What’s New in Kerberos Authentication What’s New in Kerberos Authentication

Область применения: Windows Server 2016 и Windows 10 Applies To: Windows Server 2016 and Windows 10

Поддержка KDC для проверки подлинности клиента на основе открытого ключа KDC support for Public Key Trust-based client authentication

Начиная с Windows Server 2016, Кдкс поддерживает способ сопоставления открытого ключа. Beginning with Windows Server 2016, KDCs support a way of public key mapping. Если для учетной записи подготавливается открытый ключ, KDC поддерживает протокол Kerberos PKInit явным образом с помощью этого ключа. If the public key is provisioned for an account, then the KDC supports Kerberos PKInit explicitly using that key. Поскольку проверка сертификата не выполняется, поддерживаются самозаверяющие сертификаты, и механизм проверки подлинности не поддерживается. Since there is no certificate validation, self-signed certificates are supported and authentication mechanism assurance is not supported.

Ключ доверия рекомендуется использовать при настройке учетной записи независимо от значения параметра Усесубжекталтнаме. Key Trust is preferred when configured for an account regardless of the UseSubjectAltName setting.

Поддержка клиента Kerberos и KDC для расширения свежести RFC 8070 PKInit Kerberos client and KDC support for RFC 8070 PKInit Freshness Extension

Начиная с Windows 10, версии 1607 и Windows Server 2016, клиенты Kerberos пытаются попытаться установить свежее расширение RFC 8070 PKInit для входа на основе открытых ключей. Beginning with Windows 10, version 1607 and Windows Server 2016, Kerberos clients attempt the RFC 8070 PKInit freshness extension for public key based sign-ons.

Начиная с Windows Server 2016, Кдкс может поддерживать свежее расширение PKInit. Beginning with Windows Server 2016, KDCs can support the PKInit freshness extension. По умолчанию Кдкс не предлагают расширение обновления PKInit. By default, KDCs do not offer the PKInit freshness extension. Чтобы включить его, используйте новую поддержку KDC для расширения обновления безопасности с помощью административного шаблона KDC для всех контроллеров домена в домене. To enable it, use the new KDC support for PKInit Freshness Extension KDC administrative template policy setting on all the DCs in the domain. При настройке поддерживаются следующие параметры, если домен является режимом работы домена Windows Server 2016 (ДФЛ): When configured, the following options are supported when the domain is Windows Server 2016 domain functional level (DFL):

• Отключено. KDC никогда не предлагает расширение актуальности PKInit и принимает допустимые запросы проверки подлинности без проверки на актуальность. Disabled: The KDC never offers the PKInit Freshness Extension and accepts valid authentication requests without checking for freshness. Пользователи никогда не получат новый идентификатор безопасности удостоверения открытого ключа. Users will never receive the fresh public key identity SID.
• Поддерживается: расширение обновления PKInit поддерживается по запросу. Supported: PKInit Freshness Extension is supported on request. Клиенты Kerberos, успешно прошедшие проверку подлинности с помощью расширения PKInit, получают новый идентификатор безопасности удостоверения открытого ключа. Kerberos clients successfully authenticating with the PKInit Freshness Extension receive the fresh public key identity SID.
• Обязательно. для успешной проверки подлинности требуется расширение обновления PKInit. Required: PKInit Freshness Extension is required for successful authentication. Клиенты Kerberos, которые не поддерживают расширение PKInit, всегда будут завершаться ошибкой при использовании учетных данных открытого ключа. Kerberos clients that do not support the PKInit Freshness Extension will always fail when using public key credentials.

Поддержка устройства, присоединенного к домену, для проверки подлинности с помощью открытого ключа Domain-joined device support for authentication using public key

Начиная с Windows 10 версии 1507 и Windows Server 2016, если устройство, присоединенное к домену, может зарегистрировать свой открытый ключ в контроллере домена Windows Server 2016, устройство может пройти проверку подлинности с помощью открытого ключа, используя проверку подлинности Kerberos на контроллере домена Windows Server 2016. Beginning with Windows 10 version 1507 and Windows Server 2016, if a domain-joined device is able to register its bound public key with a Windows Server 2016 domain controller (DC), then the device can authenticate with the public key using Kerberos authentication to a Windows Server 2016 DC. Дополнительные сведения см. в статье Аутентификация с помощью открытого ключа устройства, присоединенного к домену . For more information, see Domain-joined Device Public Key Authentication

Клиенты Kerberos разрешают адреса узлов IPv4 и IPv6 в именах субъектов-служб (SPN). Kerberos clients allow IPv4 and IPv6 address hostnames in Service Principal Names (SPNs)

Начиная с Windows 10 версии 1507 и Windows Server 2016, клиенты Kerberos можно настроить для поддержки имен узлов IPv4 и IPv6 в именах участников-служб. Beginning with Windows 10 version 1507 and Windows Server 2016, Kerberos clients can be configured to support IPv4 and IPv6 hostnames in SPNs.

