I have configured http service on IIS 7.5 for kerberos authentication. And it works fine.
I have checked from linux box
# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: [email protected]
Valid starting Expires Service principal
03/08/16 10:19:30 03/08/16 20:19:31 krbtgt/[email protected]
renew until 03/15/16 10:19:30
03/08/16 10:20:00 03/08/16 20:19:31 HTTP/[email protected]
renew until 03/15/16 10:19:30
Simple test
# curl --trace-ascii - --negotiate -u : http://www.example.net
Enter host password for user '[email protected]':
== Info: About to connect() to www.example.net port 80 (#0)
== Info: Trying 192.168.1.100... == Info: connected
== Info: Connected to www.example.net (192.168.1.100) port 80 (#0)
=> Send header, 178 bytes (0xb2)
0000: GET / HTTP/1.1
0010: User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7
0050: NSS/3.19.1 Basic ECC zlib/1.2.3 libidn/1.18 libssh2/1.4.2
008c: Host: www.example.net
00a3: Accept: */*
00b0:
...
== Info: Connection #0 to host www.example.net left intact
== Info: Issue another request to this URL: 'http://www.example.net/'
== Info: Re-using existing connection! (#0) with host www.example.net
== Info: Connected to www.example.net (192.168.1.100) port 80 (#0)
== Info: Server auth using GSS-Negotiate with user ''
=> Send header, 1969 bytes (0x7b1)
0000: GET / HTTP/1.1
0010: Authorization: Negotiate YIIFJgYJKoZIhvcSAQICAQBuggUVMIIFEaADAgE
0050: FoQMCAQ6iBwMFAAAAAACjggQkYYIEIDCCBBygAwIBBaENGwtFWEFNUExFLk5FVKI
0090: iMCCgAwIBA6EZMBcbBEhUVFAbD2RjMS5leGFtcGxlLm5ldKOCA+AwggPcoAMCARK
...
070f: User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7
074f: NSS/3.19.1 Basic ECC zlib/1.2.3 libidn/1.18 libssh2/1.4.2
078b: Host: www.example.net
07a2: Accept: */*
07af:
<= Recv header, 17 bytes (0x11)
0000: HTTP/1.1 200 OK
<= Recv header, 25 bytes (0x19)
0000: Content-Type: text/html
<= Recv header, 46 bytes (0x2e)
0000: Last-Modified: Sat, 05 Mar 2016 17:15:16 GMT
<= Recv header, 22 bytes (0x16)
0000: Accept-Ranges: bytes
...
Anonymous authentication has been disabled and Windows authentication has been enabled in the Authentication section for the site and for the whole server. I left only Negotiate:Kerberos in Providers section. Kernel-mode authentication has been disabled.
I have created SPN record for ftp service
> setspn.exe -a ftp/ftp.example.net dc1
Registering ServicePrincipalNames for CN=DC1,OU=Domain Controllers,DC=example,DC=net
ftp/ftp.example.net
Updated object
And I can see newly created SPN record
> Setspn.exe -L DC1
Registered ServicePrincipalNames for CN=DC1,OU=Domain Controllers,DC=example,DC=net:
ftp/ftp.example.net
Dfsr-12F9A27C-BF97-4787-9364-D31B6C55EB04/dc1.example.net
HOST/DC1/EXAMPLE
ldap/DC1/EXAMPLE
ldap/dc1.example.net/ForestDnsZones.example.net
ldap/dc1.example.net/DomainDnsZones.example.net
DNS/dc1.example.net
GC/dc1.example.net/example.net
RestrictedKrbHost/dc1.example.net
RestrictedKrbHost/DC1
HOST/dc1.example.net/EXAMPLE
HOST/DC1
HOST/dc1.example.net
HOST/dc1.example.net/example.net
ldap/dc1.example.net/EXAMPLE
ldap/DC1
ldap/dc1.example.net
ldap/dc1.example.net/example.net
E3514235-4B06-11D1-AB04-00C04FC2DCD2/f9c3624c-5f19-4e0a-8afa-d730b0bd4e6d/example.net
ldap/f9c3624c-5f19-4e0a-8afa-d730b0bd4e6d._msdcs.example.net
But when I trying connect to FTP service I get the following error
# curl --trace-ascii - --krb 5 -u : ftp://ftp.example.net
== Info: About to connect() to ftp.example.net port 21 (#0)
== Info: Trying 192.168.1.100... == Info: connected
== Info: Connected to ftp.example.net (192.168.1.100) port 21 (#0)
<= Recv header, 27 bytes (0x1b)
0000: 220 Microsoft FTP Service
== Info: Trying GSSAPI...
=> Send header, 13 bytes (0xd)
0000: AUTH GSSAPI
<= Recv header, 41 bytes (0x29)
0000: 504 Security mechanism not implemented.
== Info: GSSAPI is not supported by the server.
== Info: Logging in with password in cleartext!
...
I have read a lot of official documentations but couldn't find out is it possible to configure Kerberos authentication for FTP service.
So my questions are:
- Is it possible at all. If it is, what I have missed?
- If it is not possible, what FTP server I can use with kerberos authentication?
P.S. In advanced settings of Windows Authentication section there is an option - Kernel-mode authentication with the following description
By default, IIS enables kernel-mode authentication, which may improve authentication performance and prevent authentication problems with application pools configured to use a custom identity. As a best practice, do not disable this setting if Kerberos authentication is used in your environment and the application pool is configured to use a custom identity.
But when I check the box I get the following error
Did I miss something? Because on previous screen IIS has recommended do not disable kernel-mode authentication especially for kerberos authentication. So I'm a little bit confused.
Thanks in advance
0 Answers