Do tickets need to be refreshed if changes are made to delegation for a service account?
RussKahler1970 opened this issue · 28 comments
I am curious as to what is all in the ticket for Kerberos, and if I have an app running that has a cached token, do I need to purge them when delegation changes are made, or does the ticket only contain info for the user?
The forward bit is part of the ticket? Do I need to request that set, or is that based on the user's delegation?
Maybe I can provide more information. I am getting a ticket and using it on an HTTP request to a site running in IIS that is set up to require Windows authentication. The ticket is used and resolves my identity and allows the request to proceed. The issue I have is that this site is set up to force impersonation, which should take the identity of the request and pass it into SQL. Kerberos should handle that, but for some reason my SQL login is failing as it's falling back to NT AUTHORITY\ANONYMOUS LOGON, which is what we see when Kerberos is not passed on the double hop.
So the ticket I am getting to make the web request is using spn=http/[host dns], but for SQL I need MSSQLSvc/[SQL instance]. Do I have to do something to provide that ticket with the first ticket to the web request?
How do I include this flag (Negotiate delegate flag) in the GetServiceTicket method? I don't see a setting for that, or in the configuration on the client.
Thanks for your help.
I am a bit lost on how to request a delegable ticket. Should I be requesting a different ticket type? When I log in with an app that does connect properly I see these flags on my ticket. That is what I need to make my ticket work. How do I request or get those flags set on my ticket?
Ticket Flags 0x40a50000 -> forwardable renewable pre_authent ok_as_delegate name_canonicalize
I think I need to set the flag OkAsDelegate but I cannot figure out how to set that on the client.
I am stuck at this point. I cannot generate a ticket that is delegable and could use some help if someone has some example or ideas as to what to do.
There's a command in the Bruce tool that shows how this works: https://github.com/dotnet/Kerberos.NET/blob/3fd93b8f9628b611ed30fca422e533f3ee10c60f/Bruce/CommandLine/KerberosConstrainedDelegationCommand.cs
You can also set the Forwardable bit on the request itself:
client.KdcOptions |= KdcOptions.Forwardable;
Not sure what is going wrong. I am still not getting Kerberos to delegate through to my SQL login.
Here is how I am creating my client.
var clientArgs = new Krb5Config();
clientArgs.Defaults.Forwardable = true;
clientArgs.Defaults.EnforceOkAsDelegate = true;
clientArgs.Defaults.DnsLookupKdc = true;
clientArgs.Defaults.AllowWeakCrypto = true;
clientArgs.Defaults.KdcDefaultOptions |= KdcOptions.RenewableOk | KdcOptions.Forwardable;
_kClient = new KerberosClient(clientArgs, LoggerFactory);
Here is how I am requesting my ticket.
var args = new RequestServiceTicket
{
ServicePrincipalName = spn,
CacheTicket = true
};
args.KdcOptions |= KdcOptions.Forwardable;
var session = await KClient.GetServiceTicket(args).ConfigureAwait(false);
return session.ApReq;
Then I add it to my HttpClient header with:
client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Negotiate", Convert.ToBase64String(ticket.EncodeGssApi().ToArray()));
Using my logging on the server, it says my identity in IIS is [domain][service account], but when it tries to connect to SQL it tells me that Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'.
The same site if I connect with another app we use, connects and passes identity correctly with the Kerberos identity showing up as the user in SQL session.
I looked at the Bruce command line file, but that seems to be loading the krb5.conf, so it's not clear what I should set in both create client and when I am getting the ticket.
Any help would be greatly appreciated.
Also note my service account has delegation setup to allow delegation to any service.
You might try setting
args.ApOptions |= ApOptions.MutualRequired;
// OR
args.GssContextFlags |= GssContextEstablishmentFlag.GSS_C_DELEG_FLAG;
I vaguely recall we enforce some things with mutual auth so that might be a requirement. The deleg flag isn't technically right, but I don't have the Windows behaviors in front of me at the moment to verify.
I tried args.ApOptions |= ApOptions.MutualRequired; and no different still not delegating the identity.
I tried args.GssContextFlags |= GssContextEstablishmentFlag.GSS_C_DELEG_FLAG; and the web site requiring windows authentication fails with a 401 error.
Any other thoughts on how to get the ticket to authenticate through delegation? I am a bit stuck at this point.
How do I get the secret from the server? I have access to all of them.
This is the Event Viewer error I am getting.
A Kerberos error message was received:
on logon session
Client Time:
Server Time: 22:59:16.0000 2/13/2024 Z
Error Code: 0xd KDC_ERR_BADOPTION
Extended Error: 0xc000006e KLIN(0)
Client Realm:
Client Name:
Server Realm: SALELYTICS.LOCAL
Server Name: MSSQLSvc/sqlg1t.salelytics.local:1433
Target Name: MSSQLSvc/sqlg1t.salelytics.local:1433@SALELYTICS.LOCAL
Error Text:
File: onecore\ds\security\protocols\kerberos\client2\kerbtick.cxx
Line: 128c
Error Data is in record data.
Unfortunately the thing to check is in the EncryptedPart which requires the service account password. Unfortunately I can't tell you how to get that password, though there are ways. Worst case you can run the bruce tool on that server as SYSTEM.
The error you posted above is certainly interesting. That is indicating the USER_NOT_DELEGATED flag is set on the user account, which presents as the forwardable flag not set on the ticket.
The other question is whether the user is from another forest. The library doesn't support it when acting as the middlebox, but it should support it as the client.
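Added diagnostic, not code from this thread or from the Kerberos.NET project: this Python decodes the klist Ticket Flags value quoted earlier (0x40a50000) with the RFC 4120 bit numbering and reports, from the forwardable and ok_as_delegate bits, which delegation precondition is missing. The flag names for bits 14 and 15 and the wording of the diagnosis strings are my own choices.

```python
# Added example, not from the thread or the Kerberos.NET project: decode the
# "Ticket Flags" value that klist prints and check the bits that matter for
# delegation. Bit numbering follows RFC 4120 section 5.3, where bit 0 is the
# most significant bit of the 32-bit value; bit 14 is anonymous (RFC 6112)
# and bit 15 is what Windows klist labels "name_canonicalize".
TICKET_FLAG_BITS = {
    1: "forwardable", 2: "forwarded", 3: "proxiable", 4: "proxy",
    5: "may_postdate", 6: "postdated", 7: "invalid", 8: "renewable",
    9: "initial", 10: "pre_authent", 11: "hw_authent",
    12: "transited_policy_checked", 13: "ok_as_delegate",
    14: "anonymous", 15: "name_canonicalize",
}


def decode_ticket_flags(value: int) -> list:
    """Return the names of the set flags in bit order (bit 0 = MSB)."""
    return [name for bit, name in TICKET_FLAG_BITS.items()
            if value & (1 << (31 - bit))]


def parse_klist_flags_line(line: str) -> int:
    """Pull the hex value out of a klist 'Ticket Flags 0x... -> ...' line."""
    token = line.split("Ticket Flags", 1)[1].split()[0]
    return int(token, 16)


def delegation_diagnosis(value: int) -> str:
    """Explain from the flags alone why a second hop (e.g. MSSQLSvc) may fail.

    The KDC only forwards a ticket whose forwardable bit is set; a missing
    bit is what a KDC_ERR_BADOPTION on the second-hop request looks like.
    ok_as_delegate means the KDC considers the target service trusted for
    delegation. Neither bit says anything about SPN registration, which has
    to be checked separately.
    """
    flags = set(decode_ticket_flags(value))
    if "forwardable" not in flags:
        return ("not forwardable: account may be marked sensitive "
                "(USER_NOT_DELEGATED) or the request lacked KdcOptions.Forwardable")
    if "ok_as_delegate" not in flags:
        return ("forwardable but not ok_as_delegate: the target service "
                "account is not trusted for delegation")
    return "forwardable and ok_as_delegate: ticket is delegable, check SPNs next"


# Constructed sample line, copied from the klist output quoted in this thread.
KLIST_LINE = ("Ticket Flags 0x40a50000 -> forwardable renewable pre_authent "
              "ok_as_delegate name_canonicalize")

if __name__ == "__main__":
    value = parse_klist_flags_line(KLIST_LINE)
    print(hex(value), decode_ticket_flags(value))
    print(delegation_diagnosis(value))
```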
Is there any way, using the client that got the ticket, to decode it?
Not sure how to move forward. I am using an account that connects with Kerberos to the same site and works to delegate through to SQL, so it seems to me it has to be an issue with the ticket/token. From above, the ticket seems to have the flags set, so it seems to be an issue with the encoding. Any help or ideas would be great. I am stuck at this point. I guess some help decoding the ticket might help; if I could see that the ticket was OK to delegate, then I might be able to consider other factors.
A bit more information. If I use my personal account it fails unless our other client app using the same site has recently used SQL access that is using the same impersonation. I assume the server is maintaining a ticket in its cache and that is why it worked. Anyway, please let me know if there is more I can provide. The ticket I am getting/sending in the HttpClient request is not working with delegation, but the user is valid to delegate and the server and SQL are all working with impersonation and delegation. Not sure if there is anything else we can do.
Turns out I had an SPN issue in our domain, so it was not able to delegate the ticket through. I have since resolved that and all is working fine. I am going to close this issue.
The issue was an SPN issue, not a ticket generation issue.