security feature "Extended Protection for Authentication"

Sep 17, 2010 at 4:13 PM
Edited Sep 17, 2010 at 4:21 PM

Hello,

Last Tuesday Microsoft distributed an "update to implement Extended Protection for Authentication for Outlook Express..." see http://support.microsoft.com/?kbid=2141007

At the website there is a link to http://www.microsoft.com/technet/security/advisory/973811.mspx , where it is explained that a new feature for "Extended Protection for Authentication" can be enabled. "This feature enhances the protection and handling of credentials when authenticating network connections using Integrated Windows Authentication (IWA)."

Now I am wondering if it has an impact on the use/function of "tomcatspnego" if this feature is activated for authentication with IE (client side or server side).

What do you think about this?

Charly

Coordinator
Sep 19, 2010 at 5:41 PM
Edited Sep 19, 2010 at 6:31 PM

Hello,

Tomcatspnego does not use the "Extended Protection for Authentication". Before changing the code, I must test with the different browsers with Windows authentication (IE, Firefox, Safari and Chrome). A client can use it and can be authenticated via tomcatspnego.

To understand the interest of this extension: http://msdn.microsoft.com/en-us/library/dd767318.aspx and http://msdn.microsoft.com/en-us/library/dd582691(VS.100).aspx

When the client uses, in the URL, a DNS name of the server (an A entry or a CNAME entry), Kerberos will be used. The client requests, from a KDC, a service ticket encrypted with the key only known by the account used by the server. The client does not know this account. So the browser uses the Service Principal Name (HTTP/DNSnameoftheserver) in the request sent to the KDC. This Service Principal Name is associated with an account in Active Directory.

Then, the client sends this ticket to the server. It can only be decrypted with the key only known by the account associated with this Service Principal Name.

With HTTPS, the Service Principal Name will also be HTTP/DNSnameoftheserver.

So only with NTLM is there a risk of a man-in-the-middle (MITM) attack.

Dominique
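The reply above describes two mechanisms: the browser derives an SPN of the form HTTP/<DNS name> from the URL and obtains a service ticket that only the account behind that SPN can decrypt, and Extended Protection for Authentication ties the authentication exchange to the TLS channel. The following Python model is an added example written for this thread; it is not tomcatspnego code and not Microsoft's implementation. The KDC, service, account keys, hostnames and certificate bytes are all constructed, and an HMAC under the service account key stands in for the ticket encryption so that only the key holder can validate the ticket. The channel binding token follows the tls-server-end-point form of RFC 5929 (a hash of the TLS server certificate), which is what Extended Protection carries inside the authentication exchange.

```python
from __future__ import annotations

import hashlib
import hmac
from urllib.parse import urlsplit


def spn_for_url(url: str) -> str:
    """Derive the Service Principal Name the browser asks the KDC for.

    The SPN is built from the DNS name typed in the URL (an A or CNAME entry).
    The scheme does not change it: HTTPS still yields HTTP/<dns name>.
    """
    host = urlsplit(url).hostname
    if not host:
        raise ValueError(f"no host in URL: {url!r}")
    return f"HTTP/{host}"


class ToyKDC:
    """Knows the long-term key of the account behind each SPN (constructed)."""

    def __init__(self) -> None:
        self._keys: dict[str, bytes] = {}

    def register(self, spn: str, account_key: bytes) -> None:
        self._keys[spn] = account_key

    def service_ticket(self, client: str, spn: str) -> tuple[bytes, bytes]:
        # A real ticket is encrypted with the service account's key. Here an
        # HMAC under that key stands in for the encryption: only a party that
        # holds the same key can validate the ticket body.
        if spn not in self._keys:
            raise KeyError(f"unknown SPN {spn}")
        body = f"{client}|{spn}".encode()
        return body, hmac.new(self._keys[spn], body, "sha256").digest()


class ToyService:
    """A server that accepts tickets only if they were issued for its key."""

    def __init__(self, account_key: bytes) -> None:
        self._key = account_key

    def accept(self, ticket: tuple[bytes, bytes]) -> bool:
        body, tag = ticket
        expected = hmac.new(self._key, body, "sha256").digest()
        return hmac.compare_digest(expected, tag)


def channel_binding_token(server_cert_der: bytes) -> bytes:
    """tls-server-end-point binding (RFC 5929): hash of the TLS server cert.

    Extended Protection carries this token in the authentication exchange so
    the server can check the client authenticated over the server's own TLS
    session. RFC 5929 picks the hash from the certificate's signature
    algorithm and falls back to SHA-256 for MD5/SHA-1; SHA-256 is used here.
    """
    return hashlib.sha256(server_cert_der).digest()


def server_checks_binding(server_cert_der: bytes, token_from_client: bytes) -> bool:
    """Server-side check: recompute the token from its own cert and compare."""
    return hmac.compare_digest(channel_binding_token(server_cert_der), token_from_client)


def demo() -> dict[str, bool]:
    """Run the flow from the post with constructed values."""
    kdc = ToyKDC()
    real_key = b"constructed-service-account-key"
    kdc.register("HTTP/intranet.example.com", real_key)
    real_service = ToyService(real_key)
    other_host = ToyService(b"constructed-key-of-another-host")

    # Client side: SPN from the URL, then a ticket for that SPN from the KDC.
    spn = spn_for_url("https://intranet.example.com/app")
    ticket = kdc.service_ticket("charly@EXAMPLE.COM", spn)

    # Channel binding: the client hashes the certificate it saw on its own
    # TLS session; a server behind a different certificate cannot match it.
    real_cert = b"constructed DER bytes of the intranet.example.com certificate"
    other_cert = b"constructed DER bytes of some other certificate"
    cbt = channel_binding_token(real_cert)

    return {
        "real_service_accepts": real_service.accept(ticket),
        "other_key_rejects": not other_host.accept(ticket),
        "binding_matches_own_cert": server_checks_binding(real_cert, cbt),
        "binding_rejects_other_cert": not server_checks_binding(other_cert, cbt),
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {ok}")
```

The `demo()` results show the point of the reply: a ticket requested for HTTP/intranet.example.com is useless to a host holding a different account key, and a channel binding token computed over one TLS certificate does not verify against another. Whether a given server-side SPNEGO implementation actually evaluates the channel binding it receives is a separate question from whether the browser sends it, which is what the reply's remark about testing each browser refers to.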