many thanks, dave!
"DaveMo" <> wrote in message
news:bdb66547-ec45-4530-8388-...
On Feb 11, 7:22 am, "MarioC" <mar...@kapsch.net> wrote:
> Hi,
>
> I'm a little confused about the following behavior:
>
> User logs on via Smartcard on a WinXP Workstation.
> The flag "Smart card is required for interactive logon" is set for the
> specific user account.
>
> As far as I know when this flag is set the password for the user is set to
> something unknown (long random value), isn't it ?
>
> There's a proxy device based on Linux or BSD installed. When a user wants to
> connect to it, that box sends a "proxy authentication required" to the user.
> The box communicates with an NTLM authentication agent which is installed on
> a member server in the domain.
>
> When a user is authenticated via SmartCard on his client, NTLM proxy
> authentication still works.
> My question is, HOW can NTLM authentication be done when a user is
> authenticated via SmartCard?
>
> I thought I knew that when SmartCard Logon is used only Kerberos
> authentication is possible?
>
> Thanks for any input
> Mario
Mario,
If NTLM authentication were not possible, far too many common
scenarios would break, and that in turn would make SC-only auth less
likely to be deployed. So, there's a bit of a hack in this process. As
you noted, the account still has a password, but it's a big random
one. When the SC logon session is created, the normal NTLM OWF is
fetched from AD and returned with the Kerberos ticket and placed in
the logon session on the client computer. The OWF can then be used for
NTLM authentication as needed. With the often encountered weak
passwords that users choose, NTLM has a vulnerability against
dictionary attacks. With the strong password used in the SC-only
scenario the vulnerability is mitigated and security is equivalent to
the strong-keyed authentication mechanisms such as Kerberos and SSL.
HTH,
Dave