
First of all, I'm not an infrastructure guy, I'm a developer, so please excuse me if I'm leaving important information out. I just need to determine if the following is possible, and if so, how to proceed.

When a user changes their Active Directory password, I would like to sync it back into MIT Kerberos.

From the AD side, I see that there's something called Password Filters available to execute upon password change. But I don't know anything about Kerberos. Is it possible to programmatically change a user's password to something? If so, can C# be used? Or does it have to be Java or C++?

Any help is appreciated. Thanks in advance for your comments.

silverCORE
  • So you have a separate MIT Kerberos realm outside of your AD Kerberos realm that contains copies of all of the AD accounts? And you want to change that copy's password when the original's password gets changed? – Ryan Bolger Nov 03 '16 at 18:00
  • Hi Ryan, I'm not sure if they are separate realms or the same. Like I said, I'm not an infra guy. What I do know is that right now, there is synchronization from the MIT Kerberos into the existing (old) AD environment, and the goal is to introduce synchronization from the NEW AD environment back into the Kerberos instance. Does it make a difference (e.g. possible or not) if Kerberos is or is not on a separate realm than the AD I want to sync from? – silverCORE Nov 03 '16 at 18:54
  • I'm just trying to understand the motivation because there might be an easier way to accomplish the underlying business goal. Password filters aren't exactly simple and your AD admins may veto the idea outright. – Ryan Bolger Nov 03 '16 at 21:14
  • Just to be clear, Kerberos is an authentication protocol, not an identity management database. Kerberos is used by AD and other identity management systems to allow users to authenticate, and then to access systems. – Jeter-work Nov 04 '16 at 16:56
  • @RyanBolger Most likely this is someone else's horribly bad domain design that this guy is stuck with trying to make work. – Michael Hampton Nov 04 '16 at 18:03
  • @RyanBolger thanks for your comments. From my conversation with the requesting team, they have both MIT Kerberos AND also an existing AD realm. They mentioned there is a Kerberos plugin in place to sync from MIT Kerberos to their existing AD, whenever a user changes their password through the web application they use. I guess I'm still missing the piece of where they are storing the password in the first place, besides their existing AD. Thoughts? Like you said, K. is not an IM DB, but it's likely they have one in their environment, no? – silverCORE Nov 04 '16 at 21:15
  • If an organization does not have Active Directory but they do use Kerberos, there still has to be a password database somewhere, no? Is there a commonly used or default password database when using MIT Kerberos? – silverCORE Nov 04 '16 at 21:16
  • @Xalorous Kerberos is indeed a protocol. But the protocol relies on KDC servers to request tickets from and those KDCs store their principals and passwords in some sort of database. MIT's implementation uses a file based DB. Active Directory uses its internal database shared with the LDAP server. – Ryan Bolger Nov 04 '16 at 22:22
  • @silverCORE The passwords are likely stored in both the MIT Kerberos database and the Active Directory database which is why they need to be sync'd in the first place. I'm confused though. If they already have a web app that is propagating password changes to both places, what are you on the hook to deliver? – Ryan Bolger Nov 04 '16 at 22:25
  • @RyanBolger I think even I'm confused now. They said they wanted bi-directional sync added; right now the sync is from Kerberos into the old AD, and they are introducing the new AD. But if they are already syncing a pw into Kerberos... I just don't know. I'll have to meet with them again. What I initially suggested was to leave the existing call from the webapp into Kerberos, and to add a new call to the new AD. Still, I wanted to know about the feasibility of changing a Kerberos pw from the new AD Password Filter, in case that is what they wanted. – silverCORE Nov 05 '16 at 04:00
  • 1
    My question is, "Why stand up a separate KDC when you can use the AD DC as a KDC?" – Jeter-work Nov 05 '16 at 17:51

1 Answer

When a user changes their Active Directory password, I would like to sync it back into MIT Kerberos.

In its current form, this is too vague of a statement for it to really be answered in one shot.

Sending or "synchronizing" passwords from Active Directory to a 3rd party KDC (key distribution center/database) is not part of how Kerberos works. Nor can I think of a good reason to do it. Ever.

Active Directory uses a loosely-consistent database replication model to ensure that the database of usernames and passwords (and quite a lot else) is synchronized and kept up-to-date from one domain controller (KDC) to the next. Needless to say, MIT Kerberos KDCs cannot participate in that replication. (At least not in any sort of supportable fashion that is befitting of a professional organization.)

It is technically feasible to accomplish what you're describing, though very ill-advised.

Is it possible to programmatically change a user's password to something?

Of course. You can administratively reset a user's password in Active Directory to whatever you want, whenever you want, assuming you have the rights to do so. You can do this in either native code or managed code. Here is a simple example:

using System.DirectoryServices.AccountManagement;

// Bind to the current domain with the credentials of the calling process.
using (var context = new PrincipalContext( ContextType.Domain ))
{
  // Look the account up by sAMAccountName (null if not found).
  using (var user = UserPrincipal.FindByIdentity( context, IdentityType.SamAccountName, userName ))
  {
      // Reset: needs the "Reset Password" right, not the current password.
      user.SetPassword( "newpassword" );
      // or Change: needs the current password, no administrative right.
      // user.ChangePassword( "oldPassword", "newpassword" );
      user.Save();
  }
}

The key difference is that "changing" a user's password requires knowledge of the user's current password. "Resetting" a user's password can be done without the knowledge of the user's current password, but requires administrative privileges.

Not sure what that has to do with your original question of synchronizing passwords from Active Directory to a non-AD database, though.

From the AD side, I see that there's something called Password Filters

Password filters may only be developed in native (C or C++) code. No managed code allowed. Password filters are modules that are loaded into the LSASS process on all domain controllers. You must take extreme care if you plan on developing one, since if you cause a crash in lsass.exe, the entire domain controller goes down. And if one of them crashed because of your password filter, then they'll all probably crash since they're also all running your same password filter. And if all your domain controllers crash simultaneously, your entire company is down.

Yes, you could theoretically use a password filter. The password filter could record every password change that occurs into a text file or a separate database. Or it could transmit the password to another server over the network. How you choose to transmit and secure the password is entirely up to you. You'd better use TLS at a minimum. I swear if you transmit or store the passwords in plain text I will come find you in hell and torture you myself.

(Just kidding about that last part.)

Ryan Ries
  • Ryan Ries, thanks for the reply. I was already aware that one can programmatically change an AD password. My question was whether it can be done for an MIT Kerberos password, but since then Ryan Bolger has set me straight on that Kerberos is not a password database. However, on your comment on Password Filters... the team that requested this also wants to enforce certain password criteria. Is there any recommended guidance on how to do that? Or are Password Filters the recommended way? – silverCORE Nov 04 '16 at 21:21
  • Password filters are the correct way to enforce a password complexity policy that is above and beyond what is already achievable via Group Policy password policy rules. Since you're doing things with non-Windows accounts, I suppose a password filter would be the correct solution for that as well. – Ryan Ries Nov 04 '16 at 23:22
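The answer and the last comment describe the one legitimate job a password filter does: a native module inside LSASS that accepts or rejects a proposed password. The following is an added example, not code from the answer, from Microsoft, or from the asker's project. It shows the portable core of such a complexity check, written to handle the detail that bites filter authors most often: LSASS passes the password as a UTF-16 buffer with a byte length and no guaranteed terminator. The function names `password_meets_policy` and `ascii_password_meets_policy` and the thresholds (12 code units, 3 character classes) are assumptions chosen for illustration; the Windows-only section at the bottom uses the documented LSA export names and signatures and is compiled only when building the DLL on Windows.

```c
/* Added example (not from the answer): the portable core of a password
 * complexity check of the kind an LSA password filter's PasswordFilter export
 * performs. The thresholds (12 code units, 3 character classes) are assumptions
 * chosen for illustration, not a policy from the page. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef uint16_t wchar16;   /* one UTF-16 code unit; portable stand-in for WCHAR */

#define MIN_LEN     12
#define MIN_CLASSES 3

/* LSASS hands a filter a UNICODE_STRING whose Length is in BYTES and whose
 * Buffer is not guaranteed to be NUL-terminated, so the check takes an explicit
 * code-unit count and never scans for a terminator. Returns 1 if the password
 * satisfies the policy, 0 otherwise. */
int password_meets_policy(const wchar16 *pw, size_t n)
{
    int upper = 0, lower = 0, digit = 0, other = 0;
    size_t i;

    if (n < MIN_LEN)
        return 0;
    for (i = 0; i < n; i++) {
        wchar16 c = pw[i];
        if (c >= 'A' && c <= 'Z')      upper = 1;
        else if (c >= 'a' && c <= 'z') lower = 1;
        else if (c >= '0' && c <= '9') digit = 1;
        else                           other = 1; /* punctuation, space, non-ASCII */
    }
    return (upper + lower + digit + other) >= MIN_CLASSES;
}

/* Demo helper: widen an ASCII C string into UTF-16 code units (max 256). */
int ascii_password_meets_policy(const char *s)
{
    wchar16 buf[256];
    size_t n = 0;
    while (n < sizeof buf / sizeof buf[0] && s[n] != '\0') {
        buf[n] = (wchar16)(unsigned char)s[n];
        n++;
    }
    return password_meets_policy(buf, n);
}

#ifdef _WIN32
/* On Windows the same file builds as the filter DLL. These three exports run
 * inside lsass.exe on every domain controller that loads the DLL, so they must
 * be fast, must never fault, and must not copy or log the cleartext password.
 * SetOperation is TRUE for an administrative reset, FALSE for a user change. */
#include <windows.h>
#include <ntsecapi.h>

__declspec(dllexport) BOOLEAN __stdcall InitializeChangeNotify(void)
{
    return TRUE;
}

__declspec(dllexport) BOOLEAN __stdcall PasswordFilter(PUNICODE_STRING AccountName,
    PUNICODE_STRING FullName, PUNICODE_STRING Password, BOOLEAN SetOperation)
{
    (void)AccountName; (void)FullName; (void)SetOperation;
    /* Length is in bytes; divide by sizeof(WCHAR) to get code units. */
    return (BOOLEAN)password_meets_policy((const wchar16 *)Password->Buffer,
                                          Password->Length / sizeof(WCHAR));
}

__declspec(dllexport) NTSTATUS __stdcall PasswordChangeNotify(PUNICODE_STRING UserName,
    ULONG RelativeId, PUNICODE_STRING NewPassword)
{
    (void)UserName; (void)RelativeId; (void)NewPassword;
    return 0; /* STATUS_SUCCESS; nothing about the new password is recorded */
}
#endif

int main(void)
{
    /* Constructed sample inputs for the stand-alone demo. */
    const char *samples[] = { "Correct-Horse-9", "short1A!", "alllowercaseletters" };
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-22s -> %s\n", samples[i],
               ascii_password_meets_policy(samples[i]) ? "accepted" : "rejected");
    return 0;
}
```

Two design points matter for a module that lives in lsass.exe: the check does no allocation and no I/O, so it cannot fault or stall the domain controller on a malformed input, and PasswordChangeNotify deliberately returns without touching the new password, which is the part of the answer's warning that a filter author controls. The DLL is loaded through the LSA "Notification Packages" registry value, so that value is also where defenders should watch for modules they did not deploy.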