Windows domain controller authentication principles

LDAP

rfc4511 http://tools.ietf.org/html/rfc4511

 

Kerberos

rfc1510 http://www.faqs.org/rfcs/rfc1510.html (obsoleted by RFC 4120, which is the current Kerberos V5 specification)

 

PKINIT

rfc4556 http://www.ietf.org/rfc/rfc4556.txt

 

Processing Domain Controller Certificates

http://technet.microsoft.com/en-us/library/cc787009(WS.10).aspx

 

PC/SC and Winlogon

The Smart Card Cryptographic Service Provider Cookbook

http://msdn.microsoft.com/en-us/library/ms953432.aspx

 

You should have the following key in the registry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Calais\SmartCards\<Your Card name>
with the values:
ATR, ATRMask, Crypto Provider
ATR and ATRMask describe your card; Crypto Provider holds the name of your CSP. That name must be exactly the name of the CSP's own subkey under
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Defaults\Provider,
otherwise the CSP cannot be loaded.

When you insert a card, Winlogon (through the smart card resource manager) recognizes the card by its ATR: the card's ATR, masked with ATRMask, must match the ATR stored in the registry entry. If the card is recognized, Winlogon loads the CSP named in the Crypto Provider value under
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Calais\SmartCards\<Your Card name>.


1. Find out for which card you want to retrieve the certificates. You may
want to use the SCardListReaders function to get a list of all readers, and
then call SCardGetStatusChange() to find out which readers contain cards.
Alternatively, if you want to build an interactive application, you can use
a card select dialog box, using SCardUIDlgSelectCard().
2. Then you need the name of the CSP for the selected smart card.
You can use SCardGetCardTypeProviderName() to do that.
3. Call CryptAcquireContext() with the CSP for the card you want to
read. As the container name, pass \\.\<ReaderName>\ ; this instructs the
CSP to open the default container on the smart card in that particular
reader.
4. Call CryptGetProvParam() with dwParam = PP_ENUMCONTAINERS repeatedly
(CRYPT_FIRST for the first call, CRYPT_NEXT afterwards) until it fails with
ERROR_NO_MORE_ITEMS, to get a list of all key containers on the card.
5. For each of the key containers, call CryptAcquireContext() with the
previously obtained CSP name and, as the container name,
\\.\<ReaderName>\<ContainerName> (without the '<>', naturally) to open the
container.
6. Call CryptGetUserKey() to get a handle to the key (you may need to do this
twice, because the key can be either a signature key, AT_SIGNATURE, or a key
exchange key, AT_KEYEXCHANGE).
7. Call CryptGetKeyParam() with dwParam = KP_CERTIFICATE to retrieve the
certificate.
8. Go back to 5 until you have looped over all containers.
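The eight steps above as one runnable PowerShell script, added here as an example; it is not code from the original page or from Microsoft. It assumes a Windows machine with the Smart Card service running, a reader holding a card whose ATR is registered under Calais\SmartCards with a legacy CSP (cards that only register a KSP are not covered), and the class and function names (ScApi, ConvertFrom-MultiSz, Get-SmartCardCertificate) are mine. One substitution: SCardConnect is used as the "is there a card in this reader" test in place of SCardGetStatusChange, which needs a struct array to marshal.

```powershell
# Added example (not from the original page): P/Invoke declarations for the WinSCard and CryptoAPI calls the steps name.
$sig = @'
using System;
using System.Runtime.InteropServices;
public static class ScApi {
  [DllImport("winscard.dll")] public static extern int SCardEstablishContext(uint scope, IntPtr r1, IntPtr r2, out IntPtr ctx);
  [DllImport("winscard.dll")] public static extern int SCardReleaseContext(IntPtr ctx);
  [DllImport("winscard.dll", CharSet=CharSet.Unicode)] public static extern int SCardListReaders(IntPtr ctx, IntPtr groups, char[] readers, ref uint len);
  [DllImport("winscard.dll", CharSet=CharSet.Unicode)] public static extern int SCardConnect(IntPtr ctx, string reader, uint share, uint protos, out IntPtr card, out uint proto);
  [DllImport("winscard.dll", CharSet=CharSet.Unicode)] public static extern int SCardStatus(IntPtr card, char[] names, ref uint nameLen, out uint state, out uint proto, byte[] atr, ref uint atrLen);
  [DllImport("winscard.dll")] public static extern int SCardDisconnect(IntPtr card, uint disposition);
  [DllImport("winscard.dll", CharSet=CharSet.Unicode)] public static extern int SCardListCards(IntPtr ctx, byte[] atr, IntPtr guids, uint nGuids, char[] cards, ref uint len);
  [DllImport("winscard.dll", CharSet=CharSet.Unicode)] public static extern int SCardGetCardTypeProviderName(IntPtr ctx, string card, uint providerId, char[] name, ref uint len);
  [DllImport("advapi32.dll", CharSet=CharSet.Unicode, SetLastError=true)] public static extern bool CryptAcquireContext(out IntPtr prov, string container, string provider, uint provType, uint flags);
  [DllImport("advapi32.dll", SetLastError=true)] public static extern bool CryptGetProvParam(IntPtr prov, uint param, byte[] data, ref uint len, uint flags);
  [DllImport("advapi32.dll", SetLastError=true)] public static extern bool CryptGetUserKey(IntPtr prov, uint keySpec, out IntPtr key);
  [DllImport("advapi32.dll", SetLastError=true)] public static extern bool CryptGetKeyParam(IntPtr key, uint param, byte[] data, ref uint len, uint flags);
  [DllImport("advapi32.dll")] public static extern bool CryptDestroyKey(IntPtr key);
  [DllImport("advapi32.dll")] public static extern bool CryptReleaseContext(IntPtr prov, uint flags);
}
'@
Add-Type -TypeDefinition $sig

# Split the NUL-separated, double-NUL-terminated "multi-string" buffers WinSCard returns into names
function ConvertFrom-MultiSz([char[]]$Buffer) {
  (-join $Buffer).Split([char[]]@([char]0), [StringSplitOptions]::RemoveEmptyEntries)
}

function Get-SmartCardCertificate {
  $ctx = [IntPtr]::Zero
  if ([ScApi]::SCardEstablishContext(0, [IntPtr]::Zero, [IntPtr]::Zero, [ref]$ctx) -ne 0) {
    throw 'SCardEstablishContext failed: is the Smart Card service running?'
  }
  try {
    # Step 1: enumerate readers, then probe each one for a card
    $n = [uint32]0
    [void][ScApi]::SCardListReaders($ctx, [IntPtr]::Zero, $null, [ref]$n)
    $buf = New-Object char[] ([int]$n)
    [void][ScApi]::SCardListReaders($ctx, [IntPtr]::Zero, $buf, [ref]$n)
    foreach ($reader in (ConvertFrom-MultiSz $buf)) {
      $hCard = [IntPtr]::Zero; $proto = [uint32]0
      # SCARD_SHARE_SHARED = 2, SCARD_PROTOCOL_T0|T1 = 3; a failure here means no usable card in the reader
      if ([ScApi]::SCardConnect($ctx, $reader, 2, 3, [ref]$hCard, [ref]$proto) -ne 0) { continue }
      $names = New-Object char[] 256; $nameLen = [uint32]256; $state = [uint32]0
      $atr = New-Object byte[] 36; $atrLen = [uint32]36
      [void][ScApi]::SCardStatus($hCard, $names, [ref]$nameLen, [ref]$state, [ref]$proto, $atr, [ref]$atrLen)
      [void][ScApi]::SCardDisconnect($hCard, 0)               # SCARD_LEAVE_CARD
      $atrBytes = [byte[]]($atr[0..([int]$atrLen - 1)])
      # Step 2: ATR -> card name (the Calais\SmartCards entry) -> its Crypto Provider value
      $n = [uint32]0
      [void][ScApi]::SCardListCards($ctx, $atrBytes, [IntPtr]::Zero, 0, $null, [ref]$n)
      if ($n -le 1) { continue }                                # ATR not registered on this machine
      $buf = New-Object char[] ([int]$n)
      [void][ScApi]::SCardListCards($ctx, $atrBytes, [IntPtr]::Zero, 0, $buf, [ref]$n)
      $card = (ConvertFrom-MultiSz $buf)[0]
      $n = [uint32]0
      if ([ScApi]::SCardGetCardTypeProviderName($ctx, $card, 2, $null, [ref]$n) -ne 0) { continue }  # 2 = SCARD_PROVIDER_CSP
      $buf = New-Object char[] ([int]$n)
      [void][ScApi]::SCardGetCardTypeProviderName($ctx, $card, 2, $buf, [ref]$n)
      $csp = (-join $buf).TrimEnd([char]0)
      # Step 3: open the default container on this reader with that CSP (PROV_RSA_FULL = 1)
      $prov = [IntPtr]::Zero
      if (-not [ScApi]::CryptAcquireContext([ref]$prov, "\\.\${reader}\", $csp, 1, 0)) { continue }
      # Step 4: PP_ENUMCONTAINERS (2): size query, then CRYPT_FIRST (1) and CRYPT_NEXT (2) until the call fails
      $containers = @(); $len = [uint32]0
      [void][ScApi]::CryptGetProvParam($prov, 2, $null, [ref]$len, 1)
      $data = New-Object byte[] ([Math]::Max([int]$len, 1)); $flag = [uint32]1
      while ([ScApi]::CryptGetProvParam($prov, 2, $data, [ref]$len, $flag)) {
        $containers += [Text.Encoding]::ASCII.GetString($data, 0, [int]$len).TrimEnd([char]0)
        $len = [uint32]$data.Length; $flag = [uint32]2
      }
      [void][ScApi]::CryptReleaseContext($prov, 0)
      foreach ($c in $containers) {
        # Step 5: open each container by name
        $p = [IntPtr]::Zero
        if (-not [ScApi]::CryptAcquireContext([ref]$p, "\\.\${reader}\${c}", $csp, 1, 0)) { continue }
        foreach ($spec in [uint32]1, [uint32]2) {                # Step 6: AT_KEYEXCHANGE, then AT_SIGNATURE
          $key = [IntPtr]::Zero
          if (-not [ScApi]::CryptGetUserKey($p, $spec, [ref]$key)) { continue }
          # Step 7: KP_CERTIFICATE (26) returns the DER certificate stored alongside the key
          $cl = [uint32]0
          if ([ScApi]::CryptGetKeyParam($key, 26, $null, [ref]$cl, 0) -and $cl -gt 0) {
            $der = New-Object byte[] ([int]$cl)
            [void][ScApi]::CryptGetKeyParam($key, 26, $der, [ref]$cl, 0)
            $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(,$der)
            [pscustomobject]@{ Reader = $reader; Card = $card; CSP = $csp; Container = $c; KeySpec = $spec
                               Subject = $cert.Subject; NotAfter = $cert.NotAfter; Thumbprint = $cert.Thumbprint }
          }
          [void][ScApi]::CryptDestroyKey($key)
        }
        [void][ScApi]::CryptReleaseContext($p, 0)
      }                                                         # Step 8: next container
    }
  } finally { [void][ScApi]::SCardReleaseContext($ctx) }
}

Get-SmartCardCertificate | Format-Table -AutoSize
```

Opening a container does not require the PIN; the CSP only prompts when the private key is used, so this enumeration is a read-only inventory of what the card exposes. For cards that register only a Smart Card Key Storage Provider (the CNG path on Vista and later) the equivalent walk goes through NCryptOpenStorageProvider and NCryptEnumKeys instead of CryptAcquireContext.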

 

How a smart card is associated with its CSP:

1 Card reader: HKLM\SOFTWARE\Microsoft\Cryptography\Calais\Readers

2 The card's ATR yields the card name

3 Card: the Crypto Provider value under HKLM\SOFTWARE\Microsoft\Cryptography\Calais\SmartCards\<card name> names the CSP
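The ATR-to-CSP lookup described in the registry notes above and in this summary, reproduced directly against the Calais keys so you can see which SmartCards entry (and therefore which CSP) a given ATR selects, and confirm that the Crypto Provider name really is registered under Defaults\Provider. This is an added example, not code from the page. The function names are mine, the sample ATR bytes are constructed, and the matching rule used (card ATR AND ATRMask equals registry ATR AND ATRMask, with equal lengths) is my reading of how the resource manager compares them.

```powershell
# Added example (not from the original page). Matching rule below is an assumption stated in the lead-in.
function Test-AtrMatch([byte[]]$CardAtr, [byte[]]$RegAtr, [byte[]]$Mask) {
  if ($CardAtr.Length -ne $RegAtr.Length -or $RegAtr.Length -ne $Mask.Length) { return $false }
  for ($i = 0; $i -lt $Mask.Length; $i++) {
    # mask bit 1 = compare this bit, 0 = ignore it (e.g. an applet-version byte that varies per batch)
    if (($CardAtr[$i] -band $Mask[$i]) -ne ($RegAtr[$i] -band $Mask[$i])) { return $false }
  }
  return $true
}

function Find-CalaisCard([byte[]]$CardAtr) {
  $cards = 'HKLM:\SOFTWARE\Microsoft\Cryptography\Calais\SmartCards'
  $providers = 'HKLM:\SOFTWARE\Microsoft\Cryptography\Defaults\Provider'
  foreach ($key in Get-ChildItem $cards) {
    $v = Get-ItemProperty -LiteralPath $key.PSPath
    if (-not ($v.ATR -and $v.ATRMask)) { continue }            # entries without ATR values cannot match anything
    if (-not (Test-AtrMatch $CardAtr ([byte[]]$v.ATR) ([byte[]]$v.ATRMask))) { continue }
    $csp = $v.'Crypto Provider'
    [pscustomobject]@{
      Card          = $key.PSChildName
      CSP           = $csp
      # the check the text asks for: the name must be a subkey of Defaults\Provider or Winlogon cannot load it
      CspRegistered = [bool]($csp -and (Test-Path -LiteralPath (Join-Path $providers $csp)))
      KSP           = $v.'Smart Card Key Storage Provider'    # CNG counterpart on Vista and later
    }
  }
}

# Constructed registry entry: a 12-byte ATR whose last byte is masked out
$regAtr    = [byte[]](0x3B,0x7F,0x18,0x00,0x00,0x00,0x31,0xC0,0x73,0x9E,0x01,0x0B)
$regMask   = [byte[]](0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0x00)
$sameCard  = [byte[]](0x3B,0x7F,0x18,0x00,0x00,0x00,0x31,0xC0,0x73,0x9E,0x01,0x0C)   # differs only in the masked byte
$otherCard = [byte[]](0x3B,0x7F,0x18,0x00,0x00,0x00,0x31,0xC0,0x73,0x9F,0x01,0x0B)   # differs in a compared byte

"same card matches:  $(Test-AtrMatch $sameCard  $regAtr $regMask)"
"other card matches: $(Test-AtrMatch $otherCard $regAtr $regMask)"

# Against the live registry: which card type and CSP would Windows pick for this ATR?
Find-CalaisCard $sameCard | Format-Table -AutoSize
```

If Find-CalaisCard returns more than one row for a real ATR, two card types claim the same card and the resource manager's choice between them is not something to rely on; tighten the ATRMask of one of them. A row with CspRegistered false is the misconfiguration the text warns about: the card is recognized but Winlogon has no CSP to load.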

 

Interactive Logons Using Kerberos Authentication

 

Ways to authenticate a user from code:

1 LogonUser

2 ADSI (IADsOpenDSObject::OpenDSObject)

3 SSPI

 

IADs authentication:

#include <windows.h>
#include <atlbase.h>      // CComBSTR
#include <iads.h>
#include <activeds.h>     // ADsGetObject, ADS_* flags
#pragma comment(lib, "activeds.lib")
#pragma comment(lib, "adsiid.lib")

int main()
{
    // ADSI is COM based: initialise COM on this thread before any ADSI call.
    HRESULT hr = CoInitialize(NULL);
    if (FAILED(hr))
        return 1;

    IADsOpenDSObject *pDSO = NULL;
    hr = ADsGetObject(L"LDAP:", IID_IADsOpenDSObject, (void**) &pDSO);
    if (SUCCEEDED(hr))
    {
        IDispatch *pDisp = NULL;
        // ADS_SECURE_AUTHENTICATION binds through SSPI (Kerberos, falling back to NTLM),
        // so the password is not sent to the DC in the clear as it would be with a simple
        // bind. Add ADS_USE_SEALING if the LDAP traffic itself must be encrypted.
        hr = pDSO->OpenDSObject(CComBSTR("LDAP://DC=Fabrikam,DC=com"),
                                CComBSTR("[email protected]"),   // user principal name
                                CComBSTR("passwordhere"),
                                ADS_SECURE_AUTHENTICATION,
                                &pDisp);
        pDSO->Release();
        if (SUCCEEDED(hr))
        {
            IADs *pADs = NULL;
            hr = pDisp->QueryInterface(IID_IADs, (void**) &pADs);
            pDisp->Release();
            if (SUCCEEDED(hr))
            {
                // Perform an object manipulation here.
                pADs->Release();
            }
        }
    }

    CoUninitialize();
    return SUCCEEDED(hr) ? 0 : 1;
}
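The first option in the list above, LogonUser, as an added example that is not part of the original page: it validates a credential against the domain and nothing else. The domain, user and password values are placeholders, the function and class names are mine, and the script assumes a domain-joined Windows host.

```powershell
# Added example (not from the original page): credential validation with LogonUser.
$sig = @'
using System;
using System.Runtime.InteropServices;
public static class Logon {
  [DllImport("advapi32.dll", CharSet=CharSet.Unicode, SetLastError=true)]
  public static extern bool LogonUser(string user, string domain, string password, uint logonType, uint provider, out IntPtr token);
  [DllImport("kernel32.dll")] public static extern bool CloseHandle(IntPtr h);
}
'@
Add-Type -TypeDefinition $sig

function Test-DomainCredential([string]$Domain, [string]$User, [string]$Password) {
  $token = [IntPtr]::Zero
  # LOGON32_LOGON_NETWORK (3) is the lightest logon type: no profile load, no interactive
  # session, no SeTcbPrivilege needed. LOGON32_PROVIDER_DEFAULT = 0.
  $ok  = [Logon]::LogonUser($User, $Domain, $Password, 3, 0, [ref]$token)
  $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
  if ($ok) { [void][Logon]::CloseHandle($token) }     # the token itself is never used
  # The error code distinguishes "wrong password" from "right password, blocked account".
  # That distinction is useful to an administrator and to an attacker alike, so log it
  # but never return it to an unauthenticated caller.
  $reason = switch ($err) {
    0    { 'ok' }
    1326 { 'bad user name or password' }    # ERROR_LOGON_FAILURE
    1327 { 'account restriction' }          # ERROR_ACCOUNT_RESTRICTION
    1328 { 'outside logon hours' }          # ERROR_INVALID_LOGON_HOURS
    1329 { 'workstation not allowed' }      # ERROR_INVALID_WORKSTATION
    1330 { 'password expired' }             # ERROR_PASSWORD_EXPIRED
    1331 { 'account disabled' }             # ERROR_ACCOUNT_DISABLED
    1909 { 'account locked out' }           # ERROR_ACCOUNT_LOCKED_OUT
    default { "win32 error $err" }
  }
  [pscustomobject]@{ Valid = $ok; Reason = $reason }
}

Test-DomainCredential -Domain 'FABRIKAM' -User 'jdoe' -Password 'placeholder'
```

Every call counts as a logon attempt against the account, so a loop over candidate passwords will hit the lockout policy exactly as it should; the password is also a plain .NET string here, which stays in managed memory until collected, so production code should accept a SecureString and marshal it only for the call.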
