Estimated reading time: 30 minutes

Why is Kerberos Terrible?

Tl;dr; It’s really not. Kerberos is showing its age, but it has served us well over the years. As we build new protocols we should remember all the things we got right with it, and account for all the things we got wrong.

Estimated reading time: 3 minutes

Setting Build Versions for Visual Studio Online

Earlier we looked at how to build and package and then deploy nuget packages. One thing (of many) I glossed over was that whole version thing. It turns out versioning is really difficult to do. It’s kind of like naming things. There are 2 hard problems in computer science: cache invalidation, naming things, and off-by-1 errors. — Leon Bambrick (@secretGeek) January 1, 2010 I’m not going to go into the virtues of one method (like semantic versioning) over others, but really just going to show how I set it up so my silly little project always has an incrementing version…

Estimated reading time: 5 minutes

Automated Package Deployments using Visual Studio Online

Earlier we looked at the automated building and packaging of Kerberos.NET using VS Online. At this point the only thing we get out of it in this state is knowing the code compiles and any tests pass — which I suppose is actually quite a feat on it’s own considering I had no indicator of either when I started. We can, of course, do better! The last piece we need is automated publishing of the final nuget package to the feed for others to consume. As it turns out this is relatively straightforward to do. The process is: Defining artifacts…

Estimated reading time: 9 minutes

Automated Builds of Kerberos.NET Using Visual Studio Online

The next logical step for the Kerberos.NET project is setting up automated builds and releases. What exactly does this entail? Basically, I want a build to kick off any time changes are committed to the main repo, and automatically generate a production-ready Nuget package that is available to upload if deemed worthy of release. If you’ve done any sort of build automation or release management before, you’ve got a pretty good idea of how to make this work. For a given build service do the following: Observe changes to repo Pull down changes Build project(s) Package the packages Artifact the…

Estimated reading time: 7 minutes

Porting Kerberos.NET to .NET Core

I started the Kerberos.NET project with a simple intention: be able to securely parse Kerberos tickets for user authentication without requiring an Active Directory infrastructure. This had been relatively successful so far, but one major milestone that I hadn’t hit yet was making sure it worked with .NET Core. It now works with .NET Core. Porting a Project There is no automated way to port a project to .NET Core. This is because it’s a fundamentally different way of doing things in .NET and things are bound to break (I’m sure that’s not actually the reason). There is documentation available,…

Estimated reading time: 5 minutes

Active Directory Claims and Kerberos.NET

Active Directory has had the ability to issue claims for users and devices since Server 2012. Claims allow you to add additional values to a user’s kerberos ticket and then make access decisions based on those values at the client level. This is pretty cool because you normally can only make access decisions based on group membership, which is fairly static in nature. Claims can change based on any number of factors, but originate as attributes on the user or computer object in Active Directory. Not so coincidentally, this is exactly how claims on the web work via a federation…

Estimated reading time: 4 minutes

Kerberos.NET and the KeyTab File

Kerberos requires the use of shared secrets to validate tickets. These secrets need to be stored somewhere. Windows stores them in the registry — the Security hive specifically. Other platforms store them in keytab files. Keytab files are useful because they’re a well known construct and are supported by many platforms. What’s interesting about them is that they store the derived value used to encrypt the ticket, and not the real secret. This means you don’t need to worry about how the salt is derived, and can just use the value without having to know how to manipulate the underlying…

Estimated reading time: 11 minutes

On Adding AES Support to Kerberos.NET

It’s been a few months since there’s been any public activity on the project but I’ve quietly been working on cleaning it up and there’s even been a PR from the community (thanks ZhongZhaofeng!). Part of that clean up process has been adding support for AES 128/256 tokens. At first glance you might think it’s fairly trivial to do — just run the encrypted data through an AES transform and you’re good to go — but let me tell you: it’s not that simple. On Securing Shared Secrets There’s primarily one big difference between how RC4 and AES are used in…

Estimated reading time: 1 minute

Achievement Unlocked: Kerberos.NET Has a Nuget Package!

These days most developers won’t even consider third party libraries unless they’re available through nuget packages. I say this from experience — I will prefer a nuget’ed library over one where I have to manage the assembly manually. It saddens me a bit when I have to commit binaries to source control. Naturally this great new project of mine should therefore have it’s own nuget package! How do you use it? It’s quite easy; just pop open the Package Manager Console and add it! Package Manager Console Host Version Type ‘get-help NuGet’ to see all available NuGet commands. PM>…

Estimated reading time: 4 minutes

Windows Authentication in IIS with Kerberos.NET

The last few samples I created for Kerberos.NET were all run from a console application. This served a couple purposes. First, the samples are a lot more portable this way; second, IIS doesn’t get in the way. IIS supports kerberos authentication natively through the Windows Authentication mode. It does this via an ISAPI module that intercepts application response codes and does the negotiate dance on behalf of the application. This means as an application developer I can just say “return 401” and IIS appends a WWW-Authenticate header and processes any responses outside the sights of my application. This isn’t necessarily what…