
I wanted to see whether the following is feasible, or whether there is a way out.

  1. My situation: the computers always have internet access (assumption).
  2. I want to write a credential provider with an embedded browser that talks to an external SAML Shibboleth IdP.
  3. After the SAML token is released by the Shibboleth IdP, I want to submit it to AD.
  4. Here is where I am in a dilemma: can AD release the SID and other info to the credential provider to open the desktop (i.e. in lieu of the traditional user ID and password submitted to AD via the Windows login)? If so, what version and what config changes do I need to make?

Is there any documentation you can point me to?

I appreciate any input from your end.

tech_geek

1 Answer

No, not really. Or sorta, I guess, but it's not usable.

You can fake it by creating a local token, which will eventually create a session and get to the desktop, but you're crippled because Windows doesn't have an AD ticket. As such, you can't reach anything on the domain, and anything requiring Kerberos or NTLM auth will fail in spectacular ways.

Additionally, you can't get a ticket (safely, anyway) from AD for a user, and you can't make one, without actually authenticating to AD proper. The issued SAML token has no relationship to the ticket, so AD wouldn't know what to do with it.

One thing you could consider is creating an SSPI package on both the client and DC, which would exchange a SAML token for a Kerberos ticket, by virtue of the fact that AD has the necessary permissions to do anything it wants. The catch though is that everyone needs the package, and everyone needs to understand how to use the package.

On top of all that, opening a browser session in the Credential Provider context is downright scary because they run as SYSTEM.

Steve
  • Steve, thanks! A few follow-up questions: 1. Does authenticating to AD mean submitting a user ID and password only to get an AD ticket to open a desktop session? No other way? :) Please confirm. 2. On the SSPI/Kerberos package, can you point me to additional documentation? Thanks again – tech_geek Nov 23 '16 at 21:05
  • OK, I found this article, and clearly password login is at least not mandatory. As such, I was wondering if there is an alternate way to get an AD token (not necessarily a SAML token exchange). Any further pointers? https://www.google.com/amp/www.thewindowsclub.com/assign-default-credential-provider-windows-10/amp – tech_geek Nov 24 '16 at 10:41