windows-authenticationkerberosntlmwindows-securitynegotiate

Windows Executable File Authentication


Searching around the windows authentication methods and protocols, i decided to understand the exact difference between Negotiate, Kerberos, and NTLM used in a simple executable file before liking it with IIS and Web Authentication.

I reached to good results, BUT I still need more details about the Negotiate and Kerberos.

I have the following scenario :

I have created very simple C# windows forms application that shows a message box displays the value for :

System.Security.Principal.WindowsIdentity.GetCurrent().AuthenticationType

Note that i'm a domain user with admin privileges on my local machine, I have the following results :

  1. When i run the exe file (double click) while i'm actively connected to the DC, i got "Negotiate".

  2. When i run the exe file (run as differnet user / using local user) while i'm actively connected to the DC, i got "NTLM".

  3. When i run the exe file using "Run as Administrator", or "Run as Different User" i got "Kerberos".

  4. When i run the exe file while i'm locally logged in using local account, i got "NTLM".

I understand that the LSA will use NTLM for local accounts. Also i understand that Active Directory uses Kerberos to authenticate domain users and computers.

My question is, why i'm getting the Negotiate Authentication Type when i run the exe using my account either by (Double Click), or "run as different user" using my Same account ?

Update : I noticed the following :

- If local user is running the exe then it is NTLM
- If domain user run the exe then it is Negotiate (If that user is local admin) but is is Kerberos (if that user is not local admin)
- If domain admin run the exe then it is Kerberos

I just a clarification about this behavior.


Solution

  • First off, (which you seem to understand in the question, but just to be clear) an EXE doesn't have any authentication - it is just an executable. The OS creates a process object which executes it within a logon session identified by a principal. It's this principal which has been authenticated by NTLM or Kerberos (or some other protocol).

    Next, Negotiate means that when the logon session was created the Negotiate authentication package was used to decide which authentication package - