Windows API - Win32
A core set of Windows application programming interfaces (APIs) for desktop and server applications. Previously known as Win32 API.
2,426 questions
How to implement an authentication package passthrough authentication ?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(278.4, 14.000000000000002%, 36%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ERB%3C/text%3E%3C/svg%3E)
Romain Braussen
1
Reputation point
Hello,
I am trying to develop a custom authentication package, maybe even a SSP/AP if I need to.
For now I succeeded developing a very basic POC custom authentication package, with no check at all, and by using a custom credential provider in parallel that use this AP I can log in into local accounts, or directly on a domain controller.
Now the question is basically how can I use this authentication package from a workstation in a domain, authenticating on the domain controller?
Reading this Microsoft documentation page, I learnt the MSV1 AP use the Netlogon service to do passthrough authentication.
So trying to do the same and reading the MS-NRPC specifications I need to call the NetrLogonSamLogonEx RPC method, but to do so I need to establish a secure connection using NetrServerAuthenticate3.
But to compute the session key to establish this connection, I apparently need to use the computer account password.
Now using LsaRetrievePrivateData("$machine.acc") I seem to be able to retrieve it but it's in an encrypted form and I can't find any documentation how?
I actually found some code on the internet that seems to be able to decrypt it (reverse engineered or did I miss something?), but if it's really undocumented I guess that's subject to change and break my application if I were to do the same.
So at this point I am just wondering if I am even going in the right direction?
Isn't there some higher level API doing all this secure workstation/DC communication by itself? Maybe the whole SSPI/SSP thing, but I admit I have trouble understanding how to use it. Can I use a builtin SSP, handling all the communication, giving it my message and specifying it which authentication package to give it on the other end?
Any pointers would be appreciated,
Thanks
{count} votes
-
Junjie Zhu - MSFT 15,056 Reputation points Microsoft Vendor2022-06-06T09:51:04.753+00:00 Have you considered NTLM.
-
Romain Braussen 1 Reputation point
2022-06-13T08:43:38.757+00:00 Yes. Well the Negotiate SSP would be even better.
I was really confused at first with the SSP/AP thing, but I need to actually use it, not implement it.
And it would actually handle all the message encryption and integrity, but then I won't be able to use the Netlogon service right?
If I follow this route, is my only option to also develop a windows service to listen for my messages (most likely socket based) ? Is there some builtin windows service I can use ? -
Junjie Zhu - MSFT 15,056 Reputation points Microsoft Vendor
2022-06-13T09:16:26.657+00:00 How about winsock?https://learn.microsoft.com/en-us/windows/win32/winsock/getting-started-with-winsock
-
Romain Braussen 1 Reputation point
2022-06-13T10:05:56.187+00:00 I mean a builtin service to do all the "calling a specific authentication package" thing. Something similar to Netlogon I guess, but that I could use with a builtin SSP.
Basically considering how critical that code would be, I am trying to use builtin things as much as I can. Ideally I would like to only be responsible for the user authentication, not the machine authentication on the network or the encryption or anything.
I was planning at first to use the Netlogon service with the generic data structure that would have done exactly that, but there is the machine password problem. -
Junjie Zhu - MSFT 15,056 Reputation points Microsoft Vendor
2022-06-14T09:56:31.95+00:00 I've notified Microsoft engineers to try and give you a better technical route, if there is any progress I'll update below.
-
Junjie Zhu - MSFT 15,056 Reputation points Microsoft Vendor
2022-06-30T06:34:03.763+00:00 Hi Romain!
Our engineers say that trying to create an auth package is very difficult if not impossible. What exactly are you trying to accomplish with this, and can you be more specific? -
Romain Braussen 1 Reputation point
2022-06-30T13:15:15.637+00:00 Hello Junjie !
Well if I was starting completely from scratch that would indeed be almost impossible and I would not even dare to attempt it alone, on that we agree!
But fortunately my company already have a solid and proven authentication platform supporting different mechanisms like LDAP, plain passwords, certificates, fido keys or time-based OTP and used with various integrations, and already deployed at lots of customers, including big ones.My role in the company is to develop Microsoft products plugins to integrate them with our authentication platform, and we actually already have a proven Credential Provider providing MFA authentication with password as a first factor (or smartcard), using the builtin MS authentication packages and our platform.
Now my goal here is to implement passwordless (and smartcardless I guess) authentication, and it is my understanding the only way to achieve this is to create my own authentication package (subauthentication packages sadly won't do since we want passwordless). The authentication package itself will be fairly simple and will basically serve as a hook to call our authentication platform and validate credentials, and then I have to create the user token (using lmaaccess.h api to get user groups and privileges, I am not trying to do anything special at this level)
Currently I have a POC solution using our own Credential Provider calling our own Authentication Package and it's working for local accounts, all I am trying to do is to extend it to domain accounts!
-
Junjie Zhu - MSFT 15,056 Reputation points Microsoft Vendor
2022-07-01T11:53:03.41+00:00 I'll discuss it with the team engineers, but it's almost the weekend, we'll get back to you as soon as next week, and I'll update below with any progress.
-
Junjie Zhu - MSFT 15,056 Reputation points Microsoft Vendor
2022-07-07T01:39:10.807+00:00 Hi, Romain
After discussion with team engineers. I'm afraid is not suitable to discuss in the Forum. For your scenario, I suggest that you might need to open a support ticket for this. Please contact our paid phone support at MS Support. You will get 1:1 support on that. Please kindly note that your support ticket will be free if it is Microsoft's issue.
Sign in to comment