Principal Name. It is an identifier associated with each account in a KDC implementation (AD, OpenLDAP etc.). Basically, if your account acts as a service to which a client authenticates, the client has to specify "who" it wants to communicate with. This "who" identifier is the SPN. This is the strict definition. Many people often call the client name (UPN - User Principal Name) of a service an SPN. This happens when the service itself may act as a client (google the delegation scenario). This is not strictly correct but widely assumed true.

  2. Kerberos is a protocol for authentication. It is a name for a framework. It involves a third-party server (called KDC or Key Distribution Centre) and involves a series of steps of acquiring tickets (tokens of authentication). It is really complicated, so see http://en.wikipedia.org/wiki/Kerberos_(protocol)

  3. To some extent you got this right. GSSAPI is an API but SPNEGO is not. GSSAPI is technically agnostic to the auth mechanism you use, but most folks use it for Kerberos authentication. SPNEGO is a pseudo-mechanism, in the sense that it declares an RFC for authentication-based communication in the HTTP domain. Strictly speaking SPNEGO is a specification, but most folks also consider it an implementation. For instance, the Sun and IBM JDKs provide "mechanism providers" for SPNEGO token generation, but GSSAPI is used to actually call it. This is done in many projects (Tomcat as a server is an example that comes to the top of my head, and one of the folks who answered this question developed it).

  4. SSPI is an analogue to GSSAPI in Windows. It's a different API which ends up doing something very similar to GSSAPI.

Arunav Sanyal answered Sep 17 '22 22:09



Not quite.

SPN simply means 'Server Principal Name' and is the AD or Kerberos slang for the service you try to authenticate against.

Kerberos is a user authentication service, more or less yes. It also provides security for network messages and calls between services.

SPNEGO-GSSAPI* is a kind of strange beast. GSSAPI (Generic Security Service Application Program Interface) is an API to (in principle) different authentication services; it provides negotiation of the mechanisms used. Often the only mechanism available will be Kerberos though. It is the usual API to attach 3rd-party programs to Kerberos when you are on Unix (defined in various RFCs, for example RFC 2743).

On the windows platform SSPI is the generic layer, so it compares to GSSAPI.

SPNEGO is kind of a strange hybrid. It is a mechanism to be used in SSPI, HTTP Auth or GSSAPI which negotiates another auth protocol (for example Kerberos or NTLM if you are on Windows), so it basically does the same thing GSSAPI does again in a different way.

Typical uses of SPNEGO are HTTP authentication to a Windows domain; for example, IIS uses it if you use 'Integrated Windows authentication'. It is also used when you select the 'Negotiate' option for SSPI. See for example RFC 4559.

schlenk answered Sep 20 '22 22:09



Almost all of your understandings are wrong.

Here it goes:

  1. SPN: A specific service class is bound to a specific account, e.g. HTTP to www.stackoverflow.com => HTTP/[email protected]
  2. Yes
  3./4. GSS-API (Unix)/SSPI (Windows): Mechanism-neutral API to interact with, e.g. Kerberos 5, NTLM, SPNEGO, etc.
  3. SPNEGO: It is one of many mechanisms supported by GSS-API/SSPI. It is actually a pseudo-mech.

Michael-O answered Sep 17 '22 22:09
