Estimated reading time: 30 minutes

Why is Kerberos Terrible?

Tl;dr; It’s really not. Kerberos is showing its age, but it has served us well over the years. As we build new protocols we should remember all the things we got right with it, and account for all the things we got wrong.

Estimated reading time: 8 minutes

On Token Binding

If you haven’t heard we’re lighting up Token Binding on all our important services. Azure AD is one of the first to take advantage of this. Check out what Alex and Pamela have to say on the topic. One of the most important of these improvements is the Token Binding family of specifications which is now well on its way towards final ratification at the Internet Engineering Task Force (IETF). (If you want to learn more about token binding, watch this great presentation by Brian Campbell.) At Microsoft, we believe that the Token Binding can greatly improve the security of…

Estimated reading time: 12 minutes

Creating Custom Windows Credential Providers in .NET

If you’ve ever had an experience with Credential Providers in the past, you may think the title of this post is insane — it’s not. I recently came across an interesting Github project that showed it was theoretically possible. I wanted to see if I could replicate the results myself without digging too deeply into how they did it. As it happens, I could. I created a sample project that outlines how you can do it on Github: CredProvider.NET Historically, Credential Providers have been complex components to write because they’re COM-based, and because they have weird restrictions you have to…

Estimated reading time: 5 minutes

Enclave.NET: A Secure-ish Crypto Execution Module

There’s a common problem that many applications run in to when executing cryptographic operations, and that’s the fact that the keys they use tend to exist within the application itself. This is problematic because there’s no protection of the keys — the keys are recoverable if you get a dump of the application memory, or you’re able to execute arbitrary code within the application. The solution to this problem is relatively straightforward — keep the keys out of the application. In order for that to be effective you need to also move the crypto operations out of the application too….

Estimated reading time: 11 minutes

On Adding AES Support to Kerberos.NET

It’s been a few months since there’s been any public activity on the project but I’ve quietly been working on cleaning it up and there’s even been a PR from the community (thanks ZhongZhaofeng!). Part of that clean up process has been adding support for AES 128/256 tokens. At first glance you might think it’s fairly trivial to do — just run the encrypted data through an AES transform and you’re good to go — but let me tell you: it’s not that simple. On Securing Shared Secrets There’s primarily one big difference between how RC4 and AES are used in…

Estimated reading time: 7 minutes

Kerberos.NET: A Managed Ticket Validator

In my last post I talked about how Azure AD does Kerberos Single Sign-On. Conceptually it’s a simple process, but when you dig into the details of the implementation, there are some serious hurdles to overcome. The Active Directory side of things is straightforward — it’s just a matter of manually creating an SPN and keeping the secret in sync. It gets really complicated on the Azure AD side of things though. Consider the history of web-based Kerberos. IIS has supported this for decades by way of an ISAPI HTTP module that parses out the header and hands it off to the…

Estimated reading time: 7 minutes

A look at Azure AD Single Sign-On

Microsoft recently released the Azure AD Single Sign On preview feature, which is a way to support Kerberos authentication in to Azure AD. The neat thing about this is that you don’t need ADFS to have an SSO experience if you’ve already got AD infrastructure in place. It works the same way as in-domain authentication, via a Kerberos ticket granting scheme. This is a somewhat confounding feature for anyone who has experience with Kerberos in Windows because every party needs to be domain-joined for Kerberos to work. This doesn’t seem possible in the cloud considering its a) not your box, and b)…

Estimated reading time: 24 minutes

A Developer’s Guide to Networks Part 1: Wiring

Kate and I bought our first house a few months ago. This likely comes as a shock to us more than anyone else. The house was built in 2002, which means it has the benefit of being built to a more rigorous set of standards and codes than say a house built in 1972 and as such is theoretically safer and more energy efficient. The downside of a house built in 2002 is that it’s on the wrong side of the great technology upgrade divide. Most houses these days are wired with data in mind. The current standard is somewhere…

Estimated reading time: 5 minutes

Debugging JavaScript in Auth WebViews

There is a growing trend where authentication is occurring within browser controls in applications instead of through native UI. In general, this is good because it makes things like federation simpler, and lets you use different forms of authentication without requiring changes to native components. This means any application you build can rely on a single authentication service and support a multitude of credential types without having to do anything in your own native app. Microsoft is all in with this through Azure AD, and through the ADAL (Azure Active Directory Authentication Libraries). Of course, there are problems with that. Paramount…

Estimated reading time: 9 minutes

A Year in Review: South Bound and Down

The last year or so has been… busy. Around this time last year the company I work for got acquired by Kaseya and it was a reasonably smooth transition. I went from being the Identity Guy to Lead Member of Technical Staff, and from a small engineering team to, well, a lot more. Our products went from being somewhat silo’ed in nature to being the secure foundation for Kaseya’s new next generation platform. As such my team has spent the last year building some pretty cool things that everyone will see in the coming months. We made amazing progress over this…