Kerberos-based User Authentication and SSO in Web Applications
Authentication in a web application can be implemented in many ways. Consider an organization whose employees and internal stakeholders, all working in the same domain, use several internal web applications in their daily work, e.g. an HR portal, a leave portal, a timesheet portal and a travel portal. With a conventional login form on each application, an employee has to log in again and again to use these portals. The better option is to provide authentication with Single Sign-On (SSO).
If we look at how organizations maintain the identities of their internal users and employees, we see that they usually keep them in Active Directory, and most services connect to that same Active Directory over LDAP to look up user identities.
Let's evaluate the applicability of Kerberos-based authentication and SSO to these scenarios in the following sections.
Authentication and SSO are a common requirement, and the number of web applications in an organization keeps growing.
Based on the need, the available infrastructure and the organization's security policies, one can choose the best-fit approach to authentication and SSO.
The business needs that support a Kerberos-based authentication and SSO implementation are:
- The organization has one or more web applications, and a single user needs to use several of them from the same domain
- The organization maintains Kerberos-capable infrastructure, e.g. a Domain Controller with Active Directory
- Web SSO is required
This article discusses Kerberos-based authentication and Single Sign-On (SSO) in web applications, and therefore touches the technologies required to set up and test Kerberos authentication:
- Windows Server with Domain Controller and Active Directory
- Alternatively, MiniKdc, an embedded test KDC
- Spring Boot, Spring Web and Spring Security
- Kerberos and the MIT Kerberos Ticket Manager
- SPNEGO and the GSS-API
Kerberos is a widely adopted network authentication protocol supported by most operating systems, including Linux, Windows and macOS. It can therefore be integrated with web applications written in different languages and with web servers such as IIS and Apache httpd; see the References section for details.
This article looks at Kerberos for web application authentication and SSO from the implementation perspective, so it should be useful for developers, architects and product owners who want to explore Kerberos-based authentication and SSO.
Authentication is a common need for web applications, and SSO becomes necessary as the number of web applications grows with increasing automation and the move from paper-based to electronic processes.
Problem
Suppose an organization has the following needs:
- Kerberos-capable infrastructure (e.g. Active Directory) is used as the user and identity store
- Users access the web applications from the same domain on which the applications are hosted
- Users should not have to enter their credentials again for each application
- A highly secure authentication mechanism is required
These requirements look basic and common for web applications, but they are exactly the points that drive the choice of authentication technique.
Kerberos vs NTLM
Both Kerberos and NTLM are network authentication protocols used to authenticate users when they access a device or server, and both can be used for web application authentication and SSO. The major differences are:
- NTLM is Microsoft proprietary technology, whereas Kerberos originated at MIT and is an open standard (RFC 4120)
- NTLM is a challenge-response protocol: the client answers a server challenge with a value derived from the hash of the user's password, and verification happens on one side only (the server verifies the client). In Kerberos, authentication is performed with tickets issued by the TGS and verification is mutual: the client verifies the server and the server verifies the client
- NTLM supports only impersonation, while Kerberos supports both impersonation and delegation
- NTLM does not support two-factor authentication, while Kerberos supports it through smart card logon
- Because the NTLM response is derived directly from the password hash, a stolen hash is enough to authenticate (pass-the-hash), and because there is no mutual authentication the response can be relayed to another server; NTLM is therefore considered weaker and more exposed than Kerberos
- NTLM is supported only by Microsoft, while Kerberos is supported widely; Windows itself uses Kerberos by default inside a domain
Based on the points above, Kerberos is recommended as the more secure and reliable option.
Although Kerberos was introduced by MIT, it has been the default authentication protocol in Windows domains since Windows 2000.
Based on the problem statement defined in the 'Problem' section, two options suit enterprise web applications whose users access them from the same domain:
- NTLM-based web authentication
- Kerberos-based web authentication
As the comparison in 'Kerberos vs NTLM' shows, Kerberos is the strong contender.
Now let's understand Kerberos and Kerberos-based authentication in web applications.
Kerberos is a network authentication protocol (and server implementation) that provides authentication for trusted hosts on an untrusted network. In Kerberos the user's password never travels over the network, is not kept on the client machine for long, is never stored unencrypted, and the user is asked for it only once per work session. It provides mutual authentication: the client validates the server's identity and the server validates the client's identity.
Below is the terminology used in Kerberos:
- Realm — The administrative authentication domain in which principals are defined. It can be understood as the organization, e.g. EXAMPLE.COM.
- Principal — The name that identifies a user or service in the KDC database, e.g. alice@EXAMPLE.COM or HTTP/www.mysite.com@EXAMPLE.COM.
- Ticket — A piece of data, encrypted with the target service's key, that a client presents to an application server to prove its identity.
- Encryption — A methodology for data security where data is encrypted with a secret key.
- TGS — Ticket Granting Service, the KDC component that issues service tickets during Kerberos authentication.
- Authentication Server (AS) — The KDC component that authenticates the user at logon and issues the ticket-granting ticket (TGT). (This article's sample project calls it the "Authorization Server"; the Kerberos term is Authentication Server.)
- Key Distribution Center (KDC) — The core of the Kerberos server, consisting of the Authentication Server and the TGS.
- Session key — A short-lived key generated by the KDC when a ticket is issued; it is shared between the client and the server for that session.
- Keytab — A file, extracted from the KDC, that holds the long-term key(s) of one or more service principals. The web application uses it to decrypt the service tickets presented by clients. [Note: this file is required when a web application is configured for Kerberos authentication.]
Let's understand the flow of Kerberos authentication with the diagram below:
[Note: SPNEGO (RFC 4178) is the negotiation mechanism, carried by the HTTP 'Negotiate' scheme, through which browser and server agree on an authentication mechanism: Kerberos is tried first, with NTLM as the fallback. The GSS-API (RFC 2743) is the programming interface through which an application creates and accepts security tokens; in Java it is exposed as the org.ietf.jgss package. The web application uses it to parse the token from the Authorization header and to validate the ticket with the key from its keytab.]
Below are the steps to configure Kerberos authentication for a web server [these steps are required when configuring Kerberos-based authentication against a real Kerberos infrastructure, not for MiniKdc]:
1. Install the Kerberos tools, which include kadmin.
2. Create a service principal for the web server's SPN (HTTP/<host name as used in the URL>):
kadmin -p service/admin -q "addprinc -randkey HTTP/www.mysite.com"
3. Export the service principal's key into a keytab. Note that ktadd generates a new random key and increments the kvno, so run it once and copy the resulting file; running it again invalidates keytabs already deployed elsewhere:
kadmin -p service/admin -q "ktadd -k /opt/mykeytabs/mysite.keytab HTTP/www.mysite.com"
4. Optionally, verify the keytab. klist lists its contents (principal, kvno and encryption type), and kinit proves that the key in it is actually accepted by the KDC by obtaining a TGT with it:
klist -k -t /opt/mykeytabs/mysite.keytab
kinit -k -t /opt/mykeytabs/mysite.keytab HTTP/www.mysite.com
5. Configure the keytab file and the service principal in the web application configuration.
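To make step 4 concrete, here is an added example (not code from the article's projects) that reads the MIT keytab format produced by ktadd and reports what `klist -k` would show, plus two checks worth running before deploying a keytab: that the key for the expected SPN is present, and that no weak (RC4) encryption type is in it. The principal, realm, key bytes and timestamp in the sample are constructed placeholders.

```python
"""Reader/writer for the MIT Kerberos keytab format (version 0x0502).
Added example, not code from the article's projects: it shows what `klist -k`
prints and what a web application actually loads from its keytab (per principal:
key version number, encryption type, long-term key). Sample data is constructed."""
import struct
from dataclasses import dataclass

KEYTAB_VERSION = 0x0502      # 2-byte magic at the start of every v5 keytab
KRB5_NT_PRINCIPAL = 1        # name_type used for ordinary user/service principals
ENCTYPE_NAMES = {17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
                 23: "arcfour-hmac"}   # 23 is RC4: legacy, weak
WEAK_ENCTYPES = {23}


@dataclass
class KeytabEntry:
    principal: str           # e.g. "HTTP/www.mysite.com" (realm kept separately)
    realm: str               # e.g. "EXAMPLE.COM"
    kvno: int                # key version number; bumped every time ktadd runs
    enctype: int
    key: bytes
    timestamp: int = 0       # epoch seconds when the key was added

    @property
    def enctype_name(self) -> str:
        return ENCTYPE_NAMES.get(self.enctype, f"etype {self.enctype}")


class _Cursor:
    """Bounds-checked reader over one keytab record."""
    def __init__(self, buf: bytes):
        self.buf, self.off = buf, 0

    def take(self, n: int) -> bytes:
        if self.off + n > len(self.buf):
            raise ValueError("truncated keytab record")
        self.off += n
        return self.buf[self.off - n:self.off]

    def unpack(self, fmt: str):
        return struct.unpack(fmt, self.take(struct.calcsize(fmt)))

    def counted(self) -> bytes:  # counted_octet_string: uint16 length + bytes
        (n,) = self.unpack(">H")
        return self.take(n)


def _counted(b: bytes) -> bytes:
    return struct.pack(">H", len(b)) + b


def build_keytab(entries) -> bytes:
    """Serialize entries the way ktadd would: int32 record size, then the record."""
    out = bytearray(struct.pack(">H", KEYTAB_VERSION))
    for e in entries:
        comps = e.principal.split("/")
        rec = struct.pack(">H", len(comps)) + _counted(e.realm.encode())
        rec += b"".join(_counted(c.encode()) for c in comps)
        rec += struct.pack(">IIB", KRB5_NT_PRINCIPAL, e.timestamp, e.kvno & 0xFF)
        rec += struct.pack(">H", e.enctype) + _counted(e.key)
        rec += struct.pack(">I", e.kvno)          # optional 32-bit vno extension
        out += struct.pack(">i", len(rec)) + rec
    return bytes(out)


def parse_keytab(data: bytes):
    """Parse a v5 keytab, skipping deleted records (negative size) as libkrb5 does."""
    (version,) = struct.unpack_from(">H", data, 0)
    if version != KEYTAB_VERSION:
        raise ValueError(f"unsupported keytab version 0x{version:04x}")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                               # deleted slot of |size| bytes
            pos -= size
            continue
        cur = _Cursor(data[pos:pos + size])
        (ncomp,) = cur.unpack(">H")
        realm = cur.counted().decode()
        comps = [cur.counted().decode() for _ in range(ncomp)]
        _name_type, ts, vno8 = cur.unpack(">IIB")
        (etype,) = cur.unpack(">H")
        key = cur.counted()
        kvno = vno8
        if len(cur.buf) - cur.off >= 4:            # 32-bit vno wins when non-zero
            (vno32,) = cur.unpack(">I")
            kvno = vno32 or vno8
        entries.append(KeytabEntry("/".join(comps), realm, kvno, etype, key, ts))
        pos += size
    return entries


def klist_summary(entries):
    """One line per key, in the spirit of `klist -k`: kvno principal (enctype)."""
    return [f"{e.kvno} {e.principal}@{e.realm} ({e.enctype_name})" for e in entries]


def check_keytab(entries, expected_spn: str):
    """Pre-deployment checks: is the SPN's key there, and are the enctypes sane?"""
    findings = []
    if not any(e.principal == expected_spn for e in entries):
        findings.append(f"no key for {expected_spn}: server cannot decrypt its tickets")
    findings += [f"weak enctype {e.enctype_name} for {e.principal}"
                 for e in entries if e.enctype in WEAK_ENCTYPES]
    return findings
```

Pointing `parse_keytab` at the bytes of a real `/opt/mykeytabs/mysite.keytab` gives the same kvno and enctype that `klist -k -t` prints; a kvno that differs from what the KDC currently holds for the principal is the usual reason a freshly configured application rejects every ticket.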
Once Kerberos is configured for the web application, the flow when a user opens a protected resource in the browser is as follows. The browser first sends a plain request, and the server answers 401 with a WWW-Authenticate: Negotiate header. The browser, which already holds a TGT from the user's domain logon, asks the TGS for a service ticket for the server's SPN (HTTP/www.mysite.com, built from the host name in the URL), wraps it in a SPNEGO token and resends the request with an Authorization: Negotiate header carrying the base64-encoded token. On the backend, SPNEGO negotiation selects Kerberos from the mechanisms the browser offered; if the browser could not obtain a ticket (for example because the SPN is not registered for that host name) it offers NTLM instead, which a Kerberos-only server should refuse rather than fall back to. The GSS-API then parses the token and validates the service ticket by decrypting it with the service key from the keytab; no round trip to the KDC is needed for this. If the ticket is valid, the user's principal is established, the resource allows access and the request is processed. In this way the user never types a password into the application, and the session is created automatically from the Kerberos credentials. Note that browsers only send Kerberos tickets to sites they trust for integrated authentication (the Local intranet zone in Internet Explorer and Edge, network.negotiate-auth.trusted-uris in Firefox, the AuthServerAllowlist policy in Chrome), so the application host must be included there.
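The exchange described above, as an added example that is not part of the article's projects: the server-side logic of the Negotiate handshake in Python, with a hand-built SPNEGO NegTokenInit standing in for what the browser sends and a stub validate() callback standing in for the GSS-API acceptor that would decrypt the ticket with the keytab key. The mechanism OIDs are the registered ones (SPNEGO, Kerberos, Microsoft Kerberos, NTLMSSP); the principal alice@EXAMPLE.COM, the placeholder mechToken and the header values are constructed.

```python
"""Server side of HTTP Negotiate: challenge, then inspect the SPNEGO token.
Added example, not code from the article's projects. Sample token is constructed;
validate() is a stub for GSS-API acceptSecContext with the keytab key."""
import base64

OID_SPNEGO = "1.3.6.1.5.5.2"
OID_KRB5 = "1.2.840.113554.1.2.2"
OID_MS_KRB5 = "1.2.840.48018.1.2.2"       # what Windows clients usually list first
OID_NTLMSSP = "1.3.6.1.4.1.311.2.2.10"
KERBEROS_MECHS = {OID_KRB5, OID_MS_KRB5}
CHALLENGE = (401, {"WWW-Authenticate": "Negotiate"}, None)


def _der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(body)) + body


def _read_tlv(buf: bytes, off: int = 0):
    """Return (tag, body, offset after the element) for one DER element."""
    tag, n, off = buf[off], buf[off + 1], off + 2
    if n & 0x80:                              # long form: n & 0x7F length bytes follow
        k = n & 0x7F
        n, off = int.from_bytes(buf[off:off + k], "big"), off + k
    return tag, buf[off:off + n], off + n


def encode_oid(oid: str) -> bytes:
    arcs = [int(a) for a in oid.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for a in arcs[2:]:                        # base-128, high bit set on all but last
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out += reversed(chunk)
    return bytes(out)


def decode_oid(b: bytes) -> str:
    arcs, val = [b[0] // 40, b[0] % 40], 0   # fine for the 1.x OIDs used here
    for x in b[1:]:
        val = (val << 7) | (x & 0x7F)
        if not x & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def build_neg_token_init(mech_oids, mech_token: bytes) -> bytes:
    """InitialContextToken wrapping NegTokenInit{mechTypes, mechToken} (RFC 4178)."""
    mech_list = _tlv(0x30, b"".join(_tlv(0x06, encode_oid(o)) for o in mech_oids))
    neg_init = _tlv(0x30, _tlv(0xA0, mech_list) + _tlv(0xA2, _tlv(0x04, mech_token)))
    return _tlv(0x60, _tlv(0x06, encode_oid(OID_SPNEGO)) + _tlv(0xA0, neg_init))


def negotiate_header(token: bytes) -> str:
    return "Negotiate " + base64.b64encode(token).decode()


def inspect_authorization(header: str) -> dict:
    """Classify an Authorization header: raw NTLM, raw Kerberos, or SPNEGO."""
    scheme, _, b64 = header.partition(" ")
    if scheme != "Negotiate":
        return {"kind": "unsupported-scheme", "mechs": []}
    raw = base64.b64decode(b64)
    if raw.startswith(b"NTLMSSP\x00"):        # browser had no ticket and sent NTLM
        return {"kind": "ntlm", "mechs": [OID_NTLMSSP], "token": raw}
    if raw[:1] != b"\x60":
        return {"kind": "unknown", "mechs": []}
    _, body, _ = _read_tlv(raw)
    tag, oid_bytes, off = _read_tlv(body)
    mech = decode_oid(oid_bytes) if tag == 0x06 else ""
    if mech in KERBEROS_MECHS:                # bare KRB5 AP-REQ token, no SPNEGO
        return {"kind": "kerberos", "mechs": [mech], "token": raw}
    if mech != OID_SPNEGO:
        return {"kind": "unknown", "mechs": []}
    _, neg_init, _ = _read_tlv(body, off)     # [0] NegTokenInit
    _, seq, _ = _read_tlv(neg_init)           # SEQUENCE of context-tagged fields
    mechs, off = [], 0
    while off < len(seq):
        tag, field, off = _read_tlv(seq, off)
        if tag == 0xA0:                       # [0] mechTypes: SEQUENCE OF OID
            _, lst, _ = _read_tlv(field)
            i = 0
            while i < len(lst):
                _, o, i = _read_tlv(lst, i)
                mechs.append(decode_oid(o))
    return {"kind": "spnego", "mechs": mechs, "token": raw}


def handle_request(headers: dict, validate):
    """validate(token) -> principal or None; stands in for the GSS-API acceptor."""
    auth = headers.get("Authorization")
    if auth is None:
        return CHALLENGE                      # step 1: ask the browser to negotiate
    info = inspect_authorization(auth)
    # A Kerberos-only service accepts the token only if its optimistic (first)
    # mechanism is Kerberos; an NTLM fallback is refused, not downgraded to.
    if info["kind"] not in ("spnego", "kerberos") or not info["mechs"] \
            or info["mechs"][0] not in KERBEROS_MECHS:
        return CHALLENGE
    principal = validate(info["token"])
    return (200, {}, principal) if principal else CHALLENGE
```

In a real deployment the whole token goes to the GSS-API acceptor (GSSManager/GSSContext in Java, or a library such as Spring Security Kerberos built on it), which performs the SPNEGO negotiation itself and derives the principal from the decrypted ticket; the inspection shown here is useful for logging which mechanisms a browser offered, which is the quickest way to spot a misregistered SPN.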
Kerberos is the recommended option for web application authentication and SSO when there are multiple web applications and users access them from the same domain.
It is simple to use and highly secure, because it authenticates both sides: the client verifies the server principal and the server verifies the client principal. On the Java side, SPNEGO and the GSS-API are the main APIs, handling protocol negotiation and ticket parsing and validation.
Links of Work on GitHub
To demonstrate Kerberos-based authentication and web SSO, two Spring Boot projects were created:
- Authorization Server GitHub Link — https://github.com/siddhivinayak-sk/jwt-openid-oauth2.0-keycloak-kerberos-ntlm/tree/main/kerbores-server
- Web Client based on Kerberos authentication GitHub Link — https://github.com/siddhivinayak-sk/jwt-openid-oauth2.0-keycloak-kerberos-ntlm/tree/main/kerbores-client
The Authorization Server project contains two parts:
- minikdc — Setting up a real KDC requires a Windows Server with Domain Controller and Active Directory, and joining your machine to that domain, which can be hard for developers. To mimic that setup, the project uses MiniKdc, an embedded KDC that behaves like a real one. When the Spring Boot project starts, it runs the KDC internally and generates the krb5 configuration file that the web application later uses to protect its resources with Kerberos-based authentication.
- Web Application — A Spring Boot project that exposes a web resource/endpoint protected by Spring Security, with authentication delegated to Kerberos against the project's own KDC.
Start the server Spring Boot project; it starts MiniKdc and the web resource application. Then start the client Spring Boot project, pointing it at the correct krb5.conf and keytab file, and make a call to the client, which in turn calls the Kerberos-protected web resource.
Alternatively, if you have the infrastructure to set up Kerberos (a Windows Server running a Domain Controller and Active Directory), follow Microsoft's Kerberos policy setup in Group Policy on the Windows Server (see the link in the References). Once everything is set up, verify that the KDC is reachable (e.g. with telnet to port 88 on the domain controller), then generate the keytab by registering the service principal (on Windows this is done with setspn and ktpass), configure the keytab in the web resource application and test.
References
- MIT Kerberos — https://web.mit.edu/kerberos/
- Kerberos Org. tutorial — https://www.kerberos.org/software/tutorial.html
- GeeksforGeeks Kerberos — https://www.geeksforgeeks.org/kerberos/
- Microsoft Kerberos Authentication — https://docs.microsoft.com/en-us/windows-server/security/kerberos/kerberos-authentication-overview
- IBM Kerberos — https://www.ibm.com/docs/en/streams/4.2.1?topic=authentication-introduction-kerberos
- Fortinet Kerberos — https://www.fortinet.com/resources/cyberglossary/kerberos-authentication
- Tomcat with Kerberos — https://tomcat.apache.org/tomcat-8.5-doc/windows-auth-howto.html
- Kerberos with IIS — https://techcommunity.microsoft.com/t5/iis-support-blog/setting-up-kerberos-authentication-for-a-website-in-iis/ba-p/347882
- Kerberos with Apache Server — http://www.microhowto.info/howto/configure_apache_to_use_kerberos_authentication.html
About the Author
Sandeep Kumar holds a Master of Computer Application degree and works as a Java developer with 10+ years of experience. He has designed and developed enterprise applications in domains such as education, content, laboratory and banking, and has received various appreciations for his solutions, including a spot appreciation for a GlassFish to JBoss migration project. He holds the Google Cloud Developer certification and has participated in OCI training. He is part of the HCL-ERS platform as a Senior Lead Developer.