
GSSAPI and pass-through authentication in Firefox / Thunderbird for Windows

Your machine is in a Windows domain and you want to log in once and reuse that login, for example, on a proxy and on a mail server. To enable pass-through authentication in Firefox, you need to edit 2 keys on the about:config page.


If you want to use Kerberos for authentication on IIS, it is enough to enable "integrated authentication". However, Windows does not create a service principal name (SPN) when IIS is installed, so you have to create it yourself; otherwise Firefox will fall back to NTLM via GSSAPI.

To edit principals you need the Windows Support Tools and the setspn.exe utility. To add a new SPN, run setspn -A HTTP/FQDN machine_name, where FQDN is the address of your IIS server and machine_name is the computer for which the SPN is created.

You can list all SPNs of a machine with setspn -L machine_name. Note that you must address the server by its FQDN, otherwise Kerberos will not find the SPN, and letter case matters. Alternatively, you can do it by hand with any LDAP editor (adsiedit.msc, AD Explorer, LDAP Admin, etc.): find the computer object for which you want to create the SPN, e.g. CN=SERVER,OU=Domain Controllers,DC=inblock,DC=local, and edit its servicePrincipalName attribute.
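As an added check (not code from the original post): a small Python script that derives the SPN a GSSAPI client will request for a given URL and compares it with the servicePrincipalName values of the computer object, flagging the two failure modes described above, a short name instead of the FQDN and a case mismatch. The SPN list and the host name server.inblock.local are constructed for the example.

```python
from urllib.parse import urlsplit

# Constructed sample: servicePrincipalName values of the IIS host's computer
# object (what "setspn -L SERVER" or an LDAP editor would show). The host name
# server.inblock.local is an assumption, not taken from the post.
SPN_VALUES = [
    "HOST/SERVER",
    "HOST/server.inblock.local",
    "HTTP/server.inblock.local",
]


def expected_spn(url: str, service: str = "HTTP") -> str:
    """SPN a GSSAPI client asks the KDC for: service/host, host as typed.

    The host is taken from the netloc rather than .hostname (which lowercases
    it) so that case differences stay visible. Assumes the client does no DNS
    canonicalisation of the name before building the SPN.
    """
    netloc = urlsplit(url).netloc
    host = netloc.rsplit("@", 1)[-1].split(":", 1)[0]
    if not host:
        raise ValueError(f"no host in URL: {url!r}")
    return f"{service}/{host}"


def check_spn(url: str, spn_values: list[str]) -> tuple[bool, str]:
    """Return (ok, reason); matching is exact and case-sensitive, as the post notes."""
    spn = expected_spn(url)
    host = spn.split("/", 1)[1]
    if spn in spn_values:
        return True, f"{spn} is registered"
    if "." not in host:
        return False, f"{spn}: short name used; address the server by its FQDN"
    by_lower = {v.lower(): v for v in spn_values}
    if spn.lower() in by_lower:
        return False, f"{spn}: case differs from registered {by_lower[spn.lower()]}"
    return False, f"{spn} not registered; add it with setspn -A {spn} <machine_name>"


if __name__ == "__main__":
    for u in ("http://server.inblock.local/", "http://server/",
              "http://SERVER.inblock.local/", "http://proxy.inblock.local:3128/"):
        print(u, check_spn(u, SPN_VALUES))
```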
In Thunderbird you only need to tick the "use secure authentication" checkbox; the User name field is not required. At the moment, neither Firefox nor Thunderbird shows any error if Kerberos could not obtain a ticket for some reason, for example because the SPN is missing. The only way to check, therefore, is with a sniffer such as Wireshark.
Windows uses SSPI, a closed analogue of GSSAPI, but the idea is the same, so I call it GSSAPI everywhere.

Do you have a mail server on a UNIX machine? Create a user account in AD (the password does not matter) with the name of the UNIX machine. Using the ktpass utility from the Support Tools, create a keytab file:
ktpass -princ imap/debian.inblock.local@inblock.local -mapuser debian +rndpass -ptype KRB5_NT_SRV_HST -out imap.keytab
On the UNIX machine, do not forget to point DNS at the domain controller, and set the realm in /etc/krb5.conf:
[libdefaults]
default_realm = INBLOCK.LOCAL
Then check that the machine has the correct FQDN with hostname -f. All that remains is to configure the server itself to use GSSAPI; for Dovecot, for example, the instructions consist only of enabling this mode.

GSSAPI, WTF?!
GSSAPI is a set of interfaces that define a standard set of functions: request a ticket, renew a ticket, and so on. Simply put, GSSAPI is an intermediary between the program and the KDC server, i.e. the Kerberos protocol.
It was designed to bring order: when it appeared there were different implementations of Kerberos (as there are now, MIT and Heimdal) that were incompatible with each other. GSSAPI can be used for more than Kerberos, although that is its most popular use. Suppose Microsoft develops a new UltraMegaMSsecure protocol and exposes it through GSSAPI (SSPI); any program that can work with GSSAPI can then use this new protocol. This spares the program developer from having to understand how authentication works in the first place, and secondly, his program will keep working even when Kerberos 10 is released ;).
For example, Firefox performs NTLM authentication through GSSAPI (SSPI).

Source: https://habr.com/ru/post/52337/

