As seen in other Kerberos-related articles, Kerberos authentication depends on DNS records and on a related set of names called Service Principal Names (SPNs). In this brief article, we’ll look at those requirements and the relationship between them. This applies to all Kerberos-enabled services, including the SMB I/O path for Hyper-V, SSO-aware REST API services and others.
A Kerberos-aware client needs to be able to perform three high-level operations in order to authenticate itself against a Kerberos-aware service:
- Request a service ticket to authenticate with the Kerberos-aware service
- Connect to the service over an IP network
- Present the service ticket to the service for authentication
The exact semantics differ from protocol to protocol — SMB 3.0 is wildly different from HTTP, which is different from SSH — but at a high level, that’s how they all work.
So what do we need to make all of this happen?
- A DNS name that maps to one or more IP addresses — for example vmstore01-data.vmlevel.com
- A Service Principal Name on the service’s computer account object in Active Directory that contains the same DNS name and the service name used by the Kerberos-aware service. An SMB 3.0 example would be: cifs/vmstore01-data.vmlevel.com
The DNS name is resolved to an IP address by the client when it wants to connect to the service over an IP network. In some cases other related DNS lookups are also done against this name, but I’ll cover canonicalisation and validated writes another time. The primary use of the DNS record is to find an IP address to connect to.
This then is subject to the same constraints as any other DNS+IP case. If the name resolves to multiple IPs, the client will generally need connectivity to each of those. This complicates the VLAN case somewhat and we’ll take a look at that in a subsequent article.
The client requests a service ticket from the KDC (Active Directory domain controller) by SPN. The KDC will scan its database for an account with that SPN and form a ticket for that service on that account.
Things to remember for basic Kerberos authentication:
- Have a DNS name that resolves to the distinct IP address that the service is available on.
- Make sure that there is a Service Principal Name in the KDC’s database that matches the DNS name and the well-known service name.
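The two checks above can be scripted so that a new service name is validated before anyone tries to authenticate against it. The following is an added example, not code from the original article or from any vendor tool: it builds the SPN the client will request (service/DNS name, as in the cifs/vmstore01-data.vmlevel.com example), confirms the name resolves, and confirms the KDC's database holds that SPN on an account. The DNS zone and the computer accounts are constructed in-memory dictionaries so the script runs offline; a real check would query DNS and Active Directory instead. It also reports the multiple-IP case as a note (the client needs connectivity to each address) and flags an SPN registered on more than one account, a case the article does not discuss but which the KDC's one-account lookup implies must not happen.

```python
"""Offline sanity check for the two Kerberos prerequisites in the article:
a DNS name that resolves, and a matching Service Principal Name (SPN)
registered on exactly one account in the KDC's database.

Assumption (not from the article): the DNS zone and the AD accounts are
constructed in-memory dictionaries so the script runs offline.
"""
from dataclasses import dataclass, field

# Constructed sample DNS zone: name -> list of A records.
SAMPLE_DNS = {
    "vmstore01-data.vmlevel.com": ["10.10.20.11", "10.10.21.11"],
    "vmstore02-data.vmlevel.com": ["10.10.20.12"],
    "vmstore03-data.vmlevel.com": [],  # name is known but has no address
}

# Constructed sample computer accounts with their registered SPNs.
SAMPLE_ACCOUNTS = {
    "VMSTORE01$": ["cifs/vmstore01-data.vmlevel.com", "host/vmstore01.vmlevel.com"],
    "VMSTORE02$": ["host/vmstore02.vmlevel.com"],  # SPN for the data name is missing
    "VMSTORE03$": ["cifs/vmstore03-data.vmlevel.com"],
}


def expected_spn(service: str, dns_name: str) -> str:
    """Build the SPN the client asks the KDC for: <service>/<dns name>.
    SPN matching in AD is case-insensitive, so normalise to lower case."""
    return f"{service.lower()}/{dns_name.lower()}"


def resolve(dns_name: str, zone: dict) -> list:
    """Return the IP addresses the name maps to (empty if unknown or no records)."""
    return list(zone.get(dns_name.lower(), []))


def accounts_with_spn(spn: str, accounts: dict) -> list:
    """Return every account whose SPN list contains `spn` (case-insensitive).
    The KDC needs exactly one match to know which account's key encrypts the ticket."""
    wanted = spn.lower()
    return sorted(name for name, spns in accounts.items()
                  if any(s.lower() == wanted for s in spns))


@dataclass
class CheckResult:
    spn: str
    ips: list
    accounts: list
    problems: list = field(default_factory=list)  # blocks authentication
    notes: list = field(default_factory=list)     # informational only

    @property
    def ok(self) -> bool:
        return not self.problems


def check_kerberos_prereqs(service: str, dns_name: str,
                           zone: dict = SAMPLE_DNS,
                           accounts: dict = SAMPLE_ACCOUNTS) -> CheckResult:
    """Run both checks from the article's checklist and explain any failure."""
    spn = expected_spn(service, dns_name)
    ips = resolve(dns_name, zone)
    owners = accounts_with_spn(spn, accounts)
    result = CheckResult(spn=spn, ips=ips, accounts=owners)

    # Check 1: the name must resolve, or the client has nowhere to connect.
    if not ips:
        result.problems.append(f"{dns_name} does not resolve to any IP address")
    elif len(ips) > 1:
        result.notes.append(f"{dns_name} resolves to {len(ips)} addresses; "
                            "the client needs connectivity to each of them")

    # Check 2: exactly one account in the KDC database must hold the SPN.
    if not owners:
        result.problems.append(f"no account in the KDC database has SPN {spn}")
    elif len(owners) > 1:
        result.problems.append(f"SPN {spn} is registered on more than one account: "
                               + ", ".join(owners))
    return result


if __name__ == "__main__":
    for name in SAMPLE_DNS:
        r = check_kerberos_prereqs("cifs", name)
        print(f"{r.spn}: {'OK' if r.ok else 'FAIL'} ips={r.ips} accounts={r.accounts}")
        for line in r.problems + r.notes:
            print("    ", line)
```

Run stand-alone it walks the three constructed names and prints OK for the first one (with a note about its two addresses), a missing-SPN failure for the second, and a non-resolving-name failure for the third. The same structure applies to any service name: swap cifs for http or host and the SPN string follows the article's service/DNS-name pattern unchanged.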
Keep an eye out for future articles that expand on this and talk about canonicalisation and network segmentation through things like VLANs.