  • Time server for internet users

    Hi everyone.

    I am in a bit of a jam.

    I am running a service that should be available for external users as well as internal users.
    External users must trust my Certificate Authority in order to use the service I am running and of course this brings on many horrible issues that relate to the system time on my servers.

    I am looking for a way to enable external users to sync their system time with my Windows 2003 server.

    If this is not possible, then I will need to look for a way to make the certificates issued by my server AND the CA server itself, more forgiving - time wise. As far as I know a discrepancy of more than 5 minutes means the certificate is useless... is there any way to change that?


    Thanks for your help.

    Meni
    Visit iCount
    Visit MSEC
    Visit LCS-GUIDES.COM
    Visit Melariche

  • #2
    A skew of 5 mins is only an issue with Kerberos authentication.
    If this is a web service, the certificates are handled by SSL/TLS protocol and do not require time synchronization.
    Guy Teverovsky
    "Smith & Wesson - the original point and click interface"



    • #3
      As a matter of fact this IS a TLS service.
      So you are saying that if I change Kerberos authentication to NTLM authentication I will not have that problem?

      *amazingly quick response time by the way - very cool!


      • #4
        Originally posted by Meni
        *amazingly quick response time by the way - very cool!
        RSS does wonders

        I am trying to understand something here...
        Are the users authenticating using certificates or they also get user/password message box ?

        In theory you can:

        1) Use only TLS for client authentication (this does not involve Windows Integrated/Basic/Digest) and require client certificates. Sticking to this option greatly depends on the way you issue your certificates (do you require certs to be not exportable, is there a chance that the cert has been stolen ?, etc...)

        2) Use both TLS (require client certificates) AND Windows Integrated/Basic/Digest. In this case, if you are using Windows Integrated, you will need to switch to NTLM as Kerberos is touchy to clock skews.

        Second option makes it more of "two-factor authentication" - users have to have both valid client certificate AND know account's password.
        Guy Teverovsky
        "Smith & Wesson - the original point and click interface"



        • #5
          The service is used for remote connections to Microsoft Live Communications server.
          Users need the certificates to authenticate in front of the LCS server.
          They are ALSO asked for a username and a password.

          Changing the auth type to NTLM as suggested in your previous post does help a bit, but not entirely.

          In Kerberos - the system will sense if the user has daylight saving time feature on or off. In NTLM - it doesn't care.

          But there is still a sensitivity to time sync. Although it seems to forgive a 20 minute diff at the moment, as opposed to the 5 minutes in Kerberos, I am still looking for a way to completely eliminate this sensitivity.


          • #6
            NTLM is not sensitive to clock skews.

            Some questions if you don't mind:

            1) Are you using Enterprise Root CA ?
            2) Have you configured account mapping ?
            3) Have you enabled Directory Services mapping for certificates or are you using IIS's 1-to-1 user account mapping ?
            4) Is it your question at Tapuz about SipSnoop ? (just trying to put the pieces together)
            Guy Teverovsky
            "Smith & Wesson - the original point and click interface"



            • #7
              1) Are you using Enterprise Root CA ?

              I am using a stand-alone root CA

              2) Have you configured account mapping ?

              Nope

              3) Have you enabled Directory Services mapping for certificates or are you using IIS's 1-to-1 user account mapping ?

              No I haven't. And I see no relation to LCS... Is there any relation?

              4) Is it your question at Tapuz about SipSnoop ? (just trying to put the pieces together)

              NO - could you send a link? I hold and maintain an LCS support site where there are several references to SipSnoop http://www.lcs-guides.com


              • #8
                stand-alone root CA without certificates mapping ?
                That explains... In your case the certificate is only checked for validity and is not mapped to a security principal in AD, hence the second authentication method is required to actually map the user to account in AD.

                In your current configuration the user certificates are quite useless, as their only value at present is the fact that you can check CRLs for cert revocation. It is not used to identify the user, hence the application (LCS) cannot build a user token to use for further authentication.

                Sorry about referencing IIS, for some reason I connected TLS to IIS too quickly and only now realized that TLS is enforced by LCS itself (or am I wrong again ?)

                Sorry, but my knowledge of LCS is quite limited to the AD attributes it uses and schema extensions that are needed and I do not have LCS handy to take a look.

                And here is the link: http://www.tapuz.co.il/tapuzforum/ma...msgid=55108867
                (Apparently I referenced your website when trying to help someone )
                Guy Teverovsky
                "Smith & Wesson - the original point and click interface"



                • #9
                  Yeah I try to work on my site 24x7 but am almost always out of time…

                  So you are saying that when I configure certificate mapping to users there will be no dependency on time whatsoever?

                  The issue that I fear the most is if a user has a different time zone set up in his remote system he might not be able to connect to my system.

                  This is the first time I get to work with M$ CA… so pardon the ignorance and thanks for the amazing support.


                  • #10
                    In theory, if everything else fails, you can increase the 5 mins Kerberos threshold. This opens up the AD to Kerberos replay attacks and should be considered by all means as last-resort. My opinion: DO NOT even think about it if the AD is used for anything other than LCS (aka, this is production AD).

                    I wish I had LCS handy... Sounds like an interesting problem to tackle.
                    Guy Teverovsky
                    "Smith & Wesson - the original point and click interface"



                    • #11
                      Well, the system is used ONLY for LCS, and the AD hosts ONLY LCS users. Nothing more.

                      What about your other suggestions? the mapping etc... you don't think that would help?

                      I am building a test environment from virtual machines.
                      When I am finished, I will PM you with details if you want to test out some options.


                      • #12
                        I am familiar with certificate mapping in IIS and IAS (both use slightly different methods), not sure how this is handled in LCS.

                        I would also like to have a better understanding of the authentication steps/protocols involved and how they all play together.

                        I have just played a bit with LCS virtual lab and what strikes me odd is the fact that I have not seen any option of authenticating users using certificates...

                        The only user authentication protocols available are NTLM and Kerberos. TLS is used only for encrypting the traffic between the user and the server, while the server's cert is used to establish the TLS tunnel.

                        Take a look at http://www.microsoft.com/technet/tra...lab/LCS05.mspx
                        The lab I am talking about is "Enabling Remote Access for LCS 2005"
                        Guy Teverovsky
                        "Smith & Wesson - the original point and click interface"



                        • #13
                          OK. Yes - that's how it works. Ok now I get you. You wanted to have authentication without username and password? This means that I would have to create a certificate for every user, and that wouldn't be so smart now would it?

                          Bear in mind that my system is supposed to support 1000s.


                          • #14
                            Originally posted by Meni
                            The service is used for remote connections to Microsoft Live Communications server.
                            Users need the certificates to authenticate in front of the LCS server.
                            They are ALSO asked for a username and a password.
                            This is where I got it wrong... I concluded that you were trying to authenticate to LCS with USER certificates, while in your setup the only certificate participating in the authentication is the LCS server certificate.

                            So the authentication chain we have looks like this:

                            client <==[server certificate]==LCS
                            client==[TLS tunnel encrypted by server's certificate]===>LCS

                            Inside TLS tunnel:
                            client==NTLM/Kerberos===>LCS

                            In this case, switching to NTLM should resolve the clock skew issues, but because NTLM is not date/time aware (no timestamps are used during NTLM authentication process), you will not be able to pick the daylight savings settings of the client.
                            Guy Teverovsky
                            "Smith & Wesson - the original point and click interface"

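The distinction Guy draws in #2 and #14 (a TLS client only checks that its own clock falls inside the server certificate's validity window, while Kerberos compares the client's timestamp against the KDC clock with a 5-minute tolerance), together with Meni's time-zone worry in #9, can be made concrete with the added Python example below. It is not code from this thread or from LCS; the certificate dictionary is a constructed sample shaped like the output of `ssl.SSLSocket.getpeercert()` for a hypothetical `lcs.example.test` server, and the dates, clock offsets and the `run_scenarios` helper are all made up for illustration. NTLM is left out because, as #14 notes, it carries no timestamp to check.

```python
"""Clock-skew tolerance of TLS certificate validation versus Kerberos.

Added example (not from the forum thread). Everything below is constructed:
the peer-certificate dictionary mimics the shape ssl.getpeercert() returns
for a hypothetical server, and the "true" time and client offsets are made up.
"""
import ssl
from datetime import datetime, timedelta, timezone

# Constructed sample: validity window of a hypothetical LCS server certificate,
# in the string format Python's ssl module uses for notBefore/notAfter.
SAMPLE_PEER_CERT = {
    "subject": ((("commonName", "lcs.example.test"),),),
    "notBefore": "Jan  1 00:00:00 2006 GMT",
    "notAfter": "Jan  1 00:00:00 2008 GMT",
}

# Kerberos default "maximum tolerance for computer clock synchronization".
KERBEROS_MAX_SKEW = timedelta(minutes=5)


def cert_validity_window(peer_cert):
    """Return (not_before, not_after) of a getpeercert()-style dict as UTC datetimes."""
    not_before = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(peer_cert["notBefore"]), tz=timezone.utc)
    not_after = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(peer_cert["notAfter"]), tz=timezone.utc)
    return not_before, not_after


def tls_time_check_passes(peer_cert, client_clock_utc):
    """TLS side: the client only asks whether *its own* clock lies inside the
    certificate's validity window. There is no comparison with the server's clock,
    so skew of minutes or hours is irrelevant as long as the window is wide."""
    not_before, not_after = cert_validity_window(peer_cert)
    return not_before <= client_clock_utc <= not_after


def kerberos_time_check_passes(client_clock_utc, kdc_clock_utc,
                               max_skew=KERBEROS_MAX_SKEW):
    """Kerberos side: the authenticator timestamp is compared with the KDC clock
    and rejected when |skew| exceeds max_skew (default 5 minutes)."""
    return abs(client_clock_utc - kdc_clock_utc) <= max_skew


def utc_from_local_display(local_naive, utc_offset_hours):
    """Convert what a client's clock *displays* in zone UTC+offset to the UTC instant.
    Both checks above operate on instants, so a correctly set clock shown in any
    time zone yields the same result."""
    return local_naive.replace(
        tzinfo=timezone(timedelta(hours=utc_offset_hours))).astimezone(timezone.utc)


def evaluate(peer_cert, client_clock_utc, kdc_clock_utc):
    """Return (tls_ok, kerberos_ok) for one client clock reading."""
    return (tls_time_check_passes(peer_cert, client_clock_utc),
            kerberos_time_check_passes(client_clock_utc, kdc_clock_utc))


def run_scenarios(peer_cert=SAMPLE_PEER_CERT):
    """Constructed scenarios: the server/KDC clock is correct; each client clock
    is off by a different amount. Returns {scenario: (tls_ok, kerberos_ok)}."""
    true_utc = datetime(2007, 6, 15, 12, 0, tzinfo=timezone.utc)  # constructed
    offsets = {
        "in sync": timedelta(0),
        "20 minutes fast": timedelta(minutes=20),
        "DST flag wrong (1 hour off)": timedelta(hours=1),
        "clock set two years ahead": timedelta(days=730),
    }
    results = {name: evaluate(peer_cert, true_utc + off, true_utc)
               for name, off in offsets.items()}
    # Same instant as true_utc, but displayed as 14:00 in a UTC+2 zone.
    shown_in_plus_two = utc_from_local_display(datetime(2007, 6, 15, 14, 0), 2)
    results["right instant, displayed in UTC+2"] = evaluate(
        peer_cert, shown_in_plus_two, true_utc)
    return results


if __name__ == "__main__":
    for name, (tls_ok, krb_ok) in run_scenarios().items():
        print(f"{name:38s} TLS={'ok' if tls_ok else 'FAIL':4s} "
              f"Kerberos={'ok' if krb_ok else 'FAIL'}")
```

The output makes the thread's point visible: every client whose clock falls anywhere in the two-year window passes the TLS check, only the in-sync client and the one whose zone setting differs but whose underlying UTC is right pass Kerberos, and a clock that merely has the wrong daylight-saving flag (one hour off) fails Kerberos while TLS is unaffected. A real client would of course still perform chain and hostname validation, which this example leaves out deliberately to isolate the time dimension.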


                            • #15
                              didn't quite understand the last line of your message...
                              pick the daylight...? meaning?

                              I want there to be no effect whatsoever of system time on the connection.