Путь реестра: Registry path:

Чтобы настроить поддержку имен узлов в именах участников-служб, создайте запись Трипспн. To configure support for IP address hostnames in SPNs, create a TryIPSPN entry. Эта запись не существует в реестре по умолчанию. This entry does not exist in the registry by default. После создания записи измените значение DWORD на 1. After you have created the entry, change the DWORD value to 1. Если значение не настроено, имена узлов IP-адресов не будут пытаться. If not configured, IP address hostnames are not attempted.

Если имя субъекта-службы зарегистрировано в Active Directory, проверка подлинности выполняется с помощью протокола Kerberos. If the SPN is registered in Active Directory, then authentication succeeds with Kerberos.

Дополнительные сведения см. в документе Настройка Kerberos для IP-адресов. For more information check out the document Configuring Kerberos for IP Addresses.

Поддержка KDC для сопоставления учетных записей доверия ключей KDC support for Key Trust account mapping

Начиная с Windows Server 2016, контроллеры домена поддерживают сопоставление учетных записей доверия ключей, а также откат к существующим AltSecID и имени участника-пользователя (UPN) в работе сети SAN. Beginning with Windows Server 2016, domain controllers have support for Key Trust account mapping as well as fallback to existing AltSecID and User Principal Name (UPN) in the SAN behavior. Если Усесубжекталтнаме имеет значение: When UseSubjectAltName is set to:

• 0: требуется явное сопоставление. 0: Explicit mapping is required. В этом случае должно быть одно из следующих: Then there must be either:
  • Доверительные отношения ключей (новое в Windows Server 2016) Key Trust (new with Windows Server 2016)
  • експлиЦиталтсеЦид ExplicitAltSecID
• 1: неявное сопоставление разрешено (по умолчанию): 1: Implicit mapping is allowed (default):
  1. Если для учетной записи настроено доверие ключа, то оно используется для сопоставления (новое в Windows Server 2016). If Key Trust is configured for account, then it is used for mapping (new with Windows Server 2016).
  2. Если в сети SAN нет имени участника-пользователя, AltSecID пытается выполнить сопоставление. If there is no UPN in the SAN, then AltSecID is attempted for mapping.
  3. Если в сети SAN есть имя участника-пользователя, предпринимается предпринятая подстановка имени участника-пользователя. If there is a UPN in the SAN, then UPN is attempted for mapping.

Using Kerberos integrated authentication to connect to SQL Server

Download JDBC Driver

Beginning in Microsoft JDBC Driver 4.0 for SQL Server, an application can use the authenticationScheme connection property to indicate that it wants to connect to a database using type 4 Kerberos integrated authentication. See Setting the Connection Properties for more information on connection properties. For more information on Kerberos, see Microsoft Kerberos.

When using integrated authentication with the Java Krb5LoginModule, you can configure the module using Class Krb5LoginModule.

The Microsoft JDBC Driver for SQL Server sets the following properties for IBM Java VMs:

• useDefaultCcache = true
• moduleBanner = false

The Microsoft JDBC Driver for SQL Server sets the following properties for all other Java VMs:

• useTicketCache = true
• doNotPrompt = true

Remarks

Prior to Microsoft JDBC Driver 4.0 for SQL Server, applications could specify integrated authentication (using Kerberos or NTLM, depending on which is available) by using the integratedSecurity connection property and by referencing mssql-jdbc_auth- -.dll, as described in Building the connection URL.

Beginning in Microsoft JDBC Driver 4.0 for SQL Server, an application can use the authenticationScheme connection property to indicate that it wants to connect to a database using Kerberos integrated authentication using the pure Java Kerberos implementation:

If you want integrated authentication using Krb5LoginModule, you must still specify the integratedSecurity=true connection property. You would then also specify the authenticationScheme=JavaKerberos connection property.

If you specify authenticationScheme=JavaKerberos but do not also specify integratedSecurity=true, the driver will ignore the authenticationScheme connection property and it will expect to find user name and password credentials in the connection string.

When using a datasource to create connections, you can programmatically set the authentication scheme using setAuthenticationScheme and (optionally) set the SPN for Kerberos connections using setServerSpn.

A new logger has been added to support Kerberos authentication: com.microsoft.sqlserver.jdbc.internals.KerbAuthentication. For more information, see Tracing driver operation.

