CODEWITHSUNDEEP
c++.netactive-directorykerberos
Andy March
Andy March

Reputation: 586

Kerberos password change protocol

I'm trying to perform a number of password operations on a user within ActiveDirectory from a C++/CLI library (which will in turn be called by another service) using the Kerberos password protocol as in RFC 3244.

I mocked up a sequence in C# (being my preferred language) using LogonUser to impersonate an admin then use the DirectoryServices.AccountManagement namespace to call SetPassword on the user's entry. SetPassword uses three approaches to attempt the change LDAPS, Kerberos and RPC. If I look at the Wireshark trace I can see the Kerberos handshake when the admin is impersonated, then LDAP attempt (which fails due to lack of SSL) then the kerberos password exchange.

Trying to replicate this is C++ LogonUser does not initiate a Kerberos exchange so when SetPassword is called the method falls through to RPC (which succeeds but does not meet our requirement of using Kerberos).

Is there an way I can force the use of Kerberos?

Is there a better solution to interact with the Kerberos password protocol from .net rather than relying on SetPassword?

Minimal code example:

C#

SafeTokenHandle handle;
LogonUser("serviceAccount", "Test", "aPassw0rd", 2, 0, out handle);
WindowsIdentity.Impersonate(handle.DangerousGetHandle());
DirectoryEntry usr = new DirectoryEntry();
usr.Path = "LDAP://"+"dctest.test.com/"+"CN=testuser,CN=Users,DC=test,DC=com";
usr.AuthenticationType = AuthenticationTypes.Sealing | AuthenticationTypes.Secure;
object ret = usr.Invoke("SetPassword", "aPassw0rd");

usr.CommitChanges();
usr.Close();
Console.WriteLine("Completed");

This approach successfully impersonates the service account then performs the setpassword using KPASSWD over 464.

C++/CLI

HANDLE _handle;
LogonUser(L"serviceAccount",L"Test",L"aPassw0rd",LOGON32_LOGON_INTERACTIVE,LOGON32_PROVIDER_DEFAULT,&_handle)
ImpersonateLoggedOnUser(_handle);
DirectoryEntry^ usr = gcnew DirectoryEntry();
usr->Path = "LDAP://"+"dctest.test.com/"+"CN=testuser,CN=Users,DC=test,DC=com";
usr->AuthenticationType = AuthenticationTypes::Sealing | AuthenticationTypes::Secure;
Object^ ret = usr->Invoke("SetPassword", "aPassw0rd");

usr->CommitChanges();
usr->Close();
Console::WriteLine("Completed");

This approach impersonates the admin account, then when set password is calls does a kerberos exchange (over 88 so i'm guessing this is auth) but then falls back to using RPC.

If I take the C# code and call it from a C++/CLI wrapper the behaviour changes to that displayed as when the code was in C++.

Upvotes: 0

Views: 998

Answers (1)

Andy March
Andy March

Reputation: 586

Finally managed to trace this the other day by running the output back through a reflector. The project properties for C++/CLI class included setting the character set to unicode. With this set the output uses the LogonUserW method. However if this setting changed to "Not Set" then the LogonUser method is used and the Kerberos authentication path for setPassword behaves as normal.

Upvotes: 1

Related Questions