barkills
posted this
01 February 2017
Well, when whoever suggested that weblogic is using LDAP, I’m not sure that’s the whole story. I’m not closely familiar with weblogic, but with a quick minute
of browsing, I see it has web-based components. In which case, you’ve got another potential layer (or a different layer) in the story. When I said the authentication method used by LDAP depends, there are a lot of complex details behind that or I would have
spoken more specifically. At the simplest level, the LDAP client sends a username and password. At the more complex end, it might be Kerberos via SPNEGO. But with weblogic, it may be that the LDAP client is wrapped by a web server (or there is no LDAP involved
and it is basic or integrated windows auth), in other words, the web server proxies the LDAP connection for the client. In which case, there may be a token/cookie that persists past the LDAP connection and even the web session. With web services that use simple
authN, the web server retrieves a logon token on behalf of the client. Depending on the design, that logon token might persist beyond the session and the web service might use cookies that allow re-use of the token.
Lots of complexity, but it all goes down to understanding how something is designed, which so few vendors document.
Brian

From: ActiveDir-owner@xxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxx]
On Behalf Of Boaz Galil
Sent: Wednesday, February 1, 2017 9:16 AM
To: ActiveDir@xxxxxxxxxxxxxxxx
Subject: Re: [ActiveDir] Ticket is still avilalble despite the fact that the account is locked down
Brian and Michael - thank you very much for the information. How do you explain the fact that I see different result between the following scenarios - just wondering if you have any theories about it? and is it related to the ticket life-time?
Scenario A -
1.user logins to his computer... then logins to the app based on weblogic...
2.User logoff from the weblogic app - in the background the user is disabled in active directory - user try to access the weblogic app (SSO/LDAP) and the login is failing (make sense).
Scenario B -
1.user logins to his computer... then logins to the app based on weblogic...
2.User logoff from the weblogic app - in the background the user is getting his account locked out (by entering wrong password) - user try to access the weblogic app (SSO/LDAP) and login successful (despite the fact that the user is locked
out in active directory).
On Wed, Feb 1, 2017 at 12:03 PM, Brian Arkills <barkills@xxxxxxxxxxxxxxxx> wrote:
To explain a bit more, LDAP authentication is very different than Kerberos.
With LDAP authentication, you make a connection (hopefully with an encrypted session), then you perform
a bind operation. What authentication mechanism is used depends, but after you’ve completed the bind operation, the resulting session needs no further bind/authentication. As long as that session does not hit a time out or is closed, it is good to go to perform
any other LDAP operation allowed by the security context.
From:
ActiveDir-owner@xxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxx]
On Behalf Of Michael Cramer
Sent: Wednesday, February 1, 2017 8:07 AM
To: ActiveDir@xxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] Ticket is still avilalble despite the fact that the account is locked down
Exchange has RPC connections to AD and does not use a simple LDAP Connector and filters.
From:
ActiveDir-owner@xxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxx]
On Behalf Of Boaz Galil
Sent: Wednesday, February 1, 2017 10:38
To: ActiveDir@xxxxxxxxxxxxxxxx
Subject: Re: [ActiveDir] Ticket is still avilalble despite the fact that the account is locked down
Hi Michael,
Thank you for your respond. do you have any theory - for the scenario I have described in my previous message? User get locked down (because he entered wrong password few times)
- immediately, outlook disconnect from exchange but the user is still able to access application that is based on weblogic (SSO, connected with LDAP adapter to the Active directory) - regardless of the ticket lifetime, how did outlook/exchange detect that
the user is locked immediately? What is the mechanism behind it? basically I am trying to have the same mechanism with the weblogic (I guess its not related to the ticket lifetime? because outlook got disconnected seconds after the user got locked).
On Wed, Feb 1, 2017 at 10:19 AM, Michael Cramer <mike.cramer@xxxxxxxxxxxxxxxx> wrote:
In short, there is no way to nuke Kerberos ticket lifetimes. They will still be valid for the duration
of the ticket.
I would have thought that AD sets the lifetime only and does not allow a system to request a shorter
duration. Though I’ve never actually tested that behavior. So maybe the AD settings is just a “maximum”?
The problem with changing Kerberos ticket lifetimes is that users will have to re-authenticate
when that lifetime expires. So if you set it to something like 1 hour, then your users will have to re-authenticate every hour.
From:
ActiveDir-owner@xxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxx]
On Behalf Of Boaz Galil
Sent: Wednesday, February 1, 2017 9:39
To: ActiveDir@xxxxxxxxxxxxxxxx
Subject: Re: [ActiveDir] Ticket is still avilalble despite the fact that the account is locked down
Hi Jeremy,
So when we disable the account through AD - the user is unable to browse to the app... but when we lock down the account (user enter the wrong password few time) - despite the fact
that the user cannot enter to different applications like outlook/etc - he can login to the app (based on weblogic).
On Tue, Jan 31, 2017 at 6:09 PM, Jeremy Saunders <jeremy@xxxxxxxxxxxxxxxx> wrote:
Hi Boaz,
I’ve never tried it myself. But as these are supported parameters in the krb5 config file,
the request via Weblogic may honour them.
When you say “locked down” do you mean disabled or expired?
Cheers,
Jeremy
From:
ActiveDir-owner@xxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxx]
On Behalf Of Boaz Galil
Sent: Wednesday, 1 February 2017 1:06 AM
To: ActiveDir@xxxxxxxxxxxxxxxx
Subject: Re: [ActiveDir] Ticket is still avilalble despite the fact that the account is locked down
Hi Jeremy,
I thought that the ticket life time is something that the AD responsible and not the webserver/weblogic - I guess I am wrong?
On Tue, Jan 31, 2017 at 10:18 AM, Jeremy Saunders <jeremy@xxxxxxxxxxxxxxxx> wrote:
You can probably do this from the Weblogic server itself within the krb5 config.
Cheers,
Jeremy
From:
ActiveDir-owner@xxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxx]
On Behalf Of Boaz Galil
Sent: Tuesday, 31 January 2017 10:25 PM
To: ActiveDir@xxxxxxxxxxxxxxxx
Subject: Re: [ActiveDir] Ticket is still avilalble despite the fact that the account is locked down
Hi Ken,
So the overall behavior make sense? user that are locked down can still access resource for 10 hours or am I missing something?
On Tue, Jan 31, 2017 at 9:20 AM, Brown, Ken F. <Ken.Brown@xxxxxxxxxxxxxxxx> wrote:
You can shorten the lifetime (default is 10 hours – but goes down to 4 hours I think in win/2016?).
I’m not aware of any way, using Kerberos of killing a issued Kerberos ticket at the DC after it has been issued and
it is still valid. Using claims it should be possible (but I’m not a claims expert…yet!
J )
Here is an article that describes changing the time – and some other items that can be changed from in Kerberos policy
area via GPO:
https://technet.microsoft.com/en-us/library/jj852258(v=ws.11).aspx
Good luck!
From:
ActiveDir-owner@xxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxx]
On Behalf Of Boaz Galil
Sent: Tuesday, January 31, 2017 8:38 AM
To: ActiveDir@xxxxxxxxxxxxxxxx
Subject: [ActiveDir] Ticket is still avilalble despite the fact that the account is locked down
Sent by an external sender
This email has an alternate reply address set.
Dear experts,
When implementing my application that is based on Weblogic – (with LDAP connection for Active directory for SSO capabilities against active directory 2008) – I notice during testing
that when the end-user account get locked down… the user can still login to the app because the Kerberos ticket (klist) is still available. Is there way to shorten the ticket expiration date OR is there configuration/setting in active directory to expire
all tickets for account that has been locked down?