ASP.NET Core
A set of technologies in the .NET Framework for building web applications and XML web services.
4,156 questions
Is it possible to use LsaLogonUser with kerb_certificate_s4u_logon for a computer certificate for an identification level token for a computer?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(211.20000000000002, 19%, 30%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJA%3C/text%3E%3C/svg%3E)
John Ashman
1
Reputation point
We want to use an enterprise issued computer certificate to authenticate to a web service by taking the public certificate on the remote server and passing it to LsaLogonUser in a kerb_certificate_s4u_logon structure to get an identification level token for the computer.
Firstly is this possible, or does that mechanism only work for Users?
Secondly what are the constraints on the certificate to allow implicit mapping of the certificate to the computer object?
Thanks
John
ASP.NET Core
Windows Server
Windows Server
A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.
12,112 questions
Windows Hardware Performance
Windows Hardware Performance
Windows: A family of Microsoft operating systems that run across personal computers, tablets, laptops, phones, internet of things devices, self-contained mixed reality headsets, large collaboration screens, and other devices.Hardware Performance: Delivering / providing hardware or hardware systems or adjusting / adapting hardware or hardware systems.
1,541 questions
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(288, 78%, 37%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EBZ%3C/text%3E%3C/svg%3E)
Brando Zhang-MSFT 2,881 Reputation points Microsoft Vendor2022-02-28T05:49:51.207+00:00 Could you please tell me which application you have used now? Asp.net Core web api, MVC or else? Do you have any codes which is related with your requirement?
-
John Ashman 1 Reputation point
2022-02-28T09:27:50.987+00:00 Currently we are just trying a console application, but eventually it will run in a service running as NETWORK SERVICE on a domain joined computer.
The error we are getting is: 1787: ERROR_NO_TRUST_SAM_ACCOUNT which leads me to believe that the certificate mapping is where is going wrong.
The current certificate we are using is a machine certificate that has the DNS entry in the SAN, rather than the UPN. Does this mean that we can't use "implicit" mapping to the account and should add the certificate to the account userCertificate attribute? Is there any way to get this to work without explicitly adding the certificate to the account, do does this require the UPN to be present in the cert? -
John Ashman 1 Reputation point
2022-02-28T14:27:59.507+00:00 So we got this to work with "explicit" certificate mapping, i.e. adding the certificate to the userCertificate attribute and providing the account name in the S4U request.
The question remains, is the only way to get this to work with "implicit" mapping, is to include the UPN in the SAN?
Sign in to comment