AppFabric 1.1 Authentication Security Protocol: Kerberos or NTLM

You may ask why you should care which authentication protocol AppFabric uses, as long as it works. That is true in most cases. However, sometimes you want to know which protocol is in use, because you are concerned about the performance difference between Kerberos and NTLM, or about the large number of logon/logoff events written to the security event log when security auditing is enabled. This article is written as a continuation of this blog.

The default value of DataCacheServiceAccountType is DataCacheServiceAccountType.SystemAccount, in which case the AppFabric client assumes the caching service account is Network Service. It uses Kerberos and puts the host SPN (service principal name) of the target machine in the Kerberos TGS request. This works when the caching service account is indeed Network Service, because the host SPN is registered for the machine account (machinename$) in the domain controller by default. Note that the Network Service account appears on the network as the machine account, machinename$. You will see “Authentication Package: Kerberos” in the security event log when security auditing is enabled:

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          2/9/2015 2:10:28 PM
Event ID:      4624
Task Category: Logon
Level:         Information
Keywords:      Audit Success
User:          N/A
Computer:     Server
Description:
An account was successfully logged on.

Subject:
Security ID:  NULL SID
Account Name:  -
Account Domain:  -
Logon ID:  0x0

Logon Type:   3

New Logon:
Security ID:  Domain\User
Account Name:  User
Account Domain:  Domain
Logon ID:  0x6a8fba
Logon GUID:  {116d7aa7-7569-a5b7-ea37-7074c066e4b9}

Process Information:
Process ID:  0x0
Process Name:  -

Network Information:
Workstation Name:
Source Network Address: -
Source Port:  -

Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length:  0

This event is generated when a logon session is created. It is generated on the computer that was accessed.

When DataCacheServiceAccountType is set to DataCacheServiceAccountType.SystemAccount, the AppFabric client assumes the caching service account is Network Service and attempts to use Kerberos with the host SPN in the TGS request. This eventually fails if the caching service account is in fact a domain account rather than Network Service, because the host SPN is registered for the machine account, not for the domain account. You will see the error “The target principal name is incorrect” described in the blog. AppFabric does not fall back to NTLM after encountering this error.

When DataCacheServiceAccountType is set to DataCacheServiceAccountType.DomainAccount, the AppFabric client assumes the caching service account is a domain account. It attempts to use Kerberos and requests the SPN “AppFabricCachingService/targetHostName:22233” in the TGS request. This SPN is most likely not registered for the caching service account in the domain controller, so the client receives the error KDC_ERR_S_PRINCIPAL_UNKNOWN and falls back to NTLM:

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          2/9/2015 2:17:43 PM
Event ID:      4624
Task Category: Logon
Level:         Information
Keywords:      Audit Success
User:          N/A
Computer:      Server
Description:
An account was successfully logged on.

Subject:
Security ID:  NULL SID
Account Name:  -
Account Domain:  -
Logon ID:  0x0

Logon Type:   3

New Logon:
Security ID:  Domain\User
Account Name:  Domain
Account Domain:  User
Logon ID:  0x719641
Logon GUID:  {00000000-0000-0000-0000-000000000000}

Process Information:
Process ID:  0x0
Process Name:  -

Network Information:
Workstation Name: ClientComputer
Source Network Address: -
Source Port:  -

Detailed Authentication Information:
Logon Process: NtLmSsp
Authentication Package: NTLM
Transited Services: -
Package Name (NTLM only): NTLM V2
Key Length:  128

This event is generated when a logon session is created. It is generated on the computer that was accessed.

With Kerberos event logging enabled on the client, you will see that the requested SPN is AppFabricCachingService/ServerFQDN:22233.

Log Name:      System
Source:        Microsoft-Windows-Security-Kerberos
Date:          2/9/2015 2:45:07 PM
Event ID:      3
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      ClientComputer
Description:
A Kerberos error message was received:
on logon session
Client Time:
Server Time: 19:45:7.0000 2/9/2015 Z
Error Code: 0x7  KDC_ERR_S_PRINCIPAL_UNKNOWN
Extended Error:
Client Realm:
Client Name:
Server Realm: REDMOND.CORP.MICROSOFT.COM
Server Name: AppFabricCachingService/ServerFQDN:22233
Target Name: AppFabricCachingService/ServerFQDN:22233@Domain
Error Text:
File: 9
Line: 12c4
Error Data is in record data.

Network trace:
0.0816158 4916 2:27:15 PM 2/9/2015 31.9676333 Unavailable 65.53.10.43 10.219.0.218 KerberosV5 KerberosV5:TGS Request  {TCP:763, IPv4:751}
0.0806043 4928 2:27:15 PM 2/9/2015 32.0482376 Unavailable 10.219.0.218 65.53.10.43 KerberosV5 KerberosV5:KRB_ERROR  - KDC_ERR_S_PRINCIPAL_UNKNOWN (7) {TCP:763, IPv4:751}

If you really wish to use Kerberos rather than NTLM when the caching service account is a domain account, set DataCacheServiceAccountType to DomainAccount and register the SPN “AppFabricCachingService/targetHostName:22233” for the service account using setspn:

setspn -a AppFabricCachingService/targetHostName:22233 Domain\CachingServiceAccount

In summary, AppFabric always tries Kerberos first. It uses the host SPN when DataCacheServiceAccountType = SystemAccount, and the custom SPN “AppFabricCachingService/targetHostName:22233” when DataCacheServiceAccountType = DomainAccount. Whether the connection succeeds, and which protocol it ends up using, depends on whether that SPN is registered and on whether the caching service account is Network Service or a domain account.

Finally, I want to ask a question: will it work if DataCacheServiceAccountType is set to DomainAccount but the caching service account is Network Service? The answer is yes: it works and uses NTLM, provided the SPN “AppFabricCachingService/targetHostName:22233” is not registered, again because AppFabric falls back to NTLM on KDC_ERR_S_PRINCIPAL_UNKNOWN. This combination of DataCacheServiceAccountType and caching service account is confusing and certainly not recommended. The only benefit I can think of is that the same client setting works irrespective of the caching service account, at the cost of using NTLM rather than Kerberos.
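The decision table in the summary and the final question can be checked before deploying a client setting. The following PowerShell function, an added example that is not part of the original post or of AppFabric itself, looks up the SPN the client will request and reports the outcome the rules above predict. It assumes a domain-joined machine with the ActiveDirectory module; the host and account names in the sample call at the bottom are constructed.

```powershell
# Added example (not from the original post): predict Kerberos vs NTLM for an
# AppFabric client from DataCacheServiceAccountType, the account the caching
# service runs as, and which AD object holds the SPN the client will request.
function Get-AppFabricAuthExpectation {
    param(
        [Parameter(Mandatory)] [string] $CacheHost,       # FQDN of the cache host
        [Parameter(Mandatory)] [string] $ServiceAccount,  # sAMAccountName, or 'NetworkService'
        [ValidateSet('SystemAccount', 'DomainAccount')] [string] $AccountType = 'SystemAccount'
    )
    Import-Module ActiveDirectory -ErrorAction Stop

    $computerAccount = $CacheHost.Split('.')[0] + '$'
    # The account whose key must match the service ticket: Network Service presents
    # the machine account on the network, so its SPNs live on the computer object.
    $expectedHolder = if ($ServiceAccount -eq 'NetworkService') { $computerAccount } else { $ServiceAccount }

    # The SPN the client puts in the TGS request depends on DataCacheServiceAccountType.
    $spn = if ($AccountType -eq 'SystemAccount') { "host/$CacheHost" } else { "AppFabricCachingService/${CacheHost}:22233" }

    # Which AD object (user or computer) has this SPN registered, if any?
    $holder = Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)" -Properties sAMAccountName |
              Select-Object -ExpandProperty sAMAccountName -First 1

    $outcome = if (-not $holder) {
        if ($AccountType -eq 'DomainAccount') {
            # KDC_ERR_S_PRINCIPAL_UNKNOWN: the client falls back to NTLM and the connection works,
            # whether the service runs as a domain account or as Network Service.
            "NTLM (SPN $spn not registered; client falls back after KDC_ERR_S_PRINCIPAL_UNKNOWN)"
        } else {
            "FAIL (host SPN missing; computer object $computerAccount normally has it by default)"
        }
    } elseif ($holder -eq $expectedHolder) {
        "Kerberos (SPN $spn registered for $holder)"
    } else {
        # Ticket is encrypted with $holder's key but the service runs as $expectedHolder:
        # 'The target principal name is incorrect', and no NTLM fallback.
        "FAIL (SPN $spn is registered for $holder but the service runs as $expectedHolder)"
    }

    [pscustomobject]@{ Spn = $spn; RegisteredTo = $holder; ServiceRunsAs = $expectedHolder; Expected = $outcome }
}

# Constructed sample call: service runs as a domain account, client configured for DomainAccount.
Get-AppFabricAuthExpectation -CacheHost 'cache01.example.com' -ServiceAccount 'svc-appfabric' -AccountType 'DomainAccount'
```

Run it once per combination you plan to deploy; a result of NTLM on a client you expected to use Kerberos points at the missing SPN registration from the setspn step above.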