[Samba] Schema version 87 and windows Hello
mailist
mailist at kaminot.xyz
Tue Sep 29 09:10:13 UTC 2020
Hi Mason,
it does make sense and I would be into helping implementing it.
I am just affraid that like always with microsoft when you wireshark it
you have some not so nice surprises.
+1
Vincent
On 9/29/20 1:34 AM, Mason Schmitt wrote:
>
> > Is this all that would be required to enable a deployment based upon a
> > traditional PKI?
> >
> If you are using windows yes, if not then you would need to find a way
> to replace the EDRS (there is a good doc about it here
> https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning)
>
>
>
> >> But the big trouble is that the 'Hello for buisness' enrolment
> process
> >> is all wrapped up in a flow via Active Directory Federation Services,
> >> and we have *none* of that stack.
> >>
> >
> > I took a look at the slide deck presented at SambaXP 2019 (
> >
> https://sambaxp.org/fileadmin/user_upload/sambaxp2019-slides/farooqi_sambaxp2019_WindowsHelloForBusiness.pdf)
> > and specifically the provisioning process. I see what you mean
> about the
> > requirement for ADFS, to enable a user friendly self registration
> process.
> >
> > However, for smaller environments, with a very low volume of new users
> > being introduced, would it not be possible to forego the self
> provisioning
> > process and substitute either a manual admin process or some light
> > automation to generate key pairs on the client and push the necessary
> > changes directly to the DC? This would essentially be a Windows
> Hello for
> > Business minimum viable product.
> >
> well you would have to bypass the whole registration process it is
> possible in theory but seems rather complex.
>
>
> Yes, that's exactly what I'm proposing - bypassing the self registration
> process and instead doing an administrator controlled registration
> process. I think that entirely removes the need for ADFS and an MFA server.
>
>
>
> I mean how do you register
> the pin then?
>
>
> The PIN isn't actually registered with the server. The PIN is only used
> to unlock the TPM on the PC, so that the TPM can use it's knowledge of
> the private key/certificate to authenticate against the server that
> contains a copy of the public key.
>
> The following is what I think the authentication (not provisioning)
> process boils down to:
> - User attempts to login and provides their PIN to unlock their TPM
> - Kerberos PKINIT authentication is attempted using the private
> key/certificate stored in the TPM
>
> With the above authentication process in mind, I'm thinking that the
> provisioning process could be boiled down to:
> - Configure the TPM to store a private key and protect it with a PIN
> - Write the public key to the correct location in LDAP (AD DC)
> - Configure the Windows Hello client on the PC
>
>
> As Andrew said, under the covers this is really just PKINIT and an AD
> schema upgrade. I think that most of the complexity lies in the self
> registration process. Of course self registration would be super
> convenient, but if I want that now, then I need to be willing to pay for
> some Windows Server licensing and ongoing maintenance and support of
> that platform.
>
> Does this make sense? Or have I dramatically oversimplified this?
>
> --
> Mason
>
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <http://lists.samba.org/pipermail/samba/attachments/20200929/4705033b/signature.sig>
More information about the samba
mailing list