[Samba] Schema version 87 and windows Hello
mailist at kaminot.xyz
Tue Sep 29 09:10:13 UTC 2020
It does make sense and I would be into helping implementing it.
I am just afraid that like always with Microsoft when you wireshark it
you have some not so nice surprises.
On 9/29/20 1:34 AM, Mason Schmitt wrote:
> > Is this all that would be required to enable a deployment based upon a
> > traditional PKI?
> If you are using windows yes, if not then you would need to find a way
> to replace the EDRS (there is a good doc about it here
> >> But the big trouble is that the 'Hello for business' enrolment
> >> is all wrapped up in a flow via Active Directory Federation Services,
> >> and we have *none* of that stack.
> > I took a look at the slide deck presented at SambaXP 2019 (
> > and specifically the provisioning process. I see what you mean about the
> > requirement for ADFS, to enable a user friendly self registration.
> > However, for smaller environments, with a very low volume of new users
> > being introduced, would it not be possible to forego the self registration
> > process and substitute either a manual admin process or some light
> > automation to generate key pairs on the client and push the necessary
> > changes directly to the DC? This would essentially be a Windows Hello for
> > Business minimum viable product.
> well you would have to bypass the whole registration process it is
> possible in theory but seems rather complex.
> Yes, that's exactly what I'm proposing - bypassing the self registration
> process and instead doing an administrator controlled registration
> process. I think that entirely removes the need for ADFS and an MFA server.
> I mean how do you register the PIN then?
> The PIN isn't actually registered with the server. The PIN is only used
> to unlock the TPM on the PC, so that the TPM can use its knowledge of
> the private key/certificate to authenticate against the server that
> contains a copy of the public key.
> The following is what I think the authentication (not provisioning)
> process boils down to:
> - User attempts to log in and provides their PIN to unlock their TPM
> - Kerberos PKINIT authentication is attempted using the private
> key/certificate stored in the TPM
> With the above authentication process in mind, I'm thinking that the
> provisioning process could be boiled down to:
> - Configure the TPM to store a private key and protect it with a PIN
> - Write the public key to the correct location in LDAP (AD DC)
> - Configure the Windows Hello client on the PC
> As Andrew said, under the covers this is really just PKINIT and an AD
> schema upgrade. I think that most of the complexity lies in the self
> registration process. Of course self registration would be super
> convenient, but if I want that now, then I need to be willing to pay for
> some Windows Server licensing and ongoing maintenance and support of
> that platform.
> Does this make sense? Or have I dramatically oversimplified this?
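The authentication and provisioning flow sketched in the quoted message, as an added example that is not code from this thread, from Samba or from Microsoft: a self-contained Go model in which the directory (the `ServerRecord`) holds only the public key and a key identifier, the PIN only unwraps a device-held private key (the `DeviceVault`, standing in for the TPM), and the KDC side verifies a signed authenticator with nothing but the stored public key. The PIN-to-wrapping-key hash, the AES-GCM vault, and the `timestamp|nonce` authenticator string are assumptions chosen for the illustration; a real TPM enforces the PIN in hardware with lockout, and real PKINIT uses ASN.1 structures, not this string. The example also shows the two failure modes worth checking: a wrong PIN never exposes the key, and a tampered authenticator does not verify.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"errors"
	"fmt"
	"time"
)

// ServerRecord is what the directory would store for the user: only the
// public key and an identifier derived from it. No PIN material is here.
type ServerRecord struct {
	KeyID     [32]byte // SHA-256 of the DER SubjectPublicKeyInfo (assumed key id scheme)
	PublicDER []byte   // DER-encoded SubjectPublicKeyInfo
}

// DeviceVault stands in for the TPM-resident key: the private key is wrapped
// under a key derived from the PIN, so it is unusable without the PIN.
type DeviceVault struct {
	Salt       [16]byte
	Nonce      []byte
	WrappedKey []byte // AES-GCM over the PKCS#8 DER of the private key
}

// pinKey derives the 256-bit wrapping key from PIN and salt. This hash is a
// stand-in for the TPM's hardware PIN check; it is not a recommended KDF.
func pinKey(pin string, salt [16]byte) []byte {
	h := sha256.New()
	h.Write(salt[:])
	h.Write([]byte(pin))
	return h.Sum(nil)
}

// Enroll is the admin-controlled provisioning step: generate the device key
// pair, wrap the private half under the PIN, and produce the record that
// would be written to the DC.
func Enroll(pin string) (ServerRecord, DeviceVault, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return ServerRecord{}, DeviceVault{}, err
	}
	pubDER, err := x509.MarshalPKIXPublicKey(&priv.PublicKey)
	if err != nil {
		return ServerRecord{}, DeviceVault{}, err
	}
	privDER, err := x509.MarshalPKCS8PrivateKey(priv)
	if err != nil {
		return ServerRecord{}, DeviceVault{}, err
	}
	var salt [16]byte
	if _, err := rand.Read(salt[:]); err != nil {
		return ServerRecord{}, DeviceVault{}, err
	}
	block, err := aes.NewCipher(pinKey(pin, salt))
	if err != nil {
		return ServerRecord{}, DeviceVault{}, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return ServerRecord{}, DeviceVault{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return ServerRecord{}, DeviceVault{}, err
	}
	vault := DeviceVault{Salt: salt, Nonce: nonce, WrappedKey: gcm.Seal(nil, nonce, privDER, nil)}
	return ServerRecord{KeyID: sha256.Sum256(pubDER), PublicDER: pubDER}, vault, nil
}

// Authenticate is the client side: the PIN unwraps the key, which then signs
// the authenticator. A wrong PIN fails GCM authentication, so the private
// key is never produced and nothing about the PIN is sent to the server.
func Authenticate(v DeviceVault, pin string, authenticator []byte) ([]byte, error) {
	block, err := aes.NewCipher(pinKey(pin, v.Salt))
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	privDER, err := gcm.Open(nil, v.Nonce, v.WrappedKey, nil)
	if err != nil {
		return nil, errors.New("wrong PIN: key not unlocked")
	}
	key, err := x509.ParsePKCS8PrivateKey(privDER)
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256(authenticator)
	return ecdsa.SignASN1(rand.Reader, key.(*ecdsa.PrivateKey), digest[:])
}

// Verify is the KDC side: it holds only the directory record and checks the
// signature over the authenticator against the stored public key.
func Verify(r ServerRecord, authenticator, sig []byte) bool {
	if sha256.Sum256(r.PublicDER) != r.KeyID {
		return false // record tampered or mismatched
	}
	pub, err := x509.ParsePKIXPublicKey(r.PublicDER)
	if err != nil {
		return false
	}
	ecPub, ok := pub.(*ecdsa.PublicKey)
	if !ok {
		return false
	}
	digest := sha256.Sum256(authenticator)
	return ecdsa.VerifyASN1(ecPub, digest[:], sig)
}

func main() {
	record, vault, err := Enroll("1234") // constructed PIN for the demo
	if err != nil {
		panic(err)
	}
	// Constructed authenticator: PKINIT binds a timestamp (and nonce) to the signature.
	auth := []byte(time.Now().UTC().Format(time.RFC3339) + "|nonce-constructed")
	sig, err := Authenticate(vault, "1234", auth)
	if err != nil {
		panic(err)
	}
	fmt.Println("correct PIN, valid authenticator verifies:", Verify(record, auth, sig))
	fmt.Println("tampered authenticator verifies:", Verify(record, []byte("other"), sig))
	_, err = Authenticate(vault, "0000", auth)
	fmt.Println("wrong PIN:", err)
}
```

The point the model makes concrete is the one in the message: the server-side record contains no PIN-derived data at all, so the PIN is purely a local unlock, and everything the KDC needs to check is the public key that provisioning wrote. Replacing the hash-and-AES vault with a real TPM-sealed key and the string authenticator with the PKINIT `AuthPack` is what separates this illustration from the actual protocol.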