[Samba] Schema version 87 and windows Hello

mailist mailist at kaminot.xyz
Tue Sep 29 09:10:13 UTC 2020

Hi Mason,

it does make sense and I would be into helping implementing it.
I am just affraid that like always with microsoft when you wireshark it
you have some not so nice surprises.


On 9/29/20 1:34 AM, Mason Schmitt wrote:
>     > Is this all that would be required to enable a deployment based upon a
>     > traditional PKI?
>     >
>     If you are using windows yes, if not then you would need to find a way
>     to replace the EDRS (there is a good doc about it here
>     https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning)
>     >> But the big trouble is that the 'Hello for buisness' enrolment
>     process
>     >> is all wrapped up in a flow via Active Directory Federation Services,
>     >> and we have *none* of that stack.
>     >>
>     >
>     > I took a look at the slide deck presented at SambaXP 2019 (
>     >
>     https://sambaxp.org/fileadmin/user_upload/sambaxp2019-slides/farooqi_sambaxp2019_WindowsHelloForBusiness.pdf)
>     > and specifically the provisioning process.  I see what you mean
>     about the
>     > requirement for ADFS, to enable a user friendly self registration
>     process.
>     >
>     > However, for smaller environments, with a very low volume of new users
>     > being introduced, would it not be possible to forego the self
>     provisioning
>     > process and substitute either a manual admin process or some light
>     > automation to generate key pairs on the client and push the necessary
>     > changes directly to the DC?  This would essentially be a Windows
>     Hello for
>     > Business minimum viable product.
>     >
>     well you would have to bypass the whole registration process it is
>     possible in theory but seems rather complex.
> Yes, that's exactly what I'm proposing - bypassing the self registration
> process and instead doing an administrator controlled registration
> process.  I think that entirely removes the need for ADFS and an MFA server.
>     I mean how do you register
>     the pin then?
> The PIN isn't actually registered with the server.  The PIN is only used
> to unlock the TPM on the PC, so that the TPM can use it's knowledge of
> the private key/certificate to authenticate against the server that
> contains a copy of the public key.
> The following is what I think the authentication (not provisioning)
> process boils down to:
> - User attempts to login and provides their PIN to unlock their TPM
> - Kerberos PKINIT authentication is attempted using the private
> key/certificate stored in the TPM
> With the above authentication process in mind, I'm thinking that the
> provisioning process could be boiled down to:
> - Configure the TPM to store a private key and protect it with a PIN
> - Write the public key to the correct location in LDAP (AD DC)
> - Configure the Windows Hello client on the PC
> As Andrew said, under the covers this is really just PKINIT and an AD
> schema upgrade.  I think that most of the complexity lies in the self
> registration process.  Of course self registration would be super
> convenient, but if I want that now, then I need to be willing to pay for
> some Windows Server licensing and ongoing maintenance and support of
> that platform.
> Does this make sense?  Or have I dramatically oversimplified this?
> --
> Mason

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <http://lists.samba.org/pipermail/samba/attachments/20200929/4705033b/signature.sig>

More information about the samba mailing list