Kerberos Double Hop is a term used to describe a method of maintaining the client’s Kerberos authentication credentials over two or more connections. In this fashion we can retain the user’s credentials and act on behalf of the user in further connections to other servers.
Please make sure you read the previous Kerberos for the busy admin post as I will reference terms used in that blog frequently.
The Kerberos TGT is the user’s identity. When we pass this ticket along with the service ticket we can re-use the KrbTGT to request other service tickets to speak with our service resources on our network.
There are requirements for a service to be able to perform Kerberos double hop. The service account needs to be trusted for delegation. Meaning it must be trusted to act upon another user’s behalf. Source and target servers must be in the same forest or there must be a forest level trust between forests and the first level service account must be in the trusted forest root.
How it Works:
Step 1 – Client provides credentials and domain controller returns a Kerberos TGT to the client.
Step 2 – Client uses TGT to request a service ticket to connect to Server 1.
Step 3 – Client connects to Server 1 and provides both TGT and service ticket.
Step 4 – Server 1 uses the clients TGT to request a service ticket so Server 1 can connect to Server 2 .
Step 5 – Server 1 connects to Server 2 using the client’s credentials.
- Kerberos on IIS, http://support.microsoft.com/kb/326985 , is a good resource that goes discusses using IIS for the front end server.
- Kerberos on 2000 server clusters, http://support.microsoft.com/kb/235529
- Kerberos in SQL Server, http://support.microsoft.com/kb/319723
- Kerberos with network load balancing, http://support.microsoft.com/kb/325608
- Kerberos with SMS 2003, http://support.microsoft.com/kb/326985
- Kerberos RFC – http://www.ietf.org/rfc/rfc1510.txt
- Microsoft Kerberos Tech Ref – http://technet2.microsoft.com/windowsserver/en/library/b748fb3f-dbf0-4b01-9b22-be14a8b4ae101033.mspx?mfr=true
- Kerberos Double Hop webcast – http://support.microsoft.com/kb/887682
- Constrained Delegation –http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/constdel.mspx
- Protocol Transition – http://technet2.microsoft.com/windowsserver/en/library/4c8b5ac7-368b-45b9-91d7-1ae7c5e0da311033.mspx?mfr=true