www.cendio.com
Bug 4498 - Add cert+pin authentication functionality to CredSSP
Status: CLOSED FIXED
Product: ThinLinc
Component: rdesktop (deprecated)
Version: 4.0.0
Hardware: PC Unknown
Importance: P2 Normal
Target Milestone: 4.1.0
Reported: 2012-12-04 14:08 by
Modified: 2013-06-27 09:56 (History)
Attachments
Implementation of TSSmartCardCreds for CredSSP (6.71 KB, patch)
2013-02-26 11:24, Henrik Andersson
Details
Description From cendio 2012-12-04 14:08:55
------- Comment #1 From cendio 2012-12-05 11:16:52 -------
With the latest Kerberos + CredSSP implementation only TSPasswordCreds
is supported; however, there is also support for delegation of smartcard creds
using TSSmartCardCreds for SSO. For more information:

http://download.microsoft.com/download/9/5/E/95EF66AF-9026-4BB0-A41D-A4F81802D92C/%5BMS-CSSP%5D.pdf
------- Comment #2 From cendio 2012-12-05 11:21:35 -------
A test environment needs to be set up and configured with user certificates;
then verify functionality using the MS client and dump the RDP traffic to identify
the actual data passed in the pretty anonymous cryptographic service
provider structure (TSCspDataDetail).
------- Comment #3 From cendio 2012-12-20 14:44:21 -------
How to set up smart card authentication using Windows 2008 R2 AD
with a third-party CA and certificates:

Enable CA:
--------------
1. Export CA and user certificates as DER:
  pkcs15-tool -r <ID> > cert.pem
  openssl x509 -outform der -in cert.pem -out cert.cer

2. Add the CA to trusted roots in the Active Directory group policy object:
  edit the Default Domain Policy Group Policy and go to
  Computer Configuration->Policies->Windows Settings->Security Settings->Public
  Key Policy. Right-click "Trusted Root Certification Authorities"->"All Tasks"
  ->"Import" and select the CA cert to import.

3. The CA cert needs to be added to the NTAuth store to be used for logon. This is
  done using the following command: certutil -dspublish -f cert_ca.cer NTAuthCA


Map user certificate to user object:
-------------------------------------
1. Start "Active Directory Users and Computers" and enable advanced options
  using the menu View->Advanced Features, then browse to the user you want to
  enable smartcard logon for. Right-click and select "Name Mapping", and on the
  Certificate tab click Add and import the user certificate; actually only the
  subject and issuer are imported and mapped to the user.


I have tested this setup using rdesktop to authenticate and log on using a local
smartcard reader and it works as expected.
------- Comment #4 From cendio 2012-12-20 17:22:14 -------
To disable the CRL checks, which fail on the Telia eID card, one should
add this key; verified and working as expected:

HKEY_LOCAL_MACHINE\SYSTEM\CCS\Services\Kdc\UseCachedCRLOnlyAndIgnoreRevocationUnknownErrors


More nifty information can be found here:

http://technet.microsoft.com/en-us/library/ff404287(v=ws.10).aspx#BKMK_3
------- Comment #5 From cendio 2013-02-26 11:24:57 -------
Created an attachment (id=465) [details]
Implementation of TSSmartCardCreds for CredSSP

The missing part is what exactly the following fields of TSCspDataDetail
should contain; see the following data structure:

TSCspDataDetail ::= SEQUENCE {
    keySpec       [0] INTEGER,
    cardName      [1] OCTET STRING OPTIONAL,
    readerName    [2] OCTET STRING OPTIONAL,
    containerName [3] OCTET STRING OPTIONAL,
    cspName       [4] OCTET STRING OPTIONAL
}
------- Comment #6 From cendio 2013-02-26 11:26:43 -------
The documentation for CredSSP is found in the Microsoft spec MS-CSSP.pdf,
found at the following address:

http://msdn.microsoft.com/en-us/library/cc226764.aspx
------- Comment #8 From cendio 2013-03-12 12:22:50 -------
Here is some useful information on Smart Card authentication for windows:

http://technet.microsoft.com/en-us/library/dd277362.aspx
------- Comment #9 From cendio 2013-03-12 16:05:50 -------
Here is some good source of information for CryptoAPI (CSP)

http://technet.microsoft.com/en-us/library/ff404300(v=ws.10).aspx
------- Comment #10 From cendio 2013-03-18 15:02:33 -------
containerName seems to be the user logon name, as stated by the following
documentation:

http://msdn.microsoft.com/en-us/library/ms867086.aspx
------- Comment #11 From cendio 2013-03-19 11:21:27 -------
Looks like I have managed to work this out; for now 2 parameters need to be
passed as arguments for smartcard SSO using CredSSP: the CSP name and the reader
name.

The CSP name is specific to Windows and reader names can be fetched from PC/SC; here
follow some examples from my test setup with 2 smartcard readers.

CSP: 'Net iD - CSP'
Reader: 'Gemalto PC Twin Reader 00 00'
Reader: 'Gemalto PC Twin Reader 01 00'

The CSP name is the "Smartcard Driver name" in Windows and we need to provide a
tool for extracting this.
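The structures quoted in comment #5, filled with the two values comment #11 settled on (CSP name and reader name), as an added worked example. This is not rdesktop's or ThinLinc's code: it is a small DER encoder for TSCspDataDetail, TSSmartCardCreds and the TSCredentials wrapper from MS-CSSP, plus a strict decoder that checks what the encoder produced. Assumptions made here: the context tags are EXPLICIT (constructed, tag byte 0xA0|n), the OCTET STRINGs carry UTF-16LE text without a terminating NUL, userHint/domainHint are left out of the encoder, and the PIN "1234" is made up. The reader and CSP names are the ones from the test setup above. Keep in mind that the PIN sits in the clear inside this blob; CredSSP only protects it by GSS-wrapping the TSCredentials inside the TLS channel, so the bytes must never end up in a log or a core file.

```python
CREDTYPE_PASSWORD, CREDTYPE_SMARTCARD = 1, 2
AT_KEYEXCHANGE, AT_SIGNATURE = 1, 2  # the two keySpec values MS-CSSP allows

def der_len(n):  # length octets: short form below 128, otherwise minimal long form
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der_tlv(tag, content):
    return bytes([tag]) + der_len(len(content)) + content

def der_integer(value):  # non-negative only; minimal two's-complement body
    return der_tlv(0x02, value.to_bytes(value.bit_length() // 8 + 1, "big"))

def ctx(n, inner):  # EXPLICIT [n]: constructed context-specific tag, byte 0xA0 | n
    return der_tlv(0xA0 | n, inner)

def ustr(s):  # MS-CSSP strings are UTF-16LE inside OCTET STRINGs (no NUL written here)
    return der_tlv(0x04, s.encode("utf-16-le"))

def encode_csp_data_detail(key_spec, card_name=None, reader_name=None,
                           container_name=None, csp_name=None):
    items = [ctx(0, der_integer(key_spec))]
    for n, v in ((1, card_name), (2, reader_name), (3, container_name), (4, csp_name)):
        if v is not None:  # OPTIONAL fields are simply left out
            items.append(ctx(n, ustr(v)))
    return der_tlv(0x30, b"".join(items))

def encode_smartcard_creds(pin, csp_data):  # userHint/domainHint omitted (assumption)
    return der_tlv(0x30, ctx(0, ustr(pin)) + ctx(1, csp_data))

def encode_ts_credentials(cred_type, creds):
    """credType [0] INTEGER; credentials [1] OCTET STRING holding the nested DER blob."""
    return der_tlv(0x30, ctx(0, der_integer(cred_type)) + ctx(1, der_tlv(0x04, creds)))

def der_read(buf, pos=0):
    """Read one TLV at pos -> (tag, content, next_pos); rejects non-minimal/truncated lengths."""
    if pos + 2 > len(buf):
        raise ValueError("truncated header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        if not 1 <= nbytes <= 4:
            raise ValueError("bad length encoding")
        length, pos = int.from_bytes(buf[pos:pos + nbytes], "big"), pos + nbytes
        if length < 0x80 or length < 1 << (8 * (nbytes - 1)):
            raise ValueError("non-minimal DER length")
    if pos + length > len(buf):
        raise ValueError("truncated element")
    return tag, buf[pos:pos + length], pos + length

def der_children(content):  # every TLV inside a constructed element, in order
    pos = 0
    while pos < len(content):
        tag, body, pos = der_read(content, pos)
        yield tag, body

CSP_SCHEMA = {0: ("keySpec", "int"), 1: ("cardName", "ustr"), 2: ("readerName", "ustr"),
              3: ("containerName", "ustr"), 4: ("cspName", "ustr")}
SC_SCHEMA = {0: ("pin", "ustr"), 1: ("cspData", "seq"), 2: ("userHint", "ustr"),
             3: ("domainHint", "ustr")}
TS_SCHEMA = {0: ("credType", "int"), 1: ("credentials", "raw")}
INNER_TAG = {"int": 0x02, "ustr": 0x04, "raw": 0x04, "seq": 0x30}

def decode_struct(buf, schema, required):
    """Parse one SEQUENCE of EXPLICIT [n]-tagged fields; schema maps n -> (name, kind)."""
    tag, seq, end = der_read(buf)
    if tag != 0x30 or end != len(buf):
        raise ValueError("expected exactly one SEQUENCE")
    out = {}
    for ctag, body in der_children(seq):
        n = ctag & 0x1F
        if ctag & 0xE0 != 0xA0 or n not in schema or schema[n][0] in out:
            raise ValueError("unexpected or repeated tag 0x%02x" % ctag)
        name, kind = schema[n]
        (itag, inner), = der_children(body)  # an EXPLICIT tag wraps exactly one value
        if itag != INNER_TAG[kind]:
            raise ValueError("field %s has wrong inner tag 0x%02x" % (name, itag))
        if kind == "int":
            out[name] = int.from_bytes(inner, "big", signed=True)
        elif kind == "ustr":
            out[name] = inner.decode("utf-16-le")
        else:  # raw: DER blob inside the OCTET STRING; seq: keep the nested SEQUENCE TLV
            out[name] = inner if kind == "raw" else body
    missing = [schema[n][0] for n in required if schema[n][0] not in out]
    if missing:
        raise ValueError("missing required field(s): " + ", ".join(missing))
    return out

def decode_ts_credentials(buf):  # for credType 2 also unpack TSSmartCardCreds/TSCspDataDetail
    ts = decode_struct(buf, TS_SCHEMA, required=(0, 1))
    if ts["credType"] == CREDTYPE_SMARTCARD:
        sc = decode_struct(ts["credentials"], SC_SCHEMA, required=(0, 1))
        sc["cspData"] = decode_struct(sc["cspData"], CSP_SCHEMA, required=(0,))
        ts["credentials"] = sc
    return ts

def build_example():  # reader/CSP names from the test setup above; the PIN is made up
    csp = encode_csp_data_detail(AT_KEYEXCHANGE, reader_name="Gemalto PC Twin Reader 00 00", csp_name="Net iD - CSP")
    return encode_ts_credentials(CREDTYPE_SMARTCARD, encode_smartcard_creds("1234", csp))
```

build_example() returns the blob that would be GSS-wrapped into authInfo; decode_ts_credentials() rejects non-minimal lengths, unknown or repeated tags, a wrong inner tag and a missing keySpec, pin or cspData, which is the strictness you want from anything that parses this structure on the receiving side.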
------- Comment #12 From cendio 2013-03-25 14:06:19 -------
Initial implementation of CredSSP smartcard support is now
committed upstream in commit r1705
------- Comment #13 From cendio 2013-04-04 13:42:22 -------
Commit r26892 brings vendordrop of rdesktop into ThinLinc
------- Comment #14 From cendio 2013-06-18 19:21:12 -------
Microsoft KB on enabling third party CA:

http://support.microsoft.com/kb/281245
http://support.microsoft.com/kb/295663
------- Comment #15 From cendio 2013-06-18 20:26:52 -------
The path referenced in the TAG to find out the CSP name isn't very good. It
references the ATR mapping tables in the registry, which isn't always used
(tried with Telia's version of Net iD).

A better path to look in is where the CSPs register themselves:

HKLM\SOFTWARE\Microsoft\Cryptography\Defaults\Provider
------- Comment #16 From cendio 2013-06-18 21:10:27 -------
Problems in tl-run-rdesktop. Specifying the following:

rdesktop_args=-o sc-csp-name="Net iD - CSP"

doesn't work as tl-run-rdesktop doesn't support quotes and will blindly
separate it on spaces. This can be seen in strace:

"/opt/thinlinc/bin/rdesktop", "-o", "sc-csp-name=\"Net", "iD", "-", "CSP\"",
------- Comment #17 From cendio 2013-06-18 21:12:03 -------
I'm also not getting the reader name in the SSO information:

[tluser@dhcp-254-223 ~]$ xprop -root | grep TL_
TL_SENSITIVE_PARAMS(ATOM) = TL_SSO_TOKEN_PASSPHRASE
TL_SSO_TOKEN_PASSPHRASE(STRING) = <redacted>
------- Comment #18 From cendio 2013-06-19 10:30:27 -------
(In reply to comment #17)
> I'm also not getting the reader name in the SSO information:
> 
> [tluser@dhcp-254-223 ~]$ xprop -root | grep TL_
> TL_SENSITIVE_PARAMS(ATOM) = TL_SSO_TOKEN_PASSPHRASE
> TL_SSO_TOKEN_PASSPHRASE(STRING) = <redacted>

Moved to correct bug, #4565
------- Comment #19 From cendio 2013-06-19 11:08:20 -------
(In reply to comment #16)
> Problems in tl-run-rdesktop. Specifying the following:
> 
> rdesktop_args=-o sc-csp-name="Net iD - CSP"
> 
> doesn't work as tl-run-rdesktop doesn't support quotes and will blindly
> separate it on spaces. This can be seen in strace:
> 
> "/opt/thinlinc/bin/rdesktop", "-o", "sc-csp-name=\"Net", "iD", "-", "CSP\"",

Fixed in 27539.
------- Comment #20 From cendio 2013-06-25 13:09:43 -------
(In reply to comment #15)
> The path referenced in the TAG to find out the CSP name isn't very good. It
> references the ATR mapping tables in the registry, which isn't always used
> (tried with Telia's version of Net iD).
> 
> A better path to look in is where the CSP:s register themselves:
> 
> HKLM\SOFTWARE\Microsoft\Cryptography\Defaults\Provider

Verified that this is the case for 2008R2, will update the documentation.
------- Comment #21 From cendio 2013-06-25 13:10:37 -------
(In reply to comment #19)
> (In reply to comment #16)
> > Problems in tl-run-rdesktop. Specifying the following:
> > 
> > rdesktop_args=-o sc-csp-name="Net iD - CSP"
> > 
> > doesn't work as tl-run-rdesktop doesn't support quotes and will blindly
> > separate it on spaces. This can be seen in strace:
> > 
> > "/opt/thinlinc/bin/rdesktop", "-o", "sc-csp-name=\"Net", "iD", "-", "CSP\"",
> 
> Fixed in 27539.

Broken when rdesktop_args is missing:

Traceback (most recent call last):
  File "/opt/thinlinc/bin/tl-run-rdesktop", line 580, in oOoO0
    iiiI . extend ( shlex . split ( hive . get_string (
"/appservergroups/rdp/%s/rdesktop_args" % appservergroup , [ ] ) ) )
  File "/usr/lib64/python2.7/shlex.py", line 279, in split
    return list(lex)
  File "/usr/lib64/python2.7/shlex.py", line 269, in next
    token = self.get_token()
  File "/usr/lib64/python2.7/shlex.py", line 96, in get_token
    raw = self.read_token()
  File "/usr/lib64/python2.7/shlex.py", line 124, in read_token
    nextchar = self.instream.read(1)
AttributeError: 'list' object has no attribute 'read'
------- Comment #22 From cendio 2013-06-25 13:18:05 -------
(In reply to comment #21)
> (In reply to comment #19)
> > (In reply to comment #16)
> > > Problems in tl-run-rdesktop. Specifying the following:
> > > 
> > > rdesktop_args=-o sc-csp-name="Net iD - CSP"
> > > 
> > > doesn't work as tl-run-rdesktop doesn't support quotes and will blindly
> > > separate it on spaces. This can be seen in strace:
> > > 
> > > "/opt/thinlinc/bin/rdesktop", "-o", "sc-csp-name=\"Net", "iD", "-", "CSP\"",
> > 
> > Fixed in 27539.
> 
> Broken when rdesktop_args is missing:
> 
> Traceback (most recent call last):
>   File "/opt/thinlinc/bin/tl-run-rdesktop", line 580, in oOoO0
>     iiiI . extend ( shlex . split ( hive . get_string (
> "/appservergroups/rdp/%s/rdesktop_args" % appservergroup , [ ] ) ) )
>   File "/usr/lib64/python2.7/shlex.py", line 279, in split
>     return list(lex)
>   File "/usr/lib64/python2.7/shlex.py", line 269, in next
>     token = self.get_token()
>   File "/usr/lib64/python2.7/shlex.py", line 96, in get_token
>     raw = self.read_token()
>   File "/usr/lib64/python2.7/shlex.py", line 124, in read_token
>     nextchar = self.instream.read(1)
> AttributeError: 'list' object has no attribute 'read'

Fixed in 27557.
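The two wrapper problems described in comments #16 and #21, the whitespace split that tears a quoted option apart and the crash when the hive key is absent and the lookup returns its [] default, as an added example of how rdesktop_args should be turned into an argv. This is not ThinLinc's code: the function names, the session_args parameter and the behaviour on a non-string value are assumptions; the rdesktop path and the sc-csp-name option are the ones quoted in the thread.

```python
import shlex

RDESKTOP = "/opt/thinlinc/bin/rdesktop"  # binary shown in the strace output above

def naive_split(value):
    """What the broken wrapper did: split on whitespace, which leaves the quote
    characters inside the tokens and cuts the quoted value into pieces."""
    return value.split()

def split_rdesktop_args(value):
    """Shell-style split of the rdesktop_args hive value, tolerant of an unset key.

    The traceback in comment #21 shows shlex.split() receiving the hive lookup's
    default ([]) when the key is absent. An unset or empty value must contribute
    no arguments at all; anything else that is not a string is a configuration
    bug and should fail loudly rather than be handed to exec().
    """
    if not value:  # None, "" or the [] default: nothing configured
        return []
    if not isinstance(value, str):
        raise TypeError("rdesktop_args must be a string, got %r" % (value,))
    return shlex.split(value)  # honours double quotes, single quotes and backslashes like a POSIX shell

def build_argv(rdesktop_args, session_args=()):
    """argv to exec: the binary, the admin-configured options, then the per-session ones."""
    return [RDESKTOP] + split_rdesktop_args(rdesktop_args) + list(session_args)
```

With shlex, `-o sc-csp-name="Net iD - CSP"` becomes the two tokens `-o` and `sc-csp-name=Net iD - CSP`, and a missing key yields no extra arguments instead of a traceback.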
------- Comment #23 From cendio 2013-06-25 13:22:05 -------
(In reply to comment #20)
> (In reply to comment #15)
> > The path referenced in the TAG to find out the CSP name isn't very good. It
> > references the ATR mapping tables in the registry, which isn't always used
> > (tried with Telia's version of Net iD).
> > 
> > A better path to look in is where the CSP:s register themselves:
> > 
> > HKLM\SOFTWARE\Microsoft\Cryptography\Defaults\Provider
> 
> Verified that this is the case for 2008R2, will update the documentation.

Fixed in commit r27558.
------- Comment #24 From cendio 2013-06-25 16:26:58 -------
God damn Windows. After following all the guides, we are still unable to
reconstruct a working system.

We tested UseSubjectAltName (both in the KDC and LSA). We could see in the logs
that it stopped using the UPN from the certificate, but still things failed to
work.

We tested adding the SITHS UPN to the DC as a new user. This got us further,
and now fails with "Access denied" instead. The logs only log a successful
login as the relevant user.

What does work at this point is logging on to the local WTS on the DC machine.
We have no idea why that one works and the independent WTS fails though. So we
have no idea how to set up this test environment in the future. It will have to
do for now though to finish this round of testing.
------- Comment #25 From cendio 2013-06-25 16:58:06 -------
Does not work. Unknown as to why. I just get the generic "Could not verify your
credentials". Works fine after I manually enter the PIN in the prompt that
appears.
------- Comment #26 From cendio 2013-06-25 17:08:01 -------
Ooops. Wrong domain specified. After that was fixed, it is still broken though.
Now I get "The requested keyset does not exist on the smart card." instead.
------- Comment #27 From cendio 2013-06-27 09:56:16 -------
(In reply to comment #24)
> God damn Windows. After following all the guides, we are still unable to
> reconstruct a working system.
> 
> We tested UseSubjectAltName (both in the KDC and LSA). We could see in the logs
> that it stopped using the UPN from the certificate, but still things failed to
> work.
> 
> We tested adding the SITHS UPN to the DC as a new user. This got us further,
> and now fails with "Access denied" instead. The logs only log a successful
> login as the relevant user.
> 
> What does work at this point is logging on to the local WTS on the DC machine.
> We have no idea why that one works and the independent WTS fails though. So we
> have no idea how to set up this test environment in the future. It will have to
> do for now though to finish this round of testing.
I just installed a new WTS 2008R2 and joined my current test domain,
and had no problems with CredSSP+SSO using a smartcard, tested with both my own
Telia E-Leg and the Fredrika SITHS test card.

To use subjectAltName for authentication, the UPN suffix should be added to the DC
by right-click -> Properties on 'Active Directory Domains and Trusts'.

Also, one needs to change userPrincipalName on the user object using ADSI to set
the UPN stored in the cert as the subject alt name.
------- Comment #28 From cendio 2013-06-27 09:56:59 -------
Works as expected.