Are port numbers supported in server principal names?


Are port numbers supported in server principal names?

Markus Kuhn
Microsoft's ODBC driver for SQLServer appends a port number
after a colon to the domain name in a service principal name,
as in

   MSSQLSvc/db0.ad.cl.cam.ac.uk:1433@
                               ^^^^^

and even relies on that port number to distinguish different
service instances on the same host:

  "For a TCP/IP connection the SPN is registered in the
   format MSSQLSvc/<FQDN>:<tcpport>. Both named instances
   and the default instance are registered as MSSQLSvc,
   relying on the <tcpport> value to differentiate the instances."

   https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/register-a-service-principal-name-for-kerberos-connections

Since Microsoft's ODBC Driver for SQL Server is now also available
for Linux and macOS

   https://docs.microsoft.com/en-us/sql/connect/odbc/linux-mac/system-requirements

people like myself are now commonly using it with MIT's Kerberos
client libraries.

This driver requests tickets for service principal names such as

   MSSQLSvc/db0.ad.cl.cam.ac.uk:1433@

i.e., with included port number:

   https://docs.microsoft.com/en-us/sql/connect/odbc/linux-mac/known-issues-in-this-version-of-the-driver

I suspect that a lot of the mechanics in the MIT Kerberos
client libraries (e.g., to look up in DNS what
the realm associated with db0.ad.cl.cam.ac.uk or ad.cl.cam.ac.uk
is in a cross-realm environment) does not cope with the
presence of the colon and port number in the SPN (NT-SRV-HST).

For example, the above SPN works in kvno (krb5-1.13.2, Ubuntu 16.04)
only after I remove the port number (whereas both SPNs are registered
in our Active Directory KDC):

$ kvno MSSQLSvc/db0.ad.cl.cam.ac.uk:1433@
kvno: Server not found in Kerberos database while getting credentials for MSSQLSvc/db0.ad.cl.cam.ac.uk:1433@

$ kvno MSSQLSvc/db0.ad.cl.cam.ac.uk@
MSSQLSvc/db0.ad.cl.cam.ac.uk@: kvno = 2

I could not find any mention of port numbers on service principal names
in MIT Kerberos related documentation or RFC 4120, but Microsoft seems
to consider this an essential feature, at least in its ODBC driver
for SQLServer.

Is this a known problem?

Is there any chance that MIT Kerberos (implementation and spec)
could be extended in future to allow port numbers after a colon in SPNs?

At first glance, it seems a perfectly useful extension to me.

Best regards,

Markus


P.S.: I am aware of the syntactic ambiguity caused by the fact that
colons are already used in numeric IPv6 addresses. One solution for
that may be to follow the syntax proposed in

    https://tools.ietf.org/html/rfc2732

for numeric IPv6 addresses and port numbers in URLs, namely to
require square brackets around numeric IPv6 addresses in URLs,
which if applied to SPNs would then look like

   MSSQLSvc/[2001:630:212:228:6069:62ff:fedc:c05b]:1433@

--
Markus Kuhn, Computer Laboratory, University of Cambridge
http://www.cl.cam.ac.uk/~mgk25/ || CB3 0FD, Great Britain
________________________________________________
Kerberos mailing list           [hidden email]
https://mailman.mit.edu/mailman/listinfo/kerberos

Re: Are port numbers supported in server principal names?

Greg Hudson
On 03/27/2018 11:02 AM, Markus Kuhn wrote:
> For example, the above SPN works in kvno (krb5-1.13.2, Ubuntu 16.04)
> only after I remove the port number (whereas both SPNs are registered
> in our Active Directory KDC):
>
> $ kvno MSSQLSvc/db0.ad.cl.cam.ac.uk:1433@
> kvno: Server not found in Kerberos database while getting credentials for MSSQLSvc/db0.ad.cl.cam.ac.uk:1433@
>
> $ kvno MSSQLSvc/db0.ad.cl.cam.ac.uk@
> MSSQLSvc/db0.ad.cl.cam.ac.uk@: kvno = 2

In this usage the principal name is specified on the command line
(albeit with an empty realm, which has the special meaning of starting
with the local realm and possibly accepting a referral).  So kvno and
the library make no assumption that db0.ad.cl.cam.ac.uk (with or without
the port) is a hostname; they just pass the principal name off to the
KDC as-is.  I don't have any theories as to why the first command isn't
working.  You could try using "KRB5_TRACE=/dev/stdout kinit ..." to gain
more insight, or perhaps using Wireshark to verify that the correct
request is sent to the KDC.

> I could not find any mention of port numbers on service principal names
> in MIT Kerberos related documentation or RFC 4120, but Microsoft seems
> to consider this an essential feature, at least in its ODBC driver
> for SQLServer.

In release 1.13 we added support for port numbers in the hostname part
of a service-name-to-principal mapping operation (sometimes called
"sn2princ"), by removing the port number before canonicalizing the
hostname and then adding it back in afterwards.  But that's irrelevant
to the kvno invocations described above.

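The port-stripping sn2princ step Greg describes, combined with the bracketed IPv6 form Markus proposes in his P.S., as an added Python illustration (not MIT krb5's own code): DNS canonicalization is replaced by a constructed lookup table, and the IPv6-literal handling is the proposal from the P.S., not current library behaviour.

```python
# Constructed stand-in for DNS canonicalization (not real lookups).
CANON_TABLE = {
    "db0": "db0.ad.cl.cam.ac.uk",
    "db0.ad.cl.cam.ac.uk": "db0.ad.cl.cam.ac.uk",
}

def split_host_port(hostpart):
    """Split the host component of an SPN into (host, port).

    A bracketed literal "[2001:db8::1]:1433" (the RFC 2732 style from the
    thread's P.S.) is recognised; an unbracketed value with more than one
    colon is treated as a bare IPv6 address with no port, so its colons
    are not mistaken for a port separator."""
    if hostpart.startswith("["):
        close = hostpart.find("]")
        if close < 0:
            raise ValueError("unterminated IPv6 literal: " + hostpart)
        host = hostpart[1:close]
        rest = hostpart[close + 1:]
        if rest == "":
            return host, None
        if rest.startswith(":") and rest[1:].isdigit():
            return host, rest[1:]
        raise ValueError("bad port after IPv6 literal: " + hostpart)
    if hostpart.count(":") > 1:
        return hostpart, None  # bare IPv6 literal, no port
    host, sep, port = hostpart.partition(":")
    if sep and not port.isdigit():
        raise ValueError("non-numeric port: " + hostpart)
    return host, (port if sep else None)

def canonicalize(host):
    """Simulated canonicalization (lower-case + table lookup) standing in
    for the DNS forward lookup a real sn2princ step would perform."""
    host = host.lower()
    return CANON_TABLE.get(host, host)

def sn2princ(service, hostpart, realm=""):
    """Build 'service/host[:port]@realm': strip the port before
    canonicalization and re-attach it afterwards, as krb5 1.13 does."""
    host, port = split_host_port(hostpart)
    if ":" not in host:  # only canonicalize hostnames, never IP literals
        host = canonicalize(host)
    else:
        host = "[" + host + "]"  # emit IPv6 literals unambiguously
    if port is not None:
        host = host + ":" + port
    return "%s/%s@%s" % (service, host, realm)
```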

Re: Are port numbers supported in server principal names?

Isaac Boukris
On Tue, Mar 27, 2018 at 6:02 PM, Markus Kuhn <[hidden email]> wrote:

> Microsoft's ODBC driver for SQLServer appends a port number
> after a colon to the domain name in a service principal name,
> as in
>
>    MSSQLSvc/db0.ad.cl.cam.ac.uk:1433@
>                                ^^^^^
>
> and even relies on that port number to distinguish different
> service instances on the same host:
>
>   "For a TCP/IP connection the SPN is registered in the
>    format MSSQLSvc/<FQDN>:<tcpport>. Both named instances
>    and the default instance are registered as MSSQLSvc,
>    relying on the <tcpport> value to differentiate the instances."
>
>    https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/register-a-service-principal-name-for-kerberos-connections
>
> Since Microsoft's ODBC Driver for SQL Server is now also available
> for Linux and macOS
>
>    https://docs.microsoft.com/en-us/sql/connect/odbc/linux-mac/system-requirements
>
> people like myself are now commonly using it with MIT's Kerberos
> client libraries.
>
> This driver requests tickets for service principal names such as
>
>    MSSQLSvc/db0.ad.cl.cam.ac.uk:1433@
>
> i.e., with included port number:
>
>    https://docs.microsoft.com/en-us/sql/connect/odbc/linux-mac/known-issues-in-this-version-of-the-driver
>
> I suspect that a lot of the mechanics in the MIT Kerberos
> client libraries (e.g., to look up in DNS what
> the realm associated with db0.ad.cl.cam.ac.uk or ad.cl.cam.ac.uk
> is in a cross-realm environment) does not cope with the
> presence of the colon and port number in the SPN (NT-SRV-HST).
>
> For example, the above SPN works in kvno (krb5-1.13.2, Ubuntu 16.04)
> only after I remove the port number (whereas both SPNs are registered
> in our Active Directory KDC):
>
> $ kvno MSSQLSvc/db0.ad.cl.cam.ac.uk:1433@
> kvno: Server not found in Kerberos database while getting credentials for MSSQLSvc/db0.ad.cl.cam.ac.uk:1433@
>
> $ kvno MSSQLSvc/db0.ad.cl.cam.ac.uk@
> MSSQLSvc/db0.ad.cl.cam.ac.uk@: kvno = 2


Note, I tried to simulate in lab, using version 1.15.2 (fedora), and
it seems to work ok.

On the DC I ran:
setspn -S MSSQLSvc/myhost.acme.com:1433 ACME\apache
setspn -S MSSQLSvc/myhost.acme.com:1444 ACME\tomcat
setspn -S MSSQLSvc/myhost.acme.com ACME\ngix

And then the above kvno gets a ticket to each.

See tshark traces at:
https://pastebin.com/Hb80rs6s