date: Wed, 18 Jun 2008 12:50:11 +0000 (UTC),    group: microsoft.public.platformsdk.security


How to get credentials for network access in authentication package?   
Hi,

maybe my question is a bit weird, but I guess I just don't understand
the whole logon process well enough.  Bear with me.

My situation is this.  I created a custom authentication package which
is supposed to be used by OpenSSH with public key authentication.  The
public key is stored in the user's home dir and checked by the ssh
daemon, just like on any UNIX machine.  When the authentication was
successful, the ssh daemon calls the authentication package which in
turn creates a user token.  The resulting user token looks fine and the
user is correctly identified by, for instance, the whoami tool.

However, there was never a password exchanged in this process and the
credentials for network access are missing.  The user can't access the
usual network shares, unless `net use' is called with the user's password
explicitly specified.  Or, when trying to get information from
AD using LDAP with default credentials, ldap_bind_s (ld, NULL, NULL,
LDAP_AUTH_NEGOTIATE) fails with error 0x01.

So here's the question.  Is there a way to fetch and add the necessary
credentials in the authentication package or in the logon application,
without the need to specify the password?  Is there some example code
which shows how to do it?


Thanks in advance,
Corinna

-- 
Corinna Vinschen
Cygwin Project Co-Leader
Red Hat
date: Wed, 18 Jun 2008 12:50:11 +0000 (UTC)   author:   Corinna Vinschen
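A diagnostic for the symptoms described in the post above, added here as an example and not code from the thread, from Cygwin or from OpenSSH: run inside the session the custom package created, it reports which package issued the token, the session's logon type, whether a Kerberos TGT is cached, and whether a UNC path is readable. The share path is a placeholder, and the presence of klist.exe (Vista / Server 2008 and later) is assumed.

```powershell
# Added diagnostic (not from the thread). Run it inside the session whose
# token you want to check, e.g. a shell spawned by the custom auth package.
function Test-NetworkCredentialSession {
    param(
        # Hypothetical share; replace with one the user is known to read.
        [string]$ProbeSharePath = '\\fileserver.example.internal\netlogon'
    )
    $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $result = [ordered]@{
        User          = $id.Name
        # Name of the package that issued the token ("Kerberos", "NTLM",
        # or the custom package's own name).
        AuthPackage   = $id.AuthenticationType
        LogonType     = $null
        HasKerbTgt    = $false
        ShareReadable = $false
    }

    # Logon type of the session that owns this process, found through the
    # Win32_SessionProcess association (2 = interactive, 3 = network, ...).
    try {
        $proc = Get-CimInstance Win32_Process -Filter "ProcessId = $PID"
        $sess = Get-CimAssociatedInstance -InputObject $proc `
                    -ResultClassName Win32_LogonSession
        $result.LogonType = $sess.LogonType
    } catch { $result.LogonType = "unknown ($($_.Exception.Message))" }

    # A session created without a password or certificate has no TGT in
    # its ticket cache, so Kerberos cannot authenticate to shares or LDAP.
    $klist = (& klist.exe tgt 2>&1) -join "`n"
    $result.HasKerbTgt = [bool]($klist -match 'ServiceName\s*:\s*krbtgt')

    # Same check for SMB: a token without network credentials cannot open
    # a UNC path, which is the symptom reported in the question.
    $result.ShareReadable = Test-Path -LiteralPath $ProbeSharePath `
                                      -ErrorAction SilentlyContinue

    [pscustomobject]$result
}

Test-NetworkCredentialSession
```

A token that shows the custom package name, no cached TGT and an unreadable share is exactly the "identity is right, network credentials are missing" state the question describes, whereas a password or smartcard logon through Kerberos shows a TGT and a readable share.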

Re: How to get credentials for network access in authentication package?   
Does nobody have an answer?

Maybe I'm just too dumb, but I don't get how an LSA authentication
package is supposed to allow the calling logon package to get a complete
interactive token including all necessary credentials for network
access.  MSDN states:

 "The LSA calls the authentication package interface functions in the
  custom package which, in turn, call the functions in MSV1_0. The custom
  package must be able to pass the incoming logon information using data
  structures supported by MSV1_0."

So, when my authentication package function LsaApLogonUser is called,
it's supposed to call CallPackageEx (AuthenticationPackage == MSV1_0,
...) with... what?  A MSV1_0_INTERACTIVE_LOGON buffer?  MSDN doesn't
tell.

How is that supposed to work at all, if the new authentication mechanism
does not use nor provide a password at any point?

Is there sample code or documentation (besides MSDN) available which
shows how to do that?

Corinna Vinschen wrote:
> Hi,
> 
> maybe my question is a bit weird, but I guess I just don't understand
> the whole logon process well enough.  Bear with me.
> 
> My situation is this.  I created a custom authentication package which
> is supposed to be used by OpenSSH with public key authentication.  The
> public key is stored in the user's home dir and checked by the ssh
> daemon, just like on any UNIX machine.  When the authentication was
> successful, the ssh daemon calls the authentication package which in
> turn creates a user token.  The resulting user token looks fine and the
> user is correctly identified by, for instance, the whoami tool.
> 
> However, there was never a password exchanged in this process and the
> credentials for network access are missing.  The user can't access the
> usual network shares, unless `net use' is called with the user's password
> explicitly specified.  Or, when trying to get information from
> AD using LDAP with default credentials, ldap_bind_s (ld, NULL, NULL,
> LDAP_AUTH_NEGOTIATE) fails with error 0x01.
> 
> So here's the question.  Is there a way to fetch and add the necessary
> credentials in the authentication package or in the logon application,
> without the need to specify the password?  Is there some example code
> which shows how to do it?


Thanks in advance,
Corinna

-- 
Corinna Vinschen
Cygwin Project Co-Leader
Red Hat
date: Wed, 25 Jun 2008 16:35:29 +0000 (UTC)   author:   Corinna Vinschen

Re: How to get credentials for network access in authentication pa   
I am a novice looking at these things too, but I believe that the portion of 
MSDN you refer to is considering a case where you are adding an 
additional factor on top of the password challenge hash.

If you do not need to access the password hash then there's no need to proxy 
through msv1_0.  You can create your own logon session and use AddCredentials 
to populate it.  But in that case I'm not sure if it's possible to make 
Windows believe you are the real Windows user, i.e. it may be that the only 
way to authenticate to Active Directory is via one of the built-in methods.  

At a minimum, I have found no supporting evidence of anyone who has created 
an auth package that could create an AD logon session without using Kerberos 
or NTLM.  Furthermore I see no way to have a custom provider call into the 
Kerberos/NTLM providers to cause them to create a secure login session, unless 
you also provide them a successful challenge/response (which defeats the 
purpose).

In short, if anyone knows how to make an auth provider that can spawn valid 
AD login sessions without the requirement to pass through a hash or a 
smartcard cert to the underlying system, please do the world a favor and let 
us know how!

"Corinna Vinschen" wrote:

> Does nobody have an answer?
> 
> Maybe I'm just too dumb, but I don't get how an LSA authentication
> package is supposed to allow the calling logon package to get a complete
> interactive token including all necessary credentials for network
> access.  MSDN states:
> 
>  "The LSA calls the authentication package interface functions in the
>   custom package which, in turn, call the functions in MSV1_0. The custom
>   package must be able to pass the incoming logon information using data
>   structures supported by MSV1_0."
> 
> So, when my authentication package function LsaApLogonUser is called,
> it's supposed to call CallPackageEx (AuthenticationPackage == MSV1_0,
> ....) with... what?  A MSV1_0_INTERACTIVE_LOGON buffer?  MSDN doesn't
> tell.
> 
> How is that supposed to work at all, if the new authentication mechanism
> does not use nor provide a password at any point?
> 
> Is there sample code or documentation (besides MSDN) available which
> shows how to do that?
> 
> Corinna Vinschen wrote:
> > Hi,
> > 
> > maybe my question is a bit weird, but I guess I just don't understand
> > the whole logon process well enough.  Bear with me.
> > 
> > My situation is this.  I created a custom authentication package which
> > is supposed to be used by OpenSSH with public key authentication.  The
> > public key is stored in the user's home dir and checked by the ssh
> > daemon, just like on any UNIX machine.  When the authentication was
> > successful, the ssh daemon calls the authentication package which in
> > turn creates a user token.  The resulting user token looks fine and the
> > user is correctly identified by, for instance, the whoami tool.
> > 
> > However, there was never a password exchanged in this process and the
> > credentials for network access are missing.  The user can't access the
> > usual network shares, unless `net use' is called with the user's password
> > explicitly specified.  Or, when trying to get information from
> > AD using LDAP with default credentials, ldap_bind_s (ld, NULL, NULL,
> > LDAP_AUTH_NEGOTIATE) fails with error 0x01.
> > 
> > So here's the question.  Is there a way to fetch and add the necessary
> > credentials in the authentication package or in the logon application,
> > without the need to specify the password?  Is there some example code
> > which shows how to do it?
> 
> 
> Thanks in advance,
> Corinna
> 
> -- 
> Corinna Vinschen
> Cygwin Project Co-Leader
> Red Hat
>
date: Wed, 9 Jul 2008 10:27:01 -0700   author:   ferrix
