Every time users log into a service by providing their credentials, they are potentially exposed to attacks, especially if they’re using unsafe network protocols. For instance, an attacker could use a simple packet sniffer to recover your user ID and password especially if they’re not encrypted. Show What does this mean? Every time I provide my credentials to a service, should I be afraid that they could be stolen? Potentially—however, there are many precautions that we should consider when accessing a service over the internet like:
To address potential insecurity when using authentication, new safe protocols have been created and one of them is Kerberos. What is Kerberos?Kerberos is the mythological three-headed Greek creature which is guarding the gates of underworld to prevent souls from escaping. With that as its inspiration, the Massachusetts Institute of Technology developed a protocol to protect its own projects in the late 1980s. The idea behind Kerberos is simple: authenticating users while avoiding sending passwords over the internet. This protocol can be easily adopted even on insecure networks as it is based on a strong cryptography and it’s developed on a client-server model. Enabling a service to use Kerberos authentication is referred to as making the service “Kerberos aware”. This is actually possible for the majority of software. How Kerberos WorksWhen authenticating, Kerberos uses symmetric encryption and a trusted third party which is called a Key Distribution Center (KDC). At the moment of the authentication, Kerberos stores a specific ticket for that session on the user’s machine and any Kerberos aware service will look for this ticket instead of prompting the user to authenticate through a password. Source: BMC SoftwareThese are the steps in Kerberos Authentication:
Kerberos integration is also supported by Remedy Single Sign On which is the main authentication module that is used for a great number of BMC products. In Remedy Single Sign On, it is possible to configure a Kerberos as the authentication service. In this case, Remedy Single Sign On validates the token that is sent from a client (e.g., a browser to give access to BMC Digital Workplace) together with a KDC and lets the user log into the application using her/his Windows credential. Advantages & disadvantages of KerberosLike many technical solutions, Kerberos has advantages as well as some weaknesses. The principal advantages in adopting Kerberos as an authentication service are:
The weaknesses of Kerberos are:
Installing & using KerberosWhen using Kerberos authentication in Remedy Single Sign On, you need to remember to enable Kerberos authentication for the browsers you’re using. It is not always enabled by default. Here’s how to do that for two commonly used web browsers. For Internet Explorer:
For Firefox:
As you can see, Kerberos provides another way to authenticate that thwarts bad actors who hope to steal passwords. Even further, it can be effectively utilized with applications that are Kerberos aware. While there are some downsides, it’s another tool to make single-sign-on run smoothly while keeping passwords safe. If you would like to utilize Kerberos with your BMC Remedy Single Sign On, please fill out our form and an expert will reach out to get you started. Related readingThese postings are my own and do not necessarily represent BMC's position, strategies, or opinion. See an error or have a suggestion? Please let us know by emailing .
This article helps you solve the problems of Kerberos authentication failure when a user belongs to many groups. Applies to: Windows 10 - all editions, Windows Server 2019, Windows Server 2016, Windows Server 2012 R2 SymptomsA user who belongs to a large number of security groups has problems authenticating. When authenticating, the user may see a message such as HTTP 400 - Bad Request (Request Header too long). The user also has problems accessing resources, and the user's Group Policy settings may not update correctly. For more information about the context of the error, see HTTP 400 Bad Request (Request Header too long) responses to HTTP requests.
Note Under similar conditions, Windows NTLM authentication works as expected. You may not see the Kerberos authentication problem unless you analyze the Windows behavior. However, in such scenarios, Windows may not be able to update Group Policy settings. This behavior occurs in any of the currently supported Windows versions. For information about the currently supported versions of Windows, see Windows lifecycle fact sheet. CauseThe user cannot authenticate because the ticket that Kerberos builds to represent the user is not large enough to contain all of the user's group memberships. As part of the Authentication Service Exchange, Windows builds a token to represent the user for purposes of authorization. This token (also called an authorization context) includes the security identifiers (SID) of the user, and the SIDs of all of the groups that the user belongs to. It also includes any SIDs that are stored in the user account's sIDHistory attribute. Kerberos stores this token in the Privilege Attribute Certificate (PAC) data structure in the Kerberos Ticket-Getting Ticket (TGT). Starting with Windows Server 2012, Kerberos also stores the token in the Active Directory Claims information (Dynamic Access Control) data structure in the Kerberos ticket. If the user is a member of a large number of groups, and if there are many claims for the user or the device that is being used, these fields can occupy lots of spaces in the ticket. The token has a fixed maximum size (MaxTokenSize). Transport protocols such as remote procedure call (RPC) and HTTP rely on the MaxTokenSize value when they allocate buffers for authentication operations. MaxTokenSize has the following default value, depending on the version of Windows that builds the token:
Generally, if the user belongs to more than 120 universal groups, the default MaxTokenSize value does not create a large enough buffer to hold the information. The user cannot authenticate and may receive an out of memory message. Additionally, Windows may not be able to apply Group Policy settings for the user.
Note Other factors also affect the maximum number of groups. For example, SIDs for global and domain-local groups have smaller space requirements. Windows Server 2012 and later versions add claim information to the Kerberos ticket, and also compress resource SIDs. Both features change the space requirements. ResolutionTo resolve this problem, update the registry on each computer that participates in the Kerberos authentication process, including the client computers. We recommend that you update all of your Windows-based systems, especially if your users have to log on across multiple domains or forests. On each of these computers, set the MaxTokenSize registry entry to a larger value. You can find this entry in the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters subkey. The computers have to restart after you make this change. For more information about determining a new value for MaxTokenSize, see the Calculating the maximum token size section of this article. For example, consider a user who is using a web application that relies on a SQL Server client. As part of the authentication process, the SQL Server client passes the user's token to a back-end SQL Server database. In this case, you would need to configure the MaxTokenSize registry entry on each of the following computers:
In Windows Server 2012 (and later versions), Windows can log an event (Event ID 31) if the token size passes a certain threshold. To enable this behavior, you have to configure the Group Policy setting Computer Configuration\Administrative Templates\System\KDC\Warning for large Kerberos tickets. Calculating the maximum token sizeUse the following formula to calculate the size of the token that Windows generates for a particular user. This calculation helps you determine whether you need to change MaxTokenSize. TokenSize = 1200 + 40d + 8s For Windows Server 2012 (and later versions), this formula defines its components as follows:
Windows Server 2008 R2 and earlier versions use the same formula. However, these versions consider the number of domain-local group memberships to be part of the d value instead of the s value. If you have a MaxTokenSize value of 0x0000FFFF (64K), you may be able to buffer approximately 1600 d-class SIDs or approximately 8000 s-class SIDs. However, a number of other factors influence the value that you can safely use for MaxTokenSize, including the following:
Known issues that affect MaxTokenSizeA MaxTokenSize value of 48,000 bytes should be sufficient for most implementations. This is the default value in Windows Server 2012 and later versions. However, if you decide to use a larger value, review the known issues in this section.
|