ldap
rfc4511 http://tools.ietf.org/html/rfc4511
kerberos
rfc1510 http://www.faqs.org/rfcs/rfc1510.html
pkinit
rfc4556 http://www.ietf.org/rfc/rfc4556.txt
Processing Domain Controller Certificates
http://technet.microsoft.com/en-us/library/cc787009(WS.10).aspx
pc/sc winlogon
The Smart Card Cryptographic Service Provider Cookbook
http://msdn.microsoft.com/en-us/library/ms953432.aspx
You should have the following key in the registry:
HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Cryptography/Calais/SmartCards/Your Card name
with the values:
ATR, ATRMask, CryptoProvider
You should provide the ATR and ATRMask of your card, and the CryptoProvider
name of your CSP. This name must be exactly the same as the one you have under
HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Cryptography/Defaults/Provider.
When you insert a card, winlogon recognizes your card by its ATR: the card's
ATR must match the registry ATR under the ATRMask. If winlogon recognizes your
smart card correctly, it starts the CSP that is registered in the
HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Cryptography/Calais/SmartCards/Your Card name/CryptoProvider
value.
1. Find out for which card you want to retrieve the certificates. You may
want to use the SCardListReaders() function to get a list of all readers, and
then call SCardGetStatusChange() to find out which readers contain cards.
Alternatively, if you want to build an interactive application, you can use
a card select dialog box, using SCardUIDlgSelectCard().
2. Then you need to get the name of the CSP for the selected smart card.
You can use SCardGetCardTypeProviderName() to do that.
3. Call CryptAcquireContext() with the CSP for the card you want to read.
As the container name, pass //./<ReaderName>/ ; this instructs the CSP to
open the default container on the smart card in that particular reader.
4. Call CryptGetProvParam() with dwParam = PP_ENUMCONTAINERS repeatedly
until you get ERROR_NO_MORE_ITEMS, to get a list of all key containers on
the card.
5. For each of the key containers, call CryptAcquireContext() with the
previously obtained CSP name and //./<ReaderName>/<ContainerName> (without
the '<>', naturally) as the container name to open the container.
6. Call CryptGetUserKey() to get a handle to the key (you may need to do this
twice, because the key can be either a signature key or a key exchange key).
7. Call CryptGetKeyParam() with dwParam = KP_CERTIFICATE to retrieve the
certificate.
8. Go back to step 5 until you have looped over all containers.
Mapping from smart card to CSP:
1 CardReader: HKLM/SOFTWARE/Microsoft/Cryptography/Calais/Readers
2 The card name is obtained from the ATR
3 Card: the Crypto Provider value under HKLM/SOFTWARE/Microsoft/Cryptography/Calais/SmartCards names the CSP
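The ATR/ATRMask lookup that both the winlogon paragraph above and the card-to-CSP notes describe, written out as an added example (this is not code from the page; the registry table, card names, CSP names and ATR bytes are constructed, and the rule that an ATR of a different length never matches is this example's own). It also reports when two registry entries claim the same ATR, which is the case an audit of the Calais keys should catch.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* One entry under HKLM\SOFTWARE\Microsoft\Cryptography\Calais\SmartCards\<Card name>:
   ATR and ATRMask are REG_BINARY values, CryptoProvider is the CSP name. */
typedef struct {
    const char *card_name;
    const uint8_t *atr, *atr_mask;
    size_t len;
    const char *crypto_provider;
} card_entry;

/* Constructed registry table (not real card ATRs): entry A wildcards the
   last two ATR bytes through its mask, entry B requires an exact match. */
static const uint8_t atr_a[]  = {0x3B,0x88,0x80,0x01,0x11,0x22};
static const uint8_t mask_a[] = {0xFF,0xFF,0xFF,0xFF,0x00,0x00};
static const uint8_t mask_b[] = {0xFF,0xFF,0xFF,0xFF,0xFF,0xFF};
static const card_entry example_table[] = {
    {"Example Card A", atr_a, mask_a, sizeof atr_a, "Example CSP A"},
    {"Example Card B", atr_a, mask_b, sizeof atr_a, "Example CSP B"},
};

/* Masked compare: only ATR bytes selected by the mask must agree; a length
   mismatch never matches (this example's rule). Returns 1 on match. */
static int atr_matches(const uint8_t *card_atr, size_t card_len, const card_entry *e)
{
    if (card_len != e->len) return 0;
    for (size_t i = 0; i < card_len; i++)
        if ((card_atr[i] & e->atr_mask[i]) != (e->atr[i] & e->atr_mask[i])) return 0;
    return 1;
}

/* Resolve the CSP for an inserted card: first matching entry wins, NULL if none.
   *ambiguous is set when a second entry also matches; when auditing the Calais
   keys that is worth flagging, since which CSP winlogon loads then depends on
   enumeration order rather than on the card. */
const char *resolve_csp(const uint8_t *card_atr, size_t card_len, int *ambiguous)
{
    const char *found = NULL;
    *ambiguous = 0;
    for (size_t i = 0; i < sizeof example_table / sizeof example_table[0]; i++) {
        if (!atr_matches(card_atr, card_len, &example_table[i])) continue;
        if (found) { *ambiguous = 1; break; }
        found = example_table[i].crypto_provider;
    }
    return found;
}
```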
Interactive Logons Using Kerberos Authentication
Authenticate:
1 LogonUser
2 ADS
3 SSPI
IADs authentication:
#include <windows.h>
#include <atlbase.h>     // CComBSTR
#include <activeds.h>    // IADsOpenDSObject, IADs, ADsGetObject (pulls in Iads.h)
#pragma comment(lib, "activeds.lib")
#pragma comment(lib, "adsiid.lib")

int main()
{
    // ADSI is COM-based, so the calling thread needs an initialised apartment.
    HRESULT hr = CoInitialize(NULL);
    if (FAILED(hr))
        return 1;

    IADsOpenDSObject *pDSO = NULL;
    hr = ADsGetObject(L"LDAP:", IID_IADsOpenDSObject, (void**) &pDSO);
    if (SUCCEEDED(hr))
    {
        IDispatch *pDisp = NULL;
        // ADS_SECURE_AUTHENTICATION binds with these credentials through SSPI
        // (Kerberos against Active Directory, NTLM as fallback) rather than an
        // LDAP simple bind, which would send the password to the directory.
        hr = pDSO->OpenDSObject(CComBSTR("LDAP://DC=Fabrikam, DC=com"),
                                CComBSTR("[email protected]"),
                                CComBSTR("passwordhere"),
                                ADS_SECURE_AUTHENTICATION,
                                &pDisp);
        pDSO->Release();
        if (SUCCEEDED(hr))
        {
            IADs *pADs = NULL;
            hr = pDisp->QueryInterface(IID_IADs, (void**) &pADs);
            pDisp->Release();
            if (SUCCEEDED(hr))
            {
                // Perform an object manipulation here.
                pADs->Release();
            }
        }
    }

    CoUninitialize();
    return SUCCEEDED(hr) ? 0 : 1;
}