CredSSP and kerberos credentials delegation

> Hi,
>
> Thank you for posting.
>
> According to your description, I understand that:
>
> You need to get some clarification about the CredSSP and delegation of
> kerberos smart-card credentials. Another question is how CredSSP works.
>
> If I have misunderstood the problem, please don't hesitate to let me know.
>
> First, I would like to summary what's CredSSP and how it works.
>
> The Credential Security Support Provider (CredSSP) Protocol enables an
> application to securely delegate a user's credentials from a client to a
> target server. For example, the Microsoft Terminal Server uses the CredSSP
> Protocol to securely delegate the user's password or smart card PIN from
> the client to the server to remotely log on the user and establish a
> terminal services session
>
> The CredSSP Protocol is a composite protocol that relies on other
> standards-based security protocols. It first uses the Transport Layer
> Security (TLS) Protocol to establish an encrypted channel between the
> CredSSP client and the CredSSP server. (The client is anonymous at this
> point; the client and the server may have no common trusted certification
> authority root.)
>
> All subsequent messages are sent over this channel. The CredSSP Protocol
> then uses the Simple and Protected Generic Security Service Application
> Program Interface Negotiation Mechanism (SPNEGO) to authenticate the user
> and server in the encrypted TLS session.
>
> By default, SPNEGO has the Kerberos Protocol and NTLM available. The
> Kerberos Protocol is always preferred over NTLM. In Windows XP SP3,
> Windows
> Vista, and Windows 7, the SPNEGO client negotiates Kerberos or NTLM.
>
> The CredSSP Protocol introduces the TSRequest message. The client and
> server use this message to encapsulate the SPNEGO tokens and TSCredentials
> message that the client uses to delegate the user's credentials to the
> CredSSP server over a TLS connection.
>
> =========================
> Briefly compare of Kerberos and CredSSP.
>
> Like the Kerberos authentication protocol, CredSSP can delegate
> credentials
> from the client to the server, but it does so by using a completely
> different mechanism and with different usability and security
> characteristics. With CredSSP, when policy specifies that credentials
> should be delegated, users will be prompted for credentials-unlike
> Kerberos
> delegation-which means the user has some control over whether the
> delegation should occur and (more importantly) what credentials should be
> used. With Kerberos delegation, only the user's Active Directory?
> credentials can be delegated.
>
> =========================
> As for your questions:
>
> 1. Generally, CredSSP is not directly related to Kerberos. They are just
> two different SSPI.
> 2. CredSSP server and clients send TSRequest to exchange messages. For
> detailed information, please refer to the "Protocol Examples" section of
> the following articles:
>
> [MS-CSSP]: Credential Security Support Provider (CredSSP) Protocol
> Specification
> http://msdn.microsoft.com/en-us/libr...(PROT.10).aspx
>
> You can also find other detailed information about CredSSP.
>
> Windows Vista Authentication Features and Changes for Developers
> http://msdn.microsoft.com/en-us/library/cc540483.aspx
>
> Hope it helps.
>
> Sincerely,
> Mervyn Zhang
> Microsoft Online Community Support
>
> ==================================================
> This posting is provided "AS IS" with no warranties, and confers no
> rights.
>

> Hi,
>
> Thank you for posting.
>
> According to your description, I understand that:
>
> You need to get some clarification about the CredSSP and delegation of
> kerberos smart-card credentials. Another question is how CredSSP works.
>
> If I have misunderstood the problem, please don't hesitate to let me know.
>
> First, I would like to summary what's CredSSP and how it works.
>
> The Credential Security Support Provider (CredSSP) Protocol enables an
> application to securely delegate a user's credentials from a client to a
> target server. For example, the Microsoft Terminal Server uses the CredSSP
> Protocol to securely delegate the user's password or smart card PIN from
> the client to the server to remotely log on the user and establish a
> terminal services session
>
> The CredSSP Protocol is a composite protocol that relies on other
> standards-based security protocols. It first uses the Transport Layer
> Security (TLS) Protocol to establish an encrypted channel between the
> CredSSP client and the CredSSP server. (The client is anonymous at this
> point; the client and the server may have no common trusted certification
> authority root.)
>
> All subsequent messages are sent over this channel. The CredSSP Protocol
> then uses the Simple and Protected Generic Security Service Application
> Program Interface Negotiation Mechanism (SPNEGO) to authenticate the user
> and server in the encrypted TLS session.
>
> By default, SPNEGO has the Kerberos Protocol and NTLM available. The
> Kerberos Protocol is always preferred over NTLM. In Windows XP SP3,
> Windows
> Vista, and Windows 7, the SPNEGO client negotiates Kerberos or NTLM.
>
> The CredSSP Protocol introduces the TSRequest message. The client and
> server use this message to encapsulate the SPNEGO tokens and TSCredentials
> message that the client uses to delegate the user's credentials to the
> CredSSP server over a TLS connection.
>
> =========================
> Briefly compare of Kerberos and CredSSP.
>
> Like the Kerberos authentication protocol, CredSSP can delegate
> credentials
> from the client to the server, but it does so by using a completely
> different mechanism and with different usability and security
> characteristics. With CredSSP, when policy specifies that credentials
> should be delegated, users will be prompted for credentials-unlike
> Kerberos
> delegation-which means the user has some control over whether the
> delegation should occur and (more importantly) what credentials should be
> used. With Kerberos delegation, only the user's Active Directory?
> credentials can be delegated.
>
> =========================
> As for your questions:
>
> 1. Generally, CredSSP is not directly related to Kerberos. They are just
> two different SSPI.
> 2. CredSSP server and clients send TSRequest to exchange messages. For
> detailed information, please refer to the "Protocol Examples" section of
> the following articles:
>
> [MS-CSSP]: Credential Security Support Provider (CredSSP) Protocol
> Specification
> http://msdn.microsoft.com/en-us/libr...(PROT.10).aspx
>
> You can also find other detailed information about CredSSP.
>
> Windows Vista Authentication Features and Changes for Developers
> http://msdn.microsoft.com/en-us/library/cc540483.aspx
>
> Hope it helps.
>
> Sincerely,
> Mervyn Zhang
> Microsoft Online Community Support
>
> ==================================================
> This posting is provided "AS IS" with no warranties, and confers no
> rights.
>

> Hi,
>
> Thanks for the update.
>
> CredSSP uses the the TSCredentials structure to forward user’s credential
> to server. The TSCredentials structure contains both the user's
> credentials
> that are delegated to the server and their type.
>
> Credentials may contain a TSPasswordCreds structure that defines the
> user's
> password credentials or contains a TSSmartCardCreds structure that defines
> the user's smart card credentials.
>
> For detailed information, please refer the article below.
>
> http://msdn.microsoft.com/en-us/libr...(PROT.10).aspx
>
> Sincerely,
> Mervyn Zhang
> Microsoft Online Community Support
>
> ==================================================
> This posting is provided "AS IS" with no warranties, and confers no
> rights.
>