Kerberos PKINIT: User authentication with PKI certificates

The BlackBerry Dynamics SDK supports Kerberos PKINIT for user authentication using PKI certificates. No programming is required to use Kerberos PKINIT.

Kerberos PKINIT is distinct from Kerberos Constrained Delegation (KCD). PKINIT relies on the Key Distribution Center (KDC), which should not be confused with "KCD".

| Kerberos PKINIT | Kerberos Constrained Delegation |
|---|---|
| Kerberos PKINIT authentication is between the BlackBerry Dynamics app and the Windows Key Distribution Center (KDC), which communicate directly, and user authentication is based on certificates issued by Microsoft Active Directory Certificate Services. | For PKINIT, Kerberos Constrained Delegation must not be enabled. If Kerberos Constrained Delegation has been configured, a BlackBerry Dynamics app does not use Kerberos PKINIT to access the defined KCD realms. Instead, when Kerberos Constrained Delegation is used, a trust relation has been previously established between BlackBerry Control and the Key Distribution Center, and BlackBerry Control communicates with the service on behalf of the app. Kerberos Constrained Delegation takes precedence over Kerberos PKINIT, even if the user has a valid certificate. |
Key requirements for PKINIT

Organizations that want to use Kerberos for BlackBerry Dynamics apps must make sure the following requirements are met.

Servers
- Kerberos Constrained Delegation must not be enabled.
- The Windows Key Distribution Center (KDC) services, whose KDC server certificates are issued by a Certificate Authority (CA) through Active Directory Certificate Services, must run on one of the following Windows Server versions only. No other server versions are supported.
  - Internet Information Server with Windows Server 2008 R2
  - Internet Information Server with Windows Server 2012 R2
- In BlackBerry Control:
  - The KDC hosts must be in the Allowed Domains of the Connectivity Profile applied to the affected users' policy sets.
  - Valid KDC service certificates must be located either in the BlackBerry Dynamics Certificate Store or the Device Certificate Store.
Client certificates
- The minimum key length for the certificates must be 2,048 bits.
- Client certificates must include the User Principal Name (UPN) (for example, user@domain.com) in the Subject Alternative Name (SAN), as an otherName with object ID (OID) szOID_NT_PRINCIPAL_NAME, 1.3.6.1.4.1.311.20.2.3, as specified by Microsoft. See Microsoft Support: Object IDs associated with Microsoft cryptography.
- The domain of the UPN must match the name of the realm of the Windows Key Distribution Center (KDC) service.
- The Extended Key Usage (EKU) extension of the certificate must include Microsoft Smart Card Logon (1.3.6.1.4.1.311.20.2.2).
- Certificates must be valid, and must validate against the servers listed above.
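The following script checks a client certificate against the requirements in this list (key length, UPN otherName in the SAN, UPN domain matching the KDC realm, Smart Card Logon EKU, validity period). It is an added example, not BlackBerry code, and it needs the `cryptography` package. Because an AD CS-issued certificate is not available offline, `make_test_certificate()` constructs a self-signed certificate of the same shape in memory; in practice you would load the user's certificate with `x509.load_pem_x509_certificate()` instead. The realm name `MY.REALM.COM` is taken from this page; the script does not build a chain to the issuing CA.

```python
"""Check a PKINIT client certificate against the requirements listed above.

Added example, not BlackBerry code. make_test_certificate() builds a
constructed, self-signed certificate so the check runs offline; chain
validation against the issuing CA is out of scope here.
"""
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import NameOID, ObjectIdentifier

UPN_OID = ObjectIdentifier("1.3.6.1.4.1.311.20.2.3")           # szOID_NT_PRINCIPAL_NAME
SMART_CARD_LOGON = ObjectIdentifier("1.3.6.1.4.1.311.20.2.2")  # Microsoft Smart Card Logon EKU
MIN_KEY_BITS = 2048


def der_utf8string(text):
    """DER-encode a UTF8String (tag 0x0C); the UPN otherName value is one of these."""
    raw = text.encode("utf-8")
    if len(raw) >= 128:
        raise ValueError("UPN too long for short-form DER length")
    return b"\x0c" + bytes([len(raw)]) + raw


def der_utf8string_decode(der):
    """Inverse of der_utf8string; accepts short- and long-form lengths."""
    if len(der) < 2 or der[0] != 0x0C:
        raise ValueError("otherName value is not a UTF8String")
    length, offset = der[1], 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(der[2:2 + n], "big")
        offset = 2 + n
    return der[offset:offset + length].decode("utf-8")


def make_test_certificate(upn, key_bits=2048, eku=SMART_CARD_LOGON, include_upn=True):
    """Constructed self-signed certificate shaped like an AD CS smart card logon cert."""
    key = rsa.generate_private_key(65537, key_bits, default_backend())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, upn.split("@")[0])])
    now = datetime.now(timezone.utc)
    builder = (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - timedelta(minutes=5))
        .not_valid_after(now + timedelta(days=1))
        .add_extension(x509.ExtendedKeyUsage([eku]), critical=False)
    )
    if include_upn:
        san = x509.SubjectAlternativeName([x509.OtherName(UPN_OID, der_utf8string(upn))])
        builder = builder.add_extension(san, critical=False)
    return builder.sign(key, hashes.SHA256(), default_backend())


def certificate_upn(cert):
    """Return the UPN carried in the SAN otherName, or None if there is none."""
    try:
        san = cert.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
    except x509.ExtensionNotFound:
        return None
    for general_name in san:
        if isinstance(general_name, x509.OtherName) and general_name.type_id == UPN_OID:
            return der_utf8string_decode(general_name.value)
    return None


def check_pkinit_certificate(cert, kdc_realm, now=None):
    """Return the list of requirement violations; an empty list means the cert passes."""
    problems = []
    key_size = getattr(cert.public_key(), "key_size", 0)
    if key_size < MIN_KEY_BITS:
        problems.append("key length %d bits is below the %d-bit minimum" % (key_size, MIN_KEY_BITS))
    try:
        eku = cert.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value
        if SMART_CARD_LOGON not in eku:
            problems.append("EKU does not include Smart Card Logon (1.3.6.1.4.1.311.20.2.2)")
    except x509.ExtensionNotFound:
        problems.append("no Extended Key Usage extension")
    upn = certificate_upn(cert)
    if upn is None:
        problems.append("no UPN otherName (1.3.6.1.4.1.311.20.2.3) in the SAN")
    elif "@" not in upn or upn.rsplit("@", 1)[1].lower() != kdc_realm.lower():
        problems.append("UPN domain in %r does not match KDC realm %r" % (upn, kdc_realm))
    now = now or datetime.now(timezone.utc)
    not_before = getattr(cert, "not_valid_before_utc", None)
    if not_before is None:                  # cryptography < 42 exposes naive UTC datetimes
        not_before = cert.not_valid_before.replace(tzinfo=timezone.utc)
        not_after = cert.not_valid_after.replace(tzinfo=timezone.utc)
    else:
        not_after = cert.not_valid_after_utc
    if not (not_before <= now <= not_after):
        problems.append("certificate is outside its validity period")
    return problems


if __name__ == "__main__":
    cert = make_test_certificate("user@MY.REALM.COM")
    print(check_pkinit_certificate(cert, "MY.REALM.COM") or "certificate meets the PKINIT requirements")
```

The UPN is compared against the realm case-insensitively, matching the page's example where `user@MY.REALM.COM` is used with a KDC host named `myrealm.com`; if your KDC treats realm names as case-sensitive, tighten that comparison.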
Client applications
- In BlackBerry Work, to allow the use of client certificates, you must enable the useEASAuthCert setting.
- Apps must not send any password in the HTTP/HTTPS request.
- Apps must either request the Negotiate authentication scheme explicitly, or set no authorization method at all on the HTTP or HTTPS request and let the server's 401 response carrying WWW-Authenticate: Negotiate trigger it. For more information, see SPNEGO-based Kerberos and NTLM HTTP Authentication in Microsoft Windows.
Key points

The following are key points to note when integrating BlackBerry Dynamics and Kerberos infrastructure:
- The KDC host must be in the Allowed Domains of the Connectivity Profile applied to the affected users' policy sets in BlackBerry Control.
- The KDC host must be listening on TCP port 88 (the Kerberos default port).
- BlackBerry Dynamics does not support KDC over UDP.
- BlackBerry Dynamics does not use Domain Name System (DNS) records such as SRV, CNAME, or TXT to locate the correct KDC. That is, the KDC must have an A record (IPv4) or AAAA record (IPv6) in your DNS.
- BlackBerry Dynamics does not use Kerberos configuration files (such as krb5.conf) to locate the correct KDC.
- The KDC can refer the client to another KDC host. BlackBerry Dynamics will follow the referral, as long as the KDC host that is referred to can be reached by BlackBerry Dynamics; that host must also be in the Allowed Domains of the Connectivity Profile that is applied to the affected users' policy sets in BlackBerry Control.
- The KDC can obtain the TGT from another KDC host transparently to BlackBerry Dynamics.
Background on PKINIT, with FAQ

Consider the interactions in this KDC diagram.

Kerberos PKINIT authentication requires the client (in the drawing, the human John, running a BlackBerry Dynamics-enabled application) to be able to contact:
- When initializing the user session, the user's Key Distribution Center (KDC) Authentication Service (AS), to obtain a Ticket-Granting Ticket (TGT)
- When establishing a connection to a resource (in the drawing, Service "A"), the resource's KDC Ticket-Granting Service (TGS)

In a large organization, users and resources might belong to various realms and there may be many KDCs, so how does BlackBerry Dynamics find the right one?

- How does the client locate the user's KDC Authentication Service when initializing the user's session?
  - Password-based authentication: The realm in the user name is used as the host name of the KDC AS, so it must resolve to the KDC. For example:
    User: user@MY.REALM.COM
    Password: myPassword
  - Certificate-based authentication (this is PKINIT): The realm in the UPN of the user's certificate is used as the host name of the KDC AS. For example:
    UPN (OID 1.3.6.1.4.1.311.20.2.3): user@MY.REALM.COM
- How does the client locate the resource's KDC Ticket-Granting Service (TGS) when retrieving the resource? BlackBerry Dynamics attempts to obtain a service ticket from the TGS on the host in the domain of the resource's URL. For example, for the URL http://resource.myrealm.com/index.html, the client will connect to the KDC TGS running on host myrealm.com on TCP port 88.