
I have configured the HTTP service on IIS 7.5 for Kerberos authentication, and it works fine.

I have checked from a Linux box:

# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: alex@EXAMPLE.NET

Valid starting     Expires            Service principal
03/08/16 10:19:30  03/08/16 20:19:31  krbtgt/EXAMPLE.NET@EXAMPLE.NET
        renew until 03/15/16 10:19:30
03/08/16 10:20:00  03/08/16 20:19:31  HTTP/dc1.example.net@EXAMPLE.NET
        renew until 03/15/16 10:19:30

Simple test:

# curl --trace-ascii - --negotiate -u : http://www.example.net
Enter host password for user 'alex@example.net':
== Info: About to connect() to www.example.net port 80 (#0)
== Info:   Trying 192.168.1.100... == Info: connected
== Info: Connected to www.example.net (192.168.1.100) port 80 (#0)
=> Send header, 178 bytes (0xb2)
0000: GET / HTTP/1.1
0010: User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7
0050:  NSS/3.19.1 Basic ECC zlib/1.2.3 libidn/1.18 libssh2/1.4.2
008c: Host: www.example.net
00a3: Accept: */*
00b0:
...
== Info: Connection #0 to host www.example.net left intact
== Info: Issue another request to this URL: 'http://www.example.net/'
== Info: Re-using existing connection! (#0) with host www.example.net
== Info: Connected to www.example.net (192.168.1.100) port 80 (#0)
== Info: Server auth using GSS-Negotiate with user ''
=> Send header, 1969 bytes (0x7b1)
0000: GET / HTTP/1.1
0010: Authorization: Negotiate YIIFJgYJKoZIhvcSAQICAQBuggUVMIIFEaADAgE
0050: FoQMCAQ6iBwMFAAAAAACjggQkYYIEIDCCBBygAwIBBaENGwtFWEFNUExFLk5FVKI
0090: iMCCgAwIBA6EZMBcbBEhUVFAbD2RjMS5leGFtcGxlLm5ldKOCA+AwggPcoAMCARK
...
070f: User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7
074f:  NSS/3.19.1 Basic ECC zlib/1.2.3 libidn/1.18 libssh2/1.4.2
078b: Host: www.example.net
07a2: Accept: */*
07af:
<= Recv header, 17 bytes (0x11)
0000: HTTP/1.1 200 OK
<= Recv header, 25 bytes (0x19)
0000: Content-Type: text/html
<= Recv header, 46 bytes (0x2e)
0000: Last-Modified: Sat, 05 Mar 2016 17:15:16 GMT
<= Recv header, 22 bytes (0x16)
0000: Accept-Ranges: bytes
...

Anonymous authentication has been disabled and Windows authentication has been enabled in the Authentication section for the site and for the whole server. I left only Negotiate:Kerberos in Providers section. Kernel-mode authentication has been disabled.

I have created an SPN record for the FTP service:

> setspn.exe -a ftp/ftp.example.net dc1
Registering ServicePrincipalNames for CN=DC1,OU=Domain Controllers,DC=example,DC=net
        ftp/ftp.example.net
Updated object

And I can see the newly created SPN record:

> Setspn.exe -L DC1
Registered ServicePrincipalNames for CN=DC1,OU=Domain Controllers,DC=example,DC=net:
        ftp/ftp.example.net
        Dfsr-12F9A27C-BF97-4787-9364-D31B6C55EB04/dc1.example.net
        HOST/DC1/EXAMPLE
        ldap/DC1/EXAMPLE
        ldap/dc1.example.net/ForestDnsZones.example.net
        ldap/dc1.example.net/DomainDnsZones.example.net
        DNS/dc1.example.net
        GC/dc1.example.net/example.net
        RestrictedKrbHost/dc1.example.net
        RestrictedKrbHost/DC1
        HOST/dc1.example.net/EXAMPLE
        HOST/DC1
        HOST/dc1.example.net
        HOST/dc1.example.net/example.net
        ldap/dc1.example.net/EXAMPLE
        ldap/DC1
        ldap/dc1.example.net
        ldap/dc1.example.net/example.net
        E3514235-4B06-11D1-AB04-00C04FC2DCD2/f9c3624c-5f19-4e0a-8afa-d730b0bd4e6d/example.net
        ldap/f9c3624c-5f19-4e0a-8afa-d730b0bd4e6d._msdcs.example.net

But when I try to connect to the FTP service I get the following error:

# curl --trace-ascii - --krb 5 -u : ftp://ftp.example.net
== Info: About to connect() to ftp.example.net port 21 (#0)
== Info:   Trying 192.168.1.100... == Info: connected
== Info: Connected to ftp.example.net (192.168.1.100) port 21 (#0)
<= Recv header, 27 bytes (0x1b)
0000: 220 Microsoft FTP Service
== Info: Trying GSSAPI...
=> Send header, 13 bytes (0xd)
0000: AUTH GSSAPI
<= Recv header, 41 bytes (0x29)
0000: 504 Security mechanism not implemented.
== Info: GSSAPI is not supported by the server.
== Info: Logging in with password in cleartext!
...

I have read a lot of official documentation but couldn't find out whether it is possible to configure Kerberos authentication for the FTP service.

So my questions are:

  • Is it possible at all? If it is, what have I missed?
  • If it is not possible, which FTP server can I use with Kerberos authentication?

P.S. In the advanced settings of the Windows Authentication section there is an option, Kernel-mode authentication, with the following description:

By default, IIS enables kernel-mode authentication, which may improve authentication performance and prevent authentication problems with application pools configured to use a custom identity. As a best practice, do not disable this setting if Kerberos authentication is used in your environment and the application pool is configured to use a custom identity.

But when I check the box I get the following error:

[screenshot of the IIS error message, not included]

Did I miss something? On the previous screen IIS recommended not disabling kernel-mode authentication, especially for Kerberos authentication, so I'm a little bit confused.

Thanks in advance

ALex_hha
  • Check this: it's not about FTP in general, but it uses app pool identities, which can be set up for the FTP service too (use your own app pool for FTP). http://geekswithblogs.net/Prasanna/archive/2013/06/04/kerberos---setup-on-iis-7-and-up.aspx Check with Fiddler whether Kerberos is used after completing the task. Hope it is what you're looking for. – SimonS Mar 08 '16 at 12:21
  • Unfortunately the article is only about HTTP and not FTP. – ALex_hha Mar 08 '16 at 20:45
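The traces in the question show the one thing worth catching automatically: for HTTP the Negotiate token was sent and answered with 200 OK, while for FTP the server rejected AUTH GSSAPI with 504 and curl announced that it would fall back to a cleartext password. The script below is an added example, not part of the question or of any IIS or curl tooling; it reads curl --trace-ascii output and classifies each connection so a test run fails loudly on a cleartext fallback instead of that line being missed in a long trace. The two embedded traces are constructed, abbreviated copies of the shapes printed in the question; the accepted reply codes (HTTP 2xx, FTP 334 for "mechanism accepted, ADAT must follow" and 234 for "exchange complete") follow RFC 2228 and are the only interpretation assumed here.

```python
"""Classify a curl --trace-ascii run: did Kerberos/GSSAPI get accepted, or did
the client fall back to sending a password in cleartext?  (Added example.)"""
import re

# Constructed samples, abbreviated from the traces shown in the question.
HTTP_TRACE = """\
== Info: Connected to www.example.net (192.168.1.100) port 80 (#0)
== Info: Server auth using GSS-Negotiate with user ''
=> Send header, 1969 bytes (0x7b1)
0000: GET / HTTP/1.1
0010: Authorization: Negotiate YIIFJgYJKoZIhvcSAQICAQBuggUVMIIFEaADAgE
0050: FoQMCAQ6iBwMFAAAAAACjggQkYYIEIDCCBBygAwIBBaENGwtFWEFNUExFLk5FVKI
<= Recv header, 17 bytes (0x11)
0000: HTTP/1.1 200 OK
"""

FTP_TRACE = """\
== Info: Connected to ftp.example.net (192.168.1.100) port 21 (#0)
<= Recv header, 27 bytes (0x1b)
0000: 220 Microsoft FTP Service
== Info: Trying GSSAPI...
=> Send header, 13 bytes (0xd)
0000: AUTH GSSAPI
<= Recv header, 41 bytes (0x29)
0000: 504 Security mechanism not implemented.
== Info: GSSAPI is not supported by the server.
== Info: Logging in with password in cleartext!
"""

CONNECTED = re.compile(r"^== Info: Connected to (?P<host>\S+) \([^)]+\) port (?P<port>\d+)")
PAYLOAD = re.compile(r"^[0-9a-f]{4}: (?P<text>.+)$")   # "0010: <header or reply line>"


def status_code(text):
    """Reply code from an HTTP status line or an FTP reply line, else None."""
    m = re.match(r"^HTTP/\d\.\d (\d{3})", text) or re.match(r"^(\d{3})[ -]", text)
    return int(m.group(1)) if m else None


def accepted(code):
    # HTTP: any 2xx after the Negotiate header means the token was accepted.
    # FTP (RFC 2228): 334 = mechanism accepted, ADAT follows; 234 = exchange done.
    return 200 <= code < 300 or code == 334


def analyze_trace(trace):
    result = {"host": None, "port": None, "kerberos_attempted": False,
              "kerberos_accepted": False, "cleartext_fallback": False}
    direction = None            # which side the following "XXXX:" lines belong to
    awaiting_auth_reply = False  # we sent a Kerberos token and want the reply code
    for line in trace.splitlines():
        line = line.rstrip()
        m = CONNECTED.match(line)
        if m:
            result["host"], result["port"] = m.group("host"), int(m.group("port"))
            continue
        if line.startswith("=> Send header"):
            direction = "send"
            continue
        if line.startswith("<= Recv header"):
            direction = "recv"
            continue
        if line.startswith("== Info:"):
            if "cleartext" in line:          # curl's own warning on fallback
                result["cleartext_fallback"] = True
            continue
        m = PAYLOAD.match(line)
        if not m:
            continue                         # base64 continuation lines etc.
        text = m.group("text")
        if direction == "send":
            if text.startswith("Authorization: Negotiate") or text.upper().startswith("AUTH GSSAPI"):
                result["kerberos_attempted"] = True
                awaiting_auth_reply = True
            elif text.startswith("Authorization: Basic") or text.upper().startswith("PASS "):
                result["cleartext_fallback"] = True   # credentials on the wire
        elif direction == "recv" and awaiting_auth_reply:
            code = status_code(text)
            if code is not None:
                result["kerberos_accepted"] = accepted(code)
                awaiting_auth_reply = False
    return result


def verdict(result):
    if result["cleartext_fallback"]:
        return "FAIL: client fell back to cleartext credentials"
    if result["kerberos_attempted"] and result["kerberos_accepted"]:
        return "OK: Kerberos/GSSAPI authentication accepted"
    if result["kerberos_attempted"]:
        return "FAIL: Kerberos attempted but rejected by the server"
    return "UNKNOWN: no authentication exchange seen"


if __name__ == "__main__":
    for name, trace in (("http", HTTP_TRACE), ("ftp", FTP_TRACE)):
        r = analyze_trace(trace)
        print(f"{name}: {r['host']}:{r['port']} -> {verdict(r)}")
```

Run with the output of `curl --trace-ascii - ...` on stdin or saved to a file; the point of the verdict is that a rejected AUTH GSSAPI followed by a PASS line is treated as a failure even though the FTP login itself may succeed, because that is exactly the case in which the password crosses the network unprotected.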

0 Answers