Passwords, computer ID

Discussion in 'Server Security' started by Joseph M. Newcomer, May 26, 2009.

  1. I have a client that has some unusual needs about passwords.

    The scenario, as best I can describe it, is something like this:
    A physically secure domain server
    Hundreds of client machines, including laptops

    The basic idea, and I can't go into the reasons because of NDA, is
    A client will contact the server and ask for an account password
    A client will then use that password to call LogonUserW or
    similar API requiring a password

    This means that at the point of the call of the LogonUserW API, the password must be in
    plaintext. During the transmittal from the server, it is heavily encrypted. The goal is
    to extract the password from the Windows password database, convert it to plaintext,
    encrypt it, send it down, decrypt it, and use it.

    Yes, they are aware of vulnerability issues during the brief plaintext time, and for
    reasons I cannot discuss, that is under control.

    The problem is how to get the password decrypted back into plaintext from the Windows
    password database. There are lots of articles explaining how to set up to use reversible
    password encryption.

    While there is a lot of talk about reversible password encryption, there is no discussion
    of the algorithms or APIs required to actually do this. Anyone have any ideas? google
    search and MSDN search are not turning up anything usable.

    In addition, it would be nice if the client machine could present some "credentials" to
    the host that the host could validate insofar as the machine ID. For example, if there
    were some ID established when the client was joined to the domain, if this could be
    retrieved by an API on the client and sent (heavily encrypted) to the server, then the
    server could decrypt it and call some other API to validate that it was a valid ID for a
    machine that was in the domain.

    I have no experience in this area of Windows.

    Any pointers would be appreciated.
    Joseph M. Newcomer [MVP]
    MVP Tips:
    Joseph M. Newcomer, May 26, 2009
    1. Advertisements

  2. Joseph M. Newcomer

    Joe Kaplan Guest

    AD does not provide any facility to access the password data
    programmatically, even if reversible encryption is used. There is also no
    documentation about this particular feature works or can be accessed by
    applicationss that need the plaintext password (that I've been able to find

    You might be better off with a custom system that escrows the password in a
    separate store. You could achieve this with ILM for example. It includes
    an agent that runs on the domain controllers that captures the plaintext pwd
    during password change operations and stores it in the central store for use
    with sync to other directories. You could certainly write a custom piece to
    then take this and dump the passwords into SQL or something.

    A common mechanism to identify the machine itself is to use machine
    certificates with a Windows PKI environment. You might consider an approach
    based on that for the machine authentication requirement.

    Joe K.
    Joe Kaplan, May 27, 2009
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.