Tonight I’m going to dig through some authentication stuff. There are so many types of authentication from front end to back, from federated Kerberos to pass through using NTLM. There are so many options and to be honest the TechNet articles do a better job of confusing than explaining the scenarios and possibilities. I get that when you’re technical this is kind of funny but, darn it, I’m just not to that level yet. I guess I’ll watch one of those study guide videos on YouTube by such and such academy that totally prep you or order one of those books with the lighthouses on it. Anyway, let’s get into the one question I’m posting and then a flurry of TechNet articles.
Ok, lol, so there are 5 listed and we still have to talk about pass-through auth and NTLM is at least worth mentioning. I’m sure there is more I could talk about but I’ll be sure and draw a diagram to insert with a real nice Spaghetti copter filled with Papas Promise!
So MeasureUp has ‘kindly’ provided us with 3 very specific scenarios related to the question which don’t really help to get a general idea of how authentication works. Thankfully I’ve come up with a (sarcastic) diagram.
You know, to be honest it’s probably best to read everything in the network subheading of TechNet. At least for me because there is so much to know. It’s kind of baffling to be honest.
Honestly though, if you’re looking for a good time, dig through there for some quality networking diagrams.
I’m not sure if that looks like a robot or if it’s telling me that the remote requires two 9 volts in the side compartments and then 4 underneath it and then also due to the fact that this remote is so powerful it might be a good idea to use rechargeable batteries? I think that’s where it’s going anyway. Back to the task at hand, obviously I’m not going to go through every networking scenario and need to get back to the question but I will give the advice that it’s very worthwhile to be familiar with anything having to do with RADIUS. At least it was in the past. Unclear on the deprecation factor at this point. May have to check back in on that. Anyway, let’s read some stuff that isn’t the suggested Microsoft stuff that deals specifically with the topics at hand. At this point you may be thinking, ‘Why on earth would we need to check sources that are not Microsoft? Why wouldn’t we look at these hella complicated things when we don’t really know the basics?’ I’m just going to leave this meme here for your perusal (then links):
That seems simple enough but honestly, I have no idea what the fuck happens in that exchange. So I’ve called in my buddy, who is an expert.
Ok so it’s just basic user name and password authentication, if I’m understanding it right. I didn’t go to school for that sort of thing. In fact I dropped off Security+ study because it got boring. I’m sure I’m pretty close to being able to pass. I do that sometimes though. Get real close to finishing something and then on the home stretch be like ‘nahh fuck it.’ Only with personal things though, to be honest. I’m sure I’m going to pick it back up but as I started getting into the groove I got real bad excited to start studying Microsoft stuff again. Anyway. That’s how it goes, let’s move on, now that we think we know, meaning we probably have no idea and are arrogant, what we are doing.
To be honest, this seems like basic HTTP but with more steps thus making it more exploitable. I could be wrong on that. I’ve been wrong on things before, though I don’t remember them. However, it’s not that hard to figure out basic HTTP, honestly it seems like the same thing but they added ‘cookies’ for some reason. This makes absolutely 0 sense and I have no idea what’s going on. Obviously they want you to read white papers for further info. Surprise fuckers! I’m absolutely not reading that shit because I will have 0 understanding.
Lol this is surprisingly helpful. It explains how it works without giving away the amount of information needed to easily break it. Which either means it’s good or these people are drunkenly posting on the internet. Which, for the record is not what I’m doing while drinking Kyle Juice tm and cheap vodka. (dieting and we are coming up on two weeks without a cigarette and for someone that was a pack a day smoker it’s a big deal). It looks like this one has a lot of back and forth stuff internally and I’m not exactly clear on how the client is interacting with this that makes it more secure than HTTP basic but I feel comfortable with the idea at least. This isn’t used in the question from MeasureUp that I can tell you with 90% certainty will not be on the test due to Microsoft’s propensity toward testing only on proprietary information; however, I can also tell you with some degree of certainty that Kerberos most definitely influenced this authentication model and bits of it were definitely harvested to produce this. Would have to call in an expert to confirm tho.
Though these two, the first one being ‘look how easy this is for end users’ and the second one being a basic overview, are helpful, they don’t shed any light on how Pass-Through as a basic concept is any different than OAuth. That’s the thing with sign on and security protocols, they have names but it’s sort of meaningless. I can assure you, as a person that works for a company that doesn’t exactly have SSO figured out, at least in my department, it’s not that easy. Like ok so I sign in using a user name and password and then a front end server connects with a back-end server which is completely transparent to me as an end user? I don’t understand why this is any different than basic HTTP. You have a server, you auth to it and then it internally accesses the resources it needs. On a conceptual level I understand that it isn’t safe to have a front end server in a DMZ area with easy access to a back-end server housing data full time but it’s still slightly confusing to me. I’m starting to grasp the ideas but there is so much to learn about authentication. I feel like it would be much like what I’ve learned so far about Windows server though, once you get the basics everything else is kind of seasoning. However, I can say at this point, when I look at the question I’m far less confused. I really think I should get back to Security+ at some point and blog about all the confusing stuff as it’s really helpful for me to write the ideas out. CompTIA certs don’t exactly seem to be taken seriously though so it’s a bit rough for me to sink the money into one as you have to continually renew it now.
Now that I feel I kind of understand the question, I guess that’s all for tonight. Kind of bummed it took a day and a half to write this and feel like it should have been done yesterday and now it’s midnight but I had a few things to take care of today. I’ll get through this eventually.