I have gone through many blogs which are telling that if Kerberos fails then it automatically falls back to NTLM.Is it true?
Yes it is, if you configured Kerberos through central administration.
In IIS metabase, you should have "Negociate, NTLM".
I think the client decides what to send and the server simply accepts or rejects. Meaning, based on what the server is asking for, the client may or may not be able to comply. So if the server says Negotiate, the client can send either an NTLM token or a Kerberos token...?
If you are writing a server that needs to authenticate clients via Kerberos, then you will be able to specify if you want to accept or reject the token, or have the client retry using some other scheme... like Basic (not recommended).
If you are writing a client, simply send which ever token you want (NTLM or Kerberos) and the server will tell you what to do next (if anything, server may accept).
Take a look at this open source project http://spnego.sourceforge.net The project implements a SPNEGO Http Servlet Filter as well as a SpnegoHttpURLConnection object.
Actually, this is a pretty big gotcha with Kerberos. Yes, Negotiate will pick between Kerberos and NTLM, but this is a one time choice. It is not failover authentication. So if the Kerberos Authentication fails, the server won't specifically send a new NTLM authentication to the client.
Related
I am writing an android app that connects to my server with a POST request. So far, I am using SHA-256 to hash and salt epoch time and use that as a third parameter alongside the username and password to make sure that the authentication is done from the app. However, an attacker could decompile the apk and figure out the salt that I am adding to epoch time, allowing them to make a POST request from wherever.
I am wondering if there is a way to make sure the POST request is being made from my app. Note that I cannot change the authentication method of the server from POST.
Thanks in advance.
HTTP Client authentication is an open process to allow vendors to implement different authentication schemes.
Apart from SSL (when run under HTTP protocol) having is own authentication mechanism (for servers and/or clients) the authentication task on HTTP protocol is managed by the WWW-Authenticate header in the HTTP header protocol. That field reflects if the server demands some kind of authentication and how the peer is going to be authenticated.
This allows peer protocol authentication (not only for the client, but also the server can be authenticated) but it makes HTTP method agnostic, as the authentication procedure is orthogonal to the method used to request information. You can use authentication with any (or all) the http methods (GET, POST, CONNECT, HEAD, PUT, DELETE, etc)
You need to read the RFC's docs: 7230, 7231, 7232, 7233, 7234 and 7235.
The more interesting to you is 7234 (it describes protocol authentication), and the documentation of the web server you are requesting to, and how the service has been configured, to get an idea of the authentication methods it supports or the credentials you must provide to authenticate the client.
Normally, the process is as follows:
the client makes a unauthenticated request of info for the target url.
The server denies the request, signalling authentication must be used, and proposes an authentication method and challenge.
The client redoes the request, but providing the requested credentials from the server.
The server accepts the request or denies it again.
To note is that, depending on the authentication method to use (e.g. BASIC is a simple username/password scheme, while DIGEST forces the user to produce a digest, based on used credentials and some server provided info) you can need more than one roundtrip to the server (the server can force you, while not common, to use two of these in chain to grant you access to the resources)
In the case of Java, probably a good source of documentation is the Apache HttpClient class, and it has some tutorials from Apache that show you how to make authenticated requests. A good reference is this.
JNDI LDAP auth requires a cleartext password to be passed (Context.SECURITY_CREDENTIALS) to almost all security mechanisms (or at least how I understand it). It looks like to be designed in a way, that the password originates from the current JVM. But what about a password, that has to be sent from another machine? This approach forces it to be sent in a recoverable fashion (the most simple is cleartext) with little security.
To be more specific, let's consider a 3-tier setup: client, java server and an LDAP server. The user enters the username and password in the client which is sent to the java server. Then the java server communicates with an LDAP server in order to authorize these credentials. Is there a way to make the transmission from the client to the java server secure?
I understand, that we can use SSL or another way to secure the channel itself, but it's still no good that we have to send the password in a recoverable fashion through this (even secure) channel.
I tried to search for an answer, but it looks like most of them consider a 2-tier setup. There were also some 3d party java libraries recommendations (instead of JNDI), but it wasn't clear, if that they can handle my task. If they actually do so, could you please give an example utilizing them for my task?
My target platforms are Delphi XE3 Client, Java SE 6 Server and an AD LDAP. But I'm also interested in a more theoretical discussion not restricted to these concrete client and LDAP.
This approach forces it to be sent in a recoverable fashion (the most simple is cleartext) with little security.
The approach requires you to use SSL. It's as simple as that.
We found the answer and actually made it work on a production system.
The correct path is to use the Kerberos protocol http://en.wikipedia.org/wiki/Kerberos_(protocol).
In my setup the following happens:
1) The client obtains a ticket to the server service in the AD and sends it to the server. This is done via classes near TSSPIWinNTCredentials class in Indy, but I think it's quite possible to do so without difficulties using Windows functions directly.
2) The server logins to the AD as a service. This is done via LoginContext class using correct AppConfigurationEntry with keys.
3) The server authenticates the client in the AD using client's ticket, obtaining client's username. This is done via Subject.doAs method and classes near GSSManager class.
