Re: Custom GINA Using Our Custom CSP
From: Eric Perlin [MS] (ericperl_at_online.microsoft.com)
Date: 10/29/04
- Previous message: Yu Chen [MS]: "Re: how to determine it's a TLS connecton?"
- In reply to: David M. Hunter: "Custom GINA Using Our Custom CSP"
- Next in thread: David M. Hunter: "Re: Custom GINA Using Our Custom CSP"
- Reply: David M. Hunter: "Re: Custom GINA Using Our Custom CSP"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Thu, 28 Oct 2004 19:25:48 -0700
The USB devices in question typically expose themselves as a USB smartcard
reader with a card that's always inserted.
As such, it's still a smartcard PKI logon.
I'm curious though: where do you plan to store the keys required to satisfy
a PKI logon?
-- Eric Perlin [MS]
This posting is provided "AS IS" with no warranties, and confers no rights.

---
"David M. Hunter" <skipper_dhunter@yahoo.com> wrote in message
news:OAiaomEuEHA.1404@TK2MSFTNGP11.phx.gbl...
> We have our own custom CSP and we want to write a GINA such that we can use
> PKI keys and certs in our CSP as part of the Windows logon. We've been
> working on this for three weeks and I'm looking for a reality check that we
> are heading in the correct direction.
>
> Basically we want to do a PKI-based logon (user doesn't type in a password)
> to a Windows domain. Based on the documentation we have found the best
> approach we can see is to simulate a smart card logon. We call WlxSasNotify
> with the WLX_SAS_TYPE_SC_INSERT. Then later when we hook WlxLoggedOutSAS()
> we are calling LsaLogonUser() with type 'Interactive' and the
> AuthenticationInformation (the 5th arg) is a copy of the
> KERB_SMART_CARD_LOGON structure. The KERB_SMART_CARD_LOGON is not
> documented in MSDN, but it looks like the only structure we can pass to
> LsaLogonUser() passing CSP or Certificate information. Currently, we are
> getting an error that the Kerberos Authentication Package is rejecting our
> AuthenticationInformation as incorrectly formatted.
>
> Does this sound right to anyone, or are we way off base? I think this is
> possible because some companies sell little USB tokens that implement PKI
> features and claim to support Windows logon. Again, we have been hacking on
> this for three weeks and given our lack of success I'm starting to question
> our approach. Can anyone give an overview of how best to do a custom
> PKI-based (no password and not a smart card) logon to a Windows domain?
>
> Thank you very much for any pointers you can provide.
>
> David
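The quoted question passes a KERB_SMART_CARD_LOGON as the AuthenticationInformation of LsaLogonUser. One thing worth checking before anything else when Kerberos reports the buffer as incorrectly formatted is the marshalling: the LSA receives only the bytes of the submit buffer itself, so the Pin string and the CspData blob have to live inside that same block, with the embedded pointers aimed at those in-block copies. The example below is added here and is not code from the thread or from either poster. It assumes the KERB_SMART_CARD_LOGON and UNICODE_STRING layouts mirror ntsecapi.h (they are redeclared so the file compiles without the Windows SDK; on Windows include the real header instead), uses a constructed PIN and a constructed opaque stand-in for the CSP data (in practice that blob is the KERB_SMARTCARD_CSP_INFO that Kerberos parses; its layout is not reproduced here), and the function names are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Stand-ins for the Windows types used by KERB_SMART_CARD_LOGON.
 * Assumption: field order mirrors ntsecapi.h. Replace with <ntsecapi.h>
 * when building a real GINA. */
typedef uint16_t WCHAR;
typedef uint16_t USHORT;
typedef uint32_t ULONG;
typedef unsigned char UCHAR;

typedef struct {
    USHORT Length;        /* bytes in use, not characters */
    USHORT MaximumLength; /* bytes allocated */
    WCHAR *Buffer;
} UNICODE_STRING;

enum { KerbSmartCardLogon = 6 }; /* KERB_LOGON_SUBMIT_TYPE value */

typedef struct {
    ULONG MessageType;   /* must be KerbSmartCardLogon */
    UNICODE_STRING Pin;  /* PIN the CSP needs to unlock the private key */
    ULONG CspDataLength; /* byte length of the CSP info blob */
    UCHAR *CspData;      /* CSP/reader/container description, parsed by Kerberos */
} KERB_SMART_CARD_LOGON;

static size_t align8(size_t n) { return (n + 7) & ~(size_t)7; }

/* Lays out header, PIN characters and CSP blob in ONE allocation and points
 * the embedded pointers at the copies inside it. The caller passes the block
 * as AuthenticationInformation with *out_len as its length, then frees it.
 * Returns NULL on oversized input or allocation failure. */
unsigned char *pack_smart_card_logon(const WCHAR *pin, size_t pin_chars,
                                     const unsigned char *csp_info, size_t csp_len,
                                     size_t *out_len)
{
    size_t pin_bytes = pin_chars * sizeof(WCHAR);
    if (pin_bytes > 0xFFFF || csp_len > 0xFFFFFFFFu) return NULL; /* USHORT / ULONG limits */
    size_t pin_off = align8(sizeof(KERB_SMART_CARD_LOGON));
    size_t csp_off = align8(pin_off + pin_bytes);
    size_t total = csp_off + csp_len;

    unsigned char *blk = calloc(1, total);
    if (!blk) return NULL;
    KERB_SMART_CARD_LOGON *hdr = (KERB_SMART_CARD_LOGON *)blk;
    hdr->MessageType = KerbSmartCardLogon;
    hdr->Pin.Length = (USHORT)pin_bytes;
    hdr->Pin.MaximumLength = (USHORT)pin_bytes;
    hdr->Pin.Buffer = (WCHAR *)(blk + pin_off);   /* inside the block */
    memcpy(blk + pin_off, pin, pin_bytes);
    hdr->CspDataLength = (ULONG)csp_len;
    hdr->CspData = blk + csp_off;                 /* inside the block */
    memcpy(blk + csp_off, csp_info, csp_len);
    *out_len = total;
    return blk;
}

/* True when [p, p+n) lies entirely within [buf, buf+len). */
static int inside(const unsigned char *buf, size_t len, const void *p, size_t n)
{
    uintptr_t lo = (uintptr_t)buf, hi = lo + len, q = (uintptr_t)p;
    return q >= lo && n <= hi - q;
}

/* Pre-flight check a GINA can run before calling LsaLogonUser: every pointer
 * embedded in the structure must resolve inside the submit buffer. */
int submit_buffer_is_contiguous(const unsigned char *buf, size_t len)
{
    if (len < sizeof(KERB_SMART_CARD_LOGON)) return 0;
    const KERB_SMART_CARD_LOGON *h = (const KERB_SMART_CARD_LOGON *)buf;
    if (h->MessageType != KerbSmartCardLogon) return 0;
    if (h->Pin.Length % sizeof(WCHAR) != 0 || h->Pin.Length > h->Pin.MaximumLength) return 0;
    if (!inside(buf, len, h->Pin.Buffer, h->Pin.MaximumLength)) return 0;
    if (h->CspDataLength == 0 || !inside(buf, len, h->CspData, h->CspDataLength)) return 0;
    return 1;
}

/* Constructed inputs: a 4-digit PIN and a 4-byte stand-in for the CSP blob. */
static const WCHAR DEMO_PIN[] = { '1', '2', '3', '4' };
static const unsigned char DEMO_CSP[] = { 0xAA, 0xBB, 0xCC, 0xDD };

/* Packed the right way: the check passes. */
int demo_packed_block_is_contiguous(void)
{
    size_t len = 0;
    unsigned char *blk = pack_smart_card_logon(DEMO_PIN, 4, DEMO_CSP, sizeof DEMO_CSP, &len);
    int ok = blk != NULL && submit_buffer_is_contiguous(blk, len);
    free(blk);
    return ok;
}

/* The mistake: a bare header whose pointers reference the caller's own
 * memory. The LSA never sees those bytes, so the check rejects it. */
int demo_external_pointers_rejected(void)
{
    KERB_SMART_CARD_LOGON h;
    memset(&h, 0, sizeof h);
    h.MessageType = KerbSmartCardLogon;
    h.Pin.Length = h.Pin.MaximumLength = (USHORT)sizeof DEMO_PIN;
    h.Pin.Buffer = (WCHAR *)DEMO_PIN;            /* outside the submit buffer */
    h.CspDataLength = (ULONG)sizeof DEMO_CSP;
    h.CspData = (UCHAR *)DEMO_CSP;               /* outside the submit buffer */
    return submit_buffer_is_contiguous((const unsigned char *)&h, sizeof h);
}
```

The packer uses absolute pointers into the single block, which is how a GINA hands the structure straight to LsaLogonUser; whatever else is wrong with the CspData contents, a buffer that fails this check will not get past the authentication package.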