Custom Interactive Authentication Method on an Active Directory federation

  • Question

  • Hi,

    I'm working with the Windows Local Security Account (LSA) system and trying to develop a custom credential provider and a custom authentication package that allow the authentication of a user on a Domain Controller without using a username and password, but with a custom set of information used as a hint.

    Looking at the available documentation on MSDN and at the Windows SDK examples, I couldn't find information for this kind of scenario.

    So far, I've implemented and deployed on Computer A (which can run Windows 7/8/10...) a custom credential provider which sets the local custom authentication package by using LsaLookupAuthenticationPackage and then sends some random information to the underlying authentication package by setting the KERB_INTERACTIVE_LOGON structure.
    In the custom authentication package, I've implemented all the SECPKG_FUNCTION_TABLE functions by proxying the kerberos.dll functions and enabled some verbose debugging, and I've found out that LsaApLogonUserEx2 is called. The problem is, how can I achieve the interactive logon of a user on a specific Active Directory system without a username and password but with a custom structure used as a hint?

    On the server side, the Domain Controller, what kind of functions should I implement in the custom authentication package in order to do the translation there between my custom data and the real user data?

    I've seen the possibility of using KERB_S4U_LOGON, but I still need to provide the real user principal name.

    Friday, February 5, 2016 2:05 PM