locked
KERB_CERTIFICATE_LOGON and custom KSP RRS feed

  • Question

  • I'm implementing an OTP solution based on the Microsoft's whitepaper "Strong Authentication with One-Time Passwords in Windows 7 and Windows Server 2008 R2" ( https://technet.microsoft.com/en-us/library/gg637807(v=ws.10).aspx ) .

    The summary of the relevant part of that whitepaper is to essentially fake presence of a smart-card reader by implementing a custom key storage provider (KSP) for Windows CNG subsystem. However having followed the instructions as described, I cannot get my custom KSP to be used by the OS when required.

    In my credential provider I am creating an authentication package with KERB_CERTIFICATE_LOGON and KERB_SMARTCARD_CSP_INFO structures. My custom KSP is referenced in KERB_SMARTCARD_CSP_INFO as required (it is also correctly registered, can be enumerated, and can be used with NCrypt APIs). However it is never loaded by the OS after ICredentialProviderCredential::GetSerialization returns (not even DLL being loaded in memory) or during the call to LsaLogonUser() in my standalone test app.

    The issue is identical to the one described in the other thread here (without any answers - https://social.msdn.microsoft.com/Forums/sqlserver/en-US/01a2abf3-f1a2-49e4-bdfc-c5fb833dd830/lsalogonuser-kerbcertificatelogon-and-custom-cng-ksp?forum=windowssecurity ) and I came to the same conclusion that the issue is with the contents of KERB_SMARTCARD_CSP_INFO (example usage can be found here - https://www.idrix.fr/Root/Samples/LsaSmartCardLogon.cpp ) - however due to next to no documentation and not a single example of this rare case, I have no idea what to do...

    P.S. Sorry for lack of clickable links, for some reason I'm not allowed to add them?
    Friday, May 20, 2016 2:45 PM