
I would like to perform Windows domain authentication using Kerberos (AS request), but all I have is a card ID provided by the client. I do have the username but no password.

How do I validate the card user, as Kerberos needs a username and password? Are there any mechanisms to validate a card ID using the Kerberos mechanism on Windows Server 2012/2016?

Ajay
  • AFAIK, smart card authentication is based on X509 certificates. When the Active Directory server has checked your device, it assumes that you (the official device owner) have passed authentication, and it provides your Windows session with a Kerberos ticket -- check with `klist.exe` – Samson Scharfrichter May 13 '20 at 11:27
  • In other words, smart card auth bypasses Kerberos initial auth. But then Kerberos is used to access Microsoft services (with Kerberos service tickets for LDAP, file shares, etc.) – Samson Scharfrichter May 13 '20 at 11:29
  • For the sake of precision -- the AD server knows your X509 public certificate, and the smart card contains the private key that matches the certificate -- plus the chip that can process the crypto challenge/response with that PK as proof of identity. – Samson Scharfrichter May 13 '20 at 11:33
  • Kerberos understands X509 certificates. Kerberos pre-auth occurs as normal, just using a different mechanism (see PKINIT, RFC 4556). In any case this question doesn't have enough information in it. What is a "cardID"? Does it give you access to an X509 certificate, and does it let you interact with a private key to sign stuff? If so, you can pass a handle to the ACH SSPI function and attempt to request a ticket. – Steve May 13 '20 at 15:29
  • I am using a smart card which has a certificate embedded in it. – Ajay May 19 '20 at 10:39

0 Answers