SPNEGO-based Kerberos Authentication

Introduction

Besides authentication with username and password, the edu-ID IdP supports SPNEGO-based Kerberos authentication for organisations operating a Microsoft Windows network with an Active Directory.

The SPNEGO-based Kerberos authentication (also known as Integrated Windows Authentication) enables users to seamlessly log in at the IdP with their Windows credentials, using Kerberos. This allows users to log into an application using their SWITCH edu-ID without having to enter username and password at the IdP.

This authentication method is supported for clients being members of the organisation's Windows domain. It's not supported for "road warrior" clients. the section Activation Conditions for Clients below explains how to select the clients that can use this authentication mechanism.

The SPNEGO-based Kerberos authentication of the SWITCH edu-ID is based on Kerberos Cross Realm Trust, as illustrated in the following picture:

Kerberos Cross Realm Trust:

20201201_SPNEGO-based_Kerberos_Authentication_Cross-Realm_Trust.png_1813971586

 

For detailed information, see the presentation SPNEGO-based Kerberos Authentication in SWITCH edu-ID.

Requirements

The SPNEGO-based Kerberos authentication can be supported by organisations fulfilling the following requirements:

  • The organisation operates a Microsoft Windows network with Microsoft AD servers.
  • The clients are joined to the Windows domain.
  • The organisation allows the edu-ID Kerberos realm to trust the organisation's Windows Kerberos realm.
  • The organisation populates / synchronizes the Kerberos Principal Names of all their users into the affiliations of the respective SWITCH edu-ID accounts (into the attribute extKerberosPrincipalName)
     

 

Supported server and client systems

Windows Server Windows Server 2012 R2
Windows Server 2016
Windows Server 2019
Windows Desktop All windows desktop versions supported by Microsoft
Others macOS
Linux

 

Setup instructions for the organisation

The organisation needs to configure its environment as described in the following sections in order to support the SPNEGO-based Kerberos authentication.

Important settings for the SWITCH edu-ID Kerberos realm:

Kerberos realm EDUID.CH
KDC servers kdc1.eduid.ch
kdc2.eduid.ch
Service DNS names login.eduid.ch
*.login.eduid.ch

Some of the examples below use the example domain uni-demo.ch and the corresonding Kerberos realm UNI-DEMO.CH. You need to adapt the examples to match your environment.

Prerequisites

Negotiate a password for Kerberos Cross Realm trust with SWITCH

To configure Kerberos Cross Realm trust, both realms, the organisation's realm and the SWITCH edu-ID realm need to share a common principal krbtgt/EDUID.CH@UNI-DEMO.CH.

Since SWITCH needs to add the same principal to the @EDUID.CH realm, the organisation and SWITCH need to negotiate a shared password. Please contact the SWITCH edu-ID team to get this password and inform us about your REALM name. It will be used in the section Configure trust for the Kerberos realm EDUID.CH below.

Configuration required on the Windows AD server

Configure Kerberos Cross Realm Trust from the SWITCH edu-ID realm to the organisation's realm.

Overview:

  1. Configure trust for the Kerberos realm EDUID.CH
  2. Add a GPO to configure the Kerberos client settings for the realm EDUID.CH

All these steps are executed on the Windows AD server. Log in to the server as user with domain administration privileges.

1. Configure trust for the Kerberos realm EDUID.CH

  • Open the Server Manager
  • Open Tools / Active Directory Domains and Trusts
  • Select your domain and open Properties.
  • Change to the Trusts tab.
  • Click New Trust...
  • Follow the wizard and choose the following settings:
    • Trust Name: Name: EDUID.CH
    • Trust Type: Select Realm trust
    • Transitivity of Trust: Select Nontransitive
    • Direction of Trust: Select One-way: incoming
    • Trust Password: Enter the password negotiated with SWITCH (see Prerequisites above)
  • Select the new trust, open Properties and make sure that the checkbox The other domain supports Kerberos AES Encryption is checked.

