CredSSP and kerberos credentials delegation

Posted: 01-19-2009, 10:59 PM
Hello,

please, would you be able to kindly provide some kind of a clarification
about the CredSSP and delegation of kerberos smart-card credentials (to TS
for example)?

I assume this:
the user is logged on by using smart-card (online by using DC)
the private key cannot leave the smart-card
the user then receives a valid TGT
then the client uses CredSSP to forward "his credentials" to a TS server.

And here comes the question:
what actually is forwarded to the TS server? Is it the client's TGT together
with the session key to decrypt the TGT?

many thanks

ondra.

Responses to "CredSSP and kerberos credentials delegation"

Mervyn Zhang [MSFT]
RE: CredSSP and kerberos credentials delegation
Posted: 01-20-2009, 07:12 AM
Hi,

Thank you for posting.

According to your description, I understand that:

You need to get some clarification about the CredSSP and delegation of
kerberos smart-card credentials. Another question is how CredSSP works.

If I have misunderstood the problem, please don't hesitate to let me know.

First, I would like to summarize what CredSSP is and how it works.

The Credential Security Support Provider (CredSSP) Protocol enables an
application to securely delegate a user's credentials from a client to a
target server. For example, the Microsoft Terminal Server uses the CredSSP
Protocol to securely delegate the user's password or smart card PIN from
the client to the server to remotely log on the user and establish a
terminal services session.

The CredSSP Protocol is a composite protocol that relies on other
standards-based security protocols. It first uses the Transport Layer
Security (TLS) Protocol to establish an encrypted channel between the
CredSSP client and the CredSSP server. (The client is anonymous at this
point; the client and the server may have no common trusted certification
authority root.)

All subsequent messages are sent over this channel. The CredSSP Protocol
then uses the Simple and Protected Generic Security Service Application
Program Interface Negotiation Mechanism (SPNEGO) to authenticate the user
and server in the encrypted TLS session.

By default, SPNEGO has the Kerberos Protocol and NTLM available. The
Kerberos Protocol is always preferred over NTLM. In Windows XP SP3, Windows
Vista, and Windows 7, the SPNEGO client negotiates Kerberos or NTLM.

The CredSSP Protocol introduces the TSRequest message. The client and
server use this message to encapsulate the SPNEGO tokens and TSCredentials
message that the client uses to delegate the user's credentials to the
CredSSP server over a TLS connection.

=========================
Brief comparison of Kerberos and CredSSP.

Like the Kerberos authentication protocol, CredSSP can delegate credentials
from the client to the server, but it does so by using a completely
different mechanism and with different usability and security
characteristics. With CredSSP, when policy specifies that credentials
should be delegated, users will be prompted for credentials, unlike Kerberos
delegation, which means the user has some control over whether the
delegation should occur and (more importantly) what credentials should be
used. With Kerberos delegation, only the user's Active Directory®
credentials can be delegated.

=========================
As for your questions:

1. Generally, CredSSP is not directly related to Kerberos. They are just
two different SSPIs.
2. CredSSP servers and clients exchange TSRequest messages. For
detailed information, please refer to the "Protocol Examples" section of
the following article:

[MS-CSSP]: Credential Security Support Provider (CredSSP) Protocol
Specification
http://msdn.microsoft.com/en-us/libr...(PROT.10).aspx

You can also find other detailed information about CredSSP.

Windows Vista Authentication Features and Changes for Developers
http://msdn.microsoft.com/en-us/library/cc540483.aspx

Hope it helps.

Sincerely,
Mervyn Zhang
Microsoft Online Community Support

==================================================
This posting is provided "AS IS" with no warranties, and confers no rights.

Ondrej Sevecek
Re: CredSSP and kerberos credentials delegation
Posted: 01-21-2009, 10:11 AM
Thank you very much for the links and such comprehensive details. I will
investigate them deeper over time.

Now only a simple clarification that comes to my mind:

When a user logs on with a user name and password, CredSSP will forward
the actual login/password, right?
But what will CredSSP forward if the user logs on by using her smart card?
The only thing the user provides at the logon screen is her PIN. So is it
true that CredSSP will forward just the user's PIN to the TS? And that the
Terminal Server itself will then use the user's PIN and remote smart card to
log her on?


ondra.


"Mervyn Zhang [MSFT]" <v-mervzh@online.microsoft.com> wrote in message
news:uS6V%235seJHA.4200@TK2MSFTNGHUB02.phx.gbl...
> Hi,
>
> Thank you for posting.
>
> According to your description, I understand that:
>
> You need to get some clarification about the CredSSP and delegation of
> kerberos smart-card credentials. Another question is how CredSSP works.
>
> If I have misunderstood the problem, please don't hesitate to let me know.
>
> First, I would like to summarize what CredSSP is and how it works.
>
> The Credential Security Support Provider (CredSSP) Protocol enables an
> application to securely delegate a user's credentials from a client to a
> target server. For example, the Microsoft Terminal Server uses the CredSSP
> Protocol to securely delegate the user's password or smart card PIN from
> the client to the server to remotely log on the user and establish a
> terminal services session.
>
> The CredSSP Protocol is a composite protocol that relies on other
> standards-based security protocols. It first uses the Transport Layer
> Security (TLS) Protocol to establish an encrypted channel between the
> CredSSP client and the CredSSP server. (The client is anonymous at this
> point; the client and the server may have no common trusted certification
> authority root.)
>
> All subsequent messages are sent over this channel. The CredSSP Protocol
> then uses the Simple and Protected Generic Security Service Application
> Program Interface Negotiation Mechanism (SPNEGO) to authenticate the user
> and server in the encrypted TLS session.
>
> By default, SPNEGO has the Kerberos Protocol and NTLM available. The
> Kerberos Protocol is always preferred over NTLM. In Windows XP SP3,
> Windows
> Vista, and Windows 7, the SPNEGO client negotiates Kerberos or NTLM.
>
> The CredSSP Protocol introduces the TSRequest message. The client and
> server use this message to encapsulate the SPNEGO tokens and TSCredentials
> message that the client uses to delegate the user's credentials to the
> CredSSP server over a TLS connection.
>
> =========================
> Brief comparison of Kerberos and CredSSP.
>
> Like the Kerberos authentication protocol, CredSSP can delegate
> credentials
> from the client to the server, but it does so by using a completely
> different mechanism and with different usability and security
> characteristics. With CredSSP, when policy specifies that credentials
> should be delegated, users will be prompted for credentials, unlike
> Kerberos
> delegation, which means the user has some control over whether the
> delegation should occur and (more importantly) what credentials should be
> used. With Kerberos delegation, only the user's Active Directory®
> credentials can be delegated.
>
> =========================
> As for your questions:
>
> 1. Generally, CredSSP is not directly related to Kerberos. They are just
> two different SSPIs.
> 2. CredSSP servers and clients exchange TSRequest messages. For
> detailed information, please refer to the "Protocol Examples" section of
> the following article:
>
> [MS-CSSP]: Credential Security Support Provider (CredSSP) Protocol
> Specification
> http://msdn.microsoft.com/en-us/libr...(PROT.10).aspx
>
> You can also find other detailed information about CredSSP.
>
> Windows Vista Authentication Features and Changes for Developers
> http://msdn.microsoft.com/en-us/library/cc540483.aspx
>
> Hope it helps.
>
> Sincerely,
> Mervyn Zhang
> Microsoft Online Community Support
>
> ==================================================
> This posting is provided "AS IS" with no warranties, and confers no
> rights.
>
Mervyn Zhang [MSFT]
Re: CredSSP and kerberos credentials delegation
Posted: 01-21-2009, 11:31 AM
Hi,

Thanks for the update.

CredSSP uses the TSCredentials structure to forward the user's credentials
to the server. The TSCredentials structure contains both the user's credentials
that are delegated to the server and their type.

Credentials may contain a TSPasswordCreds structure that defines the user's
password credentials or contains a TSSmartCardCreds structure that defines
the user's smart card credentials.

For detailed information, please refer to the article below.

http://msdn.microsoft.com/en-us/libr...(PROT.10).aspx

Sincerely,
Mervyn Zhang
Microsoft Online Community Support

==================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
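To make concrete what the TSCredentials structure described in the two replies above actually carries, here is an added example; it is not code from this thread, from Microsoft, or from any RDP implementation. It DER-encodes and parses TSCredentials as laid out in [MS-CSSP]: a credType plus an inner TSPasswordCreds or TSSmartCardCreds, with strings held as UTF-16LE in OCTET STRINGs. The tag layout and the credType values 1 (password) and 2 (smart card) follow the specification; the domain, user name, password, PIN, card, reader and container names are constructed sample values, and the optional userHint/domainHint fields are left out. Decoding the smart-card case answers the question asked in this thread: the client delegates the PIN together with the CSP, reader and key-container details the server needs to drive the redirected card, and no Kerberos TGT or session key appears anywhere in the structure. In the protocol this blob is carried in a TSRequest and encrypted under the SPNEGO-negotiated context inside the TLS channel; that wrapping is out of scope here.

```python
# Added example: minimal DER encoder/decoder for the [MS-CSSP] TSCredentials
# payload (not Microsoft's or any RDP client's code). All sample values are
# constructed. Strings are UTF-16LE inside OCTET STRINGs, as the spec requires.

# credType values defined by [MS-CSSP]
CRED_TYPE_PASSWORD = 1   # credentials field holds a TSPasswordCreds
CRED_TYPE_SMARTCARD = 2  # credentials field holds a TSSmartCardCreds


def _tlv(tag: int, body: bytes) -> bytes:
    """DER tag-length-value; long-form length for bodies of 128+ bytes."""
    if len(body) < 0x80:
        length = bytes([len(body)])
    else:
        n = (len(body).bit_length() + 7) // 8
        length = bytes([0x80 | n]) + len(body).to_bytes(n, "big")
    return bytes([tag]) + length + body

def _ctx(idx: int, inner: bytes) -> bytes:
    """Context-specific [idx] EXPLICIT tag around an already-encoded TLV."""
    return _tlv(0xA0 | idx, inner)

def _octets(s: str) -> bytes:
    return _tlv(0x04, s.encode("utf-16-le"))

def _integer(v: int) -> bytes:
    return _tlv(0x02, v.to_bytes(max(1, (v.bit_length() + 8) // 8), "big"))

def _sequence(*fields: bytes) -> bytes:
    return _tlv(0x30, b"".join(fields))


def encode_password_creds(domain: str, user: str, password: str) -> bytes:
    """TSCredentials { credType 1, credentials = DER(TSPasswordCreds) }."""
    inner = _sequence(_ctx(0, _octets(domain)), _ctx(1, _octets(user)),
                      _ctx(2, _octets(password)))
    return _sequence(_ctx(0, _integer(CRED_TYPE_PASSWORD)),
                     _ctx(1, _tlv(0x04, inner)))

def encode_smartcard_creds(pin: str, key_spec: int, card_name: str,
                           reader_name: str, container_name: str,
                           csp_name: str) -> bytes:
    """TSCredentials { credType 2, credentials = DER(TSSmartCardCreds) }.
    TSSmartCardCreds = PIN + TSCspDataDetail (keySpec, card, reader,
    container, CSP); optional userHint/domainHint are omitted here."""
    csp = _sequence(_ctx(0, _integer(key_spec)), _ctx(1, _octets(card_name)),
                    _ctx(2, _octets(reader_name)),
                    _ctx(3, _octets(container_name)),
                    _ctx(4, _octets(csp_name)))
    inner = _sequence(_ctx(0, _octets(pin)), _ctx(1, csp))
    return _sequence(_ctx(0, _integer(CRED_TYPE_SMARTCARD)),
                     _ctx(1, _tlv(0x04, inner)))


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos); raises ValueError on truncated input."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER value")
    return tag, buf[pos:pos + length], pos + length

def _fields(seq_body: bytes) -> dict:
    """Map a SEQUENCE body of [n] EXPLICIT fields to {n: inner TLV value}."""
    out, pos = {}, 0
    while pos < len(seq_body):
        tag, wrapped, pos = _read_tlv(seq_body, pos)
        if (tag & 0xE0) != 0xA0:
            raise ValueError(f"expected context tag, got 0x{tag:02x}")
        out[tag & 0x1F] = _read_tlv(wrapped, 0)[1]
    return out

def _u16(f: dict, idx: int):
    """Decode an optional UTF-16LE field, None when absent."""
    return f[idx].decode("utf-16-le") if idx in f else None


def decode_ts_credentials(der: bytes) -> dict:
    """Parse TSCredentials into the fields the terminal server receives."""
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("TSCredentials must be a single SEQUENCE")
    top = _fields(body)
    cred_type = int.from_bytes(top[0], "big")
    inner = _fields(_read_tlv(top[1], 0)[1])  # OCTET STRING holds a SEQUENCE
    if cred_type == CRED_TYPE_PASSWORD:
        return {"credType": cred_type, "domainName": _u16(inner, 0),
                "userName": _u16(inner, 1), "password": _u16(inner, 2)}
    if cred_type == CRED_TYPE_SMARTCARD:
        csp = _fields(inner[1])
        return {"credType": cred_type, "pin": _u16(inner, 0),
                "keySpec": int.from_bytes(csp[0], "big"),
                "cardName": _u16(csp, 1), "readerName": _u16(csp, 2),
                "containerName": _u16(csp, 3), "cspName": _u16(csp, 4)}
    raise ValueError(f"unsupported credType {cred_type}")


if __name__ == "__main__":
    # Constructed sample values; key_spec 1 is AT_KEYEXCHANGE in CryptoAPI.
    print(decode_ts_credentials(encode_password_creds("CONTOSO", "alice", "P@ssw0rd")))
    print(decode_ts_credentials(encode_smartcard_creds(
        "1234", 1, "Sample Card", "Reader 0", "le-SmartcardLogon-1",
        "Microsoft Base Smart Card Crypto Provider")))
```

The decoded dictionaries make the security characteristic behind the Kerberos comparison above visible: what CredSSP delegates is the real password or PIN, not a constrained, forwardable ticket, so the TLS channel and the SPNEGO authentication of the server that precede the TSCredentials exchange are what stand between that secret and a server the user should not have trusted with it.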

Ondrej Sevecek
Re: CredSSP and kerberos credentials delegation
Posted: 01-21-2009, 11:56 AM
eeeeeeeeexxxxxxceeeeeeeeeeellllleeeeeeeeeent. I love you :-)

ondra.


"Mervyn Zhang [MSFT]" <v-mervzh@online.microsoft.com> wrote in message
news:LF0wKv7eJHA.3536@TK2MSFTNGHUB02.phx.gbl...
> Hi,
>
> Thanks for the update.
>
> CredSSP uses the TSCredentials structure to forward the user's credentials
> to the server. The TSCredentials structure contains both the user's
> credentials
> that are delegated to the server and their type.
>
> Credentials may contain a TSPasswordCreds structure that defines the
> user's
> password credentials or contains a TSSmartCardCreds structure that defines
> the user's smart card credentials.
>
> For detailed information, please refer to the article below.
>
> http://msdn.microsoft.com/en-us/libr...(PROT.10).aspx
>
> Sincerely,
> Mervyn Zhang
> Microsoft Online Community Support
>
> ==================================================
> This posting is provided "AS IS" with no warranties, and confers no
> rights.
>
Mervyn Zhang [MSFT]
Re: CredSSP and kerberos credentials delegation
Posted: 01-22-2009, 02:15 AM
Hi ondra,

I am glad to hear that the information is useful for you. If you have any other
questions or concerns, please do not hesitate to contact us. It is always
our pleasure to be of assistance.

Have a nice day!

Sincerely,
Mervyn Zhang
Microsoft Online Community Support

==================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
