Kerberos認証について理解を深める

Transcript

1. 2020/07/27 Enterprise Account 3 Associate Consultant Active Directoryで学ぶKerberos認証

2. Kerberos

3. Appendix 1. Kerberos Windows Active Directory 1. 2. Windows Active

   Directory 1. 2. 3. 4. 5. 6. OU(Organizational Unit) 7. 2. Kerberos 1. Kerberos 2. 3. 4. 1. 1. 2. 2. Kerberos 1. P2P 2. 3. Kerberos 1. 2. Kerberos 4. Kerberos Windows Active Directory 5. Agenda

4. 1. (Authentication) • • • Verifying the identity of a

   user, process, or device, often as a prerequisite to allowing access to resources in an information system.(*) (Authorization) • • The right or a permission that is granted to a system entity to access a system resource.(*) (*) HP https://csrc.nist.gov/glossary/term/authorization

5. 1 1. WHAT YOU ARE (inherence factor) • • 2.

   WHAT YOU HAVE (possession factor) • • 3. WHAT YOU KNOW (knowledge factor) • • 3 1.

6. 1. B A B A A B A

7. 1 1 2. Kerberos Kerberos RADIUS …

8. P2P 2. Kerberos P2P C D B A C D

   B A B BBB111 C CCC111 D DDD111 Alemopida232 A AAA222 B BBB222 D DDD223 Koud2341 A AAA112 C CCC114 D DDD112 Se329 A AAA112 B BBB928 C CCC722 ServPass A AAA112 B BBB114 C CCC112 D DDD A AAA111 B BBB222 C CCC333 D DDD444

9. 2. Kerberos C D B A C D B A

10. 3. Kerberos Key Distribution Center(KDC) Key Distribution Center(KDC) Client A

    Authentication Service (AS) Ticket Granting Service (TGS) TGS AS https://www.tv-asahi.co.jp/doraemon/cast/ Client Realm B A B

11. Kerberos - AS Client 3. Kerberos Key Distribution Center(KDC) Key

    Distribution Center(KDC) Client A Authentication Service (AS) Ticket Granting Service (TGS) https://www.tv-asahi.co.jp/doraemon/cast/ Realm B

12. Kerberos - AS Client ( ) 3. Kerberos Key Distribution

    Center(KDC) Key Distribution Center(KDC) Client A Authentication Service (AS) Ticket Granting Service (TGS) https://www.tv-asahi.co.jp/doraemon/cast/ Realm B ( ) ( )

13. Kerberos - AS Client (2 ) 3. Kerberos Key Distribution

    Center(KDC) Key Distribution Center(KDC) Client A Authentication Service (AS) Ticket Granting Service (TGS) https://www.tv-asahi.co.jp/doraemon/cast/ Realm B ID ⇒ ( )

14. Principal 3. Kerberos Key Distribution Center(KDC) Key Distribution Center(KDC) Client

    A Authentication Service (AS) Ticket Granting Service (TGS) Realm B KDC Principal KDC KDC Principal

15. 3. Kerberos Client Authentication Service (AS) Ticket Granting Service (TGS)

    A

16. – ( Realm ) 3. Kerberos Key Distribution Center(KDC) Key

    Distribution Center(KDC) Client Authentication Service (AS) Ticket Granting Service (TGS) ID TGT A A ID ID K A B TGT TGT ( ) K TGT ( ) TGT Token ( ) Token ( ) TGT ID/ TGT

17. – 2 ( Realm B ) 3. Kerberos Key Distribution

    Center(KDC) Key Distribution Center(KDC) Client Authentication Service (AS) Ticket Granting Service (TGS) B B ID A B AS TGT ( ) Token ( ) Token ( ) TGT TGT

18. Kerberos Windows Active Directory 4. Kerberos Windows Active Directory Microsoft

    Windows 2000 Active Directory Domain Services Active Directory Lightweight Directory Services Active Directory Certificate Services Active Directory Rights Management Services Active Directory Federation Services

19. Windows Active Directory Kerberos 3 5. Kerberos RADIUS …

20. Kerberos: The Definitive Guide Jason Garman , (O’Reilly) Active Directory

    Windows Server 2019 Inc. Yokota Lab ( BP) Web https://www.atmarkit.co.jp/ait/articles/1407/04/news012.html https://www.itmedia.co.jp/help/howto/win/win2000/0007trust/01/07.html https://qiita.com/yagiaoskywalker/items/4d3c1c682aba29f89056
21. None

22. Appendix

23. Active Directory Domain Services 1. Kerberos Windows Active Directory TLD

    DNS . com kohei tokyo tokyo.kohei.com kohei.com taro taro.local Sales OU ACC OU . com kohei osaka (DC) DC DC DC DC DC jp

24. (Kerberos Realm ) Active Directory Domain Service(AD DS) 1. Kerberos

    Windows Active Directory TLD DNS . com jp kohei japan DNS kohei.com Active Directory kohei.com DNS japan.kohei.com Active Directory japan.kohei.com

25. (Kerberos KDC ) 1. Kerberos Windows Active Directory DC DB

    DC DB DC DB DB

26. Active Directory 1. Kerberos Windows Active Directory kohei japan us

    sales hr sales hr Active Directory kohei.local japan.kohei.local us.kohei.local sales.japan.kohei.local hr.japan.kohei.local sales.us.kohei.local hr.us.kohei.local

27. 1. Kerberos Windows Active Directory kohei japan taro Active Directory

    kohei.local japan.kohei.local taro.local sales sales.taro.local sales hr sales.japan.kohei.local hr.japan.kohei.local

28. Kerberos 1. Kerberos Windows Active Directory kohei japan taro taro.local

    sales sales.taro.local sales sales.japan.kohei.local sale.japan.kohei.local sales.taro.local

29. OU(Organizational Unit) Active Directory 1. Kerberos Windows Active Directory Active

    Directory kohei.local Sales OU ACC OU

30. 1. Kerberos Windows Active Directory 15 1 3 1

31. Kerberos 2. Kerberos

32. ID/Password Keycloak 2. Kerberos Key Distribution Center(KDC) Key Distribution Center(KDC)

    Client Authentication Service (AS) Ticket Granting Service (TGS) B B ID/Password ID K AD ) Keycloak TGT /TGS TGT /TGS OCI GC3 5days

33. 2. Kerberos

34. Keycloak ID/Password 2. Kerberos