How to login to windows using pki cert

  • Question

  • Hi,

    I would like to log on the user using a certificate, some solution similar to how a smart card works but without the hardware; instead of a password, the user request will be signed on some web server (in the first steps I can use a hard-coded private key).

    From what I understand, these are the steps in order to achieve it:

    1. Join the computer to the domain.
    2. In the domain, map a certificate to the user account: https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc754866(v=ws.11)?redirectedfrom=MSDN
    3. In the client, implement a custom credential provider and sign the request using the private key that belongs to the certificate in step 2. (Should I call the Kerberos API? Which structure should be signed?)
    4. Register the credential provider and be able to log in without the use of a password.
    5. The user obtains a Kerberos ticket.

    I'm not sure if I understand it correctly; any code example will be great.

    Thanks 



    • Edited by yosi_ Monday, December 9, 2019 2:22 PM
    Monday, December 9, 2019 2:15 PM
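    Step 2 in the list above, mapping the certificate to the account, is done by writing an explicit mapping string into the user's altSecurityIdentities attribute. The following PowerShell is an added example, not code from the original thread or from Microsoft; it assumes the RSAT ActiveDirectory module, write access to the user object, and uses a hypothetical certificate path and account name. It goes beyond the 2019 thread in one respect: it emits only the strong mapping formats (<I> plus <SR>, and <SKI>), because since the KB5014754 changes domain controllers in full-enforcement mode reject certificates that are mapped only through the weaker issuer-plus-subject or subject-only forms.

```powershell
# Added example, not code from the original thread.
# Builds strong certificate-to-account mappings for altSecurityIdentities
# and writes them to the user, refusing to proceed if another account
# already carries the same mapping. Requires the RSAT ActiveDirectory module.
#Requires -Modules ActiveDirectory
param(
    # Hypothetical path to the user's certificate (only the public part is needed here).
    [string]$CertPath       = 'C:\temp\user-logon.cer',
    # Hypothetical account the certificate should map to.
    [string]$SamAccountName = 'yosi'
)

$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($CertPath)

# altSecurityIdentities wants the issuer DN in reverse RDN order with no
# spaces, e.g. "DC=com,DC=contoso,CN=CONTOSO-DC-CA". Splitting on ',' is
# enough for DNs whose values contain no escaped commas.
$rdns = @($cert.IssuerName.Format($false) -split ',\s*' | Where-Object { $_ })
[array]::Reverse($rdns)
$issuerReversed = $rdns -join ','

# The <SR> field is the serial number with its byte order reversed relative
# to what the certificate viewer shows.
$serialPairs = @(for ($i = 0; $i -lt $cert.SerialNumber.Length; $i += 2) {
    $cert.SerialNumber.Substring($i, 2)
})
[array]::Reverse($serialPairs)
$serialReversed = ($serialPairs -join '').ToUpper()

$mappings = @("X509:<I>$issuerReversed<SR>$serialReversed")

# <SKI> mapping, if the certificate carries a Subject Key Identifier extension.
$ski = $cert.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509SubjectKeyIdentifierExtension] } |
    Select-Object -First 1
if ($ski) { $mappings += "X509:<SKI>$($ski.SubjectKeyIdentifier)" }

# A mapping must identify exactly one account; bail out if it is already used elsewhere.
foreach ($m in $mappings) {
    $owner = Get-ADUser -Filter "altSecurityIdentities -eq '$m'"
    if ($owner -and $owner.SamAccountName -ne $SamAccountName) {
        throw "Mapping $m is already bound to $($owner.SamAccountName)"
    }
}

Set-ADUser -Identity $SamAccountName -Add @{ altSecurityIdentities = $mappings }

# Read back what was written so the result can be checked against the certificate.
(Get-ADUser -Identity $SamAccountName -Properties altSecurityIdentities).altSecurityIdentities
```

    Run it once per certificate with an account that can write the user object. The private key never leaves the client; the attribute only tells the KDC which certificate it must see in the Kerberos certificate (PKINIT) exchange, which is the signing that step 3 asks about.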

All replies

  • Hello yosi_,

    Based on your description, a virtual smart card may be what you want. It stores the certificate in the PC; no external hardware is needed. But the PC needs to support a TPM, which stores and protects the certificate. And also it requires the user to enter his PIN in order to be authenticated.

    Refer to "Credentials Processes in Windows Authentication" and "Virtual Smart Card Overview".

    Could you help to confirm the following information?

    1. Is this solution used for local computer logon or for authenticating to some web resource?
    2. Do you have your own server for authentication?
    3. Will this solution be used on a domain-joined computer or not?
    4. The user needs to enter a PIN; is that fine?

    Best regards,

    Rita


    MSDN Community Support
    Please remember to click "Mark as Answer" the responses that resolved your issue, and to click "Unmark as Answer" if not. This can be beneficial to other community members reading this thread. If you have any compliments or complaints to MSDN Support, feel free to contact MSDNFSF@microsoft.com.

    Tuesday, December 10, 2019 2:50 AM
  • Hello Rita,

    I considered using a virtual smart card, but the Microsoft docs say that Microsoft will be deprecating virtual smart cards in the future -

    https://docs.microsoft.com/en-us/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-overview

    1) The solution is for local logon only

    2) Yes, I have a server that authenticates the user using a mobile application

    3) The solution should fit a domain-joined computer

    4) If the user enters a PIN code it will lose the purpose; I want to move to passwordless logon (without the capability of Windows Hello)

    Thanks for your help, 

    Yosi

    Tuesday, December 10, 2019 8:40 AM
  • Hello yosi_,

    To my understanding, when the user logs on, an underlying operation that the server and mobile phone are working on returns the user's credential to LogonUI; finally this credential is passed to the Local Security Authority (LSA) to complete the authentication. What the user needs to do is click a tile or enter his user name without entering a password. What your custom credential provider has to do is determine what UI elements to present to the user and retrieve the user's credential from the server. The server may interact with the mobile phone to get the user's approval.

    If my understanding is right, the purpose of the certificate here is securing the communication to the server.

    Here is an example of retrieving a user's credential from a smart card; you can refer to it and instead retrieve the user's credential from your server.

    You can also refer to the official Credential Provider Sample.

    There is a lot of work to do. Hope above information helps.

    Best regards,

    Rita



    Wednesday, December 11, 2019 7:28 AM
  • Hello Rita,

    Thanks for your kind support; I would like to verify one thing before I refer to your solution.

    Is there a possible way to log in using a PKI cert, meaning to attach a certificate or something similar that will allow the user to authenticate without a password/PIN code or getting the credentials from a third-party server?

    Thanks,

    Yosi

    Wednesday, December 11, 2019 2:40 PM
  • Hello yosi_,

    A certificate may need external hardware to store it and still requires a PIN to protect it; however, this is what you want to avoid.

    Would you mind sharing the reason you prefer a certificate?

    Best regards,

    Rita



    Thursday, December 12, 2019 7:59 AM