Hi,
Thank you for posting.
According to your description, I understand that:
You need to get some clarification about the CredSSP and delegation of
kerberos smart-card credentials. Another question is how CredSSP works.
If I have misunderstood the problem, please don't hesitate to let me know.
First, I would like to summary what's CredSSP and how it works.
The Credential Security Support Provider (CredSSP) Protocol enables an
application to securely delegate a user's credentials from a client to a
target server. For example, the Microsoft Terminal Server uses the CredSSP
Protocol to securely delegate the user's password or smart card PIN from
the client to the server to remotely log on the user and establish a
terminal services session
The CredSSP Protocol is a composite protocol that relies on other
standards-based security protocols. It first uses the Transport Layer
Security (TLS) Protocol to establish an encrypted channel between the
CredSSP client and the CredSSP server. (The client is anonymous at this
point; the client and the server may have no common trusted certification
authority root.)
All subsequent messages are sent over this channel. The CredSSP Protocol
then uses the Simple and Protected Generic Security Service Application
Program Interface Negotiation Mechanism (SPNEGO) to authenticate the user
and server in the encrypted TLS session.
By default, SPNEGO has the Kerberos Protocol and NTLM available. The
Kerberos Protocol is always preferred over NTLM. In Windows XP SP3,
Windows
Vista, and Windows 7, the SPNEGO client negotiates Kerberos or NTLM.
The CredSSP Protocol introduces the TSRequest message. The client and
server use this message to encapsulate the SPNEGO tokens and TSCredentials
message that the client uses to delegate the user's credentials to the
CredSSP server over a TLS connection.
=========================
Briefly compare of Kerberos and CredSSP.
Like the Kerberos authentication protocol, CredSSP can delegate
credentials
from the client to the server, but it does so by using a completely
different mechanism and with different usability and security
characteristics. With CredSSP, when policy specifies that credentials
should be delegated, users will be prompted for credentials-unlike
Kerberos
delegation-which means the user has some control over whether the
delegation should occur and (more importantly) what credentials should be
used. With Kerberos delegation, only the user's Active Directory?
credentials can be delegated.
=========================
As for your questions:
1. Generally, CredSSP is not directly related to Kerberos. They are just
two different SSPI.
2. CredSSP server and clients send TSRequest to exchange messages. For
detailed information, please refer to the "Protocol Examples" section of
the following articles:
[MS-CSSP]: Credential Security Support Provider (CredSSP) Protocol
Specification
http://msdn.microsoft.com/en-us/library/cc226764(PROT.10).aspx
You can also find other detailed information about CredSSP.
Windows Vista Authentication Features and Changes for Developers
http://msdn.microsoft.com/en-us/library/cc540483.aspx
Hope it helps.
Sincerely,
Mervyn Zhang
Microsoft Online Community Support
==================================================
This posting is provided "AS IS" with no warranties, and confers no
rights.
