How to implement a customized Security Support Provider to auth a user on a cloud?

Shelby Yang 1 Reputation point
2023-01-07T06:11:40.05+00:00

I want to provide an authentication mechanism on Windows for a user on a cloud.
The credential provider mostly satisfies this requirement with the premise that the user is a local user, Microsoft account or a domain user of this PC.
But I also would like to get escalated privilege as the user, even if the user exists only in a cloud and is not a domain user or Microsoft account.

As far as I know, Microsoft provides a mechanism, the SSP (Security Support Provider), which Kerberos and NTLM implement.
There are a few documents describing SSPs, such as The Windows Negotiation Extension and Writing NegoEx SSPs.
Furthermore, Spgetextendedinformationfn in my current implementation is called, though.
But I cannot find any further information about what data I should return to the LSA.

Is there any sample code about SSP, or I should try another way to achieve my goal?


2 answers

  1. Jeanine Zhang-MSFT 10,436 Reputation points Microsoft Vendor
    2023-01-09T03:10:36.637+00:00

    Hello,

    Welcome to Microsoft Q&A!

    I suggest you could start from the following docs:
    SSP Packages Provided by Microsoft
    LSA Authentication
    Security Support Provider Interface (SSPI)

    Thank you.

    Jeanine


    If the answer is the right solution, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


  2. Limitless Technology 44,561 Reputation points
    2023-01-10T08:45:28.64+00:00

    Hello there,

    SSP (Security Support Provider) is a mechanism in Windows that allows the operating system to support multiple authentication protocols. The Windows Negotiation Extension (WLN) is a Microsoft extension to the SSP framework that allows a client to negotiate the authentication protocol to be used with a server.

    To implement an SSP, you will need to write code that handles the communication with the Local Security Authority (LSA) and implements the authentication protocol you want to support. The LSA will call your SSP's SpGetExtendedInformationFn function to request information about the authentication protocol and to initiate the authentication process.

    I'm not aware of any sample code specifically for implementing an SSP, but you may find the documentation on the Windows Negotiation Extension and Writing NegoEx SSPs helpful in understanding the overall process.

    Alternatively, you might consider using a different approach to achieve your goal of providing authentication for a cloud user with escalated privileges. One possibility could be to use a third-party authentication solution that integrates with Windows and supports the functionality you need.

    --If the reply is helpful, please Upvote and Accept it as an answer–

