On 12/5/2014 1:31 PM, Dr. Hendrik Naumann wrote:
> Hi
>
> I am looking for a way to set up the Integrated Logon in such a way
> that the acquired AFS Tokens can be renewed.
>
> [...]
>
> Is there any way to get access to the Kerberos Tickets from the
> integrated logon? Under Linux Kerberos can be configured to store its
> Tickets in a file and thus the TGT and also the Token can be renewed
> later.
The AFS Integrated Logon functionality is implemented as a WinLogon Authentication Provider function. The purpose of this function is to obtain the credentials necessary for the logon process to access the user's profile data, which might be stored in a remote file system. This function is called before the creation of the logon session. Credentials obtained in the Authentication Provider can be injected into the AFS Authentication Group (my Windows variant of PAGs on UNIX), which will be inherited by the logon session. However, there is no place to store the Kerberos TGT that was obtained.

Prior to Windows Vista there were two other hook functions that would be executed within the logon session: one when the desktop shell started and the other when it shut down. These functions ran with elevated permissions, so in XP I used them to permit WinLogon to write the Kerberos TGT to a protected file and then extract it and store the contents in the logon session credential cache. This trick no longer works. Microsoft removed the hooks because their presence was an exploitable security hole.

If the TGT obtained by Integrated Logon is for the same Kerberos principal that will later be found in the MSLSA: credential cache, then all that is required for NIM to obtain a new AFS token is to configure the data for your cell in NIM. If the AFS token is obtained using a different Kerberos principal, then your users must enter the password again when the initial token expires.

Support services for Network Identity Manager are provided by Secure Endpoints.

Jeffrey Altman
Secure Endpoints Inc.
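The reply above turns on one question: is the principal in the MSLSA: cache the same one that obtained the AFS token? The following PowerShell check is an added example, not code from the thread, from OpenAFS or from Network Identity Manager. It assumes the Windows built-in klist.exe and the OpenAFS tokens.exe are on the machine, and it assumes the cell's Kerberos realm is the cell name in upper case (the common convention; a krb.conf mapping would change it). The cell name `example.org` is a placeholder.

```powershell
# Added example (not from the original thread). Compares the principal in the
# MSLSA: credential cache with the AFS cell's realm to predict whether NIM can
# renew the token from MSLSA: or will have to prompt for a password.
param([string]$Cell = "example.org")   # hypothetical cell name, replace with yours

# Use the Windows klist explicitly; MIT's klist (shipped with KfW/NIM) prints a
# different format and may shadow it on PATH.
$klistOutput = & "$env:SystemRoot\System32\klist.exe" 2>$null

# Assumption: Windows klist prints each ticket as "#n> Client: user @ REALM".
$mslsaPrincipal = $null
foreach ($line in $klistOutput) {
    if ($line -match '^\s*#\d+>\s*Client:\s*(\S+)\s*@\s*(\S+)') {
        $mslsaPrincipal = "$($Matches[1])@$($Matches[2])"
        break
    }
}

if (-not $mslsaPrincipal) {
    Write-Host "No tickets in the MSLSA: cache; NIM has nothing to renew from."
    return
}

# Assumption: OpenAFS tokens.exe prints "tokens for afs@cell [Expires ...]".
$tokensOutput = & tokens.exe 2>$null
$haveTokenForCell = $false
foreach ($line in $tokensOutput) {
    if ($line -match "tokens for afs@$([regex]::Escape($Cell))\b") {
        $haveTokenForCell = $true
    }
}

$mslsaRealm    = $mslsaPrincipal.Split('@')[1]
$expectedRealm = $Cell.ToUpperInvariant()   # assumed realm/cell name convention

Write-Host "MSLSA: principal : $mslsaPrincipal"
Write-Host "Cell             : $Cell (expected realm $expectedRealm)"
Write-Host "AFS token held   : $haveTokenForCell"

if ($mslsaRealm -eq $expectedRealm) {
    Write-Host "Same realm as the logon principal: once the cell is configured in NIM,"
    Write-Host "NIM can obtain a fresh token from the MSLSA: TGT without a password."
} else {
    Write-Host "The MSLSA: TGT belongs to a different realm than the cell's; the token"
    Write-Host "from Integrated Logon cannot be renewed from it, so the user will be"
    Write-Host "prompted for a password when the initial token expires."
}
```

Run it in the user's own logon session (not elevated under a different account), since the MSLSA: cache is per logon session and the output is only meaningful for the principal that logged on.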
