[OT] Digest authentication session key with ADS

Andrew Bartlett abartlet at samba.org
Thu Feb 19 21:45:21 GMT 2004


On Fri, 2004-02-20 at 08:29, Henrik Nordstrom wrote:
> This is probably somewhat out of topic for this list, but I figure you
> probably know MS trusted channels authentication etc better than anyone
> else, and I also hope the answer to the question fits into the winbind
> world of authentication somehow.
> 
> I am looking into what it would take to implement MD5-Sess digest
> authentication on non-Windows servers with MS-ADS as backend directory
> service. The culprit is that there is no official standard on how to query
> a directory server for the MD5-Sess session key required for proper Digest
> authentication with a directory service. But now come the interesting
> parts
> 
> As you may know Digest is one of the main authentication service providers
> in ADS, even if support is normally not enabled by default (directory 
> security reasons, storage of another password key is required)
> 
> To applications running locally on a Windows server this information
> (MD5-Sess session key) appears to be available from the Digest security
> provider session when the Digest authentication is successful.
> 
> For security reasons the MD5-Sess key must only be made available over a
> trusted channel where the other endpoint is well known. For this reason it
> is not available from any of the normal protocols using Digest
> authentication. An attacker gaining access to the MD5-Sess key can take
> over the Digest session from the original user until the session expires.
> 
> My question to you is if you think it would be possible via the trusted
> channel used by Winbind or similar mechanism to talk to the Digest
> provider in ADS to get hold of the Digest session key?

If windows can do it, so can we :-)

What we need to do now is set up IIS (or IAS) to use this mechanism, and
see what happens on the wire.  It will all be in schannel, so set a
local and domain policy to ensure that 'secure channel' communications
are signed, not sealed.

There may be a new RPC - this may just be a hack on the existing
NETLOGON calls (very easy to implement).

Andrew Bartlett

-- 
Andrew Bartlett                                 abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet at samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net
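The following is an added worked example, not code from the thread or from Samba, showing what the "MD5-Sess session key" being discussed actually is and why holding it is as good as holding the password for the lifetime of the session. It follows RFC 2617 (algorithm=MD5-sess, qop=auth): HA1 is derived once from the password hash plus the server nonce and the client's first cnonce, and every later request in that session is answered from HA1 alone. The user, realm, password, URI and nonce values are constructed for illustration.

```python
import hashlib


def md5_hex(s: str) -> str:
    """Hex MD5 as used throughout RFC 2617 (H() and KD())."""
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def digest_ha1(user: str, realm: str, password: str) -> str:
    """Plain MD5 algorithm: HA1 = H(user:realm:password).
    This is the value a directory would store as the 'Digest password key'."""
    return md5_hex(f"{user}:{realm}:{password}")


def md5_sess_session_key(user: str, realm: str, password: str,
                         nonce: str, cnonce: str) -> str:
    """MD5-sess (RFC 2617 3.2.2.2): HA1 = H( H(user:realm:password) : nonce : cnonce ).
    Computed once per (nonce, first cnonce); this is the session key."""
    return md5_hex(f"{digest_ha1(user, realm, password)}:{nonce}:{cnonce}")


def digest_response(ha1: str, method: str, uri: str, nonce: str,
                    nc: str, cnonce: str, qop: str = "auth") -> str:
    """response = KD(HA1, nonce:nc:cnonce:qop:HA2) with HA2 = H(method:uri).
    Note that the password never appears here, only HA1."""
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def client_response(user: str, realm: str, password: str, method: str,
                    uri: str, nonce: str, nc: str, cnonce: str) -> str:
    """What a legitimate client sends: it knows the password, so it can
    (re)derive the MD5-sess session key for any nonce the server issues."""
    ha1 = md5_sess_session_key(user, realm, password, nonce, cnonce)
    return digest_response(ha1, method, uri, nonce, nc, cnonce)


def response_from_session_key(session_key: str, method: str, uri: str,
                              nonce: str, nc: str, cnonce: str) -> str:
    """What a party holding only the session key can send: valid for every
    request under the same nonce (the session), without ever seeing the password."""
    return digest_response(session_key, method, uri, nonce, nc, cnonce)


# Constructed sample session (hypothetical values, not from the thread).
USER, REALM, PASSWORD = "alice", "example.com", "correct horse battery staple"
URI = "/protected/report"
NONCE = "dcd98b7102dd2f0e8b11d0f600bfb0c093"   # server challenge nonce
CNONCE = "0a4f113b"                           # client's first cnonce


def demo() -> dict:
    """Run the scenario from the thread: derive the session key, then show that
    it answers later requests but stops working once the server issues a new nonce."""
    session_key = md5_sess_session_key(USER, REALM, PASSWORD, NONCE, CNONCE)

    # Second request in the same session: real client vs. holder of the key only.
    real = client_response(USER, REALM, PASSWORD, "GET", URI, NONCE, "00000002", CNONCE)
    replay = response_from_session_key(session_key, "GET", URI, NONCE, "00000002", CNONCE)

    # Server re-challenges with a fresh nonce: the session has expired.
    new_nonce = "7b1f5e1a3c9d4e0fa2b6c8d9e0f1a2b3"
    real_new = client_response(USER, REALM, PASSWORD, "GET", URI, new_nonce, "00000001", CNONCE)
    stale = response_from_session_key(session_key, "GET", URI, new_nonce, "00000001", CNONCE)

    return {
        "session_key": session_key,
        "same_session_matches": real == replay,
        "new_nonce_matches": real_new == stale,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The point the example makes is the one Henrik raises: the server side of Digest only needs HA1 to verify responses, so whatever hands HA1 out (a directory lookup, or a Digest security provider on the DC) is handing out a credential that is valid until the nonce is retired, which is why it should only travel over an authenticated channel.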