Passwords, computer ID

Joseph M. Newcomer
05-26-2009
I have a client that has some unusual needs about passwords.

The scenario, as best I can describe it, is something like this:
A physically secure domain server
Hundreds of client machines, including laptops

The basic idea, and I can't go into the reasons because of NDA, is
A client will contact the server and ask for an account password
A client will then use that password to call LogonUserW or
similar API requiring a password

This means that at the point of the call of the LogonUserW API, the password must be in
plaintext. During the transmittal from the server, it is heavily encrypted. The goal is
to extract the password from the Windows password database, convert it to plaintext,
encrypt it, send it down, decrypt it, and use it.

Yes, they are aware of vulnerability issues during the brief plaintext time, and for
reasons I cannot discuss, that is under control.

The problem is how to get the password decrypted back into plaintext from the Windows
password database. There are lots of articles explaining how to set up to use reversible
password encryption.

While there is a lot of talk about reversible password encryption, there is no discussion
of the algorithms or APIs required to actually do this. Anyone have any ideas? Google
search and MSDN search are not turning up anything usable.

In addition, it would be nice if the client machine could present some "credentials" to
the host that the host could validate insofar as the machine ID. For example, if there
were some ID established when the client was joined to the domain, if this could be
retrieved by an API on the client and sent (heavily encrypted) to the server, then the
server could decrypt it and call some other API to validate that it was a valid ID for a
machine that was in the domain.

I have no experience in this area of Windows.

Any pointers would be appreciated.
thanks
joe
Joseph M. Newcomer [MVP]
email:
Web: http://www.flounder.com
MVP Tips: http://www.flounder.com/mvp_tips.htm
Joe Kaplan
05-27-2009
AD does not provide any facility to access the password data
programmatically, even if reversible encryption is used. There is also no
documentation about how this particular feature works or can be accessed by
applications that need the plaintext password (that I've been able to find
anyway).

You might be better off with a custom system that escrows the password in a
separate store. You could achieve this with ILM for example. It includes
an agent that runs on the domain controllers that captures the plaintext pwd
during password change operations and stores it in the central store for use
with sync to other directories. You could certainly write a custom piece to
then take this and dump the passwords into SQL or something.

A common mechanism to identify the machine itself is to use machine
certificates with a Windows PKI environment. You might consider an approach
based on that for the machine authentication requirement.

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net