[Users] Reset password from Zimbra when using Active Directory

David Sommerseth dazo at eurephia.org
Sat Apr 2 20:03:12 CEST 2016


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 02/04/16 15:59, Barry De Graaff wrote:
> Hello David,
> 
> What would be the benefits from using kerberos?

The key concept of Kerberos is single sign-on (SSO).  I do not have the
details on the Windows side, but it should not differ that much from the
Linux world I live in - as Kerberos is a well defined standard.

It is probably easier to explain this using real life examples.

I have an SL7 laptop, which is enrolled in an IPA domain (using FreeIPA).  So
when I log into my laptop with my username/password, once my laptop gets a
network connection I get a Kerberos ticket automatically based on my login
credentials (SSSD provides caching for off-line situations and does the
'kinit' process once the Kerberos server - the KDC - is reachable).

I have also enabled Kerberos on my Zimbra server, which means that when I
access the webmail (or the admin webUI) - I am automatically logged in.  The
same applies if I use IMAP.  POP3 and SMTP are also supported.

With that said, there are a few bugs in Heimdal, which Zimbra builds with,
which break Kerberos for SMTP and for IMAP/POP3 going via an nginx proxy
(using GSSAPI) - but those are details in this context (Quanah and I have done
some debugging on this already, and it is slowly moving forward, and it
seems related to RHEL platforms).  SPNEGO support is also lacking on the
webdav interface.  Once all of these issues are solved, Zimbra will provide
a fairly well integrated SSO experience.

But the key user experience is: Once you're logged in, you don't type your
password any more.

The security side of Kerberos is that the password is almost never
transferred over the wire.  Kerberos is actually designed to be used over
insecure networks.  There are basically two scenarios where the password
goes over the wire: 1) when you change the password (the KDC needs to have
a copy of your password), and 2) when you have no possibility to obtain
a Kerberos ticket and the service you access can do the Kerberos
authentication on your behalf (Zimbra supports this too).

Further on the security side, when you do have a Kerberos ticket and that
has been provided to a service using GSSAPI (IMAP/POP3/SMTP) or SPNEGO over
HTTP/HTTPS, the service also has no clue what the password might be.  It
only knows that you are authenticated by the same KDC that the service is
configured to trust.  (Each service needs a separate service ticket granted
by the KDC.)

If GSSAPI or SPNEGO is not used, the password is only temporarily available
on the Zimbra platform.  Otherwise the Zimbra platform does not have any
password hashes stored locally.

On top of this, you can also enable a KDC Proxy, which allows the Kerberos
authentication to be done over an HTTPS connection over an insecure Internet
connection; which again provides SSO capabilities even when the KDC is not
directly available [1].  In fact the KDC can be put inside a very strict and
well controlled network with only specific hosts/networks being allowed to
initiate contact directly with it.


[1] For this to work, you need krb5 libraries on your client that support
    KDC proxy.  RHEL7 and newer Fedora releases have at least support for
    that out of the box.  KDC Proxy is also a standard designed by Microsoft,
    so I take it for granted that Windows supports this as well.
    More info: <http://www.freeipa.org/page/V4/KDC_Proxy>
    <https://msdn.microsoft.com/en-us/library/hh553774.aspx>


> There are some known flaws in the Kerberos implementation for windows
> http://www.theregister.co.uk/2015/12/15/devastating_flaw_in_windows_authentication/
>
> The Extension uses two things: an LDAP Bind DN AND the existing user's
> credentials to change the password. It requires the use of LDAP over SSL
> (TLS).
> 
> For a secure implementation one can create a service account in Windows
> that can act as bind dn, with limited access rights (and read-only access
> on the ldap)
> 
> So... Kerberos, would not add much in terms of security, but would add a
> lot of complexity to the code.
> 
> Anyways, maybe I am missing something, so please explain your comment 
> further.

I beg to differ.  With Kerberos you get proper SSO, and the reason for
wanting support for changing the Kerberos password is for those scenarios
where you are using the webmail from a computer where Kerberos tickets are not
possible to establish.  The Kerberos server (in practice the KDC) manages
password history, expiry dates, attempt counters and so on.  So if your
password has expired, you should ideally get the "change password" dialogue
instead of a failed login.

If you're on a computer enrolled in a Kerberos domain, you'll get a change
password dialogue during the normal login.  But that isn't always the case.
And if a Zimbra user is travelling without his Kerberos enrolled computer,
there's no possibility to change the password until he can access the KDC
again from a computer enrolled to that KDC.  Otherwise you need side-channel
solutions with different login-portals to change the password.  But if the
Kerberos password is expired and you try to log in via the webmail, AFAIR you
just get a login failed error.

With that said, it isn't ideal to pass any Kerberos passwords over the
Internet.  But sometimes you need to make a pragmatic compromise between
practical solutions and security.  For any setup involving more than a few
computers, having Kerberos available simplifies a lot of things while
enhancing the overall security.  I am also not saying this Kerberos password
change should be forcibly enabled, but having this possibility would benefit
many sites.

At the same time, I must confess I do not know much about weaknesses in the
Windows AD/Kerberos implementation.  I just know that Kerberos is fairly
well supported on a lot of platforms and is a de-facto standard for SSO,
which can also have a lot of other authentication schemes on top of it
(ipsilon, SAML, shibboleth, to mention a few).  Newer FreeIPA versions also
support TOTP/HOTP for Kerberos passwords; it would surprise me a lot if
the AD/Kerberos implementation does/will not support this as well.

If the Kerberos implementation has weaknesses and those are isolated to the
implementation Microsoft has done, that problem should not concern
us that much.  That is something Microsoft needs to take care of in Windows.
And it should not make Kerberos a less regarded solution.

And a quick note regarding LDAP authentication (which is possible with
Zimbra too).  This is an SSO solution.  It is just reusing the password
database stored somewhere else.  But it requires the password to be passed
over the wire each time a user must be authenticated.  When a Kerberos
ticket is available, the password is never transferred over the wire.

I hope this made it clearer.


David S.



> ----- Original Message -----
> From: "David Sommerseth" <dazo at eurephia.org>
> To: "Jorge de la Cruz" <jdelacruz at zetalliance.org>, "Adam Cody" <ajcody at zetalliance.org>
> Cc: users at lists.zetalliance.org
> Sent: Saturday, April 2, 2016 2:28:00 PM
> Subject: Re: [Users] Reset password from Zimbra when using Active Directory
> 
> On 02/04/16 10:10, Jorge de la Cruz wrote:
>> I will create couple of Blog Posts and a Wiki around it :)
> 
>> Why is this not natively in Zimbra?
> 
> You're probably in a better position to ask the proper persons about
> that ;-)  But nevermind my snarky comment, not blaming anyone :)
> 
> I just wanted to say that I would really appreciate that the Change
> Password feature would work using the Kerberos/kpasswd protocol.  I have
> no chance to really check if that works against AD servers, I just think
> it would be odd if it doesn't as AD otherwise depends on Kerberos for
> authentication and SSO.
> 
> 
> David S.
> 
> 
>> ----- Original Message -----
>> From: "Adam Cody" <ajcody at zetalliance.org>
>> To: "Barry De Graaff" <barrydg at zetalliance.org>
>> Cc: users at lists.zetalliance.org
>> Sent: Saturday, April 2, 2016 2:05:55 AM
>> Subject: Re: [Users] Reset password from Zimbra when using Active Directory
> 
>> Awesome job. It will be interesting to see how much activity this
>> creates in the next couple of months.
> 
>> -Ajcody
> 
>> ----- Original Message -----
>> From: "Barry De Graaff" <barrydg at zetalliance.org>
>> To: users at lists.zetalliance.org
>> Sent: Friday, April 1, 2016 12:33:38 PM
>> Subject: [Users] Reset password from Zimbra when using Active Directory
> 
>> Hello All,
> 
>> Today I have confirmed that the ADPassword Zimbra server extension to 
>> change Active Directory passwords from the Zimbra web client by
>> Antonio Messina works with Zimbra 8.6 and Windows 2012 R2 Active
>> Directory.
> 
>> I have sent a pull request with updated documentation to Antonio.
> 
>> https://github.com/Zimbra-Community/ADPassword
> 
>> See the readme: 
>> https://github.com/Zimbra-Community/ADPassword/blob/master/README.md
> 
>> Also I created a video that demonstrates the readme: 
>> https://www.youtube.com/watch?v=AYmsdw3tHoU
> 
>> Also Antonio indicated he is willing to transfer his repository to the 
>> Zimbra-Community Github, allowing us to work closely together and also 
>> keeping things bundled together nicely for our users.
> 
>> Best regards,
> 
>> Barry
> 
> 
>> Related: https://bugzilla.zimbra.com/show_bug.cgi?id=6697
> 
> 
> 
> -- kind regards,
> 
> David Sommerseth
> 

- -- 
kind regards,

David Sommerseth
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (GNU/Linux)

iEYEARECAAYFAlcACWAACgkQDC186MBRfrrKzACfWrJAXspqzKiHTI+AxW1kv6St
BKEAnRbfqKvw9bOHo0nkWEj4RGezvsew
=GxzV
-----END PGP SIGNATURE-----
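The KDC Proxy mentioned in the message above (footnote [1]) works by wrapping each raw Kerberos message in a small DER structure, KDC-PROXY-MESSAGE, and POSTing it to the proxy over HTTPS with content type application/kerberos; the proxy relays the inner message to a real KDC and wraps the reply the same way. The following is an added example written for this page, not code from the mailing list, from Zimbra, or from FreeIPA/MIT krb5. It encodes and decodes that envelope by hand (explicit tagging, as in the Kerberos ASN.1 modules; the kerb-message field carries the 4-octet TCP length prefix of RFC 4120 section 7.2.2), and verifies that prefix before trusting the payload. The proxy URL, the realm name and the "AS-REQ" bytes are constructed placeholders; the offline demo uses an in-process stand-in for the proxy, so no KDC is contacted.

```python
"""MS-KKDCP (KDC proxy) envelope: wrap a Kerberos message for HTTPS and unwrap the reply."""
import urllib.request

# DER tags used by KDC-PROXY-MESSAGE (the Kerberos ASN.1 modules use EXPLICIT tagging)
SEQUENCE, OCTET_STRING, GENERAL_STRING, INTEGER = 0x30, 0x04, 0x1B, 0x02
CTX0, CTX1, CTX2 = 0xA0, 0xA1, 0xA2  # [0] kerb-message, [1] target-domain, [2] dclocator-hint


def _der_len(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body


def _read_tlv(buf, pos):
    """Return (tag, body, next_pos) for the DER element starting at buf[pos]."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER element")
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    end = pos + length
    if end > len(buf):
        raise ValueError("DER element runs past end of buffer")
    return tag, buf[pos:end], end


def _single(tag, blob):
    """Decode a constructed body that must hold exactly one element of the given tag."""
    itag, value, end = _read_tlv(blob, 0)
    if itag != tag or end != len(blob):
        raise ValueError("unexpected inner element %#x" % itag)
    return value


def build_kdc_proxy_message(kerb_msg, target_domain=None, dclocator_hint=None):
    """Encode KDC-PROXY-MESSAGE; kerb-message keeps the 4-octet length prefix of RFC 4120 7.2.2."""
    framed = len(kerb_msg).to_bytes(4, "big") + kerb_msg
    fields = _tlv(CTX0, _tlv(OCTET_STRING, framed))
    if target_domain is not None:  # Realm is a KerberosString, i.e. a GeneralString
        fields += _tlv(CTX1, _tlv(GENERAL_STRING, target_domain.encode("ascii")))
    if dclocator_hint is not None:  # non-negative INTEGER, minimal two's complement
        n = dclocator_hint
        fields += _tlv(CTX2, _tlv(INTEGER, n.to_bytes(n.bit_length() // 8 + 1, "big")))
    return _tlv(SEQUENCE, fields)


def parse_kdc_proxy_message(der):
    """Decode KDC-PROXY-MESSAGE, checking the inner length prefix before trusting the payload."""
    tag, body, end = _read_tlv(der, 0)
    if tag != SEQUENCE or end != len(der):
        raise ValueError("not a single KDC-PROXY-MESSAGE SEQUENCE")
    out = {"kerb_message": None, "target_domain": None, "dclocator_hint": None}
    pos = 0
    while pos < len(body):
        ctx, inner, pos = _read_tlv(body, pos)
        if ctx == CTX0:
            framed = _single(OCTET_STRING, inner)
            if len(framed) < 4 or int.from_bytes(framed[:4], "big") != len(framed) - 4:
                raise ValueError("kerb-message length prefix does not match payload")
            out["kerb_message"] = framed[4:]
        elif ctx == CTX1:
            out["target_domain"] = _single(GENERAL_STRING, inner).decode("ascii")
        elif ctx == CTX2:
            out["dclocator_hint"] = int.from_bytes(_single(INTEGER, inner), "big", signed=True)
        else:
            raise ValueError("unexpected element %#x" % ctx)
    if out["kerb_message"] is None:
        raise ValueError("kerb-message is mandatory")
    return out


def kdcproxy_exchange(kerb_request, realm, proxy_url, post=None):
    """Send one raw Kerberos request through a KDC proxy and return the raw KDC reply."""
    if post is None:  # real transport: HTTPS POST with the MS-KKDCP content type
        def post(url, data):
            req = urllib.request.Request(url, data=data, method="POST",
                                         headers={"Content-Type": "application/kerberos"})
            with urllib.request.urlopen(req) as resp:
                return resp.read()
    reply = post(proxy_url, build_kdc_proxy_message(kerb_request, target_domain=realm))
    return parse_kdc_proxy_message(reply)["kerb_message"]


def demo_round_trip():
    """Offline round trip against an in-process stand-in for the proxy; no KDC is contacted."""
    def fake_proxy(url, data):
        req = parse_kdc_proxy_message(data)
        # A real proxy would relay req["kerb_message"] to a KDC of req["target_domain"].
        return build_kdc_proxy_message(b"constructed-AS-REP-for:" + req["kerb_message"])
    # Placeholder bytes stand in for a real AS-REQ; the URL and realm are made up.
    return kdcproxy_exchange(b"constructed-AS-REQ", "EXAMPLE.COM",
                             "https://kdcproxy.example.com/KdcProxy", post=fake_proxy)


if __name__ == "__main__":
    print(demo_round_trip())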



