Re: Custom GINA Using Our Custom CSP

From: David M. Hunter (skipper_dhunter_at_yahoo.com)
Date: 10/29/04


Date: Fri, 29 Oct 2004 14:34:38 -0400

Eric,

Thanks for the information on how USB token based products are architected.
In our case, we are using secure hardware storage, but we don't control the
driver to that device. The hardware device does generic PKI functions,
including key storage, but doesn't come with a CSP so we wrote one.

David

"Eric Perlin [MS]" <ericperl@online.microsoft.com> wrote in message
news:Onvpo6VvEHA.3908@TK2MSFTNGP12.phx.gbl...
> The USB devices in question typically expose themselves as a USB smartcard
> reader with a card that's always inserted.
> As such, it's still a smartcard PKI logon.
>
> I'm curious though: where do you plan to store the keys required to
> satisfy a PKI logon?
> --
> Eric Perlin [MS]
> This posting is provided "AS IS" with no warranties, and confers no
> rights.
> ---
>
> "David M. Hunter" <skipper_dhunter@yahoo.com> wrote in message
> news:OAiaomEuEHA.1404@TK2MSFTNGP11.phx.gbl...
>> We have our own custom CSP and we want to write a GINA such that we can
>> use PKI keys and certs in our CSP as part of the Windows logon. We've been
>> working on this for three weeks and I'm looking for a reality check that
>> we are heading in the correct direction.
>>
>> Basically we want to do a PKI-based logon (user doesn't type in a
>> password) to a Windows domain. Based on the documentation we have found,
>> the best approach we can see is to simulate a smart card logon. We call
>> WlxSasNotify with the WLX_SAS_TYPE_SC_INSERT. Then later, when we hook
>> WlxLoggedOutSAS(), we are calling LsaLogonUser() with type 'Interactive'
>> and the AuthenticationInformation (the 5th arg) is a copy of the
>> KERB_SMART_CARD_LOGON structure. The KERB_SMART_CARD_LOGON is not
>> documented in MSDN, but it looks like the only structure we can pass to
>> LsaLogonUser() passing CSP or Certificate information. Currently, we are
>> getting an error that the Kerberos Authentication Package is rejecting
>> our AuthenticationInformation as incorrectly formatted.
>>
>> Does this sound right to anyone, or are we way off base? I think this is
>> possible because some companies sell little USB tokens that implement PKI
>> features and claim to support Windows logon. Again, we have been hacking
>> on this for three weeks and, given our lack of success, I'm starting to
>> question our approach. Can anyone give an overview of how best to do a
>> custom PKI-based (no password and not a smart card) logon to a Windows
>> domain?
>>
>> Thank you very much for any pointers you can provide.
>>
>> David
>>
>>
>>
>
>
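The one technical step the quoted description glosses over is how the KERB_SMART_CARD_LOGON block handed to LsaLogonUser has to be laid out. The following is an added example, not code from David, Eric or Microsoft. It assumes the structure layouts of KERB_SMART_CARD_LOGON and KERB_SMARTCARD_CSP_INFO as hand-transcribed from ntsecapi.h in the #else branch, that the four name offsets in the CSP info are WCHAR counts from bBuffer (my reading of the header documentation), and it uses made-up card, reader, container and CSP names. The point it demonstrates: LsaLogonUser copies AuthenticationInformation into lsass as a single flat buffer and the authentication package re-bases the pointers it finds inside against the client's buffer address, so Pin.Buffer and CspData must point into that same block. A bare copy of the struct whose PIN and CSP info live elsewhere in the GINA's heap is rejected as malformed, which is one plausible source of exactly the error quoted above; check_smart_card_logon catches that class of mistake before LSA does.

```c
/* Added example, not code from the thread: marshal the AuthenticationInformation block for a
 * KerbSmartCardLogon and check its layout before LsaLogonUser sees it. The #else typedefs
 * are hand-transcribed from ntsecapi.h so the marshalling can be unit-tested off Windows. */
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#ifdef _WIN32
#  ifndef UNICODE
#    define UNICODE
#  endif
#  include <windows.h>
#  include <ntsecapi.h>
#else
typedef uint16_t WCHAR, TCHAR, USHORT; typedef uint32_t ULONG, DWORD; typedef uint64_t ULONG64;
typedef unsigned char *PUCHAR; typedef void *PVOID; typedef WCHAR *PWSTR;
typedef struct { USHORT Length; USHORT MaximumLength; PWSTR Buffer; } UNICODE_STRING;
typedef enum { KerbInteractiveLogon = 2, KerbSmartCardLogon = 6 } KERB_LOGON_SUBMIT_TYPE;
typedef struct {                          /* what AuthenticationInformation points at */
    KERB_LOGON_SUBMIT_TYPE MessageType;   /* KerbSmartCardLogon */
    UNICODE_STRING Pin;                   /* Pin.Buffer must point inside the submitted block */
    ULONG CspDataLength;
    PUCHAR CspData;                       /* -> KERB_SMARTCARD_CSP_INFO, also inside the block */
} KERB_SMART_CARD_LOGON;
typedef struct {                          /* tells Kerberos which CSP/container holds the key */
    DWORD dwCspInfoLen;                   /* bytes: fixed part plus the names in bBuffer */
    DWORD MessageType;                    /* 1 */
    union { PVOID ContextInformation; ULONG64 SpaceHolderForWow64; } u; /* anonymous in the real header */
    DWORD flags, KeySpec;                 /* KeySpec: AT_KEYEXCHANGE or AT_SIGNATURE */
    ULONG nCardNameOffset, nReaderNameOffset, nContainerNameOffset, nCSPNameOffset;
    TCHAR bBuffer;                        /* first WCHAR of the packed NUL-terminated names */
} KERB_SMARTCARD_CSP_INFO;
#  define AT_KEYEXCHANGE 1
#endif

typedef struct { unsigned char *buf; size_t len; } logon_blob;

static size_t widen(WCHAR *dst, const char *src) {      /* ASCII -> UTF-16, no terminator */
    size_t n = 0;
    for (; src[n]; n++) dst[n] = (WCHAR)(unsigned char)src[n];
    return n;
}

/* One contiguous block: [KERB_SMART_CARD_LOGON][PIN][pad][KERB_SMARTCARD_CSP_INFO + names].
 * Name offsets are counted in WCHARs from bBuffer (my reading of the header documentation). */
int pack_smart_card_logon(const char *pin, const char *card, const char *reader,
                          const char *container, const char *csp, logon_blob *out)
{
    const char *names[4] = { card, reader, container, csp };
    size_t pin_bytes = strlen(pin) * sizeof(WCHAR), nchars = 0;
    for (int i = 0; i < 4; i++) nchars += strlen(names[i]) + 1;
    size_t csp_off = (sizeof(KERB_SMART_CARD_LOGON) + pin_bytes + 7) & ~(size_t)7;
    size_t csp_len = offsetof(KERB_SMARTCARD_CSP_INFO, bBuffer) + nchars * sizeof(WCHAR);
    if (pin_bytes > 0xFFFF) return -1;                  /* UNICODE_STRING.Length is a USHORT */
    unsigned char *buf = calloc(1, csp_off + csp_len);  /* zero fill supplies every NUL */
    if (!buf) return -1;
    KERB_SMART_CARD_LOGON *hdr = (KERB_SMART_CARD_LOGON *)buf;
    hdr->MessageType = KerbSmartCardLogon;
    hdr->Pin.Buffer = (PWSTR)(buf + sizeof *hdr);       /* inside the block, not a separate alloc */
    hdr->Pin.Length = hdr->Pin.MaximumLength = (USHORT)pin_bytes;
    widen(hdr->Pin.Buffer, pin);
    KERB_SMARTCARD_CSP_INFO *ci = (KERB_SMARTCARD_CSP_INFO *)(buf + csp_off);
    ci->dwCspInfoLen = (DWORD)csp_len;
    ci->MessageType = 1;
    ci->KeySpec = AT_KEYEXCHANGE;
    ULONG *offs[4] = { &ci->nCardNameOffset, &ci->nReaderNameOffset, &ci->nContainerNameOffset, &ci->nCSPNameOffset };
    for (size_t i = 0, pos = 0; i < 4; i++) {
        *offs[i] = (ULONG)pos;
        pos += widen(&ci->bBuffer + pos, names[i]) + 1;  /* +1 steps over the NUL */
    }
    hdr->CspDataLength = (ULONG)csp_len;
    hdr->CspData = (PUCHAR)ci;
    out->buf = buf; out->len = csp_off + csp_len;
    return 0;
}

static int inside(const unsigned char *buf, size_t len, const void *p, size_t n) {
    uintptr_t b = (uintptr_t)buf, q = (uintptr_t)p;
    return q >= b && q - b <= len && n <= len - (q - b);
}

/* 0 if the block meets the structural rules LSA enforces before it looks at the PIN,
 * else a code naming the first rule broken. Run it on anything you are about to submit. */
int check_smart_card_logon(const unsigned char *buf, size_t len)
{
    if (len < sizeof(KERB_SMART_CARD_LOGON)) return 1;
    const KERB_SMART_CARD_LOGON *hdr = (const KERB_SMART_CARD_LOGON *)buf;
    if (hdr->MessageType != KerbSmartCardLogon) return 2;
    if (!inside(buf, len, hdr->Pin.Buffer, hdr->Pin.Length)) return 3;   /* PIN not in block */
    if (hdr->Pin.Length % sizeof(WCHAR) || hdr->Pin.Length > hdr->Pin.MaximumLength) return 4;
    if (!inside(buf, len, hdr->CspData, hdr->CspDataLength)) return 5;   /* CSP info not in block */
    if ((uintptr_t)hdr->CspData % 8 || hdr->CspDataLength < offsetof(KERB_SMARTCARD_CSP_INFO, bBuffer)) return 6;
    const KERB_SMARTCARD_CSP_INFO *ci = (const KERB_SMARTCARD_CSP_INFO *)hdr->CspData;
    if (ci->dwCspInfoLen != hdr->CspDataLength || ci->MessageType != 1) return 7;
    size_t nchars = (hdr->CspDataLength - offsetof(KERB_SMARTCARD_CSP_INFO, bBuffer)) / sizeof(WCHAR);
    ULONG offs[4] = { ci->nCardNameOffset, ci->nReaderNameOffset, ci->nContainerNameOffset, ci->nCSPNameOffset };
    for (int i = 0; i < 4; i++) {
        size_t k = offs[i];
        while (k < nchars && (&ci->bBuffer)[k]) k++;        /* a NUL must arrive before the end */
        if (k >= nchars) return 8 + i;                     /* offset out of range or unterminated */
    }
    return 0;
}
```

On Windows the block then goes, from the WlxLoggedOutSAS handler, straight into LsaLogonUser(lsa, &origin, Interactive, kerbPackage, b.buf, (ULONG)b.len, NULL, &source, &profile, &profileLen, &luid, &token, &quotas, &subStatus), with lsa from LsaRegisterLogonProcess and kerbPackage from LsaLookupAuthenticationPackage for "Kerberos". Two caveats that follow from what the structure carries: the Kerberos client opens the named CSP and container from inside lsass to read the certificate and sign the PKINIT request, so a custom CSP must be registered and loadable in that process (and, in the era of this thread, CryptoAPI would not load a CSP without a Microsoft-issued signature); and the card and reader names are whatever that CSP expects to be handed back, which for a device that is not a real smart card reader is a contract between the GINA and the CSP, not something Windows validates.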


