Microsoft provides a variety of Windows credential providers, referred to as "security support providers", as part of Microsoft Windows, such as:
・password (*1)
・smart card (certificates in Windows authentication) (*2)
・Windows Hello, PIN (FIDO2) (*3)

Kerberos is the primary method of authenticating users on Windows, for interactive logon using passwords and network logon using Kerberos tickets.

[image: domain user logon process]

Using (*1), (*2) or (*3) above, I really want to know: is there any simple method to issue (create) Kerberos tickets?

I have also consulted the Microsoft API set for this model (domain user logon process), but there does not seem to be an API to issue (create) a Kerberos ticket.

The APIs I have referenced:
SSPI: https://learn.microsoft.com/en-us/windows/win32/api/sspi/
LsaLogonUser: https://learn.microsoft.com/en-us/windows/win32/api/ntsecapi/nf-ntsecapi-lsalogonuser

Please let me know. Thanks in advance!

John
  • In all cases, it's your Active Directory domain server that issues the Kerberos credentials after you have passed authentication, and Windows stores these creds in its "LSA cache" _(Linux would use other kinds of credential cache but, as always, Microsoft guys think they are sooo smart that they must invent proprietary stuff)_ – Samson Scharfrichter May 13 '20 at 11:38
  • Looks like you are not the only one with this kind of questions, cf. https://stackoverflow.com/questions/61769720/kerberos-authentication-for-validating-card-id-on-windows-2012-2016-server – Samson Scharfrichter May 13 '20 at 11:40
  • @SamsonScharfrichter Assuming I have 1 certificate, is there any method to pass credentials (certificate) to AD to pass authentication? – John May 17 '20 at 06:36
  • Check the documentation of your smart card manufacturer. For a Windows session, if the OS detects a compatible USB device, the login prompt should offer a choice of authenticating by login/pwd **or** by the appropriate API -- which should handle the PIN prompt to access the card, then the challenge/response between AD and the card. _(Note that the certificate is **public**, that's not a "credential" -- it's the challenge/response using certificate on AD side and PK on card side that creates the credentials)_ – Samson Scharfrichter May 17 '20 at 08:09
  • Hi @SamsonScharfrichter I'm expecting somehow to pass authentication by using user credentials (certificate) (not username/password), and I think to use the smart card (certificate) model. I wonder how to customize it to send a certificate to AD to pass authentication - my question is in the link below. Thanks in advance. -- https://stackoverflow.com/questions/61867671/how-can-i-customize-the-cryptographic-service-provider-base-csp-in-the-smart-c – John May 19 '20 at 01:51

1 Answer

Credential Providers are not SSPs; they are Credential Providers. They ferry the credential you're using from the inputs (keyboard, bio, smartcard) to the SSPs. They're not meant to do heavy lifting. The SSPs do the actual protocol work of authenticating to whatever service is your authority.

The image you reference is not technically accurate as that's the pre-Vista process. Everything on the left side of the image is out of date. The right side is still mostly correct.

Color commentary aside, Samson is correct. AD is the ticket creator and the only way you can get it to create a ticket is by requesting it after you've authenticated with a credential, and it's for the named credential to a specific named service. The way you request the tickets is through the SSPI ACH and ISC functions. SSPs are the internal implementations of those functions.

LsaLogonUser will verify a credential and store the resultant ticket in a dedicated cache (separate from the default logged on session cache). Often you call CredUIPromptForWindowsCredentials to collect creds, and pass the buffer to LsaLogonUser or the ACH function.

Steve
  • Thanks for your answer. Based on your explanation, I would like to summarize as follows: ①. The user sends (passes) a credential (certificate or password) to AD. ②. AD creates the ticket after authenticating the credential (certificate or password). ③. Use SSPI to request tickets and create tickets. Is the flow ①→③ correct? Assuming it is correct, I would like to ask one more question. From ①, I have a certificate. So how do I send (pass) it to AD for authentication? Thanks in advance. – John May 17 '20 at 06:29
  • Certificates and passwords are interchangeable during logon. This is the nature of the Kerberos protocol. You provide a handle to the certificate during step 1. – Steve May 18 '20 at 16:05
  • Ugh. Kerberos supporting X509 certificates. Sounds like a Microsoft rewrite of George Orwell's 1984 -- "We invented Kerberos. Next year we'll say that we invented silicon". – Samson Scharfrichter May 19 '20 at 08:34
  • I'm at a loss for how to reply to such a statement. PKINIT is defined in RFC 4556 which is an extension of RFC 4120 which ratified the historic RFC 1510. PKINIT is the handling of X.509 certificate-based PKI and key exchange during the AS flow of Kerberos. They are in fact interchangeable during AS logon. Windows exposes this in a specific way and all major implementations of the protocol support PKINIT (MIT, Heimdal, Java, Microsoft, Go, etc.). What exactly are you taking issue with? – Steve May 19 '20 at 15:31
  • @Steve My issue is that I want to use the Kerberos protocol to try to log on to Windows with a certificate, without using a smart card (hardware) and without existing credentials the user created when they logged on (meaning a first login directly with a certificate). Is there any method to do that? -- I also looked at SSPI ACH (Kerberos), but it seems that it does not support certificates; it only supports (username / password) via the struct SEC_WINNT_AUTH_IDENTITY. Thanks in advance – John May 21 '20 at 13:13
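The answer says the only way to get AD to mint a ticket is to request one through the SSPI ACH and ISC functions, and the question asks what such a request looks like in code. The script below is an added example, not code from the question, the answer, or Microsoft: it calls AcquireCredentialsHandle and InitializeSecurityContext for the Kerberos package from PowerShell via P/Invoke, which makes the LSA send a TGS-REQ to the KDC for the named SPN, and then shows the resulting ticket with klist. It assumes a domain-joined Windows host, an interactive domain logon (so a TGT is already in the LSA cache), a reachable KDC, and a placeholder SPN `host/dc01.example.local` that you replace with one registered in your domain.

```powershell
# Added example (not from the question or the answer): request a Kerberos service
# ticket through the two SSPI calls the answer names, AcquireCredentialsHandle (ACH)
# and InitializeSecurityContext (ISC), then look for it in the LSA ticket cache.
# Assumes a domain-joined host, an interactive domain logon and a reachable KDC.
$Spn = 'host/dc01.example.local'   # hypothetical SPN; use one registered in your domain

Add-Type -TypeDefinition @'
using System;
using System.Runtime.InteropServices;

public static class Sspi
{
    [StructLayout(LayoutKind.Sequential)]
    public struct SecHandle { public IntPtr dwLower; public IntPtr dwUpper; }
    [StructLayout(LayoutKind.Sequential)]
    public struct SecBuffer { public int cbBuffer; public int BufferType; public IntPtr pvBuffer; }
    [StructLayout(LayoutKind.Sequential)]
    public struct SecBufferDesc { public int ulVersion; public int cBuffers; public IntPtr pBuffers; }

    public const int SECPKG_CRED_OUTBOUND    = 0x2;    // we are the client side
    public const int SECURITY_NATIVE_DREP    = 0x10;
    public const int SECBUFFER_TOKEN         = 0x2;
    public const int ISC_REQ_ALLOCATE_MEMORY = 0x100;  // SSPI allocates the AP-REQ buffer
    public const int SEC_E_OK                = 0;
    public const int SEC_I_CONTINUE_NEEDED   = 0x90312;

    [DllImport("secur32.dll", CharSet = CharSet.Unicode)]
    public static extern int AcquireCredentialsHandle(
        string pszPrincipal, string pszPackage, int fCredentialUse, IntPtr pvLogonID,
        IntPtr pAuthData, IntPtr pGetKeyFn, IntPtr pvGetKeyArgument,
        ref SecHandle phCredential, ref long ptsExpiry);

    [DllImport("secur32.dll", CharSet = CharSet.Unicode)]
    public static extern int InitializeSecurityContext(
        ref SecHandle phCredential, IntPtr phContext, string pszTargetName, int fContextReq,
        int Reserved1, int TargetDataRep, IntPtr pInput, int Reserved2,
        ref SecHandle phNewContext, ref SecBufferDesc pOutput, out int pfContextAttr, ref long ptsExpiry);

    [DllImport("secur32.dll")] public static extern int FreeContextBuffer(IntPtr pvContextBuffer);
    [DllImport("secur32.dll")] public static extern int DeleteSecurityContext(ref SecHandle phContext);
    [DllImport("secur32.dll")] public static extern int FreeCredentialsHandle(ref SecHandle phCredential);
}
'@

$Marshal = [System.Runtime.InteropServices.Marshal]

# Step 1 (ACH): bind a handle to the Kerberos package for the caller's logon session.
# No credential buffer is passed, so the TGT already in the LSA cache is used.
$cred   = New-Object -TypeName 'Sspi+SecHandle'
$expiry = [long]0
$rc = [Sspi]::AcquireCredentialsHandle($null, 'Kerberos', [Sspi]::SECPKG_CRED_OUTBOUND,
        [IntPtr]::Zero, [IntPtr]::Zero, [IntPtr]::Zero, [IntPtr]::Zero, [ref]$cred, [ref]$expiry)
if ($rc -ne [Sspi]::SEC_E_OK) { throw ('AcquireCredentialsHandle failed: 0x{0:X8}' -f $rc) }

# Step 2 (ISC): ask for a context to $Spn. Behind this call the LSA sends a TGS-REQ to
# the KDC; AD issues the service ticket, the LSA caches it and builds the AP-REQ token
# that comes back in the output buffer (the client never creates the ticket itself).
$pBuf = $Marshal::AllocHGlobal($Marshal::SizeOf([Sspi+SecBuffer]))
$buf  = New-Object -TypeName 'Sspi+SecBuffer'
$buf.BufferType = [Sspi]::SECBUFFER_TOKEN      # cbBuffer = 0, pvBuffer = NULL: SSPI allocates
$Marshal::StructureToPtr($buf, $pBuf, $false)
$desc = New-Object -TypeName 'Sspi+SecBufferDesc'
$desc.cBuffers = 1; $desc.pBuffers = $pBuf
$ctx   = New-Object -TypeName 'Sspi+SecHandle'
$attrs = 0
$rc = [Sspi]::InitializeSecurityContext([ref]$cred, [IntPtr]::Zero, $Spn, [Sspi]::ISC_REQ_ALLOCATE_MEMORY,
        0, [Sspi]::SECURITY_NATIVE_DREP, [IntPtr]::Zero, 0, [ref]$ctx, [ref]$desc, [ref]$attrs, [ref]$expiry)

if ($rc -eq [Sspi]::SEC_E_OK -or $rc -eq [Sspi]::SEC_I_CONTINUE_NEEDED) {
    $out = $Marshal::PtrToStructure($pBuf, [Sspi+SecBuffer])
    "Service ticket for $Spn obtained; AP-REQ token is $($out.cbBuffer) bytes"
    [void][Sspi]::FreeContextBuffer($out.pvBuffer)
    [void][Sspi]::DeleteSecurityContext([ref]$ctx)
} else {
    # Typical failures: 0x80090303 SEC_E_TARGET_UNKNOWN (SPN not registered in AD),
    # 0x8009030E SEC_E_NO_CREDENTIALS (no TGT, e.g. local account or KDC unreachable).
    'InitializeSecurityContext failed: 0x{0:X8}' -f $rc
}
[void][Sspi]::FreeCredentialsHandle([ref]$cred)
$Marshal::FreeHGlobal($pBuf)

# Step 3: the ticket now sits in this logon session's LSA cache, which klist reads.
klist | Select-String -Pattern ([regex]::Escape($Spn))
```

Run it in a domain user's session; with `ISC_REQ_ALLOCATE_MEMORY` alone the Kerberos SSP finishes on the first call and returns `SEC_E_OK`, and asking for mutual authentication instead returns `SEC_I_CONTINUE_NEEDED` until the AP-REP from the service is fed back in. Note that this only covers the case the answer describes as "after you've authenticated with a credential": the handle is bound to an existing logon session and its TGT. The fresh-logon-with-certificate case raised in the last comment is the `LsaLogonUser` path from the answer's final paragraph, which takes a `KERB_CERTIFICATE_LOGON` buffer rather than a `SEC_WINNT_AUTH_IDENTITY`. On the domain controller side every TGS request made this way is ordinary Kerberos traffic and is audited as a service-ticket request (event ID 4769), which is where a defender would baseline unusual SPN requests.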