Re: Custom GINA Using Our Custom CSP
From: Eric Perlin [MS] (ericperl_at_online.microsoft.com)
Date: 10/30/04
- Next message: Eric Perlin [MS]: "Re: WLX_DLG_SAS (101)"
- Previous message: Krishna Monian: "Problems with CreatePipe and CreateProcessWithLogonW"
- In reply to: David M. Hunter: "Re: Custom GINA Using Our Custom CSP"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Fri, 29 Oct 2004 16:02:28 -0700
MSGina is not smartcard aware. It actually gets all the smartcard data from
winlogon through messages for insertion/removal and a couple of calls to
WlxGetOption. If you hook enough of this, you should be able to make it
believe it's doing a smartcard logon.
--
Eric Perlin [MS]
This posting is provided "AS IS" with no warranties, and confers no rights.
---
"David M. Hunter" <skipper_dhunter@yahoo.com> wrote in message
news:OtnYEYevEHA.612@TK2MSFTNGP15.phx.gbl...
> Eric,
>
> Thanks for the information on how USB token based products are architected.
> In our case, we are using secure hardware storage, but we don't control the
> driver to that device. The hardware device does generic PKI functions,
> including key storage, but doesn't come with a CSP so we wrote one.
>
> David
>
> "Eric Perlin [MS]" <ericperl@online.microsoft.com> wrote in message
> news:Onvpo6VvEHA.3908@TK2MSFTNGP12.phx.gbl...
> > The USB devices in question typically expose themselves as a USB smartcard
> > reader with a card that's always inserted.
> > As such, it's still a smartcard PKI logon.
> >
> > I'm curious though: where do you plan to store the keys required to satisfy
> > a PKI logon?
> > --
> > Eric Perlin [MS]
> > This posting is provided "AS IS" with no warranties, and confers no rights.
> > ---
> >
> > "David M. Hunter" <skipper_dhunter@yahoo.com> wrote in message
> > news:OAiaomEuEHA.1404@TK2MSFTNGP11.phx.gbl...
> >> We have our own custom CSP and we want to write a GINA such that we can use
> >> PKI keys and certs in our CSP as part of the Windows logon. We've been
> >> working on this for three weeks and I'm looking for a reality check that we
> >> are heading in the correct direction.
> >>
> >> Basically we want to do a PKI-based logon (user doesn't type in a password)
> >> to a Windows domain. Based on the documentation we have found the best
> >> approach we can see is to simulate a smart card logon. We call WlxSasNotify
> >> with the WLX_SAS_TYPE_SC_INSERT. Then later when we hook WlxLoggedOutSAS()
> >> we are calling LsaLogonUser() with type 'Interactive' and the
> >> AuthenticationInformation (the 5th arg) is a copy of the
> >> KERB_SMART_CARD_LOGON structure. The KERB_SMART_CARD_LOGON is not
> >> documented in MSDN, but it looks like the only structure we can pass to
> >> LsaLogonUser() passing CSP or Certificate information. Currently, we are
> >> getting an error that the Kerberos Authentication Package is rejecting our
> >> AuthenticationInformation as incorrectly formatted.
> >>
> >> Does this sound right to anyone or are we way off base? I think this is
> >> possible because some companies sell little USB tokens that implement PKI
> >> features and claim to support Windows logon. Again, we have been hacking on
> >> this for three weeks and given our lack of success I'm starting to question
> >> our approach. Can anyone give an overview of how best to do a custom
> >> PKI-based (no password and not a smart card) logon to a Windows domain?
> >>
> >> Thank you very much for any pointers you can provide.
> >>
> >> David
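The rejection quoted at the end of the thread ("AuthenticationInformation as incorrectly formatted") is the point where most custom-GINA attempts stall, and one frequent cause is handing LsaLogonUser a structure that points at separately allocated memory. The LSA copies the AuthenticationInformation buffer into its own process, so every pointer embedded in it (the PIN's UNICODE_STRING buffer and the CspData blob for KERB_SMART_CARD_LOGON) has to point back inside that same contiguous buffer. The C example below is added here and is not code from the thread, from Microsoft, or from any product; it shows how to marshal the submission into one self-contained allocation and how to verify that property before the call. The type definitions are local mirrors of the ntsecapi.h layouts so the logic compiles and can be checked off Windows; the function names, the PIN value and the CspData bytes are constructed for the example, and a real GINA would fill CspData with a KERB_SMARTCARD_CSP_INFO block produced from its CSP, reader and container names.

```c
/* Added example: marshal a KERB_SMART_CARD_LOGON submission into ONE
 * contiguous buffer, the shape LsaLogonUser expects.
 *
 * The types below mirror the ntsecapi.h layouts (assumption: your SDK's
 * definitions match) so this compiles on any platform. On Windows include
 * <ntsecapi.h> and drop the mirrors. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef uint16_t WCHAR16;                    /* Windows WCHAR, one UTF-16 unit */
enum { KerbSmartCardLogon = 6 };             /* KERB_LOGON_SUBMIT_TYPE value  */

typedef struct {
    uint16_t Length;                         /* in bytes, not characters      */
    uint16_t MaximumLength;
    WCHAR16 *Buffer;
} USTRING;                                   /* mirrors UNICODE_STRING        */

typedef struct {
    uint32_t MessageType;                    /* must be KerbSmartCardLogon    */
    USTRING  Pin;
    uint32_t CspDataLength;
    uint8_t *CspData;                        /* KERB_SMARTCARD_CSP_INFO blob  */
} SC_LOGON;                                  /* mirrors KERB_SMART_CARD_LOGON */

/* Build the self-contained buffer. Returns NULL on a size or allocation
 * failure. *out_len receives the byte count to pass as
 * AuthenticationInformationLength; free() the result after LsaLogonUser. */
SC_LOGON *marshal_sc_logon(const WCHAR16 *pin, size_t pin_chars,
                           const uint8_t *csp, uint32_t csp_len,
                           uint32_t *out_len)
{
    size_t pin_bytes = pin_chars * sizeof(WCHAR16);
    if (pin_bytes > UINT16_MAX) return NULL;     /* UNICODE_STRING limit */
    size_t total = sizeof(SC_LOGON) + pin_bytes + (size_t)csp_len;
    if (total > UINT32_MAX) return NULL;
    uint8_t *buf = calloc(1, total);
    if (!buf) return NULL;

    SC_LOGON *logon = (SC_LOGON *)buf;
    uint8_t *cursor = buf + sizeof(SC_LOGON);    /* trailing data area   */

    logon->MessageType = KerbSmartCardLogon;
    logon->Pin.Length = logon->Pin.MaximumLength = (uint16_t)pin_bytes;
    logon->Pin.Buffer = (WCHAR16 *)cursor;       /* points INSIDE buf    */
    if (pin_bytes) memcpy(cursor, pin, pin_bytes);
    cursor += pin_bytes;

    logon->CspDataLength = csp_len;
    logon->CspData = cursor;                     /* also INSIDE buf      */
    if (csp_len) memcpy(cursor, csp, csp_len);

    *out_len = (uint32_t)total;
    return logon;
}

/* Defensive check to run before LsaLogonUser: every embedded pointer must
 * land inside [logon, logon+len). Returns 1 if well-formed, 0 otherwise.
 * This is exactly the check that fails for a plain copy of the structure. */
int sc_logon_is_self_contained(const SC_LOGON *logon, uint32_t len)
{
    uintptr_t lo = (uintptr_t)logon, hi = lo + len;
    uintptr_t pin = (uintptr_t)logon->Pin.Buffer;
    uintptr_t csp = (uintptr_t)logon->CspData;
    if (len < sizeof(SC_LOGON)) return 0;
    if (logon->MessageType != KerbSmartCardLogon) return 0;
    if (pin < lo || pin + logon->Pin.Length > hi) return 0;
    if (csp < lo || csp + logon->CspDataLength > hi) return 0;
    return 1;
}

int main(void)
{
    /* Constructed sample input: a PIN and placeholder CSP bytes. */
    const WCHAR16 pin[] = { '1', '2', '3', '4' };
    const uint8_t csp_blob[8] = { 1, 2, 3, 4, 5, 6, 7, 8 };
    uint32_t len = 0;
    SC_LOGON *logon = marshal_sc_logon(pin, 4, csp_blob, sizeof csp_blob, &len);
    if (!logon) return 1;
    printf("marshaled %u bytes, self-contained=%d\n",
           (unsigned)len, sc_logon_is_self_contained(logon, len));
    free(logon);
    return 0;
}
```

The same rule applies one level down: the KERB_SMARTCARD_CSP_INFO block placed in CspData carries its card, reader, container and CSP names as character offsets into its own trailing buffer rather than as pointers, so that blob is also safe to copy as a unit. Running the self-containment check on a byte-for-byte copy of a marshaled structure returns 0, because the copy's pointers still reference the original allocation; that is the failure mode the thread describes.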