Can Post Sign On Authorization Be Extended?

  • Question

  • Is it possible to extend Windows "Sign On" processes after the submitting of User ID and password to reach out to a SaaS provider and assess the response in addition to the AD result to determine if the user access should be granted? If "yes", where is the documentation for doing so?

    TIA, Marc

    Wednesday, October 18, 2017 11:17 AM

All replies

  • Hello,

    The CLR forum seems not to be the right forum for your issue. Can you be specific about your technologies so that we can redirect you to the right forum? For example, what's your SaaS provider? Is it related to Azure? What's your programming language and your project type, and so on.

    Best regards,

    Barry


    MSDN Community Support
    Please remember to click "Mark as Answer" the responses that resolved your issue, and to click "Unmark as Answer" if not. This can be beneficial to other community members reading this thread. If you have any compliments or complaints to MSDN Support, feel free to contact MSDNFSF@microsoft.com.

    Thursday, October 19, 2017 6:51 AM
  • Thanks for replying.

    The SaaS provider would be Identity Checkpoint, which would add another multi-factor authentication capability to the sign-on by reaching out to the owner of the UserID via the back side of the AD server | Windows OS to our platform, which reaches out to the registered devices of the user to obtain an identity-use authorization for the sign-on.

    Four possible replies are returned: (Y)es, (N)o, no (A)ctive devices and (U)ser ID not found. If "Y" or "U" is the reply, the sign on proceeds if AD | Windows OS also approves; otherwise the sign on should fail. A user knows when their identity is in use and should be prepared to verify their activity using a registered device. The default answer where no response is received within the allocated time period is "N".

    At either the Windows' system or the domain AD service level, this should be either a feature option in the standard deployment or an installable add-in.

    Is this achievable?

    Basically, I am asking whether there are APIs from which I can extend those functions as an external developer, or do I need to have MS modify AD | Windows OS to add that functionality? As Windows is based on .NET libraries, I thought I would ask in this forum.
    Thursday, October 19, 2017 10:02 AM
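The decision policy AlaskanRogue spells out in the post above (four reply codes Y/N/A/U, proceed only on Y or U and only if AD also approves, no reply in time counts as N), written out as an added example. This is not code from the thread or from Identity Checkpoint, whose real interface is not described here; the function names, the deadline wrapper and the simulated responders are assumptions made for illustration, and the block shows only the policy, not where it would hook into the Windows logon path (a question the thread does not answer).

```python
"""Sign-on decision combining the AD result with a device-verification reply.

Added example, not code from the thread or from Identity Checkpoint. The reply
codes Y/N/A/U, the "proceed on Y or U if AD also approves" rule and the
"no reply in time counts as N" default come from the post; the function names,
the deadline wrapper and the simulated responders are assumptions.
"""
from concurrent.futures import ThreadPoolExecutor
import time
from typing import Callable, Tuple

# Reply codes as described in the post.
YES, NO, NO_ACTIVE_DEVICES, USER_NOT_FOUND = "Y", "N", "A", "U"
KNOWN_REPLIES = {YES, NO, NO_ACTIVE_DEVICES, USER_NOT_FOUND}
DEFAULT_REPLY = NO                     # fail closed when no answer arrives in time
ALLOW_REPLIES = {YES, USER_NOT_FOUND}  # sign-on may proceed only if AD also approves


def normalize_reply(raw: object) -> str:
    """Map whatever the verification service returned onto one of the four codes.

    Anything that is not one of the known codes is treated as "N" (an assumption:
    an unrecognised or malformed reply must not grant access).
    """
    if not isinstance(raw, str):
        return DEFAULT_REPLY
    code = raw.strip().upper()
    return code if code in KNOWN_REPLIES else DEFAULT_REPLY


def collect_reply(ask_devices: Callable[[], str], timeout_s: float) -> str:
    """Run the device-verification call under a deadline.

    The deadline expiring or the call raising both yield the default reply "N",
    so the slow path and the failing path are the denying path.
    """
    pool = ThreadPoolExecutor(max_workers=1)
    future = pool.submit(ask_devices)
    try:
        return normalize_reply(future.result(timeout=timeout_s))
    except Exception:  # includes concurrent.futures.TimeoutError from the deadline
        return DEFAULT_REPLY
    finally:
        pool.shutdown(wait=False)  # do not hold the sign-on for a late answer


def authorize_signon(ad_approved: bool, reply: str) -> bool:
    """Grant only when AD approved and the verification reply is Y or U."""
    if not ad_approved:
        return False
    return normalize_reply(reply) in ALLOW_REPLIES


def decide_signon(ad_approved: bool, ask_devices: Callable[[], str],
                  timeout_s: float) -> Tuple[bool, str]:
    """Full decision: returns (granted, reply_used) so the reply can be audited."""
    reply = collect_reply(ask_devices, timeout_s)
    return authorize_signon(ad_approved, reply), reply


def fixed_responder(reply: str, delay_s: float = 0.0) -> Callable[[], str]:
    """Constructed stand-in for the verification call (demonstration only)."""
    def ask() -> str:
        time.sleep(delay_s)
        return reply
    return ask


def failing_responder(message: str) -> Callable[[], str]:
    """Constructed stand-in for a verification service that cannot be reached."""
    def ask() -> str:
        raise RuntimeError(message)
    return ask


if __name__ == "__main__":
    # Constructed scenarios: AD approves in each case, only the reply varies.
    scenarios = [
        ("user approved", fixed_responder("Y")),
        ("user declined", fixed_responder("N")),
        ("no active devices", fixed_responder("A")),
        ("user not registered", fixed_responder("U")),
        ("no answer in time", fixed_responder("Y", delay_s=0.5)),
        ("service unreachable", failing_responder("connection refused")),
    ]
    for label, responder in scenarios:
        granted, reply = decide_signon(True, responder, timeout_s=0.1)
        print(f"{label:20s} reply={reply} granted={granted}")
```

The point a practitioner would check first is the failure direction: an unreachable or slow verification service resolves to "N" and therefore denies, rather than silently admitting the user on the AD result alone, and a reply the code does not recognise is treated the same way.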
  • @AlaskanRogue,

    Per my experience, AD development in the .NET world is based on the LDAP protocol, and the code is written like this blog mentions: https://msdn.microsoft.com/en-us/library/ms973834.aspx#dotnetadsearch_topic3 So although you may have an idea to achieve a more flexible sign-on process, all you can do is put your idea in your own code. And I haven't heard of any API which can extend these functions like you have described.

    And to be honest, "do I need to have MS modify AD | Windows OS to add that functionality?": it needs a lot of time, so to me it's not suggested. Anyway, you can submit your idea to the latest Feedback tool and others will be able to see this idea and vote for it.

    Best regards,

    Barry

    Friday, October 20, 2017 5:59 AM
    Based on your response of doing it myself, it appears that I would need to create hooks into the Windows OS to be notified when the sign-on has begun and the UserID is in use, then when the Windows OS is about to proceed with the log in, and an API which can stop the log in. Are you aware of any documentation, for example of hook points in the OS that I can use SetWindowsHookEx on for log in? How about an API call for stopping log in? I would need them for both PC and Server OSs (I am assuming they might be different).


    Friday, October 20, 2017 10:47 AM
  • @AlaskanRogue,

    Sorry, I'm not aware of any documentation that can do this. Login has security risks, so the API should be limited in my point of view. And I haven't heard of such an API which can stop the log in process. I'm afraid you have to submit a feature request for this.

    Best regards,

    Barry

    Monday, October 23, 2017 9:12 AM
    Thanks, Barry, for persisting. I remembered this morning that I could use the "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run" registry key to force an app, I believe, to persistently run after login but before the desktop appears. The app could execute the scenario and subsequently force a logoff if the verification doesn't succeed.

    Is that correct, i.e. the designated app runs before the desktop appears?

    • Edited by AlaskanRogue Wednesday, October 25, 2017 12:04 AM
    Monday, October 23, 2017 10:15 AM
  • @AlaskanRogue,

    Yep, the app runs before the desktop appears. However, how can you do this? "Forcing a log off generally leads to a bad user experience"; probably you can find a way which I'm not aware of, but this leads to a bad user experience from my point of view.

    Best regards,

    Barry

    • Marked as answer by AlaskanRogue Wednesday, October 25, 2017 9:56 AM
    Wednesday, October 25, 2017 5:28 AM
  • Thanks. Do I need to be pleasant to a hacker logging in?
    • Edited by AlaskanRogue Wednesday, October 25, 2017 9:56 AM
    Wednesday, October 25, 2017 9:56 AM
  • @AlaskanRogue,

    Well, that sounds more reasonable from the app level. But as a support engineer I cannot recommend you do that. Maybe a better idea is to create an app which can help customers use RDP to access a remote machine. And then you can store and verify the credentials from your app level.

    Best regards,

    Barry

    Thursday, October 26, 2017 2:49 AM
  • Does re-login have the equivalent of the "Windows\CurrentVersion\Run" registry key?
    • Edited by AlaskanRogue Thursday, October 26, 2017 10:28 AM
    Thursday, October 26, 2017 10:28 AM