New Authentication Functionality in Windows Vista

re: New Authentication Functionality in Windows Vista

olt — Mon, 20 Mar 2006 14:31:34 GMT

Interesting. From an IT management / user point of view - does allow further development of the RunAs (secondary logon) theme to allow task based authorisation within windows generally?

The push towards least privileged user accounts is great but it's not easily supported in the OS for day to day users. For example, if they need to install a new application (and it's not been deployed via GP) it would be great if the OS would prompt them to elevate their privileges temporarily; or, if they needed to change their IP address - rather than simply saying "please contact your system administrator".

Dare I say this: the users' experience of "least privilege" in OSX is good - they get prompted to confirm or enter credentials when they try to perform an "elevated" task in the OS which means that they can actually get on with life without "contacting your system administrator". I believe this should at least be an option in a Windows environment as it would encourage organisations who currently don't implement a decent security policy for their desktop PCs (running as local admins for example is very common) to make some steps in the right direction.

re: New Authentication Functionality in Windows Vista

Authentication — Tue, 21 Mar 2006 01:35:39 GMT

Indeed we are working in Vista to improve the Least privilege user experience. Please take a look at the UAC blog for more details
http://blogs.msdn.com/uac

re: New Authentication Functionality in Windows Vista

BkCloud — Thu, 08 Mar 2007 11:13:14 GMT

Hi,

I would like to create new cipher suite and then plug it into Schannel. But I Couldn't find the way how to do it.

Could you tell me where I can get it or how to do it?

thanks,

Hyun

re: New Authentication Functionality in Windows Vista

BkCloud — Thu, 08 Mar 2007 11:16:40 GMT

Furthermore, I'd like to use new cipher suite at windows xp. If you know the way to plug the new cipher suite into XP, please let me know.

re: New Authentication Functionality in Windows Vista

GordT. — Tue, 10 Apr 2007 18:14:21 GMT

"Windows Vista includes new authentication feature changes to support the branch office DC feature in Longhorn."

Are there more details on this? I thought it would be possible to use the Branch Office DC features with WinXP as well - is this not to be?

re: New Authentication Functionality in Windows Vista

Authentication — Mon, 30 Apr 2007 20:14:20 GMT

GordT,

Sorry for the confusion. This was authored a while back before we knew Vista was just client. We have updated the text to avoid future confusion.

- The Windows Authentication Team

re: New Authentication Functionality in Windows Vista

cxu123 — Wed, 20 Jun 2007 23:22:50 GMT

Unfortunately the new AES encryption for SSL/TLS is not compatible with OpenSSL library! Many people experience this problem.

http://www.mail-archive.com/openssl-users@openssl.org/msg48968.html

re: New Authentication Functionality in Windows Vista

Authentication — Thu, 21 Jun 2007 01:54:23 GMT

Interestingly enough - this is an interop issue that we have seen previously. The problem is occurs only in the following scenario:

TLS Enabled Client --> SSL3.0 only server

The SSL3.0 server responds to a TLS client hello with a SSL3.0 server hello trying to negotiate an AES cipher. Unfortunately AES ciphers were not even defined for SSL3.0 and obviously the client closes the connection.

The server in this case is misconfigured to negotiate AES over SSL3.0

This will be a bigger problem if not fixed when TLS 1.2 is implemented and SSL3.0 servers try to negotiate new TLS1.2 ciphersuites like TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256.

re: New Authentication Functionality in Windows Vista

cxu123 — Fri, 29 Jun 2007 17:53:34 GMT

This seems to be happened in TLS also.

I had tried to use SDK sample web server from:

C:\Program Files\Microsoft Platform SDK\Samples\Security\SSPI\SSL\WebServer

If I connected it with AES128-SHA from client using Microsoft CryptoAPI, it works without any problem.

But if I connected it with cipher AES128-SHA from client using openssl, TLS negotiation can success. The WebServer using Microsoft CryptoAPI can not decrypt message from openssl client. However, openssl client can decrypt message from CryptoAPI WebServer.

Is the SDK example outdated with Windows Vista?

re: New Authentication Functionality in Windows Vista

Authentication — Tue, 03 Jul 2007 03:59:29 GMT

We run a full interop test spectrum with OpenSSL and the implementations have been interoperable for a while now. Could you report the specifics of the failure you are experiencing?

The SDK sample should be current as no changes were needed to calling applications to take advantage of AES on Vista\LH.

re: New Authentication Functionality in Windows Vista

cxu123 — Thu, 05 Jul 2007 17:30:45 GMT

It was easy to setup.

I used nmake to compile the SDK sample, the one in the "Samples\Security\SSPI\SSL\WebServer". My environment is visual studio .net 2003. I ran it in verbose mode and TLS 1.0.

I am using the windows wget at the link

http://users.ugent.be/~bpuype/wget/ as the client. This one uses openssl library.

I created a self-signed certificate and let the SDK WebServer uses this certificate.

wget can successfully finish the handshake with WebServer, but the HTTP request it sent to WebServer can not be decrypted. It is something to do with cipher AES. It will have no problem if using IE as client or uses openssl but not uses AES cipher. I had tried other openssl client and got the same result.

I ran Vista Business in the virtual machine. But I tried both VMWare and Virtual PC 2007 and they both had the same result. I had also tried the latest Windows 2008 beta and got the same result.

I suspect it has something to do with SDK example, but many programs using CryptoAPI followed this SDK example.

re: New Authentication Functionality in Windows Vista

Authentication — Thu, 05 Jul 2007 20:46:38 GMT

Is TLS enabled on the server app? What error\errcode do you get on failure?

Which version of OpenSSL?

Could you use IIS instead for testing to eliminate the possibility of an error in the sample?

re: New Authentication Functionality in Windows Vista

cxu123 — Thu, 05 Jul 2007 21:09:57 GMT

Yes, the SDK WebServer sample has an option to use TLS 1.0.

I had tried using the latest version of openssl.

I had tried to use the new IIS beta in Windows 2008. IIS beta works with openssl AES cipher without this problem. That's the reason that I suspected the SDK sample program probably won't work with AES cipher in Vista.

re: New Authentication Functionality in Windows Vista

Authentication — Mon, 09 Jul 2007 09:17:30 GMT

cxu123 let's move this discussion to the MSDN forum. We are not making good use of the comments section here :)

I've started a thread here: http://forums.microsoft.com/technet/showpost.aspx?postid=1833975&siteid=17