First of all: This is not an in-depth Kerberos how-to, nor is this a tutorial about the different aspects of web application testing. This tutorial is only meant to support the testing of Kerberos-authenticated web applications. The goal is to provide the right tools and steps to perform the configuration and be able to test the application.
When to use it?
When there is a 401 server response with the header “WWW-Authenticate: Negotiate”. This can mean that either Kerberos or NTLM authentication is needed. It is possible to distinguish them by looking at validly authenticated client traffic. As a simple reminder: the NTLM Authorization header will always start with the value “TlRM…” (the base64 encoding of the “NTLMSSP” signature), while the Kerberos Authorization header will always start with “YII…” (the base64 encoding of the DER-encoded GSS-API token header). For further information this link is recommended.
In this tutorial the term “Kerberos authentication” will be used. There are other terms sometimes used like SPNEGO, SSO or integrated authentication.
What Software is needed?
First of all, a Kerberos implementation that is able to talk to the KDC (Key Distribution Center) is needed. The Python-based proxy “proxpy” will be used as the outgoing proxy. Furthermore, the Python library PyKerberos will be used.
Gather the information about the domain
To be able to write the Kerberos configuration, the information first needs to be extracted from a Microsoft Windows domain member. There are many ways to get this information; only one of them, via the command line, is shown here.
First the domain name is needed. It can be obtained by running “systeminfo”.
Once the domain name is known, nltest can be used to query the domain for further information.
After gathering the necessary information, it is now possible to write the Kerberos configuration. A sample configuration could look like this:
For further information see the krb5 documentation.
After writing the Kerberos configuration, it needs to be tested. For this purpose kinit is used; kinit obtains and caches Kerberos ticket-granting tickets. A valid set of domain credentials is needed to authenticate against the KDC.
To view the local ticket cache after successful authentication, klist is used.
The output shows that there is currently one Kerberos ticket-granting ticket (krbtgt).
To delete all tickets, kdestroy can be used without options.
Using Firefox to test the current settings
At this point it is possible to use e.g. Mozilla Firefox to visit the Kerberos-authenticated web application. To configure Firefox, go to about:config and search for “negotiate”.
After this configuration step, Firefox can authenticate against the web application.
For this step there should be a working Kerberos configuration and a valid TGT. From this point on, all that is needed is a proxy that adds a Kerberos ticket to the HTTP Authorization header on every authentication failure. The tool proxpy with a custom Kerberos plugin will be used. The plugin code looks as follows and is pretty self-explanatory.
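The header check and the ticket fetch, as an added example written for this article (not the author's proxpy plugin, which is not reproduced here): it decides whether a 401 asks for Negotiate, tells NTLM from Kerberos tokens by decoding them rather than by the base64 prefix, and builds the Authorization value with PyKerberos from the ticket cache filled by kinit. The function names, the service name HTTP and the sample headers are my own assumptions.

```python
import base64

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"  # fixed 8-byte prefix of every NTLM message
GSS_APP_TAG = b"\x60"               # DER tag of a GSS-API InitialContextToken (SPNEGO/Kerberos)


def wants_negotiate(status, headers):
    """True if a response is a 401 that offers Negotiate (Kerberos or NTLM)."""
    if status != 401:
        return False
    www_auth = headers.get("WWW-Authenticate", "")
    return any(v.strip().lower().startswith("negotiate") for v in www_auth.split(","))


def classify_token(authorization):
    """Classify an 'Authorization: Negotiate <token>' value as ntlm / kerberos / unknown.

    Decoding the token makes the "TlRM..." vs "YII..." rule of thumb from the
    text hold for short tokens as well (a short SPNEGO token encodes to "YI..." only).
    """
    parts = authorization.strip().split(None, 1)
    if len(parts) != 2 or parts[0].lower() != "negotiate":
        return "unknown"
    try:
        raw = base64.b64decode(parts[1], validate=True)
    except ValueError:  # binascii.Error is a subclass of ValueError
        return "unknown"
    if raw.startswith(NTLMSSP_SIGNATURE):
        return "ntlm"
    if raw.startswith(GSS_APP_TAG):
        return "kerberos"
    return "unknown"


def negotiate_header(hostname, service="HTTP"):
    """Build the Authorization value from the local ticket cache (run kinit first).

    Uses PyKerberos; imported lazily so the two helpers above work without it.
    """
    import kerberos
    result, ctx = kerberos.authGSSClientInit("%s@%s" % (service, hostname))
    if result != kerberos.AUTH_GSS_COMPLETE:
        raise RuntimeError("GSS context init failed for %s@%s" % (service, hostname))
    try:
        kerberos.authGSSClientStep(ctx, "")  # first step: no server challenge yet
        return "Negotiate " + kerberos.authGSSClientResponse(ctx)
    finally:
        kerberos.authGSSClientClean(ctx)


# Constructed sample headers (not captured traffic): an NTLM NEGOTIATE_MESSAGE stub and a
# truncated SPNEGO token starting with the DER tag and a two-byte length (-> "YII...").
SAMPLE_NTLM_HEADER = "Negotiate " + base64.b64encode(NTLMSSP_SIGNATURE + b"\x01\x00\x00\x00").decode()
SAMPLE_KRB_HEADER = "Negotiate " + base64.b64encode(b"\x60\x82\x02\x10\x06\x09\x2a\x86\x48\x86\xf7\x12\x01\x02\x02").decode()
```

In a proxy plugin, wants_negotiate() is applied to the server response and negotiate_header() to the retried request; classify_token() is what you run over captured client traffic to confirm the application really uses Kerberos and not NTLM.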
To start the proxpy use a command line similar to this:
After using the web application (either with Firefox or with the proxy), the ticket cache looks as follows:
Everything works as expected and the usual tools can be used. proxpy just needs to be set up as the last proxy in the chain to ensure every request gets authenticated.
Happy testing of Kerberos authenticated web applications.