SCOTT KIESTER
Authentication Architect
April 2014
AGENDA
Credentials
SG credential cache
Credential types (Basic, NTLM, Kerberos, etc.)
Surrogate credentials
What are they and why use them?
Authentication modes
Virtual URL
IWA
Realms: IWA-Direct / IWA-BCAAA
Joining an Active Directory domain
Group authorization
AGENDA
IWA / NTLM
How it works
Potential scalability problems and solutions
New IWA-Direct features in SGOS 6.5.2
IWA / Kerberos
How it works
Why it scales well
Configuration in IWA-BCAAA and IWA-Direct
AUTHENTICATION BASICS
AUTHENTICATION REALMS
Authorization Data
Group memberships and user attributes
Split authorization (using a different realm for authorization)
Copyright 2013 Blue Coat Systems Inc. All Rights Reserved.
SURROGATE CREDENTIALS
Lifetime is configurable
Explicit Proxy
The SG issues proxy challenges (HTTP 407)
Browser may initiate 10 or more concurrent connections to the proxy server
The SG must authenticate every connection
Transparent Proxy
The SG issues origin-style challenges (HTTP 401)
AUTHENTICATION MODES
Mode types:
Origin / Form
Can be used with transparent or explicit clients
Proxy
Explicit clients only
IP (IP surrogate)
Cookie (cookie surrogate)
Redirect (redirect to virtual URL for credential challenge)
PROXY MODE
VIRTUAL URL
Can be HTTPS
Use an HTTPS Reverse Proxy service
Protects Basic credentials
Certificate realms MUST use an HTTPS virtual URL
ORIGIN-COOKIE-REDIRECT MODE
COOKIE SURROGATE
IP SURROGATE
Authentication Modes
Proxy-IP, [origin|form]-IP, [origin|form]-IP-redirect
Disadvantages
Insecure
Will not work for multi-user systems (Citrix) or clients behind a NAT device
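The surrogate slides above (cookie surrogate with a configurable lifetime, and the IP surrogate's NAT problem) can be illustrated with a small model. This is an added example, not SGOS code or Blue Coat's implementation: the cookie format, the HMAC signing key and the `IpSurrogateCache` class are my own constructions. The cookie surrogate binds a username and an expiry to an HMAC tag so it cannot be forged or extended, and expires after its lifetime; the IP surrogate cache shows why two users sharing one NAT address end up with the same identity.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Hypothetical server-side signing key for surrogate cookies (constructed for this example;
# a real deployment would persist and rotate it deliberately).
COOKIE_KEY = secrets.token_bytes(32)


def issue_cookie_surrogate(username: str, lifetime_s: int,
                           key: bytes = COOKIE_KEY, now: Optional[float] = None) -> str:
    """Build a cookie surrogate 'user|expiry|tag'.

    The cookie stands in for the real credential until its lifetime elapses, so the
    browser's many concurrent connections are not each challenged for credentials.
    """
    now = time.time() if now is None else now
    expires = int(now) + lifetime_s
    payload = f"{username}|{expires}"
    tag = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{tag}"


def validate_cookie_surrogate(cookie: str, key: bytes = COOKIE_KEY,
                              now: Optional[float] = None) -> Optional[str]:
    """Return the username if the surrogate is authentic and unexpired, otherwise None."""
    now = time.time() if now is None else now
    try:
        username, expires_str, tag = cookie.rsplit("|", 2)
        expires = int(expires_str)
    except ValueError:
        return None  # malformed cookie
    payload = f"{username}|{expires_str}"
    expected = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None  # forged or tampered (e.g. expiry edited by the client)
    if expires <= now:
        return None  # lifetime elapsed: the proxy re-challenges for real credentials
    return username


@dataclass
class IpSurrogateCache:
    """Minimal model of an IP surrogate: identity keyed only by client source address."""
    lifetime_s: int
    entries: Dict[str, Tuple[str, float]] = field(default_factory=dict)

    def record(self, client_ip: str, username: str, now: float) -> None:
        self.entries[client_ip] = (username, now + self.lifetime_s)

    def lookup(self, client_ip: str, now: float) -> Optional[str]:
        entry = self.entries.get(client_ip)
        if entry is None:
            return None
        username, expires = entry
        if expires <= now:
            del self.entries[client_ip]
            return None
        return username


def nat_collision_demo() -> Optional[str]:
    """Two users behind one NAT device present the same public IP (constructed addresses).

    Alice authenticates first; Bob's traffic from the same address then inherits her
    identity for the rest of the surrogate lifetime. This is the slide's 'insecure' point.
    """
    cache = IpSurrogateCache(lifetime_s=900)
    cache.record("203.0.113.10", "alice", now=1000)
    return cache.lookup("203.0.113.10", now=1200)  # returns "alice" for Bob's request


if __name__ == "__main__":
    c = issue_cookie_surrogate("alice", lifetime_s=900, now=1000)
    print("cookie valid for:", validate_cookie_surrogate(c, now=1500))
    print("NAT lookup resolves to:", nat_collision_demo())
```

The cookie surrogate is the safer of the two because the identity travels with the browser session rather than with a network address; the trade-off is that it only works for protocols that can carry a cookie.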
AUTHORIZATION
IWA
IWA-BCAAA
SG talks to a service running on a Windows server, which relies on Windows API calls to validate credentials
IWA-DIRECT
MACHINE ACCOUNT
(IWA-DIRECT)
The machine account has a password
Randomly generated by the SG and sent to the DC in an encrypted RPC
The SG logs in to the DCs using its machine account credential
Password is stored encrypted on the SG
SG silently changes the password every 15 days
MACHINE ACCOUNT
(IWA-BCAAA)
BCAAA typically runs on a member server
It can also run on a DC, but consider the security implications of running a network service on a DC
MULTI-TENANCY
(IWA-DIRECT)
SGOS 6.4 and later are multi-tenant
meaning that the SG may join more than one AD domain at the same time
This feature is NOT required to authenticate users from trusted domains
GROUPS-OF-INTEREST
GROUP MEMBERSHIPS
NTLM
NTLM AUTHENTICATION
NETLOGON / SCHANNEL
NTLM THROUGHPUT
CHOOSING A DC
(IWA-DIRECT / IWA-BCAAA)
A list of DCs from the local domain is obtained via DNS
The server issues an LDAP Ping to the DCs and selects the first one to respond
An LDAP Ping is a small LDAP-over-UDP packet that is sent to see if the DC is alive
IWA-Direct
Solution provided in SGOS 6.5.2
PREFERRED / ALTERNATE DC
(IWA-DIRECT)
Specify preferred and alternate DCs in Windows Domain configuration (6.5.2 and later)
Those names were chosen to avoid confusion with Primary Domain Controller and Backup Domain Controller
PREFERRED / ALTERNATE DC
(IWA-DIRECT)
A background thread checks to see when the preferred DC comes back online, and automatically switches over
Allows each SG in a datacenter to use its own, dedicated DC
Prevents the SGs from all connecting to the same DC
On the DC:
Controls the number of threads in the Netlogon service that process NTLM requests
READ-ONLY DC (RODC)
TRUSTED DOMAINS
KERBEROS
KERBEROS
KERBEROS
(IWA-DIRECT)
The SG's Service Principal Name (SPN) must resolve in DNS
The SPN in this example is HTTP/sg.example.com. The hostname portion (sg.example.com) must resolve in DNS.
KERBEROS
Transparent mode:
Same as explicit mode, but the authentication challenge is issued from the realm's virtual URL
In the example on the previous slide, the virtual URL would be sg.example.com
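A small check for the two requirements on these slides, added as an example rather than taken from SGOS: parse the SPN, confirm its hostname portion resolves, and derive the transparent-mode virtual URL from the same hostname (the assumption, as in the slide's example, is that the virtual URL host is the SPN host). The SPN grammar handled here is `class/host[:port][@REALM]`; the resolver is injectable so the test can run without DNS, while `default_resolver` uses the standard library for a real lookup. `HTTP/sg.example.com` is the page's own example; the other names are constructed.

```python
import socket
from dataclasses import dataclass
from typing import Callable, Optional, Tuple


@dataclass(frozen=True)
class Spn:
    service_class: str        # e.g. HTTP
    host: str                 # the part that must resolve in DNS
    port: Optional[int]       # only present for non-default ports
    realm: Optional[str]      # optional Kerberos realm suffix


def parse_spn(spn: str) -> Spn:
    """Parse 'class/host[:port][@REALM]'; raise ValueError on anything else."""
    if "/" not in spn:
        raise ValueError(f"SPN lacks a service class: {spn!r}")
    service_class, rest = spn.split("/", 1)
    realm = None
    if "@" in rest:
        rest, realm = rest.rsplit("@", 1)
    port = None
    host = rest
    if ":" in rest:
        host, port_str = rest.rsplit(":", 1)
        if not port_str.isdigit():
            raise ValueError(f"bad port in SPN: {spn!r}")
        port = int(port_str)
    if not service_class or not host:
        raise ValueError(f"malformed SPN: {spn!r}")
    # Kerberos host matching is case-insensitive for the DNS name; normalise for comparison.
    return Spn(service_class, host.lower(), port, realm)


Resolver = Callable[[str], Optional[str]]


def default_resolver(hostname: str) -> Optional[str]:
    """Real DNS lookup via the standard library; None when the name does not resolve."""
    try:
        return socket.gethostbyname(hostname)
    except socket.gaierror:
        return None


def check_spn_resolves(spn: str, resolver: Resolver = default_resolver) -> Tuple[Spn, Optional[str]]:
    """Return the parsed SPN and the address its host resolves to (None = the slide's failure case)."""
    parsed = parse_spn(spn)
    return parsed, resolver(parsed.host)


def virtual_url_for(spn: str, https: bool = False) -> str:
    """Transparent mode: the challenge comes from the realm's virtual URL, built on the SPN host.

    Use https=True when the virtual URL is served by an HTTPS reverse proxy service.
    """
    parsed = parse_spn(spn)
    scheme = "https" if https else "http"
    port = f":{parsed.port}" if parsed.port else ""
    return f"{scheme}://{parsed.host}{port}/"


if __name__ == "__main__":
    # Constructed resolver standing in for DNS; sg.example.com has an address, sg-old does not.
    fake_dns = {"sg.example.com": "192.0.2.10"}
    parsed, addr = check_spn_resolves("HTTP/sg.example.com", resolver=fake_dns.get)
    print(parsed, "->", addr)
    print("virtual URL:", virtual_url_for("HTTP/sg.example.com"))
```

If the hostname portion does not resolve, the browser cannot obtain a service ticket for the SG and Kerberos silently fails over to NTLM (where the browser allows it), which defeats the scalability benefit this section is about.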
KERBEROS
KERBEROS
(IWA-BCAAA)
BCAAA service must be configured to run under a designated Kerberos user account
The account therefore needs the "Log on as a service" privilege on the BCAAA server
If running BCAAA 6.1 or later, "Log on as a service" is the only special privilege that is required
No more need for "Act as part of the operating system"
SETSPN
supportnewsletter@bluecoat.com