I've tried to figure it out myself, but to no avail. Google offers many tutorials, but I couldn't find any for the case below.

We have an external cooperating employee with VPN access to our LAN, and he needs to access some of our web applications. His workstation runs Windows 7 Professional. The web applications can only accept Kerberos-based SSO authentication - password auth is disabled due to security policy and it cannot be changed. The Kerberos AS/KDC are provided by a Windows Server 2008 R2-level domain, of which his workstation is not a member.

How can we configure Kerberos authentication from his workstation without adding it to the domain? Until now I have only configured UNIX-based systems with Kerberos. Under Windows I can think of two different solutions:

  1. Install external Kerberos libraries (i.e. MIT Kerberos for Windows) - I assume the configuration process is similar to UNIX-based systems (i.e. editing krb5.conf, setting the default realm and enabling DNS-based KDC location).

  2. Configure the Windows built-in Kerberos client without adding the workstation to the domain - I'm not sure it is even possible.

We need to get SSO working in Mozilla Firefox. Provided that we use the first solution, I assume we should set network.negotiate-auth.gsslib to the external Kerberos DLL path. Can this setup work as expected? Of the above options the latter is strongly preferred, as we'd like to avoid external dependencies and possible incompatibilities.

sam_pan_mariusz
  • That sounds way over-complicated and fragile. Why not set up a remote desktop server or a Windows 7 VM for remote user(s)? – Greg Askew Jan 08 '16 at 12:46
  • @GregAskew We've considered a similar solution (with a Linux-based workstation though), but due to our policy it requires creating another VLAN and firewall zone to separate access, and thus we consider it the last-resort option. And I don't consider it "fragile" because Kerberos is a standardized and popular protocol. – sam_pan_mariusz Jan 08 '16 at 13:20
  • AD is, at its core, an MIT Kerberos implementation. So a 3rd-party Kerberos client should work with AD, though you will still need to have an identity in AD for the user. On the same token, I think you can use ksetup.exe (a Windows built-in Kerberos tool) to make this machine a member of AD - it's an unusual setup where you treat AD as a realm rather than a native domain. I never tested this myself but it should work. For question #2, no, you can't use the built-in Kerberos client without joining the domain. – strongline Jan 14 '16 at 03:28
  • @strongline Thank you. If I make the Windows client a member of the AD Kerberos realm using *ksetup.exe*, what does this mean besides authentication? Will GPOs be processed? I assume a keytab will be created (in a file or the registry), but what about periodically changing the machine account password - is it going to work? – sam_pan_mariusz Jan 14 '16 at 06:11
  • @sam_pan_mariusz, I don't think GPO will get applied. Machine password change is initiated by the client. So for keytab file clients, I don't think it will do that, or that it needs to. – strongline Jan 14 '16 at 15:00
  • A thought - could you use Web Application Proxy to proxy Kerberos auth, assuming the application supports it? – Taz Jan 20 '16 at 02:46
  • There's a reverse proxy already. It doesn't matter much here whether I configure SSO on the proxy or the application server - both are Apache httpd-based. And authentication directly on the app server is a more secure approach. – sam_pan_mariusz Jan 20 '16 at 06:04
  • I've tried the same scenario - using Kerberos over VPN from a non-domain computer. It looks like this is impossible to achieve: according to [this guide](https://www.garyhawkins.me.uk/non-domain-mit-kerberos-logins-on-windows-10/) a) you need to set up a principal on the AD/KDC server *for the computer*, b) you also need to log out and log in *to Windows* with the domain account. Both points are pretty problematic to do. How can you do the login when you can connect to the VPN (and see the KDC afterwards) only after you log in to your local computer, for example? – Petr Bodnár Dec 14 '19 at 16:12
  • A related (yet also not quite answered) question: https://serverfault.com/questions/455793/kerberos-authentication-for-workstations-not-on-domain – Petr Bodnár Dec 14 '19 at 16:33
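The first option from the question (MIT Kerberos for Windows plus Firefox's network.negotiate-auth.gsslib), written out as an added PowerShell example; this is not code from the question, the commenters or the MIT Kerberos project. The realm EXAMPLE.COM, the host names, the KfW install directory, the Firefox profile path and the user name are all assumptions, and, as strongline notes above, the user still needs an account in AD. Writing krb5.ini into the Windows directory needs an elevated prompt, and the GSSAPI DLL bitness has to match the Firefox build (gssapi32.dll for 32-bit Firefox).

```powershell
# Added example (not from the question or MIT KfW): configure MIT Kerberos for
# Windows and Firefox on a workstation that is NOT joined to the domain.
# Every name and path below is an assumption for illustration.
$Realm      = 'EXAMPLE.COM'
$DnsDomain  = 'example.com'
$KdcHost    = 'dc1.example.com'                    # fallback when SRV lookup over the VPN fails
$KfwBin     = 'C:\Program Files\MIT\Kerberos\bin'  # default KfW 4.x location (assumed)
$GssDll     = Join-Path $KfwBin 'gssapi64.dll'     # gssapi32.dll for 32-bit Firefox
$User       = 'jdoe'
$ProfileDir = 'C:\Users\jdoe\AppData\Roaming\Mozilla\Firefox\Profiles\abcd1234.default'  # assumed

# 1. krb5.ini is the Windows name of krb5.conf; KfW reads %WINDIR%\krb5.ini
#    unless KRB5_CONFIG points elsewhere. dns_lookup_kdc makes the library
#    query _kerberos._tcp.EXAMPLE.COM SRV records, as on UNIX.
$krb5 = @"
[libdefaults]
    default_realm = $Realm
    dns_lookup_kdc = true
    dns_lookup_realm = false
    forwardable = true
    rdns = false

[realms]
    $Realm = {
        kdc = $KdcHost
    }

[domain_realm]
    .$DnsDomain = $Realm
    $DnsDomain = $Realm
"@
Set-Content -Path (Join-Path $env:WINDIR 'krb5.ini') -Value $krb5 -Encoding Ascii

# 2. Firefox: use the external GSSAPI DLL instead of SSPI and only offer
#    Negotiate to our own applications. user.js is read at every start and
#    overrides prefs.js. Backslashes in the DLL path must be doubled for JS.
$userJs = @"
user_pref("network.negotiate-auth.trusted-uris", "https://app1.$DnsDomain,https://app2.$DnsDomain");
user_pref("network.negotiate-auth.using-native-gsslib", false);
user_pref("network.negotiate-auth.gsslib", "$($GssDll -replace '\\', '\\')");
"@
Set-Content -Path (Join-Path $ProfileDir 'user.js') -Value $userJs -Encoding Ascii

# 3. Get a TGT with the KfW tools and confirm it is cached. Windows ships its
#    own klist.exe, so call the KfW binaries by full path to avoid confusion.
& (Join-Path $KfwBin 'kinit.exe') "$User@$Realm"
& (Join-Path $KfwBin 'klist.exe')
```

After kinit succeeds, opening one of the trusted-uris hosts in Firefox should produce a service ticket for HTTP/app1.example.com in the KfW klist output; if the browser falls back to a 401 page, check the trusted-uris pref and the DLL bitness first, since either silently disables Negotiate.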

1 Answer

I recently got Kerberos working from a VPN-connected workstation that's not joined to the domain (an AWS-managed Server 2008 R2 Active Directory). The key was adding the SRV and corresponding A records to public DNS so that the workstation could resolve _kerberos._tcp.dc._msdcs.mydomain.mydomain.com to the DC's local VPC address on port 88 (note that mydomain appearing twice is not a mistake).

Kerberos clients get tickets using the domain credentials stored in the Windows Credentials Manager. Adding the realm via ksetup wasn't necessary.

Gordy
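The prerequisites in the answer (an _kerberos._tcp.dc._msdcs SRV record, an A record for the DC and port 88 reachable through the VPN) can be checked from the workstation before storing domain credentials in Credential Manager. This is an added PowerShell example, not the answerer's own steps; example.com, the account name and the Credential Manager target pattern are assumptions. It uses nslookup rather than Resolve-DnsName because Windows 7 lacks the DnsClient module.

```powershell
# Added example (not from the answer): verify the DNS/VPN prerequisites the
# answer describes from a non-joined Windows 7 workstation, then store the
# domain credentials the built-in Kerberos client will use. Names are assumed.
$AdDomain   = 'example.com'    # AD DNS domain (mydomain.mydomain.com in the answer)
$DomainUser = 'EXAMPLE\jdoe'   # domain account that will receive the tickets
$KdcPort    = 88

# 1. The SRV record the Windows client follows to locate a DC/KDC.
$srv = "_kerberos._tcp.dc._msdcs.$AdDomain"
$srvOut = & nslookup -type=SRV $srv 2>&1 | Out-String
if ($srvOut -match 'svr hostname\s*=\s*(\S+)') {
    $dcHost = $Matches[1].TrimEnd('.')
} else {
    throw "No SRV record for $srv - the DNS the VPN client uses must publish it"
}
Write-Host "KDC advertised by SRV: $dcHost"

# 2. The A record must resolve to an address that is routed over the VPN.
$dcAddr = [System.Net.Dns]::GetHostAddresses($dcHost) | Select-Object -First 1
if (-not $dcAddr) { throw "A record for $dcHost is missing" }
Write-Host "KDC address: $dcAddr"

# 3. Port 88/tcp must be open through the VPN and any firewall in between.
$tcp = New-Object System.Net.Sockets.TcpClient
try {
    $tcp.Connect($dcAddr, $KdcPort)
    Write-Host "TCP ${KdcPort} reachable on ${dcAddr}"
} catch {
    throw "Cannot reach ${dcAddr}:${KdcPort} over the VPN: $_"
} finally {
    $tcp.Close()
}

# 4. Store the domain credentials in Credential Manager. /pass with no value
#    prompts for the password so it never lands in the shell history. The
#    wildcard target is an assumption; it must match the DC and web app hosts.
& cmdkey /add:"*.$AdDomain" /user:$DomainUser /pass

# 5. Once a Kerberos-protected URL has been opened, the TGT and the HTTP/
#    service ticket appear in the built-in Windows ticket cache.
& klist
```

If step 1 fails while the VPN is up, the workstation is resolving through its local ISP resolver rather than the VPN's DNS, which is exactly the situation the answer worked around by publishing the records in public DNS; pointing the VPN adapter at the internal resolver avoids exposing the DC's address publicly.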