Note: Alternatively, you can use the command netdom trust EDUID.CH /Domain:UNI-DEMO.CH /add /realm /passwordt:... in a terminal, but you need to pass the password as argument to the command. If you know of a better alternative using PowerShell, please let us know.

Validate the settings:

Run the following command in Power Shell (example for the domain unidemo.ch):

netdom query /Domain:uni-demo.ch trust

Make sure that you can see the configured domain trust.

2. Add a GPO to configure the Kerberos client settings for the realm EDUID.CH

  • Open the Server Manager
  • Open Group Policy Management
  • Expand Forest: <your domain> / Domains / <your domain> / Group Policy Objects
    (e.g. Forest: uni-demo.ch / Domains / uni-demo.ch / Group Policy Objects)
  • Create a new GPO named "Kerberos Realm EDUID.CH"
  • Select the new GPO and edit it (choose Edit...)
  • Expand Computer Configuration > Policies > Administrative Templates > System > Kerberos
  • Configure and enable the following settings in Kerberos:
    • Define Interoperable Kerberos V5 realm settings
      • Set to Enabled
      • Select Show... and enter:
        • Value name: EDUID.CH
        • Value: login.eduid.ch; .login.test.eduid.ch
    • Define host name-to-Kerberos realm mappings
      • Set to Enabled
      • Select Show... and enter:
        • Value name: EDUID.CH
        • Value: <f>0x2</f> <k>kdc1.eduid.ch; kdc2.eduid.ch</k>

 Note: This configuration may also be applied using appropriate commands in PowerShell.

Validate the settings:

Run the following commands in Power Shell:

get-gpregistryvalue -name "Kerberos Realm EDUID.CH" -key "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\MitRealms"
get-gpregistryvalue -name "Kerberos Realm EDUID.CH" -key "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\domain_realm"

Make sure that you can see the settings configured above.

Configuration required on the Windows clients

Apply the Kerberos settings configured via GPO on the server and configure the web browsers to support the SPNEGO/Kerberos login option.

Overview:

  1. Apply the Kerberos Group Policy configured on the server
  2. Configure the web browsers to support the SPNEGO/Kerberos login option

1. Apply the Kerberos Group Policy configured on the server

Restart the Windows clients or run gpupdate /force to update and apply the GPO.

2. Configure the web browsers to support the SPNEGO/Kerberos login option

Please refer to the instructions at Browser configuration for SPNEGO-based Kerberos authentication provided by the Shibboleth IdP documentation.

Note: Organisations may configure these settings using their central configuration management system.

Configuration required on other operating systems

macOS

Instructions will follow

Linux

Instructions will follow

Activation Conditions for Clients


The SPNEGO mechanism used for the Integrated Windows Authentication has some shortcoming that doesn't allow the IdP to check whether a client supports login via Kerberos or not. For users of Internet Explorer or Edge without specific configuration, this can lead to a situation where the Internet Explorer/Edge locally asks for username and password while falling back to the NTLM mechanism.

To avoid this confusing situation, the IdP allows to limit offering SPNEGO to a certain set of clients by configuring appropriate activation conditions. These conditions can be based on the client's IP address, the client's user agent identifier string, or other information available during the HTTP communication.

The organisation needs to define a suitable set of conditions that specify for which clients the IdP should enable Integrated Windows Authentication.

SWITCH will implement the conditions specified by the organisation on the edu-ID IdP.

Examples of activation conditions:

  • Based on the client's IP address: The clients are in a network with a dedicated IP range. All clients in this IP range are assumed to support Kerberos. The edu-ID IdP will offer the SPNEGO/Kerberos login to all clients in this IP range.
  • Based on the web browsers user agent identifier string: Organisations can configure the web browsers' user agent string to contain a certain keyword that allows the edu-ID IdP to recognise the browser to support Kerberos. For such browsers, the edu-ID IdP will offer the SPNEGO/Kerberos login.