Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Windows Executable File Authentication

Tags:

windows-authentication

windows-security

kerberos

ntlm

negotiate

Searching around the windows authentication methods and protocols, i decided to understand the exact difference between Negotiate, Kerberos, and NTLM used in a simple executable file before liking it with IIS and Web Authentication.

I reached to good results, BUT I still need more details about the Negotiate and Kerberos.

I have the following scenario :

I have created very simple C# windows forms application that shows a message box displays the value for :

System.Security.Principal.WindowsIdentity.GetCurrent().AuthenticationType

Note that i'm a domain user with admin privileges on my local machine, I have the following results :

  1. When i run the exe file (double click) while i'm actively connected to the DC, i got "Negotiate".

  2. When i run the exe file (run as differnet user / using local user) while i'm actively connected to the DC, i got "NTLM".

  3. When i run the exe file using "Run as Administrator", or "Run as Different User" i got "Kerberos".

  4. When i run the exe file while i'm locally logged in using local account, i got "NTLM".

I understand that the LSA will use NTLM for local accounts. Also i understand that Active Directory uses Kerberos to authenticate domain users and computers.

My question is, why i'm getting the Negotiate Authentication Type when i run the exe using my account either by (Double Click), or "run as different user" using my Same account ?

Update : I noticed the following :

- If local user is running the exe then it is NTLM
- If domain user run the exe then it is Negotiate (If that user is local admin) but is is Kerberos (if that user is not local admin)
- If domain admin run the exe then it is Kerberos

I just a clarification about this behavior.

like image 522
Khaled Obaid Avatar asked Mar 22 '16 12:03

Khaled Obaid

1 Answers

First off, (which you seem to understand in the question, but just to be clear) an EXE doesn't have any authentication - it is just an executable. The OS creates a process object which executes it within a logon session identified by a principal. It's this principal which has been authenticated by NTLM or Kerberos (or some other protocol).

Next, Negotiate means that when the logon session was created the Negotiate authentication package was used to decide which authentication package - Kerberos or NTLM - would be used.

When you query the WindowsIdentity.AuthenticationType value, you are ultimately calling a function in the Local Security Authority (LSA) called LsaGetLogonSessionData. This reports details of the logon session used to run the process you are executing. The way that this logon session was created probably has the largest effect on the authentication package used to verify the credentials.

When logging into Windows the first time, Winlogon.exe establishes an interactive logon by calling LsaLogonUser. It queries the authentication packages in HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages in order until it finds one that can authenticate the given credentials. Once an interactive logon has been established, you can create new processes using noninteractive logons under different credentials, and in this case, the LogonUser function is likely called. One of the parameters to this function is dwLogonProvider which has the following default (which is likely the one used):

LOGON32_PROVIDER_DEFAULT 

Use the standard logon provider for the system. 
The default security provider is negotiate, unless you pass NULL 
for the domain name and the user name is not in UPN format. 
In this case, the default provider is NTLM.

So, the package reported for the logon session the process is running under depends on how the logon session was created. (It isn't clear from your question exactly how you create the logon sessions you are testing... doing "Run As" in all cases? Logoff / Logon Windows for some cases?) It also depends on which package Winlogon was able to successfully authenticate with first for the interactive logon session. Ultimately, though, note that the authentication mechanisms all call down to some authentication package, and if Negotiate is used, Kerberos is preferred, though Negotiate is what is reported.

Here is an old but still relevant diagram which shows how all the authentication fits together in Windows:

Windows Authentication Architecture

Source

like image 119
codekaizen Avatar answered Sep 25 '22 18:09

codekaizen
Sign in to Comment

Related questions

ActiveDirectory Current Username in ASP.NET
angular cli + windows authentication backend
Windows Authentication in IIS 7.5 Fails with Trust Relationship Exception
Web application to use window domain accounts for authentication
Connect to SQL Server Express Database with Python (Windows Authentication)
Windows Authentication Credential box asking multiple times in IE8 and IIS7
Understanding WCF Windows Authentication
ADFS SSO SAML Windows Integrated authentication does not work
How to connect to SQL Server with Windows Authentication when not logged in with that username?
SignalR not working with Windows-integrated authentication
How to provide ntlm authentication while calling any url?
Get username of client who connected to web server
Windows Authentication via Web Request C++ / Node.js
Custom 401 error page for ASP.NET MVC application
ASP.NET MVC 3 Intranet site on IIS7.5 w Windows Authentication gives 401.3 and File authorization failed for the request when trying to log in
Windows authentication of an application hosted in Windows Container
Hybrid of Windows Authentication and Forms Authentication in ASP.NET MVC 4
Redirect to custom Windows Authentication login page if user anonymous in ASP.NET MVC
IIS App Pool Identity vs. Windows Account
Nodejs or ExpressJS Windows Authentication

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!