Is it possible using Custom Credential Provider to make windows logon without real password of local user?
I'm already able to install/register sample code from Microsoft, and even able to debug it.
My expectation from this mechanism: User inputs some password and my implementation performs some comparison against local database of my password (stored as sqlite database).
Reality: local user password MUST be passed to LSA subsystem within
ICredentialProviderCredential::GetSerialization(...)
Frankly speaking I'm trying to use some sort of -one-time-coupon codes as passwords, to login to a kiosk-like workstation.
This is the main reason for developing custom credential provider.
Your provider must return to the Logon UI or Cred UI the authentication information. It can be a login/password pair or a certificate based authentication.
Inside of your database you can store a real user's password and return it after checking your own OTP.
Related
I am trying to create local admin account for my lab machines with unique passwords. I have around 25 machines in the lab. I am looking out if there is any way where we can store the password in Azure keyvault and if password is rotated in azure key vault, the authentication should pick up the updated password and authorize the user. I have to rotate password too often, usually once in couple of days. The end user would receive the password with which he can login.
This is a too complex task to put it into a simple answer. You have to divide your problem into some smaller ones. Here here the building blocks I would see:
Create an authenticated web api that allows CRUD operations against your Azure Key vault (maybe with ASP core or Azure functions, etc.)
Create a windows service that runs on your lab machines and is able to change the local admin accounts password and can communicate with your web api.
Create an authenticated web page, where you can log in and read the username and password.
All of these steps have to be divided on their own and or not trivial. Also some additional features could make sense like
when a username/password was given out some log is written about who got when this username/password.
when a username/password was given out the windows service will be informed (maybe by regular requests from the windows service or some back channel like SignalR or Redis channel) and produces a new password a given time later (e.g. 8 hours later)
Nevertheless, this is a complex project that needs at least several weeks to be implemented correctly, even if you know how all these techniques are working.
Is there any way to keep client third party service password secured from others being able to access server machine?
Password is used to send messages between two system, from A->B. There are 3 actors:
client - owner of the infrastructure and user of system A and B
provider A - author of system A which have ablitity to RDP into client server and administrate it to keep system A working
service B - service providing access to system B, secured with password known to client which provider A shouldn't directly know
Every solution based on encryption and storing password in configuration/database is not an option because provider A will always have access to decrypting algorithm and mangled password.
Best solution right know is based on keeping password in server Windows Credential Manager. Provider A can use it inside message sender process by its code but password itself is not directly visible in server. It always can be retrived by provider A but it is a bit safer.
I implemented my own custom Windows credential provider following the Windows SDK example which should let a remote application connect to a server and perform logon automatically.
The problem is: the SetUsageScenario event is not called until a user presses the SAS combination (Ctrl+Alt+Del), therefore my credential provider isn't able to automatically perform the login until that happens.
How does RDP do the login automatically without me pressing Ctrl+Alt+Del and logging in automatically? How do I do the same with my custom credential provider?
SAS can be skipped for Console session only if You turn it off manually in the registry/policies.
RDP session always skip SAS and direct You to enter credentials.
Moreover modern RDP client asks for credentials prior to establishing connection to remote server. It serialize your credentials and send them to remote server. On server authentication is done using this serialized data.
Since version 5.50 the Bitvise SSH Server allows connected client to authenticate to Windows user account without providing this user's Windows password. See here: https://www.bitvise.com/ssh-server-version-history
I've checked it myself - it does indeed.
My question is of pure curiosity: what kind of sorcery is this? Is there any WinAPI that allows such thing or is this some kind of clever hack? I always thought it is impossible to impersonate as other user without a password (as even when configuring Windows service or scheduled task to "run as user" it is neccessary to provide one).
IIRC, the SSH server in Cygwin does the same thing.
If you have the appropriate privileges you can create an access token with ZwCreateToken, no password required. Such a token has some limitations. For example, you can't access network resources without a password and some encrypted material isn't accessible.
There's an explanation and some sample code here.
Since version 5.50, Bitvise SSH Server comes with a Windows authentication package. An authentication package can enhance the Windows logon process in custom ways. When the SSH server needs to log you in, but does not have a password (e.g. because you logged in with a public key), it calls the authentication package to construct a logon token which closely resembles the logon token that would have been created by Windows. As arx has noted, a session created this way does not contain your authentication credentials, so side effects are that you can't access things like network resources and EFS.
I work as a student web developer for my computer science department and I've been asked to look into a modification of our password reset procedure for linux accounts. Currently users will log in with their university credentials (via Active Directory) and after being authenticated they get a temporary password through email which they are forced to change as soon as they log in. This way eben if the temporary password it intercepted there is a very short time span in which it could even be used.
Now the idea has been posed that instead of using a temporary password that we might allow the user to pick a new permanent password and set it directly through the web utility. It is my understanding that https is more of "the best we have" than "a great way to secure information". Are there any other avenues I can explore for securing the new password so that we can feel comfortable implementing such a system?
Basically, if you communicate with a server over HTTPS and the private key of the server isn't exposed to someone else, you can be sure that anything you transfer (e.g. the new password) can only be decrypted by the server. Additionally the server certificate assures, that the server you are communicating with, really is the server you want to communicate with.
So, using HTTPS provides authentication and prevents eavesdropping.
If you are working with Active Directory, it is my understanding that the Password Modify Extended Operation (which requires the existing password) is not supported. Therefore, the password must be changed with the LDAP modify request. One solution would be to use the UnboundID LDAP SDK with a web application to execute the LDAP modify with the new password. The modify request should be transmitted over a secure connection, or a non-secure connection promoted to a secure connection using the StartTLS extended operation.
see also
AD password change
Using ldapmodify - this article is about the command line utility ldapmodify but the concepts are useful.