Kerberos TGS request to obtain NTLM credentials after smart card logon

  • Saturday, October 31, 2009 10:14 AM, Ondrej Sevecek (MVP)
    Hello,

    I am just investigating how it works when a user logged on with a smart card tries to access a file server by using its IP address, such as \\10.10.0.11\data, from Windows 7 (Seven). In case the user has logged on with a smart card, he has only Kerberos tickets, and the only thing he can do is obtain TGT and TGS tickets for SPNs. But for IP addresses, Kerberos is never used (since Vista). So the workstation really uses NTLM. But for this, it needs to obtain NTLM credentials for this operation from its DC somehow. How?

    I was monitoring this by using Network Monitor and the sequence of events after typing the UNC path appears like the following:
    a) try accessing the server by using NTLM - SMB Negotiate
    b) receive MORE_PROCESSING_REQUIRED with a server NTLM challenge
        - the message also contains the server's domain name and the server's name
        - this COULD lead to SPN construction, but it IS NOT USED!
    c) smart card PIN dialog displayed
    d) TGT requested for the user (say Ondrej)

    And here comes the weird thing:
    e) TGS request for an SPN: Ondrej (the user's login, not the server's SPN)
    f) SMB SESSION SETUP with NTLM response!!!

    The fact is that the user, after obtaining his own TGT (Ondrej), then asks not for the CIFS/server TGS but for TGS (Ondrej). This must somehow bring him NTLM credentials from the DC.

    How does this work exactly? 

    Thank you very much.

    ondrej.

Answers

  • Tuesday, November 03, 2009 8:07 AM, Joson Zhou (MSFT, Moderator) - Answer

    Hi,

    Based on my research, Windows CredSSP clients use the OWF of the password contained in the TGT ticket returned from the KDC for NTLM authentication. This OWF of the password allows NTLM to be used even when the original logon is done with a smart card.

    The following text in the article http://msdn.microsoft.com/en-us/library/cc238488(PROT.13).aspx explains why the TGT ticket returned by the KDC contains the NTLM credentials:

    “When PKCA is used, even though the user did not authenticate with NTLM, the KDC returns the NTLM credentials for that user in the privilege attribute certificate (PAC) PAC_CREDENTIAL_INFO buffer, as specified in [MS-PAC] section 2.6.1. These credentials allow an application to connect to some network service that does not accept Kerberos tickets and requires NTLM authentication.”

    Hope the information is helpful.

    Joson Zhou

    TechNet Subscriber Support in forum

    If you have any feedback on our support, please contact tngfb@microsoft.com

    This posting is provided "AS IS" with no warranties, and confers no rights.
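To make the mechanism in the answer concrete, here is an added example (not from this thread or from Microsoft) that walks the PACTYPE header from MS-PAC and locates the PAC_CREDENTIAL_INFO buffer (ulType 2) that a PKCA TGT carries, reporting its version and encryption type. The PAC blob is a constructed sample, and the credential data is left as opaque ciphertext, since only the client holding the AS reply key can decrypt it.

```python
import struct
from dataclasses import dataclass

# PAC_INFO_BUFFER.ulType values from MS-PAC section 2.4.
PAC_LOGON_INFO = 0x00000001
PAC_CREDENTIAL_INFO = 0x00000002   # present only for PKCA (smart card) logons


@dataclass
class PacCredentialInfo:
    version: int          # MS-PAC 2.6.1: must be 0
    encryption_type: int  # Kerberos etype of the AS reply key (18 = AES256)
    ciphertext: bytes     # NDR-encoded PAC_CREDENTIAL_DATA, still encrypted


def parse_pac_buffers(pac: bytes) -> dict:
    """Walk the PACTYPE header and return {ulType: buffer bytes}."""
    count, version = struct.unpack_from("<II", pac, 0)
    if version != 0:
        raise ValueError(f"unexpected PACTYPE version {version}")
    buffers = {}
    for i in range(count):
        ul_type, size, offset = struct.unpack_from("<IIQ", pac, 8 + 16 * i)
        if offset + size > len(pac):
            raise ValueError(f"buffer {ul_type:#x} runs past end of PAC")
        buffers[ul_type] = pac[offset:offset + size]
    return buffers


def credential_info_from_pac(pac: bytes) -> "PacCredentialInfo | None":
    """Return the PAC_CREDENTIAL_INFO buffer, or None for a password logon."""
    buf = parse_pac_buffers(pac).get(PAC_CREDENTIAL_INFO)
    if buf is None:
        return None
    version, etype = struct.unpack_from("<II", buf, 0)
    if version != 0:
        raise ValueError(f"unexpected PAC_CREDENTIAL_INFO version {version}")
    return PacCredentialInfo(version, etype, buf[8:])


def build_sample_pac(pkca: bool) -> bytes:
    """Constructed sample PAC (not a real ticket): logon info plus, for a
    smart card logon, a credential buffer with 40 bytes of dummy ciphertext."""
    bufs = [(PAC_LOGON_INFO, b"\x00" * 24)]
    if pkca:
        bufs.append((PAC_CREDENTIAL_INFO, struct.pack("<II", 0, 18) + b"\x11" * 40))
    offset, entries, body = 8 + 16 * len(bufs), b"", b""
    for ul_type, data in bufs:          # buffers are 8-byte aligned
        entries += struct.pack("<IIQ", ul_type, len(data), offset)
        data += b"\x00" * (-len(data) % 8)
        body += data
        offset += len(data)
    return struct.pack("<II", len(bufs), 0) + entries + body
```

Running `credential_info_from_pac` over a PAC extracted from a real TGT shows whether the KDC supplied NTLM material for that logon, which is what lets the workstation answer the SMB NTLM challenge without a password.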

All Replies

  • Tuesday, November 03, 2009 11:35 AM, Ondrej Sevecek (MVP)

    Exquisite. Thank you very much.

    ondrej.