
My current environment:
1. On the client side I installed the certificate issued by a Windows server (ADCS), with provider type "Microsoft Enhanced Cryptographic Provider v1.0", and its private key from a PFX into the certificate store (My store).
2. Checked with the command: certutil -store my
3. Connected my credential provider to the KSP by following the article: this article by question

Issue: the KSP (Key Storage Provider) is not being loaded at logon via a Credential Provider.

I wonder whether the problem is one of the following:

  1. Is the private key associated with the certificate (My store) not of the Microsoft Sample Key Storage Provider type? (current: Microsoft Enhanced Cryptographic Provider v1.0) I still do not know how to create a certificate and private key with the provider named Microsoft Sample Key Storage Provider. Can anyone help me with that?
  2. In the ConstructAuthInfo(LPBYTE* ppbAuthInfo, ULONG *pulAuthInfoLen) function:
    WCHAR szCardName[] = L""; // no card name specified but you can put one if you want
    WCHAR szContainerName[] = L"my_key_name";
    WCHAR szReaderName[] = L"";
    WCHAR szCspName[] = L"Microsoft Sample Key Storage Provider";
    WCHAR szPin[] = L"11111111";
    -> What does my_key_name mean here, and can it be set to L""? Is that OK?
    -> I do not use a hardware smart card; is WCHAR szPin[] an optional value?

Thanks in advance.

sliva
  • Have you registered your KSP with the name "My Key Storage Provider"? – Frank Jun 18 '20 at 14:13
  • @Frank, I updated the question: szCspName = "Microsoft Sample Key Storage Provider", and the default registry name of the KSP after the build is also "Microsoft Sample Key Storage Provider". I then checked with the command (symmclient -enum or certutil -csplist). – sliva Jun 19 '20 at 03:59
  • @Frank, I do not use LsaLogonUser; instead it is GetSerialization(): { ULONG ulAuthPackage; HRESULT hr = RetrieveNegotiateAuthPackage(&ulAuthPackage); ConstructAuthInfo(&pcpcs->rgbSerialization, &pcpcs->cbSerialization); pcpcs->ulAuthenticationPackage = ulAuthPackage; pcpcs->clsidCredentialProvider = CLSID_MyCredentialProvider; *pcpgsr = CPGSR_RETURN_CREDENTIAL_FINISHED; } Have you been successful with GetSerialization()? – sliva Jun 19 '20 at 06:08
  • Yes, I have, but I wrote my own KSP. Basically it boils down to this question and answer: https://stackoverflow.com/questions/38398905/ksp-key-storage-provider-not-being-loaded-at-logon-via-a-credential-provider – Frank Jun 19 '20 at 06:22
  • When packing the KERB_CERTIFICATE_LOGON struct you must set the container name of the CspData to the correct value so the key can be identified by the KSP. You might find this using certutil. – Frank Jun 19 '20 at 07:01
  • Hi @Frank, I tried executing the command: certutil -csp "Microsoft Sample Key Storage Provider" -key, and it returned the error NTE_NOT_SUPPORTED. Perhaps that is why the container name could not be identified. I had previously tried using the command (certutil -csp "Microsoft Sample Key Storage Provider" -user -importPFX "mycert.pfx") to import the key into the KSP, but it returned an error. Is there a way to import or store the key from another provider (e.g. Microsoft Software Key Storage Provider, or Microsoft Enhanced Cryptographic Provider v1.0) into a custom KSP? Currently the custom KSP is not storing any key. – sliva Jun 19 '20 at 07:40
  • Use the "certutil -csptest" command to dump a specific provider's capabilities. I have not looked over the sample code yet, but perhaps you try to import a key with unsupported features, or the enumeration of keys is not implemented in the sample and therefore returns NTE_NOT_SUPPORTED. – Frank Jun 19 '20 at 15:02
  • @Frank, I successfully created a type certificate with the provider "Microsoft Sample Key Storage Provider" and I also got the key container "my_key_name" from the certificate. But I still can't interact with my credential provider. To confirm each debug, I have put all the log into the function but almost no function is called. – sliva Jun 28 '20 at 12:28
  • In the KSP sample, do we need any special customizations to interact with the credential provider? - Thanks in advance. – sliva Jun 28 '20 at 12:36
  • Yes, I remember that it is a hard struggle to find out what works and what does not. Not all methods in the KSP are called when logging in. IIRC the first method is GetKeyStorageInterface, then OpenProvider, then OpenKey, multiple calls to GetProviderProperty and GetKeyProperty, and after all that SignHash. If none of them is called then you should double-check your construction of KERB_CERTIFICATE_LOGON. It's a pain in the ass to get those relative pointers correct. Perhaps if you could share the complete code where you construct this structure, we could see where things go wrong. – Frank Jun 29 '20 at 16:22
  • Yes, I tried putting full logging in the KSP but no function was called. I put my code here: https://github.com/sliva1994/KSP-Custom/issues/1 -- And I have a question: I log on with a domain user; do we need to set values in the Group Policy Editor (gpedit.msc)? -- thanks for your support. – sliva Jun 30 '20 at 09:28
  • @Frank, I have solved my problem; it was related to the environment. I successfully loaded the KSP when I moved to VMware and installed Windows 10 LTSC 2019 (ver 1809) (OS build 1904). It's strange that I used to use VirtualBox with Windows (ver 2004, OS build 17763) installed, but it didn't work. I wonder whether the problem is due to the Windows version or the difference between using VirtualBox and VMware? – sliva Jul 01 '20 at 01:37
  • You should have mentioned this from the beginning. Windows 10 2004 has a nasty bug: you need to leave the domain empty (like domain = L"") otherwise this returns "invalid parameter". – Frank Jul 01 '20 at 06:54
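Frank's comments come down to getting the self-relative layout of KERB_CERTIFICATE_LOGON and its KERB_SMARTCARD_CSP_INFO right: every Buffer and the CspData pointer must hold a byte offset from the start of the blob, and the four name offsets inside the CSP info are counted in WCHARs from bBuffer. The following is an added worked example (not code from the question, the linked article, or the Microsoft sample) that packs the question's values into that layout and then reads them back the way the LSA resolves the offsets, so a wrong offset shows up as a failed read instead of a silent logon failure. It uses local mirrors of the ntsecapi.h structures with C11 char16_t so it compiles and runs off-Windows; on Windows you would include ntsecapi.h instead and allocate the blob with CoTaskMemAlloc before storing it in pcpcs->rgbSerialization. The user name "alice" is a constructed sample value; the domain is left empty, as Frank's last comment recommends for Windows 10 2004.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <uchar.h>

/* Local mirrors of the ntsecapi.h definitions (x64 layout) so the packing logic
   builds off-Windows. On Windows include <ntsecapi.h> and drop these typedefs. */
typedef struct {
    uint16_t  Length;          /* bytes, excluding the terminator */
    uint16_t  MaximumLength;   /* bytes, including the terminator */
    uintptr_t Buffer;          /* PWSTR in memory; byte offset from blob start once packed */
} UNICODE_STRING_REL;

#define KERB_CERTIFICATE_LOGON_TYPE 13u  /* KerbCertificateLogon in KERB_LOGON_SUBMIT_TYPE */
#define KEYSPEC_AT_KEYEXCHANGE       1u  /* AT_KEYEXCHANGE */

typedef struct {
    uint32_t           MessageType;
    UNICODE_STRING_REL DomainName;
    UNICODE_STRING_REL UserName;
    UNICODE_STRING_REL Pin;
    uint32_t           Flags;
    uint32_t           CspDataLength;    /* bytes of the KERB_SMARTCARD_CSP_INFO blob */
    uintptr_t          CspData;          /* PUCHAR in memory; byte offset once packed */
} KERB_CERTIFICATE_LOGON_REL;

typedef struct {
    uint32_t dwCspInfoLen;
    uint32_t MessageType;                /* documented as 1 */
    uint64_t ContextInformation;         /* union { PVOID; ULONG64 } */
    uint32_t flags;
    uint32_t KeySpec;
    uint32_t nCardNameOffset;            /* all four offsets are in WCHARs from bBuffer */
    uint32_t nReaderNameOffset;
    uint32_t nContainerNameOffset;
    uint32_t nCSPNameOffset;
    char16_t bBuffer[1];                 /* variable-length string area */
} KERB_SMARTCARD_CSP_INFO_REL;

enum packed_field { PF_DOMAIN, PF_USER, PF_PIN, PF_CARD, PF_READER, PF_CONTAINER, PF_CSP };

static size_t u16len(const char16_t *s) { size_t n = 0; while (s[n]) n++; return n; }

/* Copies a NUL-terminated UTF-16 string to blob+*pos and fills the UNICODE_STRING
   with its byte length and a *relative* Buffer (the offset, not an address). */
static void put_ustr(uint8_t *base, size_t *pos, UNICODE_STRING_REL *us, const char16_t *s)
{
    size_t bytes = (u16len(s) + 1) * sizeof(char16_t);
    us->Length = (uint16_t)(bytes - sizeof(char16_t));
    us->MaximumLength = (uint16_t)bytes;
    us->Buffer = (uintptr_t)*pos;
    memcpy(base + *pos, s, bytes);
    *pos += bytes;
}

/* Builds the flat, self-relative KERB_CERTIFICATE_LOGON blob that a credential
   provider returns from GetSerialization. Layout: [logon header][CSP info + names]
   [domain][user][pin]. Returns malloc'd memory (NULL on failure) and its size. */
uint8_t *pack_certificate_logon(const char16_t *domain, const char16_t *user, const char16_t *pin,
                                const char16_t *card, const char16_t *reader,
                                const char16_t *container, const char16_t *csp, size_t *out_len)
{
    const char16_t *names[4] = { card, reader, container, csp };
    size_t csp_chars = 4;                              /* four terminators */
    for (int i = 0; i < 4; i++) csp_chars += u16len(names[i]);
    if (u16len(domain) >= 0x7FFF || u16len(user) >= 0x7FFF || u16len(pin) >= 0x7FFF) return NULL;

    size_t csp_bytes = offsetof(KERB_SMARTCARD_CSP_INFO_REL, bBuffer) + csp_chars * sizeof(char16_t);
    size_t total = sizeof(KERB_CERTIFICATE_LOGON_REL) + csp_bytes
                 + (u16len(domain) + u16len(user) + u16len(pin) + 3) * sizeof(char16_t);
    uint8_t *base = calloc(1, total);
    if (!base) return NULL;

    KERB_CERTIFICATE_LOGON_REL *logon = (KERB_CERTIFICATE_LOGON_REL *)base;
    logon->MessageType = KERB_CERTIFICATE_LOGON_TYPE;
    logon->Flags = 0;

    size_t pos = sizeof(KERB_CERTIFICATE_LOGON_REL);   /* CSP info directly after the header */
    KERB_SMARTCARD_CSP_INFO_REL *info = (KERB_SMARTCARD_CSP_INFO_REL *)(base + pos);
    logon->CspData = (uintptr_t)pos;
    logon->CspDataLength = (uint32_t)csp_bytes;
    info->dwCspInfoLen = (uint32_t)csp_bytes;
    info->MessageType = 1;
    info->KeySpec = KEYSPEC_AT_KEYEXCHANGE;

    uint32_t *offs[4] = { &info->nCardNameOffset, &info->nReaderNameOffset,
                          &info->nContainerNameOffset, &info->nCSPNameOffset };
    char16_t *b = (char16_t *)((uint8_t *)info + offsetof(KERB_SMARTCARD_CSP_INFO_REL, bBuffer));
    uint32_t off = 0;                                  /* WCHAR index into bBuffer */
    for (int i = 0; i < 4; i++) {
        size_t n = u16len(names[i]) + 1;
        *offs[i] = off;
        memcpy(b + off, names[i], n * sizeof(char16_t));
        off += (uint32_t)n;
    }
    pos += csp_bytes;

    put_ustr(base, &pos, &logon->DomainName, domain);
    put_ustr(base, &pos, &logon->UserName, user);
    put_ustr(base, &pos, &logon->Pin, pin);
    *out_len = total;
    return base;
}

/* Reads one string back the way the LSA resolves it (blob + offset), narrowing to
   ASCII for display. Returns 0, or -1 when an offset would run outside the blob. */
int read_packed_string(const uint8_t *blob, size_t len, enum packed_field f, char *out, size_t cap)
{
    if (len < sizeof(KERB_CERTIFICATE_LOGON_REL) || cap == 0) return -1;
    const KERB_CERTIFICATE_LOGON_REL *logon = (const KERB_CERTIFICATE_LOGON_REL *)blob;
    const char16_t *s;
    size_t chars;
    if (f <= PF_PIN) {
        const UNICODE_STRING_REL *us = f == PF_DOMAIN ? &logon->DomainName
                                     : f == PF_USER   ? &logon->UserName : &logon->Pin;
        if (us->Buffer > len || us->Length > len - us->Buffer) return -1;
        s = (const char16_t *)(blob + us->Buffer);
        chars = us->Length / sizeof(char16_t);
    } else {
        size_t hdr = offsetof(KERB_SMARTCARD_CSP_INFO_REL, bBuffer);
        if (logon->CspData > len || logon->CspDataLength > len - logon->CspData
            || logon->CspDataLength < hdr) return -1;
        const KERB_SMARTCARD_CSP_INFO_REL *info =
            (const KERB_SMARTCARD_CSP_INFO_REL *)(blob + logon->CspData);
        const char16_t *b = (const char16_t *)((const uint8_t *)info + hdr);
        size_t avail = (logon->CspDataLength - hdr) / sizeof(char16_t);
        uint32_t off = f == PF_CARD ? info->nCardNameOffset : f == PF_READER ? info->nReaderNameOffset
                     : f == PF_CONTAINER ? info->nContainerNameOffset : info->nCSPNameOffset;
        if (off >= avail) return -1;
        s = b + off;
        for (chars = 0; off + chars < avail && s[chars]; chars++) { }   /* NUL inside the blob */
    }
    if (chars >= cap) return -1;
    for (size_t i = 0; i < chars; i++) out[i] = (char)(s[i] < 0x80 ? s[i] : '?');
    out[chars] = '\0';
    return 0;
}

int main(void)
{
    size_t len = 0;
    char name[128];
    /* Constructed sample mirroring the question's ConstructAuthInfo() values. */
    uint8_t *blob = pack_certificate_logon(u"", u"alice", u"11111111", u"", u"", u"my_key_name",
                                           u"Microsoft Sample Key Storage Provider", &len);
    if (!blob) return 1;
    int rc = read_packed_string(blob, len, PF_CONTAINER, name, sizeof name);
    free(blob);
    return rc == 0 && strcmp(name, "my_key_name") == 0 ? 0 : 1;
}
```

The container name written into nContainerNameOffset must be the "Key Container" that certutil reports for the certificate's key, and nCSPNameOffset must be the name the KSP is registered under; if the LSA cannot open that container through that provider, none of the KSP entry points Frank lists will ever be reached.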
