I am on an Azure domain where users are able to logon using their FIDO2 security keys. I would like to be able to obtain a user's Windows Logon token using their security key.

There are some very good C++ samples of Authentication (Assertion) of keys ( https://github.com/aseigler/HelloSample/blob/master/hello/hello.cpp ) but I have not found any way of using the returned Assertion information to obtain a user's logon token that can then be used for impersonation. This should be possible since a user can use that same security key to log in to or unlock the Windows workstation.

I see some very interesting exported functions in the Windows WebAuthN.dll like WebAuthNGetPlatformCredentials or WebAuthNDecodeAccountInformation. Unfortunately, these functions do not seem to be documented.

Has anyone managed to obtain a Windows Logon Token using WebAuthN or have any idea of how this can be done?

Edz1o
  • I use impersonation. – Nick Abbot Dec 01 '22 at 22:00
  • Nick, can you please explain what you mean? Normally I use CredUIPromptForWindowsCredentials to prompt a user for their credentials, it returns a buffer "ppvOutAuthBuffer" that can be used with LsaLogonUser to obtain the user's token. I am trying to figure out what can be used with the information returned by WebAuthNAuthenticatorGetAssertion to obtain a Logon token that can be impersonated. – Edz1o Dec 03 '22 at 00:45

1 Answer

This is how I use Impersonation when users access IIS web apps and connect to Web services or SQL Server on the IIS server.

        'Identity of the caller that IIS already authenticated (WindowsIdentity / WindowsImpersonationContext live in System.Security.Principal).
        Dim currentWindowsIdentity As WindowsIdentity = CType(HttpContext.Current.User.Identity, WindowsIdentity)
        Dim impersonationContext As WindowsImpersonationContext = currentWindowsIdentity.Impersonate()
        Try
            'Insert your code that runs under the security context of the authenticating user here.
        Finally
            'Always revert, even if the impersonated code throws.
            impersonationContext.Undo()
        End Try

PS: If you're asking users for their credentials,...ever, the systems you're using should be burned and you should be fired immediately.

Nick Abbot
  • Hi Nick, Thanks for your input. The C++ program is not connecting to Web services but running locally on the system. I am not asking for anyone's credentials. Once a user is authenticated using "WebAuthNAuthenticatorGetAssertion" I am hoping to be able to impersonate that user locally. Although my call to "WebAuthNAuthenticatorGetAssertion" seems to go successfully, the Current Windows Identity does not change - it is still that of the person that ran the program to call the function. – Edz1o Dec 05 '22 at 22:00
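What WebAuthNAuthenticatorGetAssertion hands back is relying-party evidence (authenticator data plus a signature), not a credential that LsaLogonUser accepts, which is why the caller's identity is unchanged after the call. The following added example (not from the question or the answer) parses the fixed part of the returned authenticator data and applies the checks a relying party makes before trusting it; the RP ID "example.com" and the byte strings are constructed, and signature verification against the registered public key is left out because it needs a crypto library.

```python
import hashlib
import struct
from dataclasses import dataclass

# Flag bits in WebAuthn authenticator data.
FLAG_UP = 0x01  # user present (touched the key)
FLAG_UV = 0x04  # user verified (PIN or biometric on the key)


@dataclass
class AuthenticatorData:
    rp_id_hash: bytes
    flags: int
    sign_count: int


def parse_authenticator_data(data: bytes) -> AuthenticatorData:
    """Parse the 37-byte prefix: SHA-256(rpId) | flags | big-endian counter."""
    if len(data) < 37:
        raise ValueError("authenticator data too short")
    (sign_count,) = struct.unpack(">I", data[33:37])
    return AuthenticatorData(data[:32], data[32], sign_count)


def check_assertion(auth_data: bytes, rp_id: str, last_sign_count: int,
                    require_uv: bool = True) -> AuthenticatorData:
    """Relying-party checks on an assertion's authenticator data.

    The signature over auth_data || SHA-256(clientDataJSON) must still be
    verified with the credential's registered public key (not shown here).
    """
    ad = parse_authenticator_data(auth_data)
    if ad.rp_id_hash != hashlib.sha256(rp_id.encode("ascii")).digest():
        raise ValueError("rpIdHash does not match the expected RP ID")
    if not ad.flags & FLAG_UP:
        raise ValueError("user presence (UP) flag not set")
    if require_uv and not ad.flags & FLAG_UV:
        raise ValueError("user verification (UV) flag not set")
    # A counter that fails to increase suggests a cloned authenticator.
    if (ad.sign_count or last_sign_count) and ad.sign_count <= last_sign_count:
        raise ValueError("signature counter did not increase")
    return ad


def make_sample_auth_data(rp_id: str, flags: int, sign_count: int) -> bytes:
    """Constructed test vector; not captured from a real security key."""
    return (hashlib.sha256(rp_id.encode("ascii")).digest()
            + bytes([flags]) + struct.pack(">I", sign_count))
```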