Radius Server as an Extra Auth Server

Question
Hi All,
I have a lab domain in which I have launched a website on an IIS server (Windows 2003). The website is: www.dhruv.juniper
When users inside my domain access the website they will obviously require a TGS (Kerberos auth). Now, just as a query: if I want an extra authentication to be in place, I am planning to launch a RADIUS server, with the NAS being an SSL box (Juniper IVE) and the RADIUS server being IAS on Windows 2003.
Now when a client from the external LAN accesses the website, will it be Kerberos authenticated, only RADIUS authenticated, or both?
Regards,
Dhruv
Tuesday, August 3, 2010 9:27 AM
Answers
IE is its own beast, but basically the setting means that if the site you are accessing resides in the intranet zone, IE will try to use the credentials of the logged-on user to access the site (though I think this only means MS-related products). When it comes to Gmail I think you are talking about forms-based authentication. You can get IE to push these credentials using autocomplete (Internet Options --> Content --> AutoComplete Settings --> User names and passwords on forms).
Try this: on a computer running W7 (Vista and XP should be almost the same) go to Control Panel --> User Accounts --> User Account --> Manage User Account.
Go to the Advanced tab and press Manage Passwords. Here you can administer users for MS-related products with credentials, and IE will automatically log you in. This is nice if you have a different user/password (not the logged-on user) and want to automatically access MS-related products (IIS, SharePoint and so on).
Talking about IAS, you usually have to use certificates for the client and server. But you can also authenticate users (after computer auth is done) with user/cred or certificates. This is defined in the access policy (we just use computer authentication without checking the user). Once authenticated you have access to the network as defined by how the network is configured for where the clients are coming through RADIUS.
The default policy on IAS is set up to check if users are members of the Domain Users group; this will prompt the IAS server to check with a DC. If this condition is removed, only certificates are the authentication unit, and no requests are sent to the DC.
When you are talking about NAS, what product is this? I know NAP (Network Access Protection) included in the 2008 OS line, and this is just a layer on top of the old IAS. Here more granular control can be exerted and you can also do VLAN switching in the policy.
Regards
Morten
- Marked as answer by Dhruv.tech Thursday, August 5, 2010 12:24 PM
Thursday, August 5, 2010 8:01 AM
All replies
Hi Dhruv,
RADIUS (Remote Authentication Dial In User Service) is designed for RRAS (VPN/dial-up) connection methods, not IIS (web, FTP, etc.).
Now if your web app running on www.dhruv.juniper is using some sort of connection to AD, such as some sort of ASP, .NET, etc., that requires access to AD resources, then it will require AD authentication if it's meant for use by domain users. There are other options in a user account to loosen up AD authentication for web services, such as allowing the user account to be delegated (in the AD user account properties), but that is something not normally recommended due to weaker security.
Also, FYI, when you are inside the infrastructure and you connect to a website using the FQDN (such as www.dhruv.com), it will always prompt you for credentials, which is how IIS works; however, if you use the web server's actual internal NetBIOS name, such as http://servername, it will use the currently logged-on account for credentials. Please do keep this in mind while testing.
Ace
Ace Fekay, MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003, Microsoft Certified Trainer, Microsoft MVP - Directory Services. This posting is provided AS-IS with no warranties or guarantees and confers no rights.
Tuesday, August 3, 2010 9:25 PM
Hi Ace,
Thanks again for the answer. :-)
1. "you connect to a website using the FQDN (such as www.dhruv.com), it will always prompt you for credentials"
However, in my case it did not ask for credentials. To the best of my knowledge, in IIS when we choose the option "Windows Authentication", which is meant for NTLM, this will prompt for username and password. As the Windows default auth is Kerberos, we will not be prompted for username and password.
Further...
We have these main types of auth servers: RADIUS, TACACS, LDAP, Active Directory. I know this is a very basic question but I am totally confused about how:
AD is an auth server; it is just a database,
LDAP is only a query mechanism,
What will I term Kerberos and NTLM: authentication protocols, right?
Kind Regards,
Dhruv
Wednesday, August 4, 2010 3:13 AM
Just to add something to what Ace mentioned. For users to be automatically authenticated on IIS, the site has to reside in the intranet zone in IE on the user side. This will make IE push credentials to IIS and users are not prompted by the logon box.
Alternatively, the setting can be configured manually in IE: Properties --> Security --> choose the relevant zone to configure the setting --> press the Custom level button --> find User Authentication and choose "Automatic logon with current user name and password". This should work with NetBIOS and FQDN addresses.
Also, in IIS authentication depends on what you choose as the authentication scheme for the users connecting, and on whether the site is configured to run in an application pool using the pool user's credentials for authentication. If Kerberos is preferred, one also has to look into the whole SPN (Service Principal Name) affair.
Also, it kind of depends on what IIS you are running, as IIS 6 and 7 are way different in how the authentication module works.
This is just some high-level rambling; it's much easier giving direct advice when you choose a scheme for accessing your IIS server.
Regards
Morten
Wednesday, August 4, 2010 8:24 AM
So by choosing "Windows Authentication" in IIS 6 (not the same in IIS 7), you enable the use of Kerberos and NTLM. First the client will try to negotiate (actually first it will try no authentication, but this is beside the point) Kerberos authentication; if this fails the client will try to authenticate using NTLM.
The difference between Kerberos and NTLM (note there are more, but just to give the broad strokes) is that NTLM transmits the user name and password over the wire and Kerberos does not. So for security Kerberos is always preferred.
Usually when it comes to IIS prompting the user with a login box, one just has to put the site in the Intranet zone in IE for IE to automatically try to push the user's credentials to IIS.
Hope this helps somewhat.
Regards
Morten
Wednesday, August 4, 2010 8:35 AM
Hi Morten,
Thanks for your post, it indeed helped me. I just want to correct you regarding NTLM and Kerberos, which you discussed in the last reply.
In NTLM the user name and password are not sent in clear text; instead a challenge is sent from the server to the client, and the client encrypts that challenge with his password and sends it to the server. The server will take the same challenge and encrypt it using the user's password (which it can get from the LSA). Now if both encrypted challenges match, he can log in.
So I can summarize from your post: when I check that option in IIS
- Windows auth: it looks for Kerberos; if it cannot find that, it will fall back to NTLM.
- We can even make changes in the browser configuration so that it uses your domain password everywhere it is required for authentication.
Thanks Morten.
But my question still prevails......
How are AD and LDAP auth servers? If LDAP is an auth server, LDAP still only uses the database of AD.
Regards,
Dhruv
- Edited by Dhruv.tech Thursday, August 5, 2010 5:01 AM
Wednesday, August 4, 2010 3:43 PM
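The challenge-response mechanism Dhruv describes above, as an added illustration that is not from the thread and is not the real NTLM algorithm (it uses HMAC-SHA256 over a constructed challenge): the server holds only a password-derived key, never receives the password, and rejects a replayed response because every challenge is fresh.

```python
import hashlib
import hmac
import os

# Simplified challenge-response (constructed illustration, not the real NTLM
# algorithm): the password never crosses the wire; both sides work from a key
# derived from it. Because the verifier needs only that stored key, the key is
# password-equivalent and must be protected exactly like the password itself.

def password_key(password: str) -> bytes:
    """Stored verifier, derived from the password (NTLM keeps the NT hash here)."""
    return hashlib.sha256(password.encode("utf-8")).digest()

def server_challenge() -> bytes:
    """Fresh random challenge per logon attempt; this is what defeats replay."""
    return os.urandom(8)

def client_response(password: str, challenge: bytes) -> bytes:
    """Client proves knowledge of the password by keying a MAC over the challenge."""
    return hmac.new(password_key(password), challenge, hashlib.sha256).digest()

def server_verify(stored_key: bytes, challenge: bytes, response: bytes) -> bool:
    """Server recomputes the MAC from its stored key and compares in constant time."""
    expected = hmac.new(stored_key, challenge, hashlib.sha256).digest()
    return hmac.compare_digest(expected, response)

def logon(stored_key: bytes, password_attempt: str) -> bool:
    """One full exchange: challenge out, response back, verdict."""
    challenge = server_challenge()
    return server_verify(stored_key, challenge, client_response(password_attempt, challenge))
```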
Hi Dhruv,
Morten provided some nice information.
Regarding your question, AD can be used as an auth server only through RADIUS, regarding your original concerns, which is only based on RRAS features. For example, if you set a Juniper, Cisco, etc., to use AD authentication, you have to provide one of the DCs as the server to send your authorization request to. Once that is configured, and one tries to log on using an RRAS protocol (VPN or dial-up), the firewall sends the request using LDAP to the DC. With respect to IIS, that is not the case; it is a direct communication from IIS, using your configured authentication method in IIS (Kerb, NTLM, certificate, etc.), to the DC.
I hope that helps. :-)
Ace
Ace Fekay, MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003, Microsoft Certified Trainer, Microsoft MVP - Directory Services. This posting is provided AS-IS with no warranties or guarantees and confers no rights.
Wednesday, August 4, 2010 5:00 PM
hehe, I know I gave a simplistic view of the two, but still NTLM transmits user/password over the wire even if it's only the hash. The hash is still a representation of the password and can be used to gain access to a server the same way the password can be :) That has been the major crux of NTLM and was one of the reasons Kerberos has taken over. But enough on that subject.
So if you choose "Windows auth" in IIS you are telling IIS to negotiate an access method. IE usually starts by trying to access the site without any credentials; IIS will reject, and depending on whether the IE setting to push user/password is set, it tries to decide on a mechanism to use. Usually Kerberos will go first; if that fails, authentication falls back to NTLM.
IIS is not integrated into AD, and you need to relate to the authentication scheme configured in IIS. So "Windows Auth" means that the user trying to access IIS must have an AD account (so IIS can verify the existence and correctness of the user credentials); if the account can be verified, the settings in IIS decide what that user can access (usually NTFS security rights on files and folders). Other methods are to use a predefined account to access the IIS resources (the same as an anonymous user accessing IIS resources in the context of that user). The last method is to use a certificate to map access to resources in IIS and bypass authentication. This means that the calling entity (i.e. RADIUS or some other intermediary) can use this certificate to gain access to IIS resources without using credentials. So if you could get the RADIUS to somehow authenticate on behalf of a user directly to IIS, maybe that would give what you are looking for?
This might be a bit of a messy explanation; Ace puts it a bit more elegantly than my words can.
Wednesday, August 4, 2010 6:04 PM
Hey Morten, you did a nice, elegant job explaining it. :-)
Just one question: wouldn't the RADIUS and certs part be the initial and separate authentication allowing access to network resources, separate from access to IIS? I would assume it would be two separate things going on: the user connects in to the network using, say, VPN through RRAS that is configured to use RADIUS and certificates; then, once in, they connect to the website, and IIS is configured to use certificate authentication?
Ace Fekay, MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003, Microsoft Certified Trainer, Microsoft MVP - Directory Services. This posting is provided AS-IS with no warranties or guarantees and confers no rights.
Wednesday, August 4, 2010 6:14 PM
Yes, I tried to stay away from RADIUS authentication. But I agree that this is two separate forms of authentication. First access to the network where IIS resides through RADIUS. Once in, the client has access to the IIS server and the user can use the browser to negotiate authentication with IIS ( IE is configured to push user and password for the site). I do assume that these clients connecting are domain joined and users are part of AD.
Wednesday, August 4, 2010 6:32 PM
Hi Folks,
Just to add to the point: in RADIUS auth, the user is not communicating with the RADIUS server itself. The user's IE, or the user, connects to the NAS (Network Access Server), which is directly connected to the resources. The NAS connects to RADIUS on behalf of the user.
1. The NAS takes the credentials provided by IE to the RADIUS server. The RADIUS server is attached to AD, not to the IIS server.
2. RADIUS allows the user with a code 2: Access-Accept packet.
3. Now the user can access the resources that are linked with the NAS server.
4. The user can open all intranet websites via VPN (say from home), as it is using the original credentials approved by RADIUS, as configured in IE.
I hope I have written all the points correctly?
Regards,
Dhruv
Thursday, August 5, 2010 5:38 AM
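The NAS-to-RADIUS exchange Dhruv lists above, as an added example that is not from the thread: a minimal RFC 2865 Access-Request / Access-Accept (code 2) round trip in Python, with User-Password hiding under the shared secret and the Response Authenticator check the NAS performs before trusting the verdict. The shared secret, user name and password are constructed sample values.

```python
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3   # RFC 2865 packet codes
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2                # RFC 2865 attribute types

def _attr(atype, value):
    return struct.pack("!BB", atype, len(value) + 2) + value  # Type, Length, Value

def hide_password(password, secret, authenticator):
    # RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block),
    # seeded by the Request Authenticator. This is obfuscation, not strong encryption.
    padded = password.ljust((len(password) + 15) // 16 * 16, b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(x ^ y for x, y in zip(padded[i:i + 16], mask))
        out, prev = out + block, block
    return out

def reveal_password(hidden, secret, authenticator):
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def parse_attrs(data):
    attrs = {}
    while data:
        atype, alen = data[0], data[1]
        attrs[atype] = data[2:alen]
        data = data[alen:]
    return attrs

def build_access_request(ident, username, password, secret):
    # Step 1: the NAS forwards the user's credentials as an Access-Request (code 1).
    req_auth = os.urandom(16)  # Request Authenticator: fresh random value per request
    attrs = _attr(ATTR_USER_NAME, username) + _attr(ATTR_USER_PASSWORD, hide_password(password, secret, req_auth))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs

def radius_server_respond(packet, secret, user_db):
    # Step 2: the server checks the credentials against its user store (AD in the thread)
    # and answers Access-Accept (code 2) or Access-Reject (code 3).
    _code, ident, length = struct.unpack("!BBH", packet[:4])
    req_auth = packet[4:20]
    attrs = parse_attrs(packet[20:length])
    password = reveal_password(attrs[ATTR_USER_PASSWORD], secret, req_auth)
    code = ACCESS_ACCEPT if user_db.get(attrs.get(ATTR_USER_NAME)) == password else ACCESS_REJECT
    header = struct.pack("!BBH", code, ident, 20)  # reply carries no attributes here
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    return header + hashlib.md5(header + req_auth + secret).digest()

def nas_verify_response(request, response, secret):
    # Step 3: the NAS trusts the verdict only if the identifier matches its request and
    # the Response Authenticator proves the reply came from a holder of the shared secret.
    code, ident, _length = struct.unpack("!BBH", response[:4])
    if ident != request[1]:
        return None
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return code if response[4:20] == expected else None
```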
Hi,
Just a question,
as you explained in the above post: IE > Tools > Options > Security > Custom > Automatic logon only in Intranet zone || Internet.
Does it mean that if I enable the option for the Internet zone and log in to Gmail to check my email, it will by default use my login credentials?
Regards,
Dhruv
Thursday, August 5, 2010 5:46 AM
Hi Morten,
Indeed this is a nice discussion. I am using an IVE (Juniper) as the NAS, where users log in to the NAS with their credentials and their credentials are tested against RADIUS.
I heard that a NAS can be configured on switches or routers, so different concepts will be running around :-).
Regards,
Dhruv
Thursday, August 5, 2010 12:22 PM