How to logon a user on a server and run a process given a Kerberos Ticket
How do authentication and logon work on Windows with Kerberos? What I want to achieve is to logon a user on a server and run a process for that user.

As a first step, I create a Kerberos ticket on the client and send it to the server. On the server, I do not know the API to logon the user given its ticket. Of course I can accept the security context using AcceptSecurityContext (SSPI), but that does not initiate a logon.

I think that some SSH implementations for Windows do exactly that. But I want to know how, and what API they probably use.

Canaliculus answered 13/9, 2018 at 6:48 Comment(0)

There are a few ways you can do this. You do need to call AcceptSecurityContext on the ticket to get a security context. This is what bootstraps everything in Windows. From there you can do a couple of different things.

Usually you call ImpersonateSecurityContext so the current thread understands what user it thinks it needs to be. After that you can call QuerySecurityContextToken to get a Windows access token handle. With this handle you then call CreateProcessAsUser. You can also tell it to do things like load the profile if necessary.

This doesn't really do a logon like LogonUserX does, but it effectively starts a process as that user, which is usually what people are looking to accomplish.

Affine answered 19/9, 2018 at 18:33 Comment(4)
Thank you for your answer. It works so far with CreateProcessAsUser: a new process is started running as the user. However, it cannot communicate with other services on different servers (e.g. a REST API). It is not possible to create new tickets for other services (using AcquireCredentialsHandle and InitializeSecurityContext); I get an error: "No credentials are available in the security package". I can create new tickets (delegation) in the service after ImpersonateSecurityContext and before I create a new process. But that is not what I want. Is it possible to do it in the new process? – Canaliculus
Yeah, there's one more step required in that scenario, which is to configure the account the parent process is running as to allow delegation and impersonation. So client => server => child process: that means the server process is running as a user, and that user must have impersonate and delegate configured. – Affine
It seems to work with unconstrained delegation. Do you know whether this approach works with constrained delegation (where the TGT is not sent along with the service ticket for delegation purposes)? – Canaliculus
@Affine Could you let me know how to get the hToken value from the security context? We are trying to create a process in a Spring controller method where we won't have the scope of AuthorizationHeader to extract the authorizationHeader.getTokenBytes(). We have been spending more than a week, but no luck. Any small hint would be a great help! TIA! – Bookstall
