| Groups | Blog | Home |
iis security : Authentication using Distinguished name instead of Certificates...
I need to authenticate against active directory and log a user on to
Sharepoint. In order to reduce SSL load and support edge server caching we are using a persistant shared SSL connection. My code will be searching active directory using the distinguished name from the origional user certificate to determine the correct user account and then logging on the user. However, I do not have the "password" in plain text. How can I logon / impersonate the user / grab the appropriate "ticket" without the password? This is what IIS does when it does certificate based login, however, in this case, I do not have the full certificate.
I DO want to a pass-through authentication feature by myself. Instead of
authenticating on a client certificate, I want to authenticate based on the Distinguished name contained in a header in the client request. For security purposes there is also a certificate contained in the request, however, I am only using that to verify the validity of the connection, not to authenticate the user who originally sent the HTTP request. [quoted text, click to view] ""Yuan Ren[MSFT]"" wrote:
> Hi, > > Welcome to Microsoft newsgroup! > > >How can I logon / impersonate the user / grab the appropriate "ticket" > without the password? > >¡ > >"This is what IIS does when it does certificate based login, however, in > this case, I do not have the full certificate." > > IIS has client certificate authentication. However in this scenario, we do > need to provide each authenticated user account's password which is stored > into IIS metabase. The below article explains how this feature works in IIS > 5.0: > http://support.microsoft.com/default.aspx?scid=kb;en-us;313070&sd=tech > > >"I need to authenticate against active directory and log a user on to > Sharepoint. In order to reduce SSL load and support edge server caching we > are using a persistant shared SSL connection." > > I'm not very clear about what you want to achieve. Could you please explain > the whole scenario more clearly? It sounds like you want to implement a > pass-through authentication feature by yourself? What authentication method > you want to use? Is SSL used for encryption only or you also want it to > implement client cert authentication? > > Regards, > > Yuan Ren [MSFT] > Microsoft Online Support >
Hi,
Welcome to Microsoft newsgroup! [quoted text, click to view] >How can I logon / impersonate the user / grab the appropriate "ticket" this case, I do not have the full certificate."without the password? >¡ >"This is what IIS does when it does certificate based login, however, in IIS has client certificate authentication. However in this scenario, we do need to provide each authenticated user account's password which is stored into IIS metabase. The below article explains how this feature works in IIS 5.0: http://support.microsoft.com/default.aspx?scid=kb;en-us;313070&sd=tech [quoted text, click to view] >"I need to authenticate against active directory and log a user on to Sharepoint. In order to reduce SSL load and support edge server caching we are using a persistant shared SSL connection." I'm not very clear about what you want to achieve. Could you please explain the whole scenario more clearly? It sounds like you want to implement a pass-through authentication feature by yourself? What authentication method you want to use? Is SSL used for encryption only or you also want it to implement client cert authentication? Regards, Yuan Ren [MSFT] Microsoft Online Support
Hi,
Thanks for your post! [quoted text, click to view] >"I want to authenticate based on the Distinguished name contained in a header in the client request."Is the "Distinguished name" means the DN value of username in AD environment? If you want to attach the current DN value into the request without password, I think the IIS can not authenticate the current credential. Regards, Yuan Ren [MSFT] Microsoft Online Support
Daniel,
I'm a bit confused as well. Authentication occurs when you marry a user identity (e.g. a username, in this case the DN) with the corresponding "secret" (this is usually a password, or some kind of token like a certificate). Given that you have the username only, how do you intend to authenticate the user? How do you know the user is who they say they are? Cheers Ken [quoted text, click to view] "Daniel Corbett" <mrinalexandria@nospam.nospam> wrote in message :I DO want to a pass-through authentication feature by myself. Instead ofnews:E6823E0A-6B99-4F47-B4BF-1A386B811C63@microsoft.com... : authenticating on a client certificate, I want to authenticate based on the : Distinguished name contained in a header in the client request. For : security purposes there is also a certificate contained in the request, : however, I am only using that to verify the validity of the connection, not : to authenticate the user who originally sent the HTTP request. : [quoted text, click to view] : ""Yuan Ren[MSFT]"" wrote: :: > Hi, : > : > Welcome to Microsoft newsgroup! : > : > >How can I logon / impersonate the user / grab the appropriate "ticket" : > without the password? : > >¡ : > >"This is what IIS does when it does certificate based login, however, in : > this case, I do not have the full certificate." : > : > IIS has client certificate authentication. However in this scenario, we do : > need to provide each authenticated user account's password which is stored : > into IIS metabase. The below article explains how this feature works in IIS : > 5.0: : > http://support.microsoft.com/default.aspx?scid=kb;en-us;313070&sd=tech : > : > >"I need to authenticate against active directory and log a user on to : > Sharepoint. In order to reduce SSL load and support edge server caching we : > are using a persistant shared SSL connection." : > : > I'm not very clear about what you want to achieve. Could you please explain : > the whole scenario more clearly? It sounds like you want to implement a : > pass-through authentication feature by yourself? What authentication method : > you want to use? Is SSL used for encryption only or you also want it to : > implement client cert authentication? : > : > Regards, : > : > Yuan Ren [MSFT] : > Microsoft Online Support : > : >
I know who they are because I have gotten this DN from a trusted source over