4) The server performs additional business level checks and grants the client a business session. This is business-specific of course.
At no point in this scenario any insecure communication is made, including sending passwords in a recoverable fashion, because it is the design goal of the Kerberos protocol itself.
The answer below is from this question;
The awarded answer doesn't actually address the question at all. It only mentions SSL in the context of data transfer and doesn't actually cover authentication.
You're really asking about securely authenticating REST API clients. Unless you're using TLS client authentication, SSL alone is NOT a viable authentication mechanism for a REST API. SSL without client authc only authenticates the server, which is irrelevant for most REST APIs.
If you don't use TLS client authentication you'll need to use something like a digest-based authentication scheme (like Amazon Web Service's custom scheme) or OAuth or even HTTP Basic authentication (but over SSL only).
So considering I will use HTTPS without client certification
my question here is poster says if we dont use client SSL certification server does not really know whom its talking to. What I understand here is if I use a authentication-token to access to authenticate the client against the server. Then server does not know whom is sending the token even if that token is paired with a user id in my servers database.
First of all
1-is this a real problem? If I especialy use Https?(without TLS client authentication)
2- and most important, assuming that is an important security flaw; How can Http basic authentication help here as poster mentioned? Http basic authentication just sends encoded username password in a header. So when client receives a token (in return after he sends his username password) then for the rest of his requests he will use this token in this header instead of password, and everything is fine all of a sudden?
Still Server does not know from where the request is coming from, maybe server has a valid token with a matched user in its database but unknown who reallysend it.
(while I still see this very hard that the token would be stolen over https and used by someone else!)
Whenever I bring this subject I get replies.."Well..you send a token but server does not know whom send the token, not very secure" so I understand this as the browser keeps a sort of auth-certification and server knows where the request is coming from the right place THEN I can be sure that the paired user with that token (checked from my DB)is "really correct"
Or maybe what am telling here is not correct
[the] poster says if we dont use client SSL certification server does not really know whom its talking to.
That's not what I said :) This is what I said:
Unless you're using TLS client authentication, SSL alone is NOT a viable authentication mechanism for a REST API.
alone being the key word here. Also:
If you don't use TLS client authentication, you'll need to use something like a digest-based authentication scheme (like Amazon Web Service's custom scheme) or OAuth or even HTTP Basic authentication (but over SSL only).
In other words, TLS client authentication is one way of authenticating a REST API client. Because the original SO question was about SSL specifically, I was mentioning that TLS client authc is the only 'built in' form of authentication if you're relying on TLS alone. Therefore, if you're using TLS, and you don't leverage TLS client authc, you must use another form of authentication to authenticate your client.
There are many ways to authenticate REST Clients. TLS client authc is just one of them (the only 'built in' one for TLS and usually very secure). However, TLS is a network-level protocol and is perceived by most to be too complicated for many end-users to configure. So most REST API offerings opt for an easier-to-use application-level protocol like HTTP because it is easier for most to use (e.g. just set an HTTP header).
So, if you're going the HTTP header route, you have to use a header value to authenticate a REST client.
In HTTP authentication, you have a header, Authorization, and its value (the header name is rather unfortunate because it is usually used for authentication and not as often for access control, aka authorization). The Authorization header value is what is used by the server to perform authentication, and it is composed (usually) of three tokens
An HTTP authentication scheme name, followed by
white space (almost always a space character), followed by
The scheme-specific text value.
One common HTTP authentication Scheme is the Basic scheme, which is very... well... basic :). The scheme-specific text value is simply the following computed value:
String concatenated = username + ":" + raw_password;
String schemeSpecificTextValue = base_64_encode(concatenated.toCharArray());
So you might see a corresponding header look like this:
Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==
The server knows how to parse the value. It says "Hey, I know the Basic scheme, so I'm going to take the trailing text value, base64 decode it, and then I'll have the username and submitted password. Then I can see if those values match what I have stored."
And that's essentially Basic authentication. Because this scheme in particular includes the submitted raw password base64 encoded, it is not considered secure unless you use a TLS connection. TLS guarantees (mostly) that prying eyes can't intercept the headers (e.g. via packet inspection) and see what the password is. This is why you should always use TLS with HTTP Basic authentication. Even in company intranet environments.
There are other even more secure HTTP Authentication schemes of course. An example is any scheme that that uses digest-based authentication.
Digest-based authentication schemes are better because their scheme text value does not contain the submitted password. Instead, a password-based-hash of certain data (often other header fields and values) is calculated and the result is put in the Authorization header value. The server calculates the same password-based-hash using the password it has stored locally. If the server's computed value matches the request's header value, the server can consider the request authenticated.
Here's why this technique is more secure: only a hash is transmitted - not the raw password itself. That means this technique can be used to authenticate requests even over clear-text (non TLS) connections (but you would only want to do this if the request data itself is not sensitive of course).
Some digest-based authentication schemes:
OAuth 1.0a, aka RFC 5849.
HTTP Digest Access authentication (used by browsers natively).
