Explanation needed for NLA Smartcard Logon ([MS-NLMP].pdf and [MS-CSSP].pdf)

  • Question

  • Hello

    The NLA 'password' authentication and the smartcard logon without NLA is supported for a while by Axel thin clients.
    Now we want to support the NLA smartcard authentication.

    In [MS-CSSP].pdf, the TSSmartCardCreds structure is fully described.
    The username, the domain and the pincode had to be included in this structure. It makes sense.

    But with the NLA protocol, the CredSSP information is encapsulated and secured by NTLM.
    And as described in [MS-NLMP].pdf, the NTOWFv1, LMOWFv1, NTOWFv2, LMOWFv2 functions are based on the user's password.

    So to achieve an NLA smartcard logon, the RDP client must use the user's password!!!
    (Following our investigation, mstsc.exe can retrieve the user's password with a KerberosV5 function. But only if the PC has joined the RDS server domain)

    Could you confirm that?
    Is there a way to process an NLA smartcard logon without the user's password?
    (And without belonging to a domain because Axel Thin Clients are O.S.-less devices)

    Regards

    Vincent

    Tuesday, February 2, 2016 1:17 PM

Answers

  • Hi Vincent,

    This is not an intentional behavior on Windows' part. Windows will use Kerberos whenever possible. NTLM is possible since in the PAC you get the OWA. It is only provided for conditions when Kerberos is not possible.

    In this case, Windows uses NTLM since the server IP address is used instead of the server name that is registered with the KDC. Kerberos needs the SPN of the server to work. In the absence of that it will use NTLM since that is the fallback mechanism and possible due to availability of the OWF. So, you can force this behavior if you use the IP address of the RDP server with smartcard authentication.

    Please let me know if it does not answer your question.


    Regards, Obaid Farooqi

    Tuesday, February 23, 2016 5:34 PM
    Owner

All replies

  • Hello Vincent,
    Thank you for this question. We have noticed this question as an extension to your previous post:
    [MS-RDPBCGR].pdf : username with smartcard logon
    https://social.msdn.microsoft.com/Forums/en-US/b851fdf5-28db-4932-a8c1-41f9a1da8d4f/msrdpbcgrpdf-username-with-smartcard-logon?forum=os_windowsprotocols#b851fdf5-28db-4932-a8c1-41f9a1da8d4f
    One of our engineers is investigating and will follow-up soon.

    Regards,
    Edgar
    Tuesday, February 2, 2016 4:13 PM
    Moderator
  • Hi Vincent:

    I don't think this question is an extension of your other question. Right?

    Regardless, I'll look into it and will be in touch as soon as I have an answer.


    Regards, Obaid Farooqi

    Wednesday, February 3, 2016 12:09 AM
    Owner
  • Hi,

    The first question is about the strange username used DURING the RDP protocol negotiation.
    And this one is about the NLA protocols (Kerberos, CredSSP, NTLM, SPNego). And it takes place BEFORE the RDP protocol.

    But of course the two questions are connected because both are about smartcard logon. And I guess this strange user name of the first question is certainly issued from the Kerberos authentication used by NLA.

    And definitely this question is more important than the first one.

    Regards

    Vincent


    Wednesday, February 3, 2016 9:09 AM
  • Hi Vincent:

    If you want to use NTLM but do not want the user to enter password in addition to smartcard PIN, you will have to implement MS-PKCA (http://download.microsoft.com/download/9/5/E/95EF66AF-9026-4BB0-A41D-A4F81802D92C/[MS-PKCA].pdf). This document describes that:

    "In order to support NTLM authentication [MS-NLMP] for applications connecting to network services that do not support Kerberos authentication, when PKCA is used, the KDC returns the user's NTLM one-way function (OWF) in the privilege attribute certificate (PAC) PAC_CREDENTIAL_INFO buffer ([MS-PAC] section 2.6.1). (https://msdn.microsoft.com/en-us/library/cc238462.aspx)"

    Alternatively, while you are developing MS-PKCA, you can develop more and use Kerberos authentication for CredSSP.

    Your client need not be domain joined to do an AS-REQ to KDC.

    Please let me know if it does not answer your question.


    Regards, Obaid Farooqi

    Thursday, February 4, 2016 10:42 PM
    Owner
  • Hi

    Thank you for the information. It's exactly what we're looking for.

    Is there a special setting to force mstsc.exe to act in this way?

    (this will allow us to experience this method and to check PDF information before implementing this in our thin client)

    Regards

    Vincent

    Friday, February 5, 2016 2:05 PM
  • Hi Vincent,

    I am looking into it.


    Regards, Obaid Farooqi

    Tuesday, February 9, 2016 5:50 PM
    Owner