Win2000 PAC-Credentials Implementation

Dr. Greg Wettstein greg at wind.enjellic.com
Tue Sep 9 10:29:07 EDT 2003


On Sep 8,  2:04am, lukeh at PADL.COM wrote:

Hi Luke, thanks for contributing to the thread.

} Subject: Re: Win2000 PAC-Credentials Implementation
> 
> >Will Windows 2000 Clients be able to log on to Hurderos? Will there be an
> >implementation through MSGINA.DLL, and will the users be able to
> >automatically get their kerberos tickets after successful logon?

> Hurderos would need to provide a LSA authentication package DLL,
> rather than a GINA, to do this in a way useful within the NT
> security model.

At this point in time I get to plead my utter ignorance with respect
to most things in the area of Windows architecture.  I've never owned
a computer which boots the operating system so my analysis needs to be
taken with a grain of salt.  There have been a couple of other notes
recently on this issue so I will offer the following comments to at
least provide background (from my perspective) on the issue.

The other caveat that must be expressed is that I have never formally
studied the Microsoft PAC scheme for handling service authorization or
read any of the information publicly available on it.  When the
Hurderos identity and authorization model was being developed the
decision was made not to expose ourselves to anything that may 'taint'
our work.

Ben Creech from NCSU posted a note just a bit ago that discussed some
of the technical issues surrounding Windows logins.  Anyone interested
in more background on all this may find it beneficial to dig that note
out from the archives.

Luke please feel free to jump in and indicate anyplace where I am
being stupid.

The important issue to clarify is what it exactly means to 'logon' to
a Windows machine or network.  If 'logon' means to authenticate
someone who is sitting at the keyboard of a Windows client so they can
use the machine locally, the PGINA project provides tools that would
enable Hurderos to manage 'logins'.

I've sketched together plans and an architecture for doing this with
Hurderos.  Secondary to my complete lack of skills on the platform I
haven't gone beyond that point.

The problem with PGINA (and Ben Creech's note discusses this in more
detail) is that the DLLs which PGINA replaces don't implement a
'login' in the strictest sense of the word.  PGINA basically replaces
the graphical user interface which captures a user identifier and
authentication token and in response to those allows local access to
the operating system.

This is not a 'login' in the strictest definition used by Windows
Network developers or by most security professionals.  To them a
'login' is something which establishes a security context which
conveys or enumerates rights and privileges that a user may enjoy
while being 'logged in'.

The LSA that Luke refers to above is an acronym for the Local Security
Authority.  This is perhaps best thought of as the 'setuid manager'
for the Windows operating system.  The code in the DLL implements the
functionality need to take user identification and authentication
tokens and carry out the steps necessary to establish a security
context for that identity.  Once this is carried out a process or
session is started which enjoys whatever privileges are encapsulated
in or conveyed by the security context.

The problem being faced (or will be faced) by the information
technology industry at large is what is encased in the security
context and how it is expressed.  That's where the Privilege Access
Certificates (PAC) come into play that everyone talks about.  This
is also where other people can probably talk more intelligently than I
can.

The security context created by the LSA contains a TGT which has been
extended to carry PACs in the optional payload section of the ticket.
These codes either convey or authenticate participation of the
identity in Windows administrative groups.  If they are an actual
certificate applications may be able to authenticate group
participation or they may serve only to enumerate the groups that the
identity is a member of.  Or none of the above for all I know... :-)

The important issue is that this data carries information which
establishes roles and privileges of the authenticated identity.  It
would also seem that while Microsoft is within its right to use the
optional payload field in any way they desire, they are not interested
in having others replicate its functionality or content.

The above underlies my concern about the potential impact that Active
Directory can and will have on open-architecture information systems.
Controlling authorization controls what information can be consumed
and how it is consumed.  Alternate application platforms cease to be
relevant if architectures such as this become encompassing, especially
within the enterprise.

So Hurderos can actually 'authorize' desktop access by leveraging the
PGINA work.  That is simply a matter of declaring a fundamental
service identity which represents desktop login.  A Hurderos PGINA
module would simply check to see whether the user possesses an instance
identity for that service during the authentication process.  That, in
and of itself, is probably useful to a lot of organizations.

Going beyond that means that an LSA DLL is needed to create a security
context around an identity based on the Hurderos identity and
authorization model.  Perhaps even more formidable is making or
mapping that context into something relevant to a proprietary
operating system and applications.  I'm doing a lot of thinking about
that right now.... :-)

The real issue is does the OSS world lead or follow?  Larry McVoy
keeps talking about the fact that it only follows.  This whole area is
virgin territory where it could lead if it were so inclined.

> -- Luke

My apologies to Luke and everyone else for any mis-analysis.

Best wishes for a productive week.

}-- End of excerpt from lukeh at PADL.COM

As always,
GW

The Hurderos Project - Open Identity and Authorization Management
------------------------------------------------------------------------------
"Join in the new game that's sweeping the country.  It's called
`Bureaucracy`.  Everybody stands in a circle.  The first person to do
anything loses."
                                -- Steve RTFM Przepiora
