Estimated reading time: 1 minute

Achievement Unlocked: Kerberos.NET Has a Nuget Package!

These days most developers won’t even consider third party libraries unless they’re available through nuget packages. I say this from experience — I will prefer a nuget’ed library over one where I have to manage the assembly manually. It saddens me a bit when I have to commit binaries to source control. Naturally this great new project of mine should therefore have its own nuget package! How do you use it? It’s quite easy; just pop open the Package Manager Console and add it! Package Manager Console Host Version 3.4.4.1321 Type ‘get-help NuGet’ to see all available NuGet commands. PM>…

Estimated reading time: 4 minutes

Windows Authentication in IIS with Kerberos.NET

The last few samples I created for Kerberos.NET were all run from a console application. This served a couple of purposes. First, the samples are a lot more portable this way; second, IIS doesn’t get in the way. IIS supports Kerberos authentication natively through the Windows Authentication mode. It does this via an ISAPI module that intercepts application response codes and does the Negotiate dance on behalf of the application. This means as an application developer I can just say “return 401” and IIS appends a WWW-Authenticate header and processes any responses outside the sight of my application. This isn’t necessarily what…

Estimated reading time: 8 minutes

Configuring an SPN in Active Directory for Kerberos.NET

In my last post I talked about trying out the Kerberos.NET sample project and mentioned that hitting the endpoint from a browser isn’t going to work because Active Directory doesn’t know about the application. Let’s see what we can do to fix this. A Service Principal Name (SPN) is a unique identifier tied to an account in Active Directory. They take the form {service}/{identifier}, e.g. HTTP/foo.bar.com. They are used to uniquely identify a service that can receive Kerberos tickets. When a browser is challenged with Negotiate authentication it uses the host name of the requested URL (minus scheme and port) to find an SPN…
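The excerpt above describes the two halves of the problem: the browser derives an SPN from the host name of the URL, and Active Directory has to have that exact SPN registered on the account the service runs as. The following PowerShell is an added example, not code from the post or from the Kerberos.NET project. It derives the SPN the way a browser would, checks the forest for an existing (duplicate) registration with setspn, and only then adds it. The URL, the domain and the service account name (CONTOSO\svc-kerbnet) are hypothetical placeholders; substitute your own, and run it as an account that can write servicePrincipalName on that object.

```powershell
# Added example (not from the post or from Kerberos.NET).
# Derive the SPN a browser will request for an application URL and
# register it on the service account, refusing to create a duplicate.
#
# Assumptions (hypothetical names): the app answers at $AppUrl and the
# worker process runs as $ServiceAccount in the CONTOSO domain.
# setspn.exe ships with the RSAT / AD DS tools on Windows.

param(
    [string]$AppUrl = 'http://foo.bar.com:8080/kerberos/',
    [string]$ServiceAccount = 'CONTOSO\svc-kerbnet'
)

function Get-SpnFromUrl {
    param([Parameter(Mandatory)][string]$Url)
    # A browser keeps only the host name: scheme, port and path are
    # dropped, and the service class is HTTP even for an https:// URL.
    # (Chrome/IE/Edge do not add the port to HTTP SPNs by default.)
    $uri = [System.Uri]$Url
    return "HTTP/$($uri.Host)"
}

function Test-SpnRegistered {
    param([Parameter(Mandatory)][string]$Spn)
    # setspn -Q searches the whole forest for the SPN and prints the
    # owning object's DN, or "No such SPN found." when it is unclaimed.
    $output = & setspn.exe -Q $Spn 2>&1 | Out-String
    return -not ($output -match 'No such SPN found')
}

function Register-ServiceSpn {
    param(
        [Parameter(Mandatory)][string]$Spn,
        [Parameter(Mandatory)][string]$Account
    )
    # Duplicate SPNs are the classic silent failure: the KDC may issue the
    # ticket for whichever account it finds first, so the service cannot
    # decrypt it. Bail out instead of registering a second copy.
    if (Test-SpnRegistered -Spn $Spn) {
        Write-Warning "$Spn is already registered somewhere in the forest:"
        & setspn.exe -Q $Spn
        return $false
    }
    # -S also checks for duplicates before adding (unlike the older -A).
    & setspn.exe -S $Spn $Account
    return ($LASTEXITCODE -eq 0)
}

$spn = Get-SpnFromUrl -Url $AppUrl
Write-Host "Browser will request a ticket for: $spn"

if (Register-ServiceSpn -Spn $spn -Account $ServiceAccount) {
    Write-Host "Registered. SPNs now on ${ServiceAccount}:"
    & setspn.exe -L $ServiceAccount
}
```

Two practical notes. If users reach the application through more than one host name (an alias, a load balancer VIP), each name needs its own HTTP/{name} SPN on the same account, because the browser builds the SPN from whatever was typed in the address bar. And because the SPN identifies a key, the account's password (or keytab) is what the service will use to decrypt the ticket, which is the secret the Kerberos.NET validator has to be given.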

Estimated reading time: 3 minutes

Authenticating Web Requests with Kerberos.NET

I recently committed a couple of sample projects to the Kerberos.NET library that show how you can authenticate a web-based Kerberos ticket. My choice of platform is OWIN middleware because it most closely resembles how things work in ASP.NET Core, without actually going full-core. The key class to look at is KerberosEndToEndMiddleware. It contains the necessary logic to handle detection and prompting for authentication. Keep in mind that this is a rudimentary sample. It doesn’t detect or create sessions, so every unauthenticated request will be prompted to authenticate. You can try the sample by just launching the KerberosMiddlewareEndToEndSample project. It’ll start a console app and begin…

Estimated reading time: 7 minutes

Kerberos.NET: A Managed Ticket Validator

In my last post I talked about how Azure AD does Kerberos Single Sign-On. Conceptually it’s a simple process, but when you dig into the details of the implementation, there are some serious hurdles to overcome. The Active Directory side of things is straightforward — it’s just a matter of manually creating an SPN and keeping the secret in sync. It gets really complicated on the Azure AD side of things though. Consider the history of web-based Kerberos. IIS has supported this for decades by way of an ISAPI HTTP module that parses out the header and hands it off to the…

Estimated reading time: 7 minutes

A look at Azure AD Single Sign-On

Microsoft recently released the Azure AD Single Sign On preview feature, which is a way to support Kerberos authentication into Azure AD. The neat thing about this is that you don’t need ADFS to have an SSO experience if you’ve already got AD infrastructure in place. It works the same way as in-domain authentication, via a Kerberos ticket granting scheme. This is a somewhat confounding feature for anyone who has experience with Kerberos in Windows because every party needs to be domain-joined for Kerberos to work. This doesn’t seem possible in the cloud considering it’s a) not your box, and b)…

Estimated reading time: 76 minutes

Going Nuclear: Modeling Threats to Distributed Systems

It probably won’t come as a shock to you that as I was writing up my last post on IoT and my new Geiger counter I was mentally reviewing all the things that had me concerned security-wise. I don’t mean the apocalyptic visions of Fallout, but the fact that I have a device I don’t necessarily trust sitting on my network constantly feeding data to a remote server without much control by me. I’m predictable like that. Upon further review I realized I wanted to write up my thoughts on how I would protect against such an unknown, but really…

Estimated reading time: 11 minutes

IoT is Weird: Or Why I now have a Network Connected Geiger Counter

Update: I have a page of data here: http://syfuhs.net/my-rad-monitor/. It’s a bit weird to imagine everything with an IP address. I’m not entirely sure how I feel about this idea. My feelings about this aside though, this is becoming more and more prevalent with the advent of cheap and powerful processors available to anyone with an idea. It used to be that you needed a team of engineers to build embedded devices that can connect to the internet, but now all you need is an Arduino, a few components, a few hundred lines of code, and a few hours to build an internet connected device….

Estimated reading time: 16 minutes

Windows Azure Pack Tenant Public API Authentication Options

Web services, as we’ve learned throughout this series, are integral to the workings of Windows Azure Pack. Every UI exposed to the user connects to the backend via web service, every resource provider is managed by Windows Azure Pack through their own web services, and 3rd party functionality can be tied in through web services. It’s an SOA world. Last time we looked at the Tenant Public API and how it uses client certificates for authentication. Client certificates are paradoxically complex beasts while also being the easiest authentication method for 3rd parties to use. This is because you don’t really need to…

Estimated reading time: 15 minutes

Web Service Authentication in Windows Azure Pack

It’s been a couple of months since we last looked at Windows Azure Pack, so before we jump into the thick of it let’s recap.
- Windows Azure Pack is an awesome on-premise private cloud platform
- The interactive portions are broken down into two sections: admin areas and tenant areas
- It relies on JWTs as bearer tokens to authenticate between UI surfaces and backend web services
- It uses federation to authenticate users at two separate Security Token Services using WS-Federation
- A JWT is used as the token in the WS-Fed protocol
- You can use your own STS or ADFS to authenticate users
All coming back now? Good!…