Kerberos Authentication in Active Directory

The Kerberos version 5 authentication protocol provides a mechanism for authentication, including mutual authentication, between a client and a server, or between one server and another server.

Rather than transmitting the user's actual password over the network, Kerberos works with a series of tickets. When you sit down at your workstation, press Ctrl+Alt+Del to log on and enter your credentials, your machine begins the authentication process.


The process can be divided into three stages:

  1. Authentication
  2. Obtaining a Service Ticket
  3. Accessing the Services

  1. Authentication process

At this step the client sends an AS_REQ (Authentication Service Request) message to the domain controller. The Kerberos service on the DC is the Key Distribution Center (KDC); in AD every domain controller runs it.


The client name is the user principal name (UPN). To prevent replay attacks in which an attacker recycles a captured AS_REQ, the message carries the current time encrypted with a key derived from the user's password (the NT hash for RC4-HMAC, a PBKDF2-derived key for the AES encryption types); this step is called pre-authentication. When the KDC receives the AS_REQ, it decrypts the timestamp with its own copy of the user's key. If that fails, the KDC sends an error (KDC_ERR_PREAUTH_FAILED) back to the client.

If the decryption succeeds and the timestamp is within the permitted clock skew (five minutes by default), the KDC returns an AS_REP (Authentication Service Reply) message to the user with an embedded TGT (ticket-granting ticket).


At this point the user's machine caches the TGT and the session key for the lifetime of the TGT, which is 10 hours by default. The AS_REP message has two parts. The first part carries the session key that will be used for further communication with the KDC; it is encrypted with the client's secret (the same password-derived key), so only someone who knows the password can read it.

The second part, the TGT, is encrypted with the KDC's secret, so the client can store and present it but never read it. In AD's Kerberos implementation the KDC's secret is the key of the krbtgt user account that exists in every AD domain. The krbtgt account is created when the first DC in a domain is promoted, and it is crucial to the domain's operation: whoever holds its key can decrypt and forge TGTs, so it must be protected like the domain controllers themselves.

  2. Obtaining a Service Ticket

After you log on and try to access a resource or service, the service-ticketing process starts: the client sends a TGS_REQ (Ticket-Granting Service Request) message to the KDC.

The first piece of information in the request is the SPN (service principal name) of the service the client wants a ticket for. Next comes an authenticator: the client's name and a timestamp, encrypted with the session key the client received in the AS_REP. As before, this prevents replay attacks in which an attacker reuses a captured request. Also included is a copy of the TGT the client received earlier, which the KDC can open with the krbtgt key.

Once the KDC validates the TGS_REQ, the client receives a TGS_REP from the KDC with the service ticket embedded in it. The service ticket is encrypted with the key of the account the SPN is registered on, so the client cannot read or alter it; alongside it, encrypted with the TGT session key, is a new session key for talking to the service. The client now has everything it needs to access the requested service. The service ticket is also valid for 10 hours by default.

  3. Accessing the Services

Once the client has a service ticket, it presents the ticket to the service and requests access. The ticket is sent to the application in the form of a Kerberos AP_REQ message, which contains the service ticket and a fresh authenticator with the client's details.


The service decrypts the service ticket with its own key and obtains the session key, which it uses to decrypt the timestamp and client name in the authenticator; these in turn validate the authenticity of the service ticket itself. The KDC is not contacted in this step. It's important to note that even if the service accepts the service ticket, at this point the client has merely authenticated to the service. Authorization is still up to the service, based on the information it has about the client (in AD, the group membership carried in the ticket's PAC and the service's own access control lists).
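As an added example (not code from the original post), the three stages above as a toy PowerShell model that runs offline and exchanges both sides' messages: a KDC holding a krbtgt key, a user key and a service key; pre-authentication with an encrypted timestamp; a TGT the client stores but cannot read; a service ticket under the service's key; and a service that validates the AP_REQ without contacting the KDC. The key derivation, the cipher, the message layout, the realm, the principal names and the passwords are all simplified stand-ins chosen for the example, not real Kerberos encryption types or ASN.1.

```powershell
# Added example, not code from the original post: a toy model of the three Kerberos stages with both sides'
# messages. Key derivation, cipher and message layout are simplified stand-ins (no real Kerberos etypes or
# ASN.1); realm, principals and passwords are made up. Runs offline in Windows PowerShell 3 or later.
$MaxSkewSeconds = 300            # clock skew a KDC tolerates on timestamps (AD default: 5 minutes)
$TicketLifetimeSec = 10 * 3600   # default TGT and service-ticket lifetime (10 hours)
$Realm = 'CORP.LOCAL'            # assumed realm
function Get-Now { [int64][math]::Floor(([DateTime]::UtcNow - [DateTime]'1970-01-01').TotalSeconds) }
function New-SessionKey { $b = New-Object byte[] 32; [Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($b); [Convert]::ToBase64String($b) }

function Get-KeyFromPassword([string]$Password, [string]$Salt) {
    # Stand-in for password-to-key derivation (AD derives AES keys with PBKDF2; RC4-HMAC uses the NT hash)
    $kdf = New-Object Security.Cryptography.Rfc2898DeriveBytes -ArgumentList @($Password, [Text.Encoding]::UTF8.GetBytes($Salt), 4096)
    return ,$kdf.GetBytes(32)
}
function Invoke-ToyStreamCipher([byte[]]$Key, [byte[]]$Nonce, [byte[]]$Data) {
    # XOR with an HMAC-SHA256 counter-mode keystream; the same call encrypts and decrypts
    $hmac = New-Object Security.Cryptography.HMACSHA256(,$Key)
    $out = New-Object byte[] $Data.Length
    for ($i = 0; $i -lt $Data.Length; $i++) {
        if ($i % 32 -eq 0) { $block = $hmac.ComputeHash([byte[]]($Nonce + [BitConverter]::GetBytes([int]($i / 32)))) }
        $out[$i] = $Data[$i] -bxor $block[$i % 32]
    }
    return ,$out
}
function Protect-Message([byte[]]$Key, [hashtable]$Fields) {
    # Toy authenticated encryption: nonce || ciphertext || HMAC tag, with JSON inside. Demonstration only.
    $nonce = New-Object byte[] 16; [Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($nonce)
    $cipher = Invoke-ToyStreamCipher $Key $nonce ([Text.Encoding]::UTF8.GetBytes(($Fields | ConvertTo-Json -Compress)))
    $tag = (New-Object Security.Cryptography.HMACSHA256(,$Key)).ComputeHash([byte[]]($nonce + $cipher))
    return [Convert]::ToBase64String([byte[]]($nonce + $cipher + $tag))
}
function Unprotect-Message([byte[]]$Key, [string]$Blob) {
    $raw = [Convert]::FromBase64String($Blob)
    $nonce = [byte[]]$raw[0..15]; $cipher = [byte[]]$raw[16..($raw.Length - 33)]; $tag = [byte[]]$raw[($raw.Length - 32)..($raw.Length - 1)]
    $expected = (New-Object Security.Cryptography.HMACSHA256(,$Key)).ComputeHash([byte[]]($nonce + $cipher))
    # A wrong key (wrong password at pre-auth, or a ticket issued for another service) or a modified blob fails here
    if ([BitConverter]::ToString($tag) -ne [BitConverter]::ToString($expected)) { throw 'decryption failed: wrong key or tampered message' }
    $json = [Text.Encoding]::UTF8.GetString((Invoke-ToyStreamCipher $Key $nonce $cipher))
    return ($json | ConvertFrom-Json)
}

# KDC key database: long-term keys for krbtgt, a user and the account behind an SPN (all assumed values)
$Kdc = @{}
foreach ($p in (@{ 'krbtgt' = 'krbtgt-secret'; 'alice' = 'Summer2015!'; 'cifs/fs01' = 'svc-fs01-secret' }).GetEnumerator()) {
    $Kdc[$p.Key] = Get-KeyFromPassword $p.Value "$Realm$($p.Key)"
}
function Invoke-ASExchange($AsReq) {
    # Stage 1: check the pre-auth timestamp under the client's key, then issue a session key and a TGT
    $now = Get-Now
    if (-not $Kdc.ContainsKey($AsReq.cname)) { throw 'KDC_ERR_C_PRINCIPAL_UNKNOWN' }
    $pa = Unprotect-Message $Kdc[$AsReq.cname] $AsReq.padata    # throws if the password (key) is wrong
    if ([math]::Abs($now - $pa.timestamp) -gt $MaxSkewSeconds) { throw 'KDC_ERR_PREAUTH_FAILED: timestamp outside skew (replay or clock drift)' }
    $sk = New-SessionKey
    return @{ enc_part = (Protect-Message $Kdc[$AsReq.cname] @{ sk = $sk; endtime = $now + $TicketLifetimeSec });                       # for the client
              tgt      = (Protect-Message $Kdc['krbtgt'] @{ cname = $AsReq.cname; sk = $sk; endtime = $now + $TicketLifetimeSec }) }   # opaque to the client
}
function Invoke-TGSExchange($TgsReq) {
    # Stage 2: open the TGT with the krbtgt key, check the authenticator, issue a ticket under the service's key
    $now = Get-Now
    $tgt = Unprotect-Message $Kdc['krbtgt'] $TgsReq.tgt
    $auth = Unprotect-Message ([Convert]::FromBase64String($tgt.sk)) $TgsReq.authenticator
    if ($now -gt $tgt.endtime -or $auth.cname -ne $tgt.cname -or [math]::Abs($now - $auth.timestamp) -gt $MaxSkewSeconds) { throw 'KRB_AP_ERR: TGT expired or bad authenticator' }
    if (-not $Kdc.ContainsKey($TgsReq.spn)) { throw 'KDC_ERR_S_PRINCIPAL_UNKNOWN' }
    $svcSk = New-SessionKey
    return @{ enc_part = (Protect-Message ([Convert]::FromBase64String($tgt.sk)) @{ sk = $svcSk; spn = $TgsReq.spn });
              ticket   = (Protect-Message $Kdc[$TgsReq.spn] @{ cname = $tgt.cname; sk = $svcSk; endtime = $now + $TicketLifetimeSec }) }
}
function Invoke-APExchange([string]$Spn, $ApReq) {
    # Stage 3: the service opens the ticket with its own key and checks the authenticator; the KDC is not contacted
    $now = Get-Now
    $ticket = Unprotect-Message $Kdc[$Spn] $ApReq.ticket
    $auth = Unprotect-Message ([Convert]::FromBase64String($ticket.sk)) $ApReq.authenticator
    if ($now -gt $ticket.endtime -or $auth.cname -ne $ticket.cname -or [math]::Abs($now - $auth.timestamp) -gt $MaxSkewSeconds) { throw 'KRB_AP_ERR: ticket expired or bad authenticator' }
    return $ticket.cname   # authenticated identity only; whether alice may use cifs/fs01 is the service's decision
}

# Client side, in order: logon (stage 1), service ticket for cifs/fs01 (stage 2), AP_REQ to the service (stage 3)
$user = 'alice'; $ukey = Get-KeyFromPassword 'Summer2015!' "$Realm$user"
$asRep = Invoke-ASExchange @{ cname = $user; padata = (Protect-Message $ukey @{ timestamp = (Get-Now) }) }
$cache = @{ tgt = $asRep.tgt; sk = [Convert]::FromBase64String((Unprotect-Message $ukey $asRep.enc_part).sk) }   # kept for the TGT lifetime
$tgsRep = Invoke-TGSExchange @{ spn = 'cifs/fs01'; tgt = $cache.tgt; authenticator = (Protect-Message $cache.sk @{ cname = $user; timestamp = (Get-Now) }) }
$svcSk = [Convert]::FromBase64String((Unprotect-Message $cache.sk $tgsRep.enc_part).sk)
$apReq = @{ ticket = $tgsRep.ticket; authenticator = (Protect-Message $svcSk @{ cname = $user; timestamp = (Get-Now) }) }
"Service accepted ticket for: $(Invoke-APExchange 'cifs/fs01' $apReq)"
# Negative cases: a wrong password fails pre-auth; a replayed (hour-old) AS_REQ is rejected for clock skew
try { Invoke-ASExchange @{ cname = $user; padata = (Protect-Message (Get-KeyFromPassword 'wrong' "$Realm$user") @{ timestamp = (Get-Now) }) } | Out-Null } catch { "Wrong password: $_" }
try { Invoke-ASExchange @{ cname = $user; padata = (Protect-Message $ukey @{ timestamp = (Get-Now) - 3600 }) } | Out-Null } catch { "Replayed AS_REQ: $_" }
```

Two points the model makes visible: the client never holds the krbtgt key or the service key, so the TGT and the service ticket are opaque blobs it can only forward, and the service in stage 3 needs nothing but its own key, which is why Kerberos authentication keeps working when the KDC is unreachable as long as the cached tickets have not expired.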

Identify Hyper-V VM by worker process if VM is hung on Starting/Snapshotting/Stopping

It's easy to restart a running VM from Hyper-V Manager, but you can hit a situation where a VM is stuck in the Starting, Snapshotting or Stopping state on a production server with many other VMs running, and Hyper-V Manager will not let you do it.

In this case you can use the VM worker process to restart the VM without affecting any of the other virtual machines.


Each VM running on Hyper-V has its own virtual machine worker process (vmwp.exe), so the goal is to find the worker that belongs to the hung VM and kill it, which forces that VM to restart immediately.

  1. Use the command below to find the PID of the hung VM's worker process (replace VMName with the name of your VM). An empty result means the VM has no worker process at all, i.e. it is already Off.

(Get-WmiObject -q "SELECT * FROM Msvm_ComputerSystem WHERE ElementName = 'VMName'" -n root\virtualization\v2).ProcessID

PS C:\Windows\system32> (Get-WmiObject -q "SELECT * FROM Msvm_ComputerSystem WHERE ElementName = 'VMName'" -n root\virtualization\v2).ProcessID
2676
PS C:\Windows\system32>

  2. Now kill that process ID (Stop-Process from PowerShell, or End Task in Task Manager) to restart the VM.


This restarts the VM immediately. When only a few VMs are running you can also use Task Manager: add the Command Line column on the Details tab, and each vmwp.exe shows the GUID of the VM it belongs to.
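The same procedure as an added example (not the post's one-liner), with the check a practitioner wants before killing anything on a production host: the PID returned by WMI is confirmed to be vmwp.exe and to carry the VM's GUID on its command line, and the VM state is read back afterwards. It assumes a Windows Server 2012 R2 or later host, where the namespace is root\virtualization\v2, and a VM name supplied by the caller.

```powershell
# Added example, not from the original post: kill the worker process of one hung VM, with safety checks.
# Assumes a 2012 R2 or later Hyper-V host (root\virtualization\v2) and the Hyper-V PowerShell module.
param([Parameter(Mandatory = $true)][string]$VMName)

$safeName = $VMName -replace "'", "''"            # quote for the WQL filter
$vm = @(Get-CimInstance -Namespace 'root\virtualization\v2' -ClassName Msvm_ComputerSystem -Filter "ElementName = '$safeName'")
if ($vm.Count -ne 1) { throw "Expected exactly one VM named '$VMName' on this host, found $($vm.Count)." }
$workerPid = $vm[0].ProcessID
if (-not $workerPid) { throw "VM '$VMName' has no worker process (it is Off or has not started yet)." }

# vmwp.exe is started with the VM's GUID (Msvm_ComputerSystem.Name) on its command line; check both before killing
$proc = Get-CimInstance -ClassName Win32_Process -Filter "ProcessId = $workerPid"
if ($proc.Name -ne 'vmwp.exe' -or $proc.CommandLine -notmatch [regex]::Escape($vm[0].Name)) {
    throw "PID $workerPid is '$($proc.Name)' and does not belong to '$VMName'; refusing to kill it."
}
"Killing worker PID $workerPid for VM '$VMName' (GUID $($vm[0].Name), EnabledState $($vm[0].EnabledState))"
Stop-Process -Id $workerPid -Force

# Killing the worker is a hard power-off of that VM only; every other VM keeps its own vmwp.exe.
# Read the state back, and start the VM yourself if it settled in Off instead of coming back.
Start-Sleep -Seconds 10
Get-VM -Name $VMName | Select-Object Name, State, Status
```

Save it as a script and run it as `.\Restart-HungVM.ps1 -VMName 'VMName'` from an elevated prompt. Because the kill is the equivalent of pulling the power, anything the guest had not flushed to disk is lost; check the VM's state in the last line and use Start-VM if it did not come back on its own.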


Configuring MPIO in Windows Server 2012 R2

We are going to configure a Hyper-V server to use an iSCSI target for storing the VM files. Since the VMs load from remote storage, it is crucial to sustain a high rate of input/output operations over the network without a spike in latency.


Here we provide three paths from the Hyper-V host to the storage server, working under a round robin policy. Please refer to the MPIO policies in detail here. For easier understanding, the configuration steps are split into three phases; use the link below to view them.

Click here to get the configuration guide.
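As an added example, and not the author's linked configuration guide, here is the same setup in PowerShell on Windows Server 2012 R2: MPIO installed, the Microsoft DSM set to claim iSCSI devices with round robin as the default policy, one persistent multipath session per path, and a verification step. The three portal addresses, the three initiator addresses and the target IQN are placeholders assumed for the example; the cmdlets are the ones shipped with the MPIO and iSCSI modules.

```powershell
# Added example, not the post's own guide: three-path iSCSI with MPIO round robin on Server 2012 R2.
# All addresses and the target IQN below are assumed placeholders for your environment.
$targetPortals    = '10.10.1.10', '10.10.2.10', '10.10.3.10'     # assumed: one storage-side IP per path
$initiatorPortals = '10.10.1.21', '10.10.2.21', '10.10.3.21'     # assumed: one host NIC per path, same subnets
$targetIqn        = 'iqn.2000-01.com.example:storage.target01'   # assumed target IQN

# Phase 1: install MPIO (needs a reboot before the DSM is active) and claim iSCSI devices with round robin
Install-WindowsFeature -Name Multipath-IO
Enable-MSDSMAutomaticClaim -BusType iSCSI
Set-MSDSMGlobalDefaultLoadBalancePolicy -Policy RR     # applies to devices claimed from now on

# Phase 2: start the initiator and register every target portal
Set-Service -Name MSiSCSI -StartupType Automatic
Start-Service -Name MSiSCSI
foreach ($portal in $targetPortals) { New-IscsiTargetPortal -TargetPortalAddress $portal | Out-Null }

# Phase 3: one persistent, multipath-enabled session per path. Pinning the initiator address to the
# matching target address keeps each session on its own subnet instead of all three sharing one NIC.
for ($i = 0; $i -lt $targetPortals.Count; $i++) {
    Connect-IscsiTarget -NodeAddress $targetIqn -TargetPortalAddress $targetPortals[$i] `
        -InitiatorPortalAddress $initiatorPortals[$i] -IsPersistent $true -IsMultipathEnabled $true | Out-Null
}

# Verify: three sessions, the disk exposed once (not three times), and RR as the per-device policy
Get-IscsiSession | Select-Object TargetNodeAddress, InitiatorPortalAddress, TargetPortalAddress, IsPersistent, IsMultipathEnabled
Get-Disk | Where-Object BusType -eq 'iSCSI' | Select-Object Number, FriendlyName, Size, OperationalStatus
mpclaim -s -d                                           # path count and load-balance policy per MPIO disk
```

If `Get-Disk` shows the same LUN three times, the sessions were created before MPIO claimed the bus type; disconnect them, confirm `Get-MSDSMAutomaticClaimSettings` lists iSCSI, and reconnect. Keep the three storage subnets off the general network, and use CHAP (`-AuthenticationType ONEWAYCHAP -ChapUsername -ChapSecret` on Connect-IscsiTarget) if the storage side supports it, since iSCSI carries the VM disks in clear text.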


Hyper-V 2012 R2 Generation 1 vs Generation 2 VMs


In earlier versions of Hyper-V it was not possible to boot a virtual machine from a SCSI virtual hard disk. It was also not possible to copy files from the host into a virtual machine without a network connection inside the virtual machine.

In Hyper-V on Windows Server 2012 and earlier, the VM BIOS only supported legacy devices such as the IDE controller and the legacy network adapter.

Starting with Windows Server 2012 R2, there are two Hyper-V boot architectures available: the Hyper-V BIOS and Hyper-V UEFI (Unified Extensible Firmware Interface).

A virtual machine created as Generation 1 uses the BIOS-based architecture and supports the legacy (emulated) devices. A BIOS-based VM can only initialize the IDE controller before the operating system loads a file system, which is why a Generation 1 VM must boot from an IDE disk.

A virtual machine created as Generation 2, on the other hand, uses the UEFI-based architecture, in which a subset of the Integration Services components is built into the firmware so that the SCSI controller (and the synthetic network adapter) can be initialized before the operating system starts loading.

Benefits of Generation 2 VMs

  1. Boot from a SCSI virtual hard disk
  2. PXE boot from the synthetic network adapter
  3. Secure Boot (on by default, so an unsigned or tampered boot loader is refused)
  4. Faster boot time and installation for the guest operating system
  5. Only 64-bit guest operating systems are supported (a requirement of Generation 2 rather than a benefit)
  6. A VHDX boot volume can be as large as 64 TB
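As an added example (not from the post), the following creates a Generation 2 VM on Windows Server 2012 R2 and reads back the firmware settings that the Generation 1 BIOS cannot offer: SCSI boot, a boot order, and Secure Boot. The VM name, paths, sizes and the virtual switch name are placeholders assumed for the example; the cmdlets and parameters are the Hyper-V module's own.

```powershell
# Added example, not from the original post: build a Generation 2 VM and confirm its UEFI/Secure Boot state.
# Name, paths, sizes and switch are assumed placeholders.
$name = 'gen2-test'
New-VM -Name $name -Generation 2 -MemoryStartupBytes 2GB -SwitchName 'External' `
       -NewVHDPath "D:\VMs\$name\$name.vhdx" -NewVHDSizeBytes 60GB | Out-Null

# Generation 2 has no IDE controller: the new VHDX and the install media both hang off the SCSI controller
Add-VMDvdDrive -VMName $name -Path 'D:\ISO\install.iso'

# Secure Boot on, and boot the DVD first for the installation
Set-VMFirmware -VMName $name -EnableSecureBoot On -FirstBootDevice (Get-VMDvdDrive -VMName $name)

# Read the firmware back: SecureBoot should be On and BootOrder should start with the DVD (BootType Drive)
Get-VMFirmware -VMName $name |
    Select-Object SecureBoot, @{ Name = 'BootOrder'; Expression = { ($_.BootOrder | ForEach-Object { $_.BootType }) -join ', ' } }

# Generation and controllers of the result; a Gen 2 VM lists SCSI drives only
Get-VM -Name $name | Select-Object Name, Generation, State
Get-VMHardDiskDrive -VMName $name | Select-Object ControllerType, ControllerNumber, ControllerLocation, Path
```

On a 2012 R2 host the Secure Boot certificate store only trusts the Microsoft Windows signer, so a Linux guest in a Generation 2 VM there will not boot until Secure Boot is switched off with `Set-VMFirmware -EnableSecureBoot Off`; the separate UEFI CA template for Linux arrived with Windows Server 2016. Point 5 of the list above applies as well: the guest must be a 64-bit, UEFI-capable operating system.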

An absolute beginner’s guide to Microsoft Hyper-V

Virtualization is the creation of a virtual version of an IT environment, which includes an operating system, a storage device, a network device and so on. The hypervisor is the processor-specific virtualization platform that can host multiple virtual machines (VMs) that are isolated from each other but share the underlying hardware resources, by virtualizing the processors, memory and I/O devices.

Microsoft introduced Hyper-V as a virtualization platform in 2008 and has released a new Hyper-V version with each new Windows Server version. So far there are four versions: Windows Server 2008, Windows Server 2008 R2, Windows Server 2012 and Windows Server 2012 R2 (not counting Windows Server 2016, which was not yet released at the time of writing).

Hyper-V is a hybrid hypervisor: it is installed from within the operating system, yet installing it rearranges the OS architecture underneath.



The transformation when you add the Hyper-V role in Windows Server

You first install the Windows Server operating system; at this point there is no hypervisor. When you enable the Hyper-V role, Windows installs the required software components, such as the VMBus and the VSPs (virtualization service providers), but not the hypervisor itself. Instead, Windows installs the device driver Hvboot.sys, which loads the actual hypervisor on the next boot. Depending on the CPU, that is either %SystemRoot%\System32\Hvix64.exe (Intel VT-x) or %SystemRoot%\System32\Hvax64.exe (AMD-V); both files are very small. Once loaded, the hypervisor uses the CPU's virtualization extensions to insert itself beneath the kernel (often described as "ring -1"), taking control of the hardware. It then loads the Windows Server 2012 kernel into the parent partition, already prepared with the VMBus and the VSPs. At this point your Hyper-V is ready to start.
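As an added example (not from the post), a few checks that show the boot sequence described above on a host where the role is installed: the hypervisor binaries are on disk, the boot entry tells Hvboot.sys to launch one, and the running OS reports that it is now a partition beneath a hypervisor. It assumes Windows Server 2012 or later (Windows 8 or later for the HypervisorPresent property) and reads the default %SystemRoot%.

```powershell
# Added example, not from the original post: observe the Hyper-V boot sequence on an installed host.
# Assumes Windows Server 2012 or later and the default %SystemRoot%; no values are modified.

# 1. The two hypervisor images the text mentions; hvix64 is for Intel VT-x, hvax64 for AMD-V
'hvix64.exe', 'hvax64.exe' | ForEach-Object {
    [pscustomobject]@{ File = $_; Present = (Test-Path "$env:SystemRoot\System32\$_") }
}
(Get-CimInstance -ClassName Win32_Processor | Select-Object -First 1).Manufacturer   # tells you which one will be used

# 2. The boot entry Hvboot.sys acts on: 'hypervisorlaunchtype Auto' starts the hypervisor at the next boot,
#    'Off' (or no line at all) leaves the role installed but the hypervisor dormant
bcdedit /enum '{current}' | Select-String -Pattern 'hypervisorlaunchtype'

# 3. HypervisorPresent is True once the OS is running as the parent partition under the hypervisor
(Get-CimInstance -ClassName Win32_ComputerSystem).HypervisorPresent

# 4. The management service that owns the worker processes of the VMs (vmms), as a final sanity check
Get-Service -Name vmms | Select-Object Name, Status, StartType
```

If step 3 returns True on a machine where you never enabled the role, something else (another hypervisor, or virtualization-based security on newer Windows builds) already sits at that level; Hyper-V and a third-party hypervisor cannot both own the hardware, which is the usual cause of "the hypervisor is not running" errors.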

Hyper-V is a great option for consolidating your server hardware. If you want to experiment with Hyper-V, you can try it on your Windows 10 workstation, where the same role is available as Client Hyper-V on the Pro and Enterprise editions.