The following guidelines will help you to configure Kerberos:

1. Set AllowTgtSessionKey to 1 in the registry for Windows. For more information, see Kerberos protocol registry entries and KDC configuration keys in Windows Server 2003.
2. Make sure that the Kerberos configuration (krb5.conf in UNIX environments), points to the correct realm and KDC for your environment.
3. Initialize the TGT cache by using kinit or logging into the domain.
4. When an application that uses authenticationScheme=JavaKerberos runs on the Windows Vista or Windows 7 operating systems, you should use a standard user account. However if you run the application under an administrator’s account, the application must run with administrator privileges.

The serverSpn connection attribute is only supported by Microsoft JDBC Drivers 4.2 and higher.

Service principal names

A service principal name (SPN) is the name by which a client uniquely identifies an instance of a service.

You can specify the SPN using the serverSpn connection property, or simply let the driver build it for you (the default). This property is in the form of: «MSSQLSvc/fqdn:port@REALM» where fqdn is the fully-qualified domain name, port is the port number, and REALM is the Kerberos realm of the SQL Server in upper-case letters. The realm portion of this property is optional if your Kerberos configuration’s default realm is the same realm as that of the Server and is not included by default. If you wish to support a cross-realm authentication scenario where the default realm in the Kerberos configuration is different than the realm of the Server, then you must set the SPN with the serverSpn property.

For example, your SPN might look like: «MSSQLSvc/some-server.zzz.corp.contoso.com:1433@ZZZZ.CORP.CONTOSO.COM»

For more information about service principal names (SPNs), see:

Before 6.2 release of JDBC driver, for proper use of Cross Realm Kerberos, you would need to explicitly set the serverSpn.

As of the 6.2 release, the driver will be able to build the serverSpn by default, even when using Cross Realm Kerberos. Although one can use serverSpn explicitly too.

Creating a login module configuration file

You can optionally specify a Kerberos configuration file. If a configuration file is not specified, the following settings are in effect:

Sun JVM
com.sun.security.auth.module.Krb5LoginModule required useTicketCache=true;

IBM JVM
com.ibm.security.auth.module.Krb5LoginModule required useDefaultCcache = true;

If you decide to create a login module configuration file, the file must follow this format:

A login configuration file consists of one or more entries, each specifying which underlying authentication technology should be used for a particular application or applications. For example,

So, each login module configuration file entry consists of a name followed by one or more LoginModule-specific entries, where each LoginModule-specific entry is terminated by a semicolon and the entire group of LoginModule-specific entries is enclosed in braces. Each configuration file entry is terminated by a semicolon.

In addition to allowing the driver to acquire Kerberos credentials using the settings specified in the login module configuration file, the driver can use existing credentials. This can be useful when your application needs to create connections using more than one user’s credentials.

The driver will attempt to use existing credentials if they are available, before attempting to login using the specified login module. Thus, when using the Subject.doAs method for executing code under a specific context, a connection will be created with the credentials passed to the Subject.doAs call.

Beginning in Microsoft JDBC Driver 6.2, name of login module configuration file can optionally be passed using connection property jaasConfigurationName , this allows each connection to have its own login configuration.

Creating a Kerberos configuration file

For more information about Kerberos configuration files, see Kerberos Requirements.

This is a sample domain configuration file, where YYYY and ZZZZ are the domain names.

Enabling the domain configuration file and the login module configuration file

You can enable a domain configuration file with -Djava.security.krb5.conf. You can enable a login module configuration file with -Djava.security.auth.login.config.

For example, the following command can be used to start the application:

Verifying that SQL Server can be accessed via Kerberos

Run the following query in SQL Server Management Studio:

Make sure that you have the necessary permission to run this query.

Constrained delegation

Beginning in Microsoft JDBC Driver 6.2, the driver supports Kerberos Constrained Delegation. The delegated credential can be passed in as org.ietf.jgss.GSSCredential object, these credentials are used by driver to establish connection.

Kerberos connection using principal names and password

Beginning in Microsoft JDBC Driver 6.2, the driver can establish Kerberos connection using the Principal Name and Password passed in connection string.

The username property does not require REALM if user belongs to the default_realm set in krb5.conf file. When userName and password is set along with integratedSecurity=true; and authenticationScheme=JavaKerberos; property, the connection is established with value of userName as Kerberos Principal along with the password supplied.

Using Kerberos authentication from Unix Machines on the same domain

This guide assumes a working Kerberos setup already exists. Run the following code on a Windows machine with working Kerberos authentication to verify if the aforementioned is true. The code will print «Authentication Scheme: KERBEROS» to the console if successful. No additional run-time flags, dependencies, or driver settings are required outside of the ones provided. The same block of code can be run on Linux to verify successful connections.