10 February 2012

How to Enable Kerberos authentication on a TMG Array

With TMG SP2 came the ability to let users authenticate using Kerberos instead of NTLM when using NLB with an array. To find out more about it check out:

From End to Edge and Beyond - Episode 11 round about 10 minutes in...

The reason you really want Kerberos is that it is far more efficient than NTLM; see Improving Web Proxy Client Authentication Performance.

There are a number of steps to follow so read this whole article before you start...

Create the Service account to be used

You need to create a Windows domain account that will be used to run the TMG firewall service. (The default is to use the Network Service account.)

There are some security guidelines for setting up and creating the account.  The suggestion is to use an account that is not a member of any domain groups. This account should also not be used for anything else.
  • Create a user account in AD 
  • Create a group in AD
  • Go to the properties of the user account.
  • Add the user account to the group you just created
  • Set it as the primary group
  • Now you can remove the domain users group

Configure the SPN
Since the SPN will be tied to the proxy host name it is probably a great idea to double check and verify that this is 100% correct.  This name should be the same DNS name as your NLB virtual IP.

  • From the TMG admin console
  • Select the Array and view properties
  • Under the general tab look for the DNS Name: field

(Note: this needs to match the name the proxy clients are configured with. If they use another name or the IP address, Kerberos will not be used.)

To register the SPN with the Kerberos database you will need to use the setspn.exe utility from the command prompt.
  • setSPN -U -A http/<array_name> <account_name>

as in

  • setSPN -U -A http/proxyserver.domain.com domain\serviceaccount

The command should complete with "Object Updated".
To verify that it completed correctly, run a query:
  • setSPN -Q http/proxyserver.domain.com

It should return the result and finish with "Existing SPN found!"

At this point I also added an SPN for just the host name to cover manual configurations that do not use the FQDN. If you run the query again you will see two SPNs in the list.

Change the Credential setting
From the TMG console, select the array you want to edit and view its properties. Note: this will also affect reverse proxy scenarios.

  • Select the Credentials tab
  • In the Firewall Service account section select "Use this account"
  • Click on set account
  • Enter the account name as domain\serviceaccount (the one you created earlier)
  • Enter the password
  • Apply the setting and restart the services.




At this point do not panic!! The console will suddenly show Unable to retrieve data from: the array members.  This is because the firewall service now starts with a domain account and the console is still attempting to connect with the old one.

Give the array members a few minutes to come up and then close and re-open the console.

To confirm that everything started up ok:

  • Log onto the TMG array members.
  • Open the services console
  • You should now see that the Microsoft Forefront TMG Firewall service is running in the context of the service account.

Checking authentication
Using Wireshark you can spot the authentication method used. Filter on the source and destination IP of your NLB and search for NTLM or Kerberos in the packet details. This is the NTLM authentication method.


You will see this when authenticating with NTLM.  This will still happen when:

  • Browser does not support Kerberos (IE6)
  • Using an IP address
  • Using a name that does not correspond with the SPN(s)
  • Using a proxy auto-configuration script
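The same check can be scripted against the Proxy-Authorization value copied out of a capture. The following is an added example, not part of the original post: it treats any token carrying the NTLMSSP signature as NTLM and a GSS-API token carrying a Kerberos mechanism OID as Kerberos. The function name and the sample tokens are constructed for illustration.

```javascript
// Added example: decide NTLM vs Kerberos from a Proxy-Authorization value.
const NTLMSSP = Buffer.from("NTLMSSP\0", "latin1");
// DER-encoded Kerberos mechanism OIDs that appear inside SPNEGO tokens.
const KRB5_OIDS = [
  Buffer.from("06092a864886f712010202", "hex"), // 1.2.840.113554.1.2.2
  Buffer.from("06092a864882f712010202", "hex"), // 1.2.840.48018.1.2.2 (older Microsoft OID)
];

function classifyProxyAuth(headerValue) {
  const m = /^\s*(\S+)\s+([A-Za-z0-9+\/]+=*)\s*$/.exec(headerValue);
  if (!m) return "unknown";
  const scheme = m[1].toLowerCase();
  if (scheme === "ntlm") return "NTLM";
  if (scheme !== "negotiate") return "unknown";
  const token = Buffer.from(m[2], "base64");
  // An NTLMSSP signature anywhere means NTLM, raw or wrapped in SPNEGO.
  if (token.includes(NTLMSSP)) return "NTLM";
  // 0x60 opens a GSS-API token; a Kerberos OID inside it means Kerberos.
  if (token[0] === 0x60 && KRB5_OIDS.some((oid) => token.includes(oid))) {
    return "Kerberos";
  }
  return "unknown";
}

// Constructed sample tokens (built here, not captured traffic).
const ntlmType1 = Buffer.concat([NTLMSSP, Buffer.from("0100000007820000", "hex")]);
const spnegoKrb = Buffer.concat([
  Buffer.from("601b06062b0601050502a011300fa00d300b", "hex"), // SPNEGO header
  KRB5_OIDS[0],                                               // first offered mech
]);
const samples = {
  ntlmScheme: "NTLM " + ntlmType1.toString("base64"),
  negotiateNtlm: "Negotiate " + ntlmType1.toString("base64"),
  negotiateKerberos: "Negotiate " + spnegoKrb.toString("base64"),
};

for (const [name, value] of Object.entries(samples)) {
  console.log(name.padEnd(18), classifyProxyAuth(value));
}
```

A "Negotiate" header on its own does not prove Kerberos, which is why the token content is inspected and not just the scheme name.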

Below is the authentication using Kerberos


You can force this behavior in your browser by specifying the proxy server manually. If, however, you go back to using your TMG-generated auto-detect script or wpad file, you will switch back to using NTLM.
This is because the configuration script explicitly specifies which IPs to connect to.

Here is the portion of the wpad.dat file that covers that bit:

DirectNames=new MakeNames();
cDirectNames=2;
HttpPort="8080";
cNodes=2;
function MakeProxies(){
this[0]=new Node("10.40.22.6",1409863761,1.000000);
this[1]=new Node("10.40.22.5",3630121203,1.000000);
}


You will notice that it lists the individual IP address of each node and not the NLB IP or name.
You can change this to use just the NLB name, which will allow for Kerberos authentication:

DirectNames=new MakeNames();
cDirectNames=1;
HttpPort="8080";
cNodes=1;
function MakeProxies(){
this[0]=new Node("proxynlbname.domain.com",1409863761,1.000000);
}
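Since TMG can regenerate the script, it is worth checking the published wpad.dat after each change. The following is an added example, not part of the original post or of TMG: it reads the Node entries out of a wpad.dat and reports any that are IP addresses or names without a registered SPN. The function name and the SPN list passed in are assumptions for illustration.

```javascript
// Added example: flag wpad.dat proxy nodes that will fall back to NTLM.
const IPV4 = /^\d{1,3}(\.\d{1,3}){3}$/;

// spnHosts: host names that have an http/<name> SPN on the service account.
function auditWpadNodes(wpadText, spnHosts) {
  const registered = new Set(spnHosts.map((h) => h.toLowerCase()));
  const nodeRe = /new\s+Node\(\s*"([^"]+)"/g;
  const findings = [];
  let m;
  while ((m = nodeRe.exec(wpadText)) !== null) {
    const host = m[1];
    let verdict = "kerberos-capable";
    if (IPV4.test(host)) {
      verdict = "ip-address";          // no SPN matches an IP, so NTLM is used
    } else if (!registered.has(host.toLowerCase())) {
      verdict = "no-matching-spn";     // name differs from the registered SPNs
    }
    findings.push({ host, verdict });
  }
  return findings;
}

// The two MakeProxies excerpts shown in this post.
const generated = `function MakeProxies(){
this[0]=new Node("10.40.22.6",1409863761,1.000000);
this[1]=new Node("10.40.22.5",3630121203,1.000000);
}`;
const edited = `function MakeProxies(){
this[0]=new Node("proxynlbname.domain.com",1409863761,1.000000);
}`;
// Assumed SPN list: only the FQDN is registered in this run.
const spns = ["proxynlbname.domain.com"];

console.log(auditWpadNodes(generated, spns));
console.log(auditWpadNodes(edited, spns));
```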

Conclusion
It is now possible to get the performance advantages of using Kerberos for your NLB array. Making the changes to TMG is relatively simple. Ensuring that the clients are configured in a Kerberos-supported way is the harder part. At the very least you will now have to manage and update the wpad file.


References:
http://technet.microsoft.com/en-us/library/hh454304.aspx
http://tmgblog.richardhicks.com/2011/12/13/unable-to-retrieve-data-from-array-member-fails-after-enabling-kerberos-authentication-with-nlb-on-forefront-tmg-2010/





