remarks for [MS-AUTHSOD]

  • Question

  • Hi,

    First thank you for providing documentation about the authentication mechanisms. This kind of documentation is really useful to get an overview of this complicated subject.

    I developed a Security Package (SSP) and I want to give you my feedback about [MS-AUTHSOD].

    My first remark is that the link with [MSDN-DPAPI] is missing when an interactive logon is done.

    <technical note>

    I discovered that the password provided in the structure SECPKG_PRIMARY_CRED by the function LsaApLogonUserEx2 is used to feed DPAPI. But only the flag PRIMARY_CRED_CLEAR_PASSWORD is used by NTLM, and an empty structure is returned by Kerberos. So the use of the flag PRIMARY_CRED_OWF_PASSWORD is undocumented (and not used by the MS SSPs), and Kerberos is using an unknown way to feed DPAPI. (I submitted my feedback to MSDN 8 months ago without a reply about that.) However, [MSDN-API] is indeed mentioned in [MS-BKRP] chapter 4.

    </technical note>

    My second remark is about chapter 2.1.1 of [MS-AUTHSOD], where it is stated that only login/password can be used for local login. I understood from MSDN that there is no limitation on the credentials which can be used, with the exception of what a custom SSP can do. I don't see any reference to custom SSPs except in figure 7 (chapter "network login"). I also didn't find any reference to GINA or Credential Providers. So I think that the "interactive login" chapter can be improved.

    Don't hesitate to contact me if I can help you improve this document.

    Regards,

    Vincent

    Saturday, March 17, 2012 9:32 PM

Answers

  • Hi Vincent

    I apologize for the delay in response, as I was analyzing your feedback and discussing the proposed remarks with the owner of the document. Please find the response below on the 2 queries. Thanks once again for sharing the feedback.

    Query #1: My first remark is that the link with [MSDN-DPAPI] is missing when an interactive logon is done.

    I discovered that the password provided in the structure SECPKG_PRIMARY_CRED by the function LsaApLogonUserEx2 is used to feed DPAPI. But only the flag PRIMARY_CRED_CLEAR_PASSWORD is used by NTLM and an empty structure is returned by kerberos. So the use of the flag PRIMARY_CRED_OWF_PASSWORD is undocumented (and not used by MS SSP), and kerberos is using an unknown way to feed DPAPI. (I submitted my feedback to msdn 8 months ago without a reply about that). However [MSDN-API] is well mentioned in [MS-BKRP] chapter 4.

    Response: Per analysis, the Data Protection application programming interface is for password-based data protection. The scope of the Overview Document is not to cover APIs and their related data structures; the data protection API in this case. Instead, the overview document describes the coordinated use of protocols (listed under http://msdn.microsoft.com/en-us/library/cc216513(v=prot.10).aspx) to accomplish specific goals. As a result, covering details on the MS-DPAPI APIs does not fall under MS-AUTHSOD. In addition, MS-BKRP mentions MS-DPAPI to illustrate the working of the BackupKey remote protocol only. As per Section 1.2.2 and Section 4, MS-DPAPI is an informative reference, out of scope of the MS-BKRP protocol and not part of the open specification.

    Query #2: My second remark is about chapter 2.1.1 of [MS-AUTHSOD], where it is stated that only login/password can be used for local login. I understood from MSDN that there is no limitation on the credentials which can be used, with the exception of what a custom SSP can do. I don't see any reference to custom SSPs except in figure 7 (chapter "network login"). I also didn't find any reference to GINA or Credential Providers. So I think that the "interactive login" chapter can be improved.

    Response: As a part of this Overview document, we document the interaction between LSA and the default loaded SSPs. Windows supports extensions, for vendors, to develop their custom SSP, but covering that is out of scope of this document. Also, our goal here is to provide details w.r.t. the various inbox authentication protocols and their message exchanges with the Server. Details on selecting the authentication package on the client and passing credential information to the authentication package (through GINA or Credential Providers) are also not in scope of this document.

    Thanks


    Tarun Chopra | Escalation Engineer | Open Specifications Support Team

    • Proposed as answer by Tarun Chopra - MSFT Friday, March 30, 2012 11:38 PM
    • Marked as answer by vletoux2 Friday, April 20, 2012 9:51 AM
    Friday, March 30, 2012 10:06 PM
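The answer above draws the line between the inbox SSPs that LSA loads by default and vendor-supplied custom SSPs, which the overview leaves out of scope. From a defender's side, the practical question that follows is which packages LSA on a given host is actually configured to load. The script below is an added example, not part of the thread and not Microsoft's code: it reads the LSA package registration values, compares them against an assumed baseline of inbox package names (constructed here; adjust it to the Windows build you audit), and lists the Security log events 4610 and 4622 that record packages LSA loaded at boot. Run it in an elevated PowerShell session on the host being checked.

```powershell
# Added example (not from the thread): audit which security/authentication packages
# are registered with LSA and flag any outside an assumed inbox baseline.

$lsaKey      = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$osConfigKey = Join-Path $lsaKey 'OSConfig'

# Constructed baseline of inbox package names (assumption: adjust per Windows build).
$inboxBaseline = @('kerberos', 'msv1_0', 'schannel', 'wdigest', 'tspkg',
                   'pku2u', 'negoexts', 'cloudap')

function Get-LsaPackageList {
    # Returns the entries of a REG_MULTI_SZ / REG_SZ value as a trimmed string array,
    # or an empty array when the value is absent.
    param([string]$Key, [string]$ValueName)
    $item = Get-ItemProperty -Path $Key -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return @() }
    @($item.$ValueName) | ForEach-Object { $_.Trim() } | Where-Object { $_ -ne '' }
}

$locations = @(
    @{ Key = $lsaKey;      Name = 'Security Packages' },
    @{ Key = $lsaKey;      Name = 'Authentication Packages' },
    @{ Key = $osConfigKey; Name = 'Security Packages' }
)

$registered = foreach ($loc in $locations) {
    foreach ($pkg in Get-LsaPackageList -Key $loc.Key -ValueName $loc.Name) {
        [pscustomobject]@{
            Source  = "$($loc.Key)\$($loc.Name)"
            Package = $pkg
            Inbox   = $inboxBaseline -contains $pkg.ToLowerInvariant()
        }
    }
}

$registered | Format-Table -AutoSize

$unexpected = @($registered | Where-Object { -not $_.Inbox })
if ($unexpected.Count -gt 0) {
    Write-Warning ("Packages outside the baseline: " + ($unexpected.Package -join ', '))
}

# Events 4610 (authentication package loaded) and 4622 (security package loaded)
# record what LSA actually loaded, independent of the current registry contents.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4610, 4622 } `
             -MaxEvents 50 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id,
        @{ n = 'Package'; e = {
            if ($_.Message -match 'Package Name:\s*(.+)') { $Matches[1].Trim() }
            else { ($_.Message -split "`n")[0].Trim() } } } |
    Format-Table -AutoSize
```

The registry values show what will be loaded at the next boot, while the events show what was loaded at the last one; a package present in one list but not the other is worth explaining, and any name outside the baseline should be traced to the vendor software that installed it.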

All replies

  • Hi Vincent

    Thank you for contacting Microsoft. I am researching this for you and will contact in case of any further clarification or update.

    Thanks.


    Tarun Chopra | Escalation Engineer | Open Specifications Support Team

    Sunday, March 18, 2012 4:46 PM