Storing Kerberos authentication for later impersonation

Is it possible to store a Kerberos ticket to later use it to impersonate the user?

I have the scenario where a user directly invokes an external system to process some data. The external system relies on the user being impersonated/authenticated correctly in the AD.

Now the calling system has to change so that a queue sits between the user and the external system, and work from the queue is handed over to the external system by a Windows service. This service needs to impersonate the user in order for the external system to correctly handle user rights.

Given that I can't change the external system and cannot store the username and password in the queue, can I save a Kerberos ticket when the user adds new work items to the queue and later impersonate the user from the service when it hands over the data to the external system? How would I do that in C#?

GaussZ asked Dec 15 '11 14:12



1 Answer

Edit: This is the closest I can get to your actual question: can you start a separate thread under impersonation and make the request from there, however long it takes? Under the covers this will do what is needed (unless the service process is terminated, of course).

As a Microsoft guy once told us, "security is the thing which stops your application working when you deploy it". (His point was to test with a realistic security setup.)

The ticket may have a lifetime of 10 hours but that is the time from when it was issued. It may only have a fraction of that left by the time the user makes the request.

I suggest you simply solve the underlying problem in a different way.

What is the reason why you now need to queue? Simply because the external service is choked at peak times?

  • Can you beef up or scale out the hardware? Usually the cheapest way.
  • Do you actually have completely separate permissions or do the users slot into a finite number of roles? If roles you could record the role the user was in, and use specially created usernames to access the external service, one for each role.
  • Is the external service yours? Can you add a "pretend to be Bob" option that doesn't rely on Windows Impersonation?
  • Can you start a separate thread under impersonation, make the request from there, however long it takes? Then mail it back to the user? (yes this will under the covers be doing what you ask)
  • Finally you could place the user in a browser "ration queue". I.e. issue them with a number, then have the browser refresh every 10 seconds (or use Ajax) to tell them how many people ahead of them in the queue. When it is their turn, make the actual request under impersonation. (This requires them to keep the browser window open while waiting in the queue, and also requires you to keep track of outstanding requests and active browsers vs. gone-away browsers). Nasty, but will work.

Without knowing the actual problem, it is hard to advise, other than to say don't do it this way - too many gotchas.

Ben answered Nov 09 '22 01:11
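The in-process variant the answer suggests (a separate thread running under impersonation, rather than a persisted ticket), written as an added C# example that is not the poster's code; the class and method names are hypothetical, and it assumes it is called from inside a Windows-authenticated request in the same process that received that request.

```csharp
using System;
using System.Security.Principal;
using System.Threading.Tasks;

// Hypothetical helper: capture the already-authenticated caller's Windows token
// while the request is still being handled, and run the slow external call on a
// background thread under that identity. Nothing is written to a queue or disk;
// the token only lives inside this process, which is why the work cannot be
// handed to a separate service process (the answer's "unless the service
// process is terminated" caveat).
public static class ImpersonatedWork
{
    public static Task RunAsCallerAsync(Action callExternalSystem)
    {
        // Under a Windows-authenticated request the thread identity is the end
        // user (authenticated via Kerberos/Negotiate), not the service account.
        WindowsIdentity caller = WindowsIdentity.GetCurrent();
        if (caller == null || caller.IsAnonymous || caller.IsSystem)
            throw new InvalidOperationException("No authenticated caller to impersonate.");

        // Duplicate the token: the request's own WindowsIdentity is disposed when
        // the request completes, but the duplicate stays valid for this process.
        // The caller's Kerberos ticket still expires on its original schedule,
        // so this is for "run it now, however long it takes", not for storage.
        WindowsIdentity copy = new WindowsIdentity(caller.Token);

        return Task.Run(() =>
        {
            using (copy)
            {
                // Everything inside runs in the caller's security context, so the
                // external system sees the user and applies the user's rights.
                // Reaching a remote system from here additionally requires the
                // service account to be trusted for (constrained) delegation.
                WindowsIdentity.RunImpersonated(copy.AccessToken, callExternalSystem);
            }
        });
    }
}
```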