[Samba] Schema version 87 and windows Hello

Mason Schmitt mason at ftlcomputing.com
Mon Sep 28 23:34:56 UTC 2020

> > Is this all that would be required to enable a deployment based upon a
> > traditional PKI?
> >
> If you are using Windows, yes; if not, then you would need to find a way
> to replace the EDRS (there is a good doc about it here:
> https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning
> )

> >> But the big trouble is that the 'Hello for business' enrolment process
> >> is all wrapped up in a flow via Active Directory Federation Services,
> >> and we have *none* of that stack.
> >>
> >
> > I took a look at the slide deck presented at SambaXP 2019 (
> > https://sambaxp.org/fileadmin/user_upload/sambaxp2019-slides/farooqi_sambaxp2019_WindowsHelloForBusiness.pdf
> > ) and specifically the provisioning process.  I see what you mean about the
> > requirement for ADFS, to enable a user-friendly self-registration process.
> >
> > However, for smaller environments, with a very low volume of new users
> > being introduced, would it not be possible to forego the self-provisioning
> > process and substitute either a manual admin process or some light
> > automation to generate key pairs on the client and push the necessary
> > changes directly to the DC?  This would essentially be a Windows Hello for
> > Business minimum viable product.
> >
> Well, you would have to bypass the whole registration process. It is
> possible in theory but seems rather complex.

Yes, that's exactly what I'm proposing - bypassing the self-registration
process and instead doing an administrator-controlled registration
process.  I think that entirely removes the need for ADFS and an MFA server.

> I mean, how do you register
> the PIN then?

The PIN isn't actually registered with the server.  The PIN is only used to
unlock the TPM on the PC, so that the TPM can use its knowledge of the
private key/certificate to authenticate against the server that contains a
copy of the public key.

The following is what I think the authentication (not provisioning) process
boils down to:
- User attempts to log in and provides their PIN to unlock their TPM
- Kerberos PKINIT authentication is attempted using the private
key/certificate stored in the TPM

With the above authentication process in mind, I'm thinking that the
provisioning process could be boiled down to:
- Configure the TPM to store a private key and protect it with a PIN
- Write the public key to the correct location in LDAP (AD DC)
- Configure the Windows Hello client on the PC

As Andrew said, under the covers this is really just PKINIT and an AD
schema upgrade.  I think that most of the complexity lies in the self-
registration process.  Of course self-registration would be super
convenient, but if I want that now, then I need to be willing to pay for
some Windows Server licensing and ongoing maintenance and support of that

Does this make sense?  Or have I dramatically oversimplified this?
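An added illustration of the two-phase split sketched in the post above (admin-controlled provisioning, then PIN-gated authentication); this is example code, not Samba's or Microsoft's, and a dict plus a toy challenge/response stand in for the TPM, the DC's LDAP store and the PKINIT AS exchange. It assumes the `cryptography` package is installed.

```python
# Added example: models why the PIN never reaches the DC. The TPM holds the
# private key and only releases signing after the PIN check; the DC holds
# nothing but the public key written during admin provisioning.
# NOT real PKINIT or Samba code: the Kerberos AS exchange is reduced to a
# random challenge signed by the client and verified by the DC.
import hashlib, os
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa, padding
from cryptography.exceptions import InvalidSignature

class FakeTpm:
    """Stands in for the PC's TPM (assumption): key never leaves, PIN gates its use."""
    def __init__(self):
        self._key = None
        self._pin_hash = None
    def provision(self, pin: str):
        # Provisioning step 1: key pair created inside the 'TPM', protected by the PIN.
        self._key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
        self._pin_hash = hashlib.sha256(pin.encode()).digest()
        return self._key.public_key()          # only the public half leaves the device
    def sign(self, pin: str, data: bytes) -> bytes:
        if hashlib.sha256(pin.encode()).digest() != self._pin_hash:
            raise PermissionError("wrong PIN: TPM refuses to use the key")
        return self._key.sign(data, padding.PKCS1v15(), hashes.SHA256())

def pubkey_der(pub) -> bytes:
    return pub.public_bytes(serialization.Encoding.DER,
                            serialization.PublicFormat.SubjectPublicKeyInfo)

def provision(directory: dict, user: str, tpm: FakeTpm, pin: str) -> str:
    """Provisioning step 2 (admin-side): store the public key and a SHA-256 key id
    under the user object. 'directory' is a stand-in for the DC's LDAP store."""
    der = pubkey_der(tpm.provision(pin))
    key_id = hashlib.sha256(der).hexdigest()
    directory.setdefault(user, []).append({"key_id": key_id, "spki": der})
    return key_id

def authenticate(directory: dict, user: str, tpm: FakeTpm, pin: str) -> bool:
    """Stand-in for the PKINIT exchange: DC issues a challenge, client signs it with
    the PIN-unlocked key, DC verifies against the stored public key only."""
    challenge = os.urandom(32)
    try:
        sig = tpm.sign(pin, challenge)          # fails locally on a wrong PIN
    except PermissionError:
        return False
    for entry in directory.get(user, []):
        pub = serialization.load_der_public_key(entry["spki"])
        try:
            pub.verify(sig, challenge, padding.PKCS1v15(), hashes.SHA256())
            return True
        except InvalidSignature:
            continue
    return False
```

Note that `directory` never sees the PIN or the private key; a wrong PIN is rejected on the client before anything is sent, and the DC can only accept a signature matching a key an administrator wrote.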
