👉 Overview
👀 What ?
The Windows Kerberos Double Hop problem is a security issue where the Kerberos authentication protocol cannot pass user credentials more than one 'hop' from the user's local machine. It typically arises in three-tier application architectures where the user’s identity must be carried from the client machine to the web server and then on to the SQL server.
🧐 Why ?
The double hop problem is important because it can limit the functionality of applications and potentially expose sensitive information. If not addressed, it can prevent applications from accessing needed resources on behalf of the user, or it can force developers to use less secure methods of authentication.
⛏️ How ?
To solve the double hop problem, you would generally use Kerberos delegation. This involves configuring the service account running the middle tier (the 'first hop') to be trusted for delegation in Active Directory, preferably constrained delegation (limited to the specific SPNs of the back-end service) rather than unconstrained delegation, which hands the service a copy of the user's TGT. You also need to ensure that the user, service account, and target service all use Kerberos for authentication and that the necessary Service Principal Names (SPNs) are registered; a missing SPN silently drops the first hop back to NTLM, after which delegation cannot work at all.
⏳ When ?
The double hop problem has been a known issue in Windows environments since the introduction of Kerberos as the default authentication protocol in Windows 2000. It remains relevant today due to the continued widespread use of Kerberos in Windows environments.
⚙️ Technical Explanations
In a typical scenario, a user might authenticate to a web server using Kerberos, which works fine for that first hop. However, when the web server tries to use the same Kerberos ticket to authenticate to a SQL server on behalf of the user, it fails: what the web server received is a service ticket issued for its own SPN, not the user's ticket-granting ticket, so it has nothing it can present to the KDC to request a ticket for the SQL service in the user's name. This is by design to prevent potential 'ticket forwarding' attacks, where any service a user touches could impersonate that user elsewhere. It can be mitigated by using Kerberos delegation, which requires careful configuration and management to ensure it is used securely: unconstrained delegation should be avoided, constrained delegation should list only the needed SPNs, and sensitive accounts should be marked as not delegable so a compromised middle tier cannot impersonate them.
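The following PowerShell script is an added example, not part of the original page, that puts the "How ?" section and the technical explanation above into practice for a web-to-SQL setup: it registers the SPNs, configures constrained (Kerberos-only) delegation for the middle-tier account, marks a privileged user as not delegable, and then audits the domain for any principal still configured for unconstrained delegation. All names (domain corp.example, accounts svc_web, svc_sql and adm_alice, hosts web01 and sql01) are assumptions, and the script requires the ActiveDirectory RSAT module and sufficient rights in the domain.

```powershell
# Added example (not from the original page). Assumed names: domain
# corp.example, web service account svc_web, SQL service account svc_sql,
# privileged user adm_alice, hosts web01 and sql01.
Import-Module ActiveDirectory

$WebAccount = 'svc_web'
$SqlAccount = 'svc_sql'
$WebSpn     = 'HTTP/web01.corp.example'
$SqlSpn     = 'MSSQLSvc/sql01.corp.example:1433'

# 1. Register the SPNs. Without the HTTP SPN the browser negotiates NTLM on
#    the first hop and Kerberos delegation never comes into play.
Set-ADUser -Identity $WebAccount -ServicePrincipalNames @{Add = $WebSpn}
Set-ADUser -Identity $SqlAccount -ServicePrincipalNames @{Add = $SqlSpn}

# 2. Constrained delegation: svc_web may obtain tickets on the user's behalf
#    ONLY for the SQL SPN, and only when the user really authenticated with
#    Kerberos (no protocol transition).
Set-ADUser -Identity $WebAccount -Add @{'msDS-AllowedToDelegateTo' = @($SqlSpn)}
Set-ADAccountControl -Identity $WebAccount -TrustedToAuthForDelegation $false

# 3. Make sure the account is NOT left with unconstrained delegation, which
#    would store the user's TGT on the web server.
Set-ADAccountControl -Identity $WebAccount -TrustedForDelegation $false

# 4. A delegated hop should never be able to impersonate a privileged user.
Set-ADAccountControl -Identity 'adm_alice' -AccountNotDelegated $true

# 5. Audit helpers for the defender: who in the domain is trusted for
#    delegation, and in which form?
function Get-UnconstrainedDelegation {
    # Domain controllers are expected here; anything else deserves a review.
    $users     = Get-ADUser     -Filter 'TrustedForDelegation -eq $true' -Properties TrustedForDelegation
    $computers = Get-ADComputer -Filter 'TrustedForDelegation -eq $true' -Properties TrustedForDelegation
    @($users) + @($computers) | Select-Object Name, ObjectClass, DistinguishedName
}

function Get-ConstrainedDelegation {
    # userAccountControl bit 0x1000000 = TRUSTED_TO_AUTH_FOR_DELEGATION
    # (protocol transition), which is more permissive than Kerberos-only.
    Get-ADObject -Filter 'msDS-AllowedToDelegateTo -like "*"' `
                 -Properties msDS-AllowedToDelegateTo, userAccountControl |
        Select-Object Name, ObjectClass,
            @{ n = 'AllowedTo';          e = { $_.'msDS-AllowedToDelegateTo' -join ';' } },
            @{ n = 'ProtocolTransition'; e = { [bool]($_.userAccountControl -band 0x1000000) } }
}

Write-Host '== Unconstrained delegation (expected: domain controllers only) =='
Get-UnconstrainedDelegation | Format-Table -AutoSize
Write-Host '== Constrained delegation =='
Get-ConstrainedDelegation | Format-Table -AutoSize
```

Run the configuration part once as a domain administrator and keep the two audit functions in a scheduled check: a non-DC object showing up under unconstrained delegation, or a constrained entry that unexpectedly reports ProtocolTransition as True, is the kind of change that should be reviewed before it is trusted.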