an SSL connection. I am trying to simulate having gotten the users certificate. If necessary, I could grab all the components and re-create the certificate, but I would still have the same issue. I am trying to use LsaLogonUser with KERB_S4U_LOGON to impersonate the user but I am now getting this error: "specified logon session does not exist. It may already have been terminated. (1312)." I am using a "domain account" which has SeTcbPrivelege enabled, and am requesting an impersonation token. I have also made sure the user is a member of the "Pre-Windows 2000 compatible Access" group on the Domain. [quoted text, click to view] "Ken Schaefer" wrote:
> Daniel, > > I'm a bit confused as well. Authentication occurs when you marry a user > identity (e.g. a username, in this case the DN) with the corresponding > "secret" (this is usually a password, or some kind of token like a > certificate). Given that you have the username only, how do you intend to > authenticate the user? How do you know the user is who they say they are? > > Cheers > Ken > > > "Daniel Corbett" <mrinalexandria@nospam.nospam> wrote in message > news:E6823E0A-6B99-4F47-B4BF-1A386B811C63@microsoft.com... > :I DO want to a pass-through authentication feature by myself. Instead of > : authenticating on a client certificate, I want to authenticate based on > the > : Distinguished name contained in a header in the client request. For > : security purposes there is also a certificate contained in the request, > : however, I am only using that to verify the validity of the connection, > not > : to authenticate the user who originally sent the HTTP request. > : > : ""Yuan Ren[MSFT]"" wrote: > : > : > Hi, > : > > : > Welcome to Microsoft newsgroup! > : > > : > >How can I logon / impersonate the user / grab the appropriate "ticket" > : > without the password? > : > >¡ > : > >"This is what IIS does when it does certificate based login, however, > in > : > this case, I do not have the full certificate." > : > > : > IIS has client certificate authentication. However in this scenario, we > do > : > need to provide each authenticated user account's password which is > stored > : > into IIS metabase. The below article explains how this feature works in > IIS > : > 5.0: > : > http://support.microsoft.com/default.aspx?scid=kb;en-us;313070&sd=tech > : > > : > >"I need to authenticate against active directory and log a user on to > : > Sharepoint. In order to reduce SSL load and support edge server caching > we > : > are using a persistant shared SSL connection." > : > > : > I'm not very clear about what you want to achieve. Could you please > explain > : > the whole scenario more clearly? It sounds like you want to implement a > : > pass-through authentication feature by yourself? What authentication > method > : > you want to use? Is SSL used for encryption only or you also want it to > : > implement client cert authentication? > : > > : > Regards, > : > > : > Yuan Ren [MSFT] > : > Microsoft Online Support > : > > : > > >
LsaLogonUser with KerbS4ULogon set, uses the KERB_S4U_LOGON data structure.
This doesn't even have a field for the password. The point of using this is to log the user on WITHOUT a password.... With the right set of permissions I should be able to do this. This is the same thing which is done when the system receives a certificate. There IS no "password" when you receive a certificate, why should there be here? Thanks, - Daniel [quoted text, click to view] ""Yuan Ren[MSFT]"" wrote:
> Hi, > > Thanks for your reply! > > >"I am trying to use LsaLogonUser with KERB_S4U_LOGON to impersonate the > user but I am now getting this error:" > > As far as I know, if you want to use the LsaLogonUser method, you need > supply a credential to make the method works fine. As MSDN document's > description like the link below: > http://msdn.microsoft.com/library/en-us/secauthn/security/lsalogonuser.asp?f > rame=true > > I think the credential information is different with distinguished name in > Active Directory. The credential information must contain a password which > has been hashed or encrypted. If you used impersonated token as credential > information, I think it might not work well. > > Could you please give me more details about how to create credential > information in your application? It'll help me to understand your issue > clearly. > > Regards, > > Yuan Ren [MSFT] > Microsoft Online Support >
Hi,
Thanks for your reply! [quoted text, click to view] >"I am trying to use LsaLogonUser with KERB_S4U_LOGON to impersonate the user but I am now getting this error:"As far as I know, if you want to use the LsaLogonUser method, you need supply a credential to make the method works fine. As MSDN document's description like the link below: http://msdn.microsoft.com/library/en-us/secauthn/security/lsalogonuser.asp?f rame=true I think the credential information is different with distinguished name in Active Directory. The credential information must contain a password which has been hashed or encrypted. If you used impersonated token as credential information, I think it might not work well. Could you please give me more details about how to create credential information in your application? It'll help me to understand your issue clearly. Regards, Yuan Ren [MSFT] Microsoft Online Support
Hi Daniel,
Thanks for your reply! Below article from MSDN show us how to use LsaLogonUser to implement some function likes your scenario: http://msdn.microsoft.com/msdnmag/issues/03/04/SecurityBriefs/ Actually, I think the current issue is not focused on IIS tech as we discussed in these threads. IIS security newsgroup is just focused on secure issue such as configuration, authentication and so on. If you think the above article can't help you, I suggest you post a new thread in programming newsgroup so that you will get more details. Thanks for your understanding! Regards, Yuan Ren [MSFT] Microsoft Online Support
Don't see what you're looking for? Try a search.
|
June 2003
July 2003
August 2003
September 2003
October 2003
November 2003
December 2003
January 2004
February 2004
March 2004
April 2004
May 2004
June 2004
July 2004
August 2004
September 2004
October 2004
November 2004
December 2004
January 2005
February 2005
March 2005
April 2005
May 2005
June 2005
July 2005
August 2005
September 2005
October 2005
November 2005
December 2005
January 2006
February 2006
March 2006
April 2006
May 2006
June 2006
July 2006
August 2006
September 2006
October 2006
November 2006
December 2006
January 2007
February 2007
March 2007
April 2007
May 2007
June 2007
July 2007
August 2007
September 2007
October 2007
November 2007
December 2007
January 2008
February 2008
March 2008
April 2008
May 2008
June 2008
| home · blog · groups | Questions? Comments? Contact the dn |