
How do authentication and logon work on Windows with Kerberos? What I want to achieve is to log on a user on a server and run a process for that user.

As a first step, I create a Kerberos ticket on the client and send it to the server. On the server, I do not know the API to log on the user given its ticket. Of course I can accept the security context using AcceptSecurityContext (SSPI), but that does not initiate a logon.

I think that some SSH implementations for Windows do exactly that. But I want to know how, and what API they probably use.

Spiegelritter

1 Answer


There are a few ways you can do this. You do need to call AcceptSecurityContext on the ticket to get a security context. This is what bootstraps everything in Windows. From there you can do a couple of different things.

Usually you call ImpersonateSecurityContext so the current thread understands what user it thinks it needs to be. After that you can call QuerySecurityContextToken to get a Windows access token handle. With this handle you then call CreateProcessAsUser. You can also tell it to do things like load the profile if necessary.

This doesn't really do a logon like LogonUserX does, but it effectively starts a process as that user, which is usually what people are looking to accomplish.

Steve
  • Thank you for your answer. It works so far with `CreateProcessAsUser`: a new process is started running as the user. However, it cannot communicate with other services on different servers (e.g. a REST API). It is not possible to create new tickets for other services (using `AcquireCredentialsHandle` and `InitializeSecurityContext`); I get an error: "No credentials are available in the security package". I can create new tickets (delegation) in the service after `ImpersonateSecurityContext` and before I create a new process. But that is not what I want. Is it possible to do it in the new process? – Spiegelritter Sep 20 '18 at 08:08
  • Yeah, there's one more step required in that scenario, which is to configure the account the parent process is running as to allow delegation and impersonation. So `client => server => child process` that means the `server` process is running as a user and that user must have impersonate and delegate configured. – Steve Sep 20 '18 at 16:10
  • It seems to work with unconstrained delegation. Do you know whether this approach works with constrained delegation (where the TGT is not sent along with the service ticket for delegation purposes)? – Spiegelritter Jan 30 '19 at 14:47
  • @Steve Could you let me know how to get the hToken value from the security context? We are trying to create a process in a `spring controller` method where we won't have the scope of `AuthorizationHeader` to extract the `authorizationHeader.getTokenBytes()`. We have been spending more than a week, but no luck. Any small hint would be a great help! TIA! – Chandru Jul 22 '22 at 16:24