[OT] Digest authentication session key with ADS

Andrew Bartlett abartlet at samba.org
Thu Feb 19 21:45:21 GMT 2004

On Fri, 2004-02-20 at 08:29, Henrik Nordstrom wrote:
> This is probably somewhat out of topic for this list, but I figure you
> probably know MS trusted channels authentication etc better than anyone
> else, and I also hope the answer to the question fits into the winbind
> world of authentication somehow.
> I am looking into what it would take to implement MD5-Sess digest
> authentication on non-Windows servers with MS-ADS as backend directory
> service. The culprit is that there is no official standard on how to query
> a directory server for the MD5-Sess session key required for proper Digest
> authentication with a directory service. But now comes the interesting
> parts
> As you may know Digest is one of the main authentication service providers
> in ADS, even if support is normally not enabled by default (directory 
> security reasons, storage of another password key is required)
> To applications running locally on a Windows server this information
> (MD5-Sess session key) appears to be available from the Digest security
> provider session when the Digest authentication is successful.
> For security reasons the MD5-Sess key must only be made available over a
> trusted channel where the other endpoint is well known. For this reason it
> is not available from any of the normal protocols using Digest
> authentication. An attacker gaining access to the MD5-Sess key can take
> over the Digest session from the original user until the session expires.
> My question to you is if you think it would be possible via the trusted
> channel used by Winbind or similar mechanism to talk to the Digest
> provider in ADS to get hold of the Digest session key?

If windows can do it, so can we :-)

What we need to do now is setup IIS (or IAS) to use this mechanism, and
see what happens on the wire.  It will all be in schannel, so set a
local and domain policy to ensure that 'secure channel' communications
are signed, not sealed.  

There may be a new RPC - this may just be a hack on the existing
NETLOGON calls (very easy to implement).

Andrew Bartlett

Andrew Bartlett                                 abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet at samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net
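Added example, not part of the mail above and not Samba project code: the "schannel" Andrew refers to is the Netlogon secure channel between a domain member and its DC (not the Schannel TLS provider), and the signed-versus-sealed choice the member makes is driven by the "Domain member: Digitally ..." security options, which land in the Netlogon service's Parameters registry key. The PowerShell below reads those values on the member (the IIS box in this scenario), switches the channel to signed-only so the RPC payload is readable in a capture, and restores the default afterwards. Assumptions: it runs elevated on a domain-joined Windows member, and no domain GPO re-applies the sealing setting on the next refresh (Andrew's point about setting the policy at domain level as well); the function names are this example's own.

```powershell
# Added example, not from the original mail. Toggle a Windows domain member's
# Netlogon secure channel between "sign and seal" (default) and "sign only"
# so the schannel-protected NETLOGON RPC traffic is plaintext on the wire.
# Assumes: elevated shell on a domain-joined member; no domain GPO overriding
# these values (verify with: gpresult /r).
$NetlogonKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

function Get-SecureChannelPolicy {
    # The three DWORDs map to the Security Options shown in the comments.
    $p = Get-ItemProperty -Path $NetlogonKey
    [pscustomobject]@{
        RequireSignOrSeal = $p.RequireSignOrSeal   # "...encrypt or sign secure channel data (always)"
        SealSecureChannel = $p.SealSecureChannel   # "...encrypt secure channel data (when possible)"
        SignSecureChannel = $p.SignSecureChannel   # "...sign secure channel data (when possible)"
    }
}

function Set-SecureChannelSignOnly {
    param([switch]$Restore)
    if ($Restore) {
        # Default: seal (encrypt) the channel when the DC supports it.
        Set-ItemProperty -Path $NetlogonKey -Name SealSecureChannel -Value 1 -Type DWord
    } else {
        # Keep integrity protection (signing) but stop encrypting the payload.
        Set-ItemProperty -Path $NetlogonKey -Name SignSecureChannel -Value 1 -Type DWord
        Set-ItemProperty -Path $NetlogonKey -Name SealSecureChannel -Value 0 -Type DWord
    }
    # The setting applies to the next secure channel, so restart Netlogon and
    # force a fresh channel to the DC instead of reusing the established one.
    Restart-Service -Name Netlogon
    Test-ComputerSecureChannel -Repair | Out-Null
    Get-SecureChannelPolicy
}

# Usage: record the baseline, go signed-only for the capture, then restore.
Get-SecureChannelPolicy
Set-SecureChannelSignOnly
# ... start the packet capture and exercise IIS Digest auth here ...
Set-SecureChannelSignOnly -Restore
```

Sealing off means anything carried over the secure channel, including the session key being hunted for here, crosses the network in the clear, so do this only on a lab domain and restore the default when done. Note also that current Windows DCs enforce secure (sealed) Netlogon RPC by default, so on a patched modern DC the member's signed-only request will not be honoured; the trick described in the mail reflects 2004-era behaviour.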