1s there are no roles available for this user. The most confusing dialog box in Active Directory. How we test and what we pay attention to

2 answers


The first half was my oversight. The second half... well, I have no word for what was wrong. It's not actually a bug or an incompatibility, but something very awkward, intermittent and hard to understand. First a summary, then a longer explanation for those who care:

Despite the error message's suggestion, this is not a problem with the conceptual model (CSDL) but a column mapping problem that kept recreating itself intermittently.

A conceptual model was built by using EdmxWriter to parse the DbContext and its main parts.

The model was then used to generate SQL scripts to create the schema in the new database. The catch is that the database is Oracle.

Oracle is a baby and doesn't accept long column names. Therefore the generated EDMX and SQL scripts had to be modified to create and map parts of the conceptual model with shortened column names.

Not a big deal. It works fine. So where did it all go wrong?

Oracle does not support "code first". Although it was done manually, using EdmxWriter is a code-first approach as far as Oracle is concerned. So when the first EDMX schema was taken apart, it choked on the boolean mappings. The solution was to temporarily remove the bools from my C# models, add them to the EDMX manually, and add an Oracle web.config mapping (bool mapped to NUMBER(1,0)).

Everything is groovy again. But why does it keep repeating itself?

At various times throughout development, some end of the chain (C#, EDMX or Oracle) changes. And every time, it seems the columns were automatically remapped without my knowing. If the EDMX model was updated from Oracle, the mappings pointed to C# properties that were not there (the short column names). If the model was updated from C# code, the mappings were not preserved and it tried to map long column names that did not exist in Oracle.

The bummer with this approach (hybrid code-first and model-first) is that if I want to keep managing my own models and handling the settings needed to keep the baby (Oracle) happy, I have to be very careful and keep a close eye on the EDMX file.

10/29/2012 Tim Springston

In this article, I will try to clarify some aspects of “the most confusing dialog box in AD,” which is the Delegation tab in the object properties window of the Microsoft Management Console (MMC) Active Directory Users and Computers snap-in (dsa.msc). We'll look at attribute values ​​for different configurations. Understanding the purpose of the settings will allow you to correctly configure applications and services that use Kerberos delegation in AD

Tim Springston ([email protected]) is a senior technical support engineer in Microsoft's Commercial Technical Support division, responsible for security and authorization.

One of the most actively discussed Microsoft technologies on blogs is authentication using the Kerberos protocol. This is strange considering that the protocol itself and its functions have not changed significantly since Windows Server 2003. Still, Kerberos remains a subject for additional documentation.

The ongoing need to learn the technical details of how Kerberos works and why errors occur exists because, while the protocol itself stays the same, the services that use it and the ways in which it is used are often unique. What remains constant in every scenario, however, is the intent of the Active Directory (AD) settings and the meaning of the error messages.


Simple interface

Why spend time on a "simple" interface? Because understanding how each setting works at the technical level lets you fix misconfigurations far more reliably. So let's start with what the settings mean. Open the Active Directory Users and Computers snap-in, go to the properties of a computer account, and you will see the Delegation tab (assuming the domain is at the Windows Server 2003 functional level or higher). This tab is shown in Figure 1. To help explain the purpose of the options on it, Figure 2 suggests alternative names you could give them.

Before diving into what the options mean, let's define Kerberos delegation. Delegation (also called unconstrained or simple delegation) is the process by which an application or service obtains Kerberos tickets to access resources on a remote computer on behalf of the user. The entity trusted for delegation is the service identity, that is, the account under which the application runs. Delegation lets the application access only the resources the user could access, and return the results to the user. A typical scenario is a web server connecting to SQL Server to display the data the user requested in the web client.

The top two options in Figure 1 ("Do not trust this computer for delegation" and "Trust this computer for delegation to any service (Kerberos only)") are self-explanatory. The third option is Kerberos constrained delegation (KCD), which works like simple delegation but restricts the impersonated identity to specified services on specified computers. It is more secure because it limits how far the impersonated user's identity can travel: if the service identity trusted for delegation is compromised, the attacker can only reach the resources on remote servers that were explicitly selected for constrained delegation.

The fourth option in Figure 1 enables KCD together with the Services for User (S4U) extensions. S4U provides more advanced functions such as protocol transition: the client first authenticates on the incoming connection with a protocol other than Kerberos, and the service then switches to Kerberos for onward access. S4U is described in detail in "Exploring S4U Kerberos Extensions in Windows Server 2003" (msdn.microsoft.com/en-us/magazine/cc188757.aspx) and "Protocol Transition with Constrained Delegation Technical Supplement" (msdn.microsoft.com/en-us/library/ff650469.aspx). These resources are aimed at programmers rather than administrators, but an administrator also needs to understand what S4U is, how to configure it, and when it is needed. Here is a short list of S4U capabilities written for the administrator.

Obtaining a service ticket to itself on behalf of a user, which gives the service the user's group information (effectively the user's token) for authorization checks, without the user's ticket-granting ticket (TGT) and without access to the user's credentials. This extension is Service for User to Self (S4U2Self).

Obtaining a service ticket to another service on behalf of the user, using a ticket the service already holds (the user's service ticket, or one obtained via S4U2Self), again without the user's TGT, the user's credentials, or any fresh authentication by the user. This is Service for User to Proxy (S4U2Proxy).

Performing the protocol transition mentioned above. A client accessing an enterprise service authenticates initially with a method other than Kerberos, and S4U lets a trusted service switch the already-authenticated session to Kerberos. This is where failures caused by configuration errors most often occur, because application documentation rarely states clearly whether protocol transition is required or how to configure it in AD. The topic is only becoming more relevant, since today hardly any article is complete without mentioning the "cloud". Clients connecting through the cloud will most often use NTLM authentication, because no domain controller (DC) is reachable over the Internet to answer Kerberos service ticket requests. Protocol transition lets a domain user connect through a reverse proxy or application firewall with one of the supported methods (such as NTLM) and then switch to Kerberos for further access inside the corporate network. Since "cloud" means connecting over the Internet, you can safely assume that any cloud solution you adopt will sooner or later bring you to Kerberos protocol transition.

Under the hood

Now let's look at what actually happens when each of these four options is set, using LDP to examine the attribute values written for each configuration. LDP (ldp.exe) is installed with the AD Domain Services role and is an LDAP query tool with a graphical interface. It lets you build your own LDAP queries and view the results in an easy-to-read format. An additional benefit of LDP for viewing bit-field attributes such as userAccountControl is that it translates the numeric value into the named flags it is composed of instead of showing a bare number. Later versions of adsiedit.msc provide the same translation.

So on Windows Server 2008 and later, ldp.exe and adsiedit.msc translate attribute values such as userAccountControl automatically, eliminating the need to open calc.exe and consult MSDN or the Microsoft Knowledge Base for the flag values.

Now let's see how the attribute values shown in LDP change with each setting. Start with an account that is not trusted for delegation. Figure 3 shows that the Test2 account is not trusted: the userAccountControl value 0x1020 (decimal 4128) translates to WORKSTATION_TRUST_ACCOUNT (0x1000) and PASSWD_NOTREQD (0x20), and no delegation flag is set.

Figure 4 shows an account that is trusted for delegation. The userAccountControl value now also translates to TRUSTED_FOR_DELEGATION (0x80000), indicating that simple, unconstrained Kerberos delegation is allowed for this service identity.

Trust delegation to specific services

The following settings matter if you intend to use KCD or S4U. The first case is selecting Trust this computer for delegation to specified services only together with Use Kerberos only. Figure 5 shows that with this selection userAccountControl still translates to WORKSTATION_TRUST_ACCOUNT (no delegation flag is added), while the msDS-AllowedToDelegateTo attribute is populated with the selected services. Nothing else populates or touches this attribute. Its entries are the service principal names (SPNs) on the target computers to which delegation is allowed.

The second, less secure option is Use any authentication protocol, which enables protocol transition and the other S4U extensions. In addition to the entries in msDS-AllowedToDelegateTo, this setting adds TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION (0x1000000, "T2A4D") to userAccountControl, as Figure 6 shows. Without the T2A4D flag, expect protocol transition to fail. No other component uses this flag. This one switch is extremely important: if it is not selected, S4U2Self, S4U2Proxy and protocol transition all behave differently, which breaks applications and services that expect particular ticket types. Specifically, protocol transition fails and no ticket is issued for the user; the S4U2Self ticket the KDC returns is not forwardable, so S4U2Self still works for local authorization checks but fails wherever the ticket must be forwarded to another service or host, and an S4U2Proxy request built on such a non-forwardable ticket is rejected.
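As an added example (not part of the article), the following Python reproduces LDP's flag translation for userAccountControl, maps the attribute values back onto the four Delegation tab options, and reports the configurations that widen the blast radius of a compromised service identity. The flag names and bit values come from the published userAccountControl table; the DNs, host names and SPNs in the sample entries are constructed.

```python
"""Decode userAccountControl and classify the Delegation tab setting of AD accounts.

Added example; not code from the original article.  The sample entries mirror
Figures 3-6 (UAC 0x1020, 0x81020, 0x1020 plus targets, 0x1001020 plus targets);
their DNs, host names and SPNs are assumptions.
"""
from typing import Dict, List, Sequence, Tuple

# userAccountControl bit flags.  The page discusses only four of them; the rest
# are listed so that decoding a real value is complete.
UAC_FLAGS: Dict[int, str] = {
    0x00000001: "SCRIPT",
    0x00000002: "ACCOUNTDISABLE",
    0x00000008: "HOMEDIR_REQUIRED",
    0x00000010: "LOCKOUT",
    0x00000020: "PASSWD_NOTREQD",
    0x00000040: "PASSWD_CANT_CHANGE",
    0x00000080: "ENCRYPTED_TEXT_PWD_ALLOWED",
    0x00000100: "TEMP_DUPLICATE_ACCOUNT",
    0x00000200: "NORMAL_ACCOUNT",
    0x00000800: "INTERDOMAIN_TRUST_ACCOUNT",
    0x00001000: "WORKSTATION_TRUST_ACCOUNT",
    0x00002000: "SERVER_TRUST_ACCOUNT",
    0x00010000: "DONT_EXPIRE_PASSWORD",
    0x00020000: "MNS_LOGON_ACCOUNT",
    0x00040000: "SMARTCARD_REQUIRED",
    0x00080000: "TRUSTED_FOR_DELEGATION",
    0x00100000: "NOT_DELEGATED",            # "Account is sensitive and cannot be delegated"
    0x00200000: "USE_DES_KEY_ONLY",
    0x00400000: "DONT_REQ_PREAUTH",
    0x00800000: "PASSWORD_EXPIRED",
    0x01000000: "TRUSTED_TO_AUTH_FOR_DELEGATION",   # "T2A4D" in the article
    0x04000000: "PARTIAL_SECRETS_ACCOUNT",
}
TRUSTED_FOR_DELEGATION = 0x00080000
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x01000000


def decode_uac(value: int) -> List[str]:
    """Translate a userAccountControl integer into flag names, as ldp.exe does."""
    names = [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]
    unknown = value & ~sum(UAC_FLAGS)          # bits not in the table, if any
    if unknown:
        names.append(f"UNKNOWN_0x{unknown:X}")
    return names


def delegation_mode(uac: int, allowed_to_delegate_to: Sequence[str]) -> str:
    """Map userAccountControl + msDS-AllowedToDelegateTo back to the Delegation tab option."""
    if uac & TRUSTED_FOR_DELEGATION:
        return "unconstrained"                  # Trust this computer for delegation to any service
    if allowed_to_delegate_to:
        if uac & TRUSTED_TO_AUTH_FOR_DELEGATION:
            return "constrained-any-protocol"   # specified services only + Use any authentication protocol
        return "constrained-kerberos-only"      # specified services only + Use Kerberos only
    if uac & TRUSTED_TO_AUTH_FOR_DELEGATION:
        return "t2a4d-without-targets"          # flag set by hand with no SPN list
    return "none"                               # Do not trust this computer for delegation


def audit(entries: Sequence[dict]) -> List[Tuple[str, str]]:
    """Return (dn, reason) for every entry whose delegation setting deserves review."""
    findings = []
    for e in entries:
        targets = e.get("msDS-AllowedToDelegateTo", [])
        mode = delegation_mode(e["userAccountControl"], targets)
        if mode == "unconstrained":
            findings.append((e["dn"], "unconstrained delegation: a compromised host can "
                                      "impersonate any connecting user to any service"))
        elif mode == "constrained-any-protocol":
            findings.append((e["dn"], "protocol transition enabled: the service can obtain "
                                      "tickets for any user to " + ", ".join(targets) +
                                      " without that user authenticating"))
        elif mode == "t2a4d-without-targets":
            findings.append((e["dn"], "T2A4D set but msDS-AllowedToDelegateTo is empty"))
    return findings


# Constructed sample entries mirroring Figures 3-6 (names are assumptions).
SAMPLE_ENTRIES = [
    {"dn": "CN=Test2,CN=Computers,DC=contoso,DC=com", "userAccountControl": 0x1020},
    {"dn": "CN=Test3,CN=Computers,DC=contoso,DC=com", "userAccountControl": 0x81020},
    {"dn": "CN=WEB1,CN=Computers,DC=contoso,DC=com", "userAccountControl": 0x1020,
     "msDS-AllowedToDelegateTo": ["MSSQLSvc/sql1.contoso.com:1433"]},
    {"dn": "CN=WEB2,CN=Computers,DC=contoso,DC=com", "userAccountControl": 0x1001020,
     "msDS-AllowedToDelegateTo": ["MSSQLSvc/sql1.contoso.com:1433", "cifs/fs1.contoso.com"]},
]

if __name__ == "__main__":
    for e in SAMPLE_ENTRIES:
        uac = e["userAccountControl"]
        print(f"{e['dn']}: 0x{uac:X} = {decode_uac(uac)}")
        print(f"    delegation: {delegation_mode(uac, e.get('msDS-AllowedToDelegateTo', []))}")
    for dn, why in audit(SAMPLE_ENTRIES):
        print(f"FINDING {dn}: {why}")
```

To run it against a real domain, export userAccountControl and msDS-AllowedToDelegateTo for every computer and service account (for example with ldp.exe, ldapsearch, or Get-ADComputer -Properties userAccountControl,msDS-AllowedToDelegateTo) and feed the results in as the entry dictionaries above. The NOT_DELEGATED bit in the table is the user-side counterpart of these settings: an account marked "sensitive and cannot be delegated" is not impersonated even by a host trusted for unconstrained delegation.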

"Do it yourself"

What happens if the service account used by an application or service needs to perform an action that requires protocol transition, but the Delegation tab is set to Use Kerberos only instead of Use any authentication protocol? The client application may see Access Denied when it tries to reach resources over the network, a silent NTLM authentication failure, or an unexpected application-specific error. That the error can take different forms makes the task harder, but the most likely result is Access Denied. In this situation, review the application or service documentation for any statement that it performs protocol transition or requests tickets for users who have not presented a TGT. The problem is that most documentation authors do not really understand what the KCD configuration means and therefore explain little or nothing.

A do-it-yourself way to identify the cause is to collect a network trace on the server trusted for delegation and filter it to Kerberos traffic (Kerberosv5 in Microsoft Network Monitor, kerberos in Wireshark). The service sends a ticket-granting service request (TGS-REQ) to the AD Key Distribution Center (KDC) with the constrained-delegation (cname-in-addl-tkt) bit set in kdc-options and the user's ticket carried in additional-tickets. If the KDC refuses, it answers not with a TGS-REP but with a KRB-ERROR carrying error code 13, KDC_ERR_BADOPTION, which is easy to spot in the trace.

More detailed information about Microsoft's Kerberos implementation can be found in the online Open Specifications. "Kerberos Protocol Extensions" [MS-KILE] (msdn.microsoft.com/en-us/library/cc233855%28v=PROT.13%29.aspx) documents the Windows Kerberos extensions in general, and "Kerberos Protocol Extensions: Service for User and Constrained Delegation Protocol Specification" [MS-SFU] (msdn.microsoft.com/en-us/library/cc246071%28v=PROT.13%29.aspx) documents S4U and constrained delegation.

Perfect world

I hope this analysis of the settings in the Delegation tab and their representation in AD helps you understand what they mean. In an ideal world, the documentation of every service would give technical guidance on the correct authentication configuration. When reality falls short, this information should strengthen your toolkit. Understanding how the settings work at the technical level is the key to success.



Websites, applications and games are information resources used by people. To separate allowed from prohibited actions for a particular user, access rights are used, and sets of access rights form roles. As an example, consider a basic website with registration.

On such a site, three roles "live", each with its own rights and responsibilities:

1. Guest

All anonymous visitors have this role by default. If you grant guests the "Add comments" right, any visitor can comment on your content; if not, they must register first.

2. Registered user

Anonymous visitors who have passed authentication and authorization receive a new role. Only authorized users can manage their personal account, add and edit personal data, and view information about other users. Unregistered visitors are not allowed to perform these operations.

3. Administrator

This default role gives the user full access to the site. The administrator adds and removes blocks and grants or revokes other users' rights to particular functionality.

How do we test and what do we pay attention to?

First of all, we try not to delete the "Super Admin" while playing with the settings.

  • Creating a safe account

To get close to real activity on the project, an additional user with admin-equivalent powers is enough. We test the resource and change other users' access rights with this account, so the original super admin stays untouched.

  • Checking in several browsers

We do this simultaneously: in one browser we change the access rights, in the other we verify that they apply to the user, so that the two user sessions stay separate.

  • Follow the direct link

We test restrictions on blocks by navigating to them through a direct URL. Some resource data must not be viewable by an unauthorized guest just because they know the link; hiding a menu entry is not a restriction, the server has to enforce the check on every request. If access is restricted, all is well: instead of confidential information, anonymous users get a warning page, most often with HTTP status code 403.

  • Testing entity locking

For resources such as ticketing and tour services it is important to lock an entity that several users can access at once. There are two locking strategies:

+ Optimistic locking: on save, the application checks whether the database already holds a newer version of the data written by another user. If it does, the current user's save is rejected and they reload the fresh copy of the entity.

+ Pessimistic locking is used when optimistic locking produces too many collisions. The entity is locked on read, so only one user at a time can use and change a given version of it.

You can test this from one computer in several browsers or with different accounts.
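The two strategies side by side, as an added example (not code from the article): an in-memory dictionary stands in for the database table, a version column drives the optimistic check, and a checkout registry drives the pessimistic one. The seat, tour and user names are constructed.

```python
"""Optimistic and pessimistic locking of an entity that several users edit at once.

Added example, not code from the original article.  An in-memory dict stands in
for a database table; the seat/tour identifiers and the two users are constructed.
"""
import copy
import threading
from dataclasses import dataclass
from typing import Dict, Optional


class ConflictError(Exception):
    """Optimistic save rejected: the stored row is newer than the copy we loaded."""


class LockedError(Exception):
    """Pessimistic checkout refused: another user holds the row."""


@dataclass
class Seat:
    seat_id: str
    holder: Optional[str] = None
    version: int = 0            # the 'version' column, incremented on every successful save


class SeatStore:
    def __init__(self) -> None:
        self._rows: Dict[str, Seat] = {}
        self._locks: Dict[str, str] = {}    # seat_id -> user holding a pessimistic lock
        self._mutex = threading.Lock()      # makes each store operation atomic, like one SQL statement

    def add(self, seat: Seat) -> None:
        self._rows[seat.seat_id] = seat

    def load(self, seat_id: str) -> Seat:
        return copy.copy(self._rows[seat_id])       # detached copy, like a row fetched into a session

    # --- optimistic: nobody is blocked, but the save carries the version that was read
    def save_optimistic(self, seat: Seat) -> Seat:
        with self._mutex:
            row = self._rows[seat.seat_id]
            if row.version != seat.version:         # UPDATE ... WHERE version = :seen affected 0 rows
                raise ConflictError(f"{seat.seat_id}: stored v{row.version}, you loaded v{seat.version}")
            row.holder = seat.holder
            row.version += 1
            return copy.copy(row)

    # --- pessimistic: the row is checked out before editing (SELECT ... FOR UPDATE)
    def checkout(self, seat_id: str, user: str) -> Seat:
        with self._mutex:
            owner = self._locks.get(seat_id)
            if owner is not None and owner != user:
                raise LockedError(f"{seat_id} is being edited by {owner}")
            self._locks[seat_id] = user
            return copy.copy(self._rows[seat_id])

    def release(self, seat_id: str, user: str) -> None:
        with self._mutex:
            if self._locks.get(seat_id) == user:
                del self._locks[seat_id]

    def save_pessimistic(self, seat: Seat, user: str) -> Seat:
        with self._mutex:
            if self._locks.get(seat.seat_id) != user:
                raise LockedError(f"{user} does not hold the lock on {seat.seat_id}")
            row = self._rows[seat.seat_id]
            row.holder = seat.holder
            row.version += 1
            del self._locks[seat.seat_id]           # commit releases the lock
            return copy.copy(row)


def race_optimistic() -> dict:
    """Two users load the same free seat and both try to book it; the second save must lose."""
    store = SeatStore()
    store.add(Seat("tour-42/seat-7"))
    alice = store.load("tour-42/seat-7")
    bob = store.load("tour-42/seat-7")          # both copies carry version 0
    alice.holder = "alice"
    store.save_optimistic(alice)                # version 0 -> 1
    bob.holder = "bob"
    conflict = False
    try:
        store.save_optimistic(bob)              # bob still claims version 0
    except ConflictError:
        conflict = True
        bob = store.load("tour-42/seat-7")      # reload and see that the seat is taken
    final = store.load("tour-42/seat-7")
    return {"conflict": conflict, "holder": final.holder,
            "version": final.version, "bob_sees": bob.holder}


def race_pessimistic() -> dict:
    """Alice checks the seat out first; Bob is refused until she has saved."""
    store = SeatStore()
    store.add(Seat("tour-42/seat-7"))
    alice = store.checkout("tour-42/seat-7", "alice")
    blocked = False
    try:
        store.checkout("tour-42/seat-7", "bob")
    except LockedError:
        blocked = True
    alice.holder = "alice"
    store.save_pessimistic(alice, "alice")      # releases the lock
    bob = store.checkout("tour-42/seat-7", "bob")
    store.release("tour-42/seat-7", "bob")      # bob sees the seat is taken and backs off
    return {"blocked": blocked, "holder": bob.holder, "version": store.load("tour-42/seat-7").version}


if __name__ == "__main__":
    print("optimistic :", race_optimistic())
    print("pessimistic:", race_pessimistic())
```

The test the tester performs from two browsers is exactly the two race functions: the second session must either get a conflict and reload (optimistic) or be refused the edit until the first session commits (pessimistic). A site that lets both sessions save silently has neither.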

  • Using a test matrix

It simplifies the tester's work, clearly shows permitted and prohibited actions, and simply helps you not to miss anything. In it we describe all the roles, users and variations of restrictions on our characters.

And here is the simplest example of a test matrix:
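The matrix the article refers to is not reproduced on this page. As an added example (not the article's own matrix or code), here is a constructed one for the three roles above, together with a runner that exercises every role/action cell against an application and reports both directions of failure: a right that is missing for a role that should have it, and a right that leaks to a role that should not.

```python
"""Driving access-rights checks from a role/action test matrix.

Added example, not the article's own matrix or code.  The roles, actions and
the toy application (with two deliberately planted authorization bugs) are constructed.
"""
from typing import Callable, Dict, List, Set, Tuple

ROLES = ("guest", "user", "admin")

# The test matrix: for each action, the roles that must be allowed (HTTP 200).
# Every role not listed must be refused (HTTP 403), so one table covers both
# missing rights for allowed roles and leaked rights for forbidden ones.
MATRIX: Dict[str, Set[str]] = {
    "view_post":     {"guest", "user", "admin"},
    "add_comment":   {"user", "admin"},      # guests must register first
    "edit_profile":  {"user", "admin"},
    "view_members":  {"user", "admin"},      # member list is not for anonymous visitors
    "manage_blocks": {"admin"},
    "grant_rights":  {"admin"},
}

Failure = Tuple[str, str, int, int]          # (role, action, expected status, observed status)


def run_matrix(matrix: Dict[str, Set[str]],
               request: Callable[[str, str], int]) -> List[Failure]:
    """Exercise every role/action cell and report the cells where the application disagrees."""
    failures: List[Failure] = []
    for action, allowed in matrix.items():
        for role in ROLES:
            expected = 200 if role in allowed else 403
            observed = request(role, action)
            if observed != expected:
                failures.append((role, action, expected, observed))
    return failures


# --- constructed application under test ------------------------------------
# What the server actually enforces.  Two bugs are planted on purpose:
#   * add_comment forgets admins, so an admin is refused something a user may do;
#   * view_members has no login check, so the direct URL works for a guest.
_APP_ALLOW: Dict[str, Set[str]] = {
    "view_post":     set(ROLES),
    "add_comment":   {"user"},
    "edit_profile":  {"user", "admin"},
    "view_members":  set(ROLES),
    "manage_blocks": {"admin"},
    "grant_rights":  {"admin"},
}


def app_request(role: str, action: str) -> int:
    """Stand-in for an HTTP request sent from a session logged in with the given role."""
    return 200 if role in _APP_ALLOW.get(action, set()) else 403


if __name__ == "__main__":
    for role, action, expected, observed in run_matrix(MATRIX, app_request):
        kind = "LEAK" if observed == 200 else "MISSING RIGHT"
        print(f"{kind}: {role} -> {action}: expected {expected}, got {observed}")
```

Against a real site, `request` would send the direct URL for the action from a separate HTTP session (cookie jar) per role, which is the programmatic form of the "several browsers" advice above; the matrix stays the same, and adding a role or an action means adding one row or column rather than writing a new test.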

Access control is one of the main checks within security testing. Even testing a local library website with three roles challenges the tester, and popular resources with dozens of roles, thousands of users and millions of permissions need an entire army of administrators! It is hard to imagine the scale of the damage if an amateur takes on the testing. Hire competent specialists and avoid gaps in the security of your products!