Amazon AWS's custom scheme.
Amazon's and others like it are more secure for REST than OAuth 1.0a because they always authenticate the entire request - including the request entity payload (i.e. all the stuff after the HTTP headers too). OAuth 1.0a only does this for application/x-www-form-urlencoded content which isn't relevant for REST APIs that use application/xml or application/json payloads (which are most REST APIs these days).
Interestingly, OAuth2 is not digest based - it uses something I consider less secure, called 'bearer tokens' (which are honestly fine in many scenarios but still not as good as the digest schemes used in banking, military, and government communication).
When we talk about "authenticating a user", what we really mean is "checking that the user knows something nobody else should know". That "something" might be a password, a certificate, a hardware security token or even the user's retinal pattern, but in all cases it's the access to that information that we're really checking, not the identity of the user (whatever that really means) as such.
The point is that, in principle, all these authenticators could be stolen and used to impersonate the user. A password could be logged, a certificate could be copied from the disk it's stored on, a hardware token could be stolen (and possibly reverse engineered and cloned) and even the user's retinal pattern could, in principle, be scanned, recorded and faked. the best we can do is, in each case, to try to make this as "very hard" as possible.
Maybe I'm misunderstanding the question.
The answer you have quoted says to me that if you don't use some form of authentication, whether it is client certificates, HTTP BASICAUTH, or something else, the server doesn't know with whom it is communicating.
(Maybe that's okay for your application, maybe it isn't, only you can answer that.)
Stated in other terms, if you do use some form of authentication, the server does know with whom it is communicating; it is communicating with the "person" to whom the authenticated credentials belong.
In this context, authentication is the process of establishing identity via some credentials.
Authentication does not guarantee that the credentials have not been stolen. SSL assures (I wouldn't go so far as to say it "guarantees") the credentials are secure in transit between client and server.
When you use GMail, you're using SSL, how does Google know it's talking to you?
When I access a HTTP server using the standard Java API (java.net.URLConnection), the credentials are "cached" after the first successful authentication, and subsequent calls to Authenticator.setDefault() have no effect. So, I need to restart the application in order to use different credentials.
I don't observe this effect when Basic Authentication is used. But I need to use NTLM for the server I'm accessing, and the Jakarta Commons HttpClient isn't an alternative either because it doesn't support NTLMv2 (see http://oaklandsoftware.com/papers/ntlm.html)
Looking at the packets using Wireshark, I also observe that before the first successful authentication, an authentication with the current Windows credentials is attempted first. But after succesful authentication, only the saved credentials are used.
Is there any way to reset or change the credentials java.net.Authenticator is using after a successful NTLM authentication?
Nope
http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=6626700
indicates this is an outstanding bug. An author in there suggests some nasty reflection magic to get past this. That's ok as long as this is in-house and documented as fragile and potentially breaking. Certainly not great
Would HttpClient 4.x + jCIFS 1.3.x be an alternative?
I've created a RESTful server app that sits and services requests at useful URLs such as www.site.com/get/someinfo. It's built in Spring.
However, these accesses are password protected. I'm now building a client app that will connect to this RESTful app and request data via a URL. How can I pass the credentials across? Currently, it just pops up the user/password box to the user, but I want the user to be able to type the username and password into a box on the client app, and have the client app give the credentials to the RESTful app when it requests data. The client is built using Struts.
Cheers
EDIT - I don't think I made the question clear enough. I'm already forcing HTTPS, my question is more, in-code, when I'm requesting data from www.site.com/get/someinfo, how do I pass my credentials alongside making the request?
You more or less have 3 choices:
HTTP Auth
Roll your own protocol, ideally HMAC challenge/response based
OAuth
OAuth is currently susceptible to a variation of a phishing attack, one that is largely undetectable to the target. As such I wouldn't recommend it until the protocol is modified.
OAuth should also be a lesson about how difficult it is to design secure protocols, and so I'm hesitant to reccomend the roll your own route.
That leaves HTTP auth, which is likely best if you can use it.
All that said, almost everything on the internet uses form based authentication, and many don't even bother with https for transport level security, so perhaps simply sending the password text in the clear is "good enough" for your purposes. Even still I'd encourage using https, as that at least reduces the dangers to a man in the middle attack.
If you can add HTTP headers to your requests you can just add the Authorization header:
Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==
where you're using basic authentication and the QWxhZGRpbjpvcGVuIHNlc2FtZQ== bit is "username:password" base64 encoded (without the quotes). RFC 2617
Well, https has nothing to do with authentication, it's just transport-level encryption.
if you interact with an HTTP api, be it that it's https or not, and the dialog box pops up, it means its using HTTP authentication, either basic or digest. If your client instantiates an http client to read data from those "services", then you can pass those credentials when you instantiate the object.
If you use client-side script, XmlHttpRequest supports http authentication as well.
So in terms of code, how you pass the credentials to the RESTful services is dependent on the http client you're using (the object you instantiate to retrieve the data). You can simply collect such a username / password yourself from the client, and use it to call the other service.
look at existing solutions. In this case, oauth