Authentication types

Tonight I’m going to dig through some authentication stuff. There are so many types of authentication from front end to back, from federated Kerberos to pass-through using NTLM. There are so many options and to be honest the TechNet articles do a better job of confusing than explaining the scenarios and possibilities. I get that when you’re technical this is kind of funny but, darn it, I’m just not at that level yet. I guess I’ll watch one of those study guide videos on YouTube by such and such academy that totally prep you or order one of those books with the lighthouses on it. Anyway, let’s get into the one question I’m posting and then a flurry of TechNet articles.

[screenshot of the question, part 1]

[screenshot of the question, part 2]

OK, lol, so there are 5 listed and we still have to talk about pass-through auth, and NTLM is at least worth mentioning. I’m sure there is more I could talk about but I’ll be sure to draw a diagram to insert with a real nice Spaghetti copter filled with Papas Promise!

Publishing Applications with SharePoint, Exchange and RDG

Publishing Applications using AD FS Preauthentication

Planning to Publish Applications Using Web Application Proxy

Publish Applications using Pass-through Preauthentication

Step 5: Plan to Publish Applications using Pass-through Preauthentication

So MeasureUp has ‘kindly’ provided us with 3 very specific scenarios related to the question which don’t really help to get a general idea of how authentication works. Thankfully I’ve come up with a (sarcastic) diagram.

[image: the author’s (sarcastic) authentication diagram]

You know, to be honest it’s probably best to read everything in the network subheading of TechNet. At least for me, because there is so much to know. It’s kind of baffling to be honest.

windows-server-supported-networking-scenarios

Honestly though, if you’re looking for a good time, dig through there for some quality networking diagrams.

Network Policy Server (NPS)

I’m not sure if that looks like a robot or if it’s telling me that the remote requires two 9 volts in the side compartments and then 4 underneath it and then also, due to the fact that this remote is so powerful, it might be a good idea to use rechargeable batteries? I think that’s where it’s going anyway. Back to the task at hand, obviously I’m not going to go through every networking scenario and need to get back to the question, but I will give the advice that it’s very worthwhile to be familiar with anything having to do with RADIUS. At least it was in the past. Unclear on the deprecation factor at this point. May have to check back in on that. Anyway, let’s read some stuff that isn’t the suggested Microsoft stuff that deals specifically with the topics at hand. At this point you may be thinking, ‘Why on earth would we need to check sources that are not Microsoft? Why wouldn’t we look at these hella complicated things when we don’t really know the basics?’ I’m just going to leave this meme here for your perusal (then links):

[meme image]

HTTP Basic

That seems simple enough but honestly, I have no idea what the fuck happens in that exchange. So I’ve called in my buddy, who is an expert.

OK so it’s just basic user name and password authentication, if I’m understanding it right. I didn’t go to school for that sort of thing. In fact I dropped out of Security+ study because it got boring. I’m sure I’m pretty close to being able to pass. I do that sometimes though. Get real close to finishing something and then on the home stretch be like ‘nahh fuck it.’ Only with personal things though, to be honest. I’m sure I’m going to pick it back up but as I started getting into the groove I got real bad excited to start studying Microsoft stuff again. Anyway. That’s how it goes, let’s move on, now that we think we know, meaning we probably have no idea and are arrogant, what we are doing.
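As an added example (not part of the original post), here is the HTTP Basic exchange from the section above written out in Python: the server’s 401 challenge, the client’s Authorization header, and the server decoding and checking it. The names USERS, challenge, client_header, parse_basic and authenticate are my own, and the credential store is constructed for the example.

```python
import base64
import hmac
from typing import Optional, Tuple

# Constructed sample credential store (username -> password). Plain text only so the
# example is self-contained; a real server stores salted password hashes instead.
USERS = {"alice": "s3cret-pw"}


def challenge(realm: str = "example") -> Tuple[int, dict]:
    """Server, first leg: the request carried no credentials, so answer 401 plus a challenge."""
    return 401, {"WWW-Authenticate": f'Basic realm="{realm}", charset="UTF-8"'}


def client_header(username: str, password: str) -> str:
    """Client, second leg (RFC 7617): base64 of 'user:password'. This is encoding, not encryption."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def parse_basic(header: Optional[str]) -> Optional[Tuple[str, str]]:
    """Server: recover (user, password) from the Authorization header, or None if malformed."""
    if not header:
        return None
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):  # bad base64 or bad UTF-8
        return None
    # Split on the FIRST colon only: user names cannot contain ':' but passwords may.
    user, sep, password = raw.partition(":")
    if not sep or not user:
        return None
    return user, password


def authenticate(header: Optional[str]) -> int:
    """Server: the HTTP status to send for a request carrying this Authorization header."""
    creds = parse_basic(header)
    if creds is None:
        return 401
    user, password = creds
    # Always run the comparison, with a dummy value for unknown users, so response timing
    # does not reveal which user names exist; compare_digest avoids early-exit timing leaks.
    expected = USERS.get(user, "no-such-user-dummy")
    ok = hmac.compare_digest(expected.encode("utf-8"), password.encode("utf-8"))
    return 200 if ok and user in USERS else 401
```

The decoded token is the plaintext password, which is why Basic is only acceptable over TLS and why a front end that merely forwards this header hands the back end the same secret.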

MS-OFBA

To be honest, this seems like basic HTTP but with more steps, thus making it more exploitable. I could be wrong on that. I’ve been wrong on things before, though I don’t remember them. However, it’s not that hard to figure out basic HTTP; honestly it seems like the same thing but they added ‘cookies’ for some reason. This makes absolutely 0 sense and I have no idea what’s going on. Obviously they want you to read white papers for further info. Surprise fuckers! I’m absolutely not reading that shit because I will have 0 understanding.

OAuth 2

Lol this is surprisingly helpful. It explains how it works without giving away the amount of information needed to easily break it. Which either means it’s good or these people are drunkenly posting on the internet. Which, for the record, is not what I’m doing while drinking Kyle Juice tm and cheap vodka. (Dieting, and we are coming up on two weeks without a cigarette, and for someone that was a pack a day smoker it’s a big deal.) It looks like this one has a lot of back and forth stuff internally and I’m not exactly clear on how the client is interacting with this that makes it more secure than HTTP Basic, but I feel comfortable with the idea at least. This isn’t used in the question from MeasureUp, which I can tell you with 90% certainty will not be on the test due to Microsoft’s propensity toward testing only on proprietary information; however I can also tell you with some degree of certainty that Kerberos most definitely influenced this authentication model and bits of it were definitely harvested to produce this. Would have to call in an expert to confirm tho.

Azure SSO marketing for Pass-through

Pass-Through basic

These two, the first one being ‘look how easy this is for end users’ and the second one being a basic overview, are helpful but they don’t shed any light on how Pass-Through as a basic concept is any different than OAuth. That’s the thing with sign-on and security protocols, they have names but it’s sort of meaningless. I can assure you, as a person that works for a company that doesn’t exactly have SSO figured out, at least in my department, it’s not that easy. Like OK, so I sign in using a user name and password and then a front end server connects with a back-end server, which is completely transparent to me as an end user? I don’t understand why this is any different than basic HTTP. You have a server, you auth to it and then it internally accesses the resources it needs. On a conceptual level I understand that it isn’t safe to have a front end server in a DMZ area with easy access to a back-end server housing data full time, but it’s still slightly confusing to me. I’m starting to grasp the ideas but there is so much to learn about authentication. I feel like it would be much like what I’ve learned so far about Windows Server though: once you get the basics everything else is kind of seasoning. However, I can say at this point, when I look at the question I’m far less confused. I really think I should get back to Security+ at some point and blog about all the confusing stuff, as it’s really helpful for me to write the ideas out. CompTIA certs don’t exactly seem to be taken seriously though, so it’s a bit rough for me to sink the money into one as you have to continually renew it now.

Now that I feel I kind of understand the question, I guess that’s all for tonight. Kind of bummed it took a day and a half to write this and feel like it should have been done yesterday, and now it’s midnight, but I had a few things to take care of today. I’ll get through this eventually.
