How does SPN with Kerberos works

28.3k views Asked by At

As I understand it,

  • SPN is an authenticating tool for windows services.
  • Kerberos is a user authentication service
  • SPNEGO-GSSAPI is the third party API to be able to use those services.
  • SSPI : is the Neutral layer to send request from SPNEGO to SPN service.

Am I completely lost?

Trying to figure out how it works but information, is either too precise or not enough.

3

There are 3 answers

5
Arunav Sanyal On BEST ANSWER

Ok a more verbose answer:-

  1. SPN - Service Principal Name. It is an identifier associated with each account in a KDC implementation(AD, OpenLDAP etc). Basically if your account acts as a service to which a client authenticates, the client has to specify "who" it wants to communicate to. This "who" identifier is the SPN. This is the strict definition. Many people often call the client name (UPN - User Principal Name) of a service as SPN. This happens when the service itself may act as a client( google the delegation scenario ). This is not strictly correct but widely assumed true.

  2. Kerberos is a protocol for authentication. It is a name for a framework. It involves a third party server(called KDC or Key Distribution Centre) and involves a series of steps of acquiring tickets(tokens of authentication). It is really complicated so http://en.wikipedia.org/wiki/Kerberos_(protocol)

  3. To some extent you got this right. GSSAPI is an API but SPNEGO is not. GSSAPI is technically agnostic to the auth mechanism you use, but most folks use it for kerberos authentication. SPNEGO is a pseudo mechanism, in the sense it declares an RFC for authentication based communication in HTTP domain. Strictly speaking SPNEGO is a specification but most folks also consider it as an implementation. For instance, Sun and IBM JDK provides "mechanism providers" for SPNEGO token generation but GSSAPI is used to actually call it. This is done in many projects(Tomcat as a Server is and example that come to the top of my head and one of the folks who answered this question developed it).

  4. SSPI is an analogue to GSSAPI in windows. Its a different API which ends up doing something very similar to GSSAPI.

0
Michael-O On

Almost all of your understandings are wrong.

Here it goes:

  1. SPN: A specific service-class is bound to a specific account, e.g. HTTP to www.stackoverflow.com => HTTP/[email protected]
  2. Yes 3./4. GSS-API (Unix)/SSPI (Windows): Mechanism neutral API to interact with. E.g, Kerberos 5, NTLM, SPNEGO, etc.
  3. SPNEGO: It is one of many mechnisms supported by GSS-API/SSPI. It is actually a pseudo-mech.
0
schlenk On

Not quite.

SPN simply means 'Server Principal Name' and is the AD or Kerberos slang for the service you try to authenticate against.

Kerberos is a user authentication service, more or less yes. It also provides security for network messages and calls between services.

SPNEGO-GSSAPI* is a kind of strange beast. GSSAPI (Generic Security Service Application Program Interface) is an API to (in principle) different authentication services, it provides negotiation of the mechanisms used. Often the only mechanism available will be Kerberos though. It is the usual API to attach 3rd party programs to Kerberos when you are on Unix (defined in various RFCs, for example RFC 2743 )

On the windows platform SSPI is the generic layer, so it compares to GSSAPI.

SPNEGO is kind of a strange hybrid. It is a mechanism to be used in SSPI, HTTP Auth or GSSAPI which negotiates another auth protocol (for example Kerberos or NTLM if you are on Windows), so it basically does the same thing GSSAPI does again in a different way.

Typical uses of SPNEGO are HTTP authentication to a windows domain, for example IIS uses it if you use 'Integrated windows authentication'. It is also used when you select the 'Negotiate' options for SSPI. See for example RFC 4559