Extending Kerberos with a Domain Controller SubAuthentication Filter

Can anyone from MS comment on creating a Domain Controller Sub
Authentication Package plus a client AP (authentication package) to
extend Kerberos to support multi-factor authentication, which would
be enforced by the domain controller?

The idea: the client AP would create a named pipe on the client with
Local-System access only, write the biometric data into the named
pipe, and make the Kerberos authentication call with the password; the
Sub Authentication Package on the domain controller would then open
the named pipe, pull out the biometric credential, and accept or
reject the Kerberos authentication. This mechanism could then be
extended to n factors.

1. General comments on the idea of using a domain controller sub
authentication package + named pipe to extend Kerberos

2. Assuming the machine-authentication has already happened, how
reliable/feasible is it to use the named pipe to pass data from the
client to the server?

3. I'm assuming that by the time the domain-controller receives the
Kerberos request, the RPC subsystem that supports the named-pipes is
fully functional?
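The pipe exchange sketched above, written out as an added example that is not part of the original post. All names are assumptions for illustration: the pipe "BiometricFactor", the workstation "WS01", the domain "CONTOSO" and the domain controller "DC01", and the payload is a constructed stand-in for a biometric template. The workstation half creates the pipe with an explicit DACL and releases the factor only after checking which account connected; the DC half opens the pipe over the network and reads it. One point the sketch glosses over and the example accounts for: a process running as Local System on the domain controller reaches the workstation over the network as the DC's computer account (CONTOSO\DC01$), not as the workstation's Local System, so a DACL that admits Local System alone would lock the DC out.

```powershell
# Added example (not code from the original post). Assumed names: pipe
# "BiometricFactor", workstation "WS01", domain "CONTOSO", DC "DC01".
Add-Type -AssemblyName System.Core

$PipeName  = 'BiometricFactor'
$DcAccount = 'CONTOSO\DC01$'   # identity a SYSTEM process on the DC presents over the network
$script:PeerIdentity = $null

# Workstation side (runs as Local System): create the pipe with an explicit
# DACL, wait for the DC, verify who connected, and only then hand over the factor.
function Publish-BiometricFactor {
    param([byte[]] $Factor)

    $acl = [System.IO.Pipes.PipeSecurity]::new()
    $localSystem = [System.Security.Principal.SecurityIdentifier]::new(
        [System.Security.Principal.WellKnownSidType]::LocalSystemSid, $null)
    $acl.AddAccessRule([System.IO.Pipes.PipeAccessRule]::new(
        $localSystem, [System.IO.Pipes.PipeAccessRights]::FullControl,
        [System.Security.AccessControl.AccessControlType]::Allow))
    # The DC is a remote caller, so it is not this machine's Local System. Its
    # computer account needs Read plus Synchronize, which is what a client that
    # opens the pipe with PipeDirection.In (GENERIC_READ) asks for.
    $acl.AddAccessRule([System.IO.Pipes.PipeAccessRule]::new(
        [System.Security.Principal.NTAccount]::new($DcAccount),
        [System.IO.Pipes.PipeAccessRights]'Read, Synchronize',
        [System.Security.AccessControl.AccessControlType]::Allow))

    $server = [System.IO.Pipes.NamedPipeServerStream]::new(
        $PipeName, [System.IO.Pipes.PipeDirection]::Out, 1,
        [System.IO.Pipes.PipeTransmissionMode]::Byte,
        [System.IO.Pipes.PipeOptions]::None, 4096, 4096, $acl)
    try {
        $server.WaitForConnection()
        # The DACL keeps strangers out; this additionally confirms the peer is
        # the expected DC before the credential leaves the machine.
        $server.RunAsClient([System.IO.Pipes.PipeStreamImpersonationWorker]{
            $script:PeerIdentity = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
        })
        if ($script:PeerIdentity -ne $DcAccount) {
            throw "Unexpected pipe client '$($script:PeerIdentity)'; refusing to release the factor."
        }
        $server.Write($Factor, 0, $Factor.Length)
        $server.Flush()
        $server.WaitForPipeDrain()
    } finally {
        $server.Dispose()
    }
}

# DC side (helper for the Sub Authentication Package, running as Local System
# on the DC): open \\WS01\pipe\BiometricFactor and read the blob.
function Receive-BiometricFactor {
    param([string] $ClientHost = 'WS01')

    $client = [System.IO.Pipes.NamedPipeClientStream]::new(
        $ClientHost, $PipeName, [System.IO.Pipes.PipeDirection]::In)
    try {
        $client.Connect(5000)   # milliseconds; fail fast if the pipe is not there
        $buffer = New-Object byte[] 4096
        $total = 0
        do {
            $n = $client.Read($buffer, $total, $buffer.Length - $total)
            $total += $n
        } while ($n -gt 0 -and $total -lt $buffer.Length)
        if ($total -eq 0) { return @() }
        return $buffer[0..($total - 1)]
    } finally {
        $client.Dispose()
    }
}

# Constructed sample payload standing in for a real biometric template.
$sample = [System.Text.Encoding]::UTF8.GetBytes('TEMPLATE:v1:0123456789abcdef')
# On the workstation:   Publish-BiometricFactor -Factor $sample
# On the DC:            Receive-BiometricFactor -ClientHost 'WS01'
```

The eight-argument NamedPipeServerStream constructor that takes a PipeSecurity is the .NET Framework one, so this runs under Windows PowerShell 5.1; on PowerShell 7 the same DACL is applied through NamedPipeServerStreamAcl.Create instead. The identity check uses RunAsClient rather than trusting the DACL alone, since a misconfigured ACL fails open silently while a name mismatch here fails closed.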

