Extending Kerberos with a Domain Controller SubAuthentication Filter
- From: michael.vincent03@xxxxxxxxx
- Date: Mon, 02 Jul 2007 15:07:13 -0700

Can anyone from MS comment on creating a Domain Controller Sub
Authentication Package plus a client AP (authentication package) to
extend Kerberos to support multi-factored authentication, which would
be enforced by the domain controller?

The idea: The client AP would create a named-pipe on the client with
Local-System access only, write the biometric data into the named-pipe,
and make the Kerberos authentication call with password, and
then the Sub Authentication packages on the domain-controller would
open the named-pipe, pull out the biometric credential and accept or
reject the Kerberos authentication. This mechanism could then be
extended to n-factors.

1. General comments on the idea of using a domain controller sub
authentication package + named pipe to extend Kerberos
authentication?
2. Assuming the machine-authentication has already happened, how
reliable/feasible is it to use the named pipe to pass data from the
client to the server?
3. I'm assuming that by the time the domain-controller receives the
Kerberos request, the RPC subsystem that supports the named-pipes is
fully functional?