Active directory custom authentication


I had created a sub-authentication package for Windows 7 login. It worked successfully for local account logins. I then tried to implement the same sub-authentication package for Active Directory on Windows Server 2008 R2. I placed my DLLs in the Windows\System32\ folder and modified the registry values for Kerberos as the Microsoft document on sub-authentication DLLs explains.

The value I set was in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos Value: Auth0 set to C:\Windows\System32\SubAuth.dll (am I right here?).

But while authenticating, I notice that my sub-authentication package doesn't get called, as I don't get asked for the second factor while authenticating a user on a client machine against AD.

Am I missing something in the setup, or is there something I have to change in my sub-authentication package?

Let me know if I have missed any information here.

PS: The sub-authentication package is developed as per Microsoft's Credential Provider documentation (in the Msv1_0SubAuthenticationFilter routine).

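An added audit script, not part of the question or either answer, that enumerates the AuthN sub-authentication values under both the MSV1_0 and Kerberos LSA keys and reports whether each referenced DLL is present and Authenticode-signed. It assumes that a bare value name is resolved under %SystemRoot%\System32 with a .dll extension, while a full path is used as written.

```powershell
# Added audit script (not from the original thread).
# Lists every AuthN sub-authentication registration under the LSA keys and
# checks whether the referenced DLL exists and carries a valid signature.
$keys = @(
    'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0',
    'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos'
)

foreach ($key in $keys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    # Only values named Auth0, Auth1, ... register sub-authentication packages;
    # this filter also drops the PSPath/PSParentPath properties PowerShell adds.
    $authValues = $props.PSObject.Properties | Where-Object { $_.Name -match '^Auth\d+$' }
    if (-not $authValues) {
        Write-Output "$key : no sub-authentication packages registered"
        continue
    }
    foreach ($v in $authValues) {
        $raw = [string]$v.Value
        # Assumption: a bare name resolves relative to System32 with .dll appended;
        # a rooted path is taken as-is.
        if ([System.IO.Path]::IsPathRooted($raw)) {
            $dll = $raw
        } else {
            $dll = Join-Path $env:SystemRoot ('System32\' + $raw)
            if ($dll -notlike '*.dll') { $dll += '.dll' }
        }
        $exists = Test-Path -LiteralPath $dll
        $sig = if ($exists) { (Get-AuthenticodeSignature -FilePath $dll).Status } else { 'n/a' }
        [pscustomobject]@{
            Key       = $key
            Value     = $v.Name
            Data      = $raw
            Resolved  = $dll
            Exists    = $exists
            Signature = $sig
        }
    }
}
```

Run it in an elevated PowerShell session on the domain controller and the client; any AuthN entry pointing at a missing or unsigned DLL is worth investigating, since these keys are also a known persistence location.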

There are 2 answers

R.Timur On

Looks like this is by design - the Msv1_0SubAuthenticationFilter routine from the kerberos\msv1_0 subauth package will not be called for cached domain interactive logon.

For interactive logon the call chain will be something like:

LsaApLogonUserEx2->MsvSamValidate->MsvpSamValidate->MsvpPasswordValidate
LsaApLogonUserEx2->MsvSamValidate->MsvpSamValidate->Msv1_0SubAuthenticationRoutine

But for cached interactive logon the call chain looks like:

LsaApLogonUserEx2->MsvpPasswordValidate 
<and there is no call to Msv1_0SubAuthenticationRoutine here>
harshad On

To achieve what I asked in the question, I needed to hack around Microsoft's authentication package.

Here's what I did.

To communicate with Active Directory and perform the authentication against AD, I had to do it beforehand in the credential provider.

So my control flow for the solution goes like this in the credential provider:

  1. Check whether the user is connected to the network.
  2. If yes, then communicate with the AD server, which is predefined, and validate the user against the AD entry.
  3. If the user is validated, then ask for the 2nd factor in the credential provider only, and on successful validation pass the user to the sub-auth module and bypass the 2nd factor in sub-auth.
  4. If the user is not connected to the network, then validate with the sub-auth module.

So basically, I had to perform the 2nd-factor authentication first if the user needed to validate against AD, and perform the password authentication later on in the sub-auth module.