[Gina]How to use Kerberos instead of NTLM ?  
kuy

PostPosted: Thu Apr 27 09:02:36 CDT 2006

Security >> [Gina]How to use Kerberos instead of NTLM ?

Hi there,

We wrote a custom Gina in C a few years ago, for an NT machine on an NT4
server. Now our client wants to migrate to XP / Active Directory, and we
would like to use Kerberos to authenticate a user with AD. But we lack
references about the AD Win32 API concerning the use of Kerberos. In fact
Kerberos is now a standard and we can't find how to change the API in order
not to use NTLM v2...

Any hint ?

Oriane

Roger

PostPosted: Thu Apr 27 09:02:36 CDT 2006

Are you aware that the Gina extension model ends with the
current Windows versions, and your updated code will not
work post Windows 2003 R2 (i.e. Vista/Longhorn)?

msdn.microsoft.com would have all the documentation that
is available for development objectives.



> Hi there,
>
> We wrote a custom Gina in C a few years ago, for an NT machine on an
> NT4 server. Now our client wants to migrate to XP / Active Directory,
> and we would like to use Kerberos to authenticate a user with AD. But we
> lack references about the AD Win32 API concerning the use of Kerberos.
> In fact Kerberos is now a standard and we can't find how to change the
> API in order not to use NTLM v2...
>
> Any hint ?
>
> Oriane
>
Oriane

PostPosted: Thu Apr 27 10:22:28 CDT 2006

Hi Roger,



> Are you aware that the Gina extension model ends with the
> current Windows versions, and your updated code will not
> work post Windows 2003 R2 (i.e. Vista/Longhorn)?
Yes, but this is my client's choice anyway.
>
> msdn.microsoft.com would have all the documentation that
> is available for development objectives.
Yes and no. Switching from NTLM to Kerberos is not a subject that the MSDN
deals with.

Best regards
S

PostPosted: Sat Apr 29 03:56:56 CDT 2006

I believe GINA doesn't have to support Kerberos vs. NTLM directly, as LSA
provides a single interface to the network authentication mechanisms. If you
look at the authentication functions in the platform SDK
(http://msdn.microsoft.com/library/en-us/secauthn/security/authentication_functions.asp)
then you'll see that NTLM and Kerberos are abstracted from the API using
SSPs.

Which means that your custom GINA may as well work in a Kerberos environment
(provided you are not using changed/discontinued APIs, which aren't many).
Not to mention that Windows XP/2003 fall back to NTLM should Kerberos
communication fail. Of course, there might be a zillion reasons for the
software not to work on the newer platform - load the debugger then...

--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-

> Hi Roger,
>
>> Are you aware that the Gina extension model ends with the
>> current Windows versions, and your updated code will not
>> work post Windows 2003 R2 (i.e. Vista/Longhorn)?
> Yes, but this is my client's choice anyway.
>>
>> msdn.microsoft.com would have all the documentation that
>> is available for development objectives.
> Yes and no. Switching from NTLM to Kerberos is not a subject that the MSDN
> deals with.
>
> Best regards


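Since the LSA picks the package behind the SSPI calls and XP/2003 silently fall back to NTLM, the practical migration check is to look at which package actually handled each logon. The following PowerShell is an added example, not code from the thread or from any poster; it assumes a Vista-or-later Security log (event 4624) with logon auditing enabled, which is newer than the XP/2003 systems discussed above.

```powershell
# Added example (not from the thread): summarise which authentication package
# the LSA actually used for each logon, so a "Kerberos" deployment can be
# verified and NTLM fallbacks spotted.
# Assumption: a Vista-or-later Security log with event 4624 (XP/2003 log
# 528/540 with a different layout, which this does not parse).
function Get-LogonAuthPackageSummary {
    param(
        [int]$MaxEvents = 2000,
        [switch]$NtlmOnly
    )
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } `
                           -MaxEvents $MaxEvents -ErrorAction Stop
    $rows = foreach ($e in $events) {
        # Pull the EventData fields by name rather than by positional index
        $xml = [xml]$e.ToXml()
        $d = @{}
        foreach ($node in $xml.Event.EventData.Data) { $d[$node.Name] = $node.'#text' }
        [pscustomobject]@{
            Time        = $e.TimeCreated
            User        = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
            LogonType   = $d['LogonType']
            AuthPackage = $d['AuthenticationPackageName']   # Kerberos, NTLM or Negotiate
            LmPackage   = $d['LmPackageName']               # NTLM V1 / NTLM V2, or '-' for Kerberos
            Workstation = $d['WorkstationName']
        }
    }
    if ($NtlmOnly) { $rows = $rows | Where-Object { $_.AuthPackage -eq 'NTLM' } }
    $rows
}

# Per-package counts: a domain-joined client that really uses Kerberos shows
# mostly Kerberos; a large NTLM share points at fallback (SPN, DNS or clock issues).
Get-LogonAuthPackageSummary |
    Group-Object AuthPackage, LmPackage |
    Sort-Object Count -Descending |
    Select-Object Count, Name

# Individual NTLM logons, to trace which users/workstations are not getting Kerberos
Get-LogonAuthPackageSummary -NtlmOnly |
    Select-Object Time, User, LogonType, LmPackage, Workstation
```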
Oriane

PostPosted: Tue May 02 03:27:50 CDT 2006

Thank you. I will check your URL.



>I believe GINA doesn't have to support Kerberos vs. NTLM directly, as LSA
>provides a single interface to the network authentication mechanisms. If you
>look at the authentication functions in the platform SDK
>(http://msdn.microsoft.com/library/en-us/secauthn/security/authentication_functions.asp)
>then you'll see that NTLM and Kerberos are abstracted from the API using
>SSPs.
>
Oriane