I am developping one server service using the Kerberos and got the ticket from client, I can deciphered the ticket with the predefined keytab, now my question is how to use the PAC information in the ticket. Previously I use the LDAP procedure to query the user's group membership to get the authorization information.
Now the PAC's logon information include the membership, but it is group ID, but I need "DN" text based format (CN=xxx,OU=xxx, DC=xxx...).
I would like to know in general, how to use this authorization data in the ticket in the service server. Thanks!
If your application service is not running on Windows, you will not be able to read the PAC without jumping through some serious hoops. The PAC is built using Microsoft proprietary code, which is something Microsoft introduced into their flavor of Kerberos IAW RFC 1510 but their words, "slightly modified". Shortly after the release of Windows 2000 [Active Directory], Microsoft received some negative press attention because of the proprietary way they used the PAC field in a Kerberos ticket. [Microsoft] explicitly forbids the creation of software that implements the PAC as described in the specifications.
I spent a long time trying to find something open source and reliable which could read the PAC anyway, and I found that JAASLounge does this. It's an old article though (from 2010). Be aware that, it appears, based on my interpretation based on Microsoft's statement, to be a violation of their terms and conditions.
Anyway, I've also bookmarked two threads from right here in this forum by people who claim to have gotten JAASLounge this working, and some of the troubles they had to work through.
Decrypt kerberos ticket using Spnego
Malformed PAC logon info on new KerberosToken
In case you don't want to go down this route, and want to bypass the PAC to determine the AD user's group memberships, then you will have to resort to making an LDAP call back to the AD domain controller.
I'll close by saying that if you're running on a Windows-based application server such as IIS or SharePoint, Kerberos decoding of the PAC takes place automatically, so no special code, configuration, or keytab file is ever required.
Related
I've been tasked with implementing a Single Sign-On solution in an environment which uses Kerberos with an Active Directory server for the actual storing of the users and their groups. I understand that Kerberos does not support privileges/groups and that this is the reason to be forced to use a backing server like, for example, LDAP, or Active Directory. This is all fine and clear, but what I don't quite understand is why you would still be using Kerberos, when you could simply be connecting to LDAP or Active Directory directly instead and dropping the whole overhead of yet another server.
What am I missing here...? Please advise! Many thanks in advance!
Their is no overhead for another server. Active Directory combines all necessary services in one product.
Kerberos has tremendous benenfits:
One login for all systems
Transparent subsequent login
Ciphered ticket exchange, even full transport encryption is possible
Delegation of credential is supported out of the box
Implemented and well documented in Unix and Windows for almost two decades
I use Kerberos via AD for years in Java and C on Unix and Windows with great success. I wouldn't use anything else in a corporate environment.
I've recently been given the task at a school which runs a local domain to grab a copy of all the passwords when we reset them this week (students and staff).
The reasoning for this is because we wish to have them in sync with our local proxy server passwords and 3rd party user based applications.
I've had a look into passwdhk but haven't been able to get it running cleanly on our machines. We have 1x Windows Server 2008 RC2 machine and 1x Windows Server 2003 machine - we're running a 2003 domain because of this.
I'm wondering if anyone can help. I'm looking at something similar to passwdhk - some sort of custom password filter. However I'm not a higher level programmer and wouldn't be able to write this in C or C++. Can anyone point me in the direction of one I could easily modify or point out another solution?
The other option I was thinking of was to force all users to log into an intranet page with an ASP.NET backend that presented them with a form and sent it via a WSO or something - that way I'd have a plain text copy.
Your thoughts and input would be highly, highly appreciated!
Thanks!
You would need a custom password filter, or a password sync product. Forefront Identity Manager is one which can do this but you're not going to get this (or likely any solution) setup in a week.
A web based self service interface is pretty common, but, you won't be able to use the native Windows functionality to communicate password expiry.
We tried last night to build some code which would create a new public folder in Microsoft Exchange from within a .NET Winforms application.
Googling for code took us to a bunch of code samples involving http requests and WebDAV. We experienced all kinds of painfulness involving
The underlying connection was closed: Could not establish trust
relationship for the SSL/TLS secure channel.
and
The remote server returned an error: (440) Login Timeout.
and had to call it a day.
This morning I remembered that we had some old VBA code which used the Outlook Object Model to deal with Exchange Public Folders. Dug it out, adapted it to .NET and, hey, it works. Really it's just a couple of lines.
Is there a reason to use http & WebDAV rather than OOM? Are the WebDAV examples basically for ASP.NET development? If we could have got the WebDAV code to work in our case would it have given us any extra power or flexibility (e.g. in cases where the user has restricted permissions)?
See http://www.infinitec.de/post/2008/11/26/ExchangeWebServices-WebDAV-and-untrusted-server-certificates.aspx for the SSL thingy and http://www.infinitec.de/post/2004/12/31/Access-the-Exchange-store-via-WebDAV-with-Form-Based-Authentication-turned-on-Updated.aspx for the Login-Timout.
If you use the OOM, you rely on Outlook being installed and property configured (which can be somewhat difficult you have multiple profiles).
WebDAV ist a HTTP protocol, meaning that you have very little prerequisites. That being said, WebDAV for Exchange is a rather cumbersome protocol. There are, however .NET wrappers available (I can send you one which is free - just ping me through my website) which makes it easier.
But know that WebDAV for Exchange is only supported in Exchange 2003 and 2007. Since Exchange 2007, WebServices are available and there is even a managed API:
EWS Managed API - Download: http://www.microsoft.com/download/en/details.aspx?id=13480
EWS Managed API - SDK: http://msdn.microsoft.com/en-us/library/dd633710(v=exchg.80).aspx
From within an Apex class, how can I detect the Edition (ie, Group, Professional, Enterprise, Unlimited). More specifically, is there an API to retrieve the capabilities (or lack thereof) for the user's edition?
The problem I am trying to solve is that from the Group/Professional edition, users cannot access the custom Web Services in my app, receiving the error LOGIN_OAUTH_API_DISABLED. Is there a way to detect whether this is going to work from within Apex?
You can use the following SOQL to determine the Organization's license type:
SELECT OrganizationType FROM Organization
For Professional it will return "Professional Edition". This is detailed on the Organization object page.
Are there any specific capabilities you're looking to discover? There's no way to determine the edition (and this would be mostly a red herring if you could). A lot of differences end up being reflected in the data model, and you can discover that using the describe features.
If you want to check from apex if your web services is enabled/available, then you could use apex callouts to try and make a call to it (and FWIW, the error code is from OAuth, and not from your apex web service)
Is there a simple way to determine what database is in use behind a website from an external HTTP request? i.e., I make an HTTP request, get back whatever data is going to come from the webserver - can I inspect any of that and reliably determine that DB in use? I am thinking not, but figured I would ask this group.
No. The same answer could come from a static file, a SQL database, or a martian telepath.
No and for a good reason. If there were it would be a security hole. Unless it is a part of the application functionality.
For most websites, the answer is no, however, you may find security holes which reveal this information. For example, it's possible to get this information if the site isn't coded against sql injection attacks. For example, try entering the following as your user name:
'; select version();
On shared hosting system, they often don't have a firewall protecting the database from external connections.
Try the following:
telnet localhost 3306
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
5
5.0.51a—Bjb-W
This tells you that the server is running MySQL version 5.0.51a. MSSQL and Sybase also identify their version number before the client attempts to login.
Probably the easiest way is just to ask the webmaster. If your not a hacker, and the site isn't a bank, they will likely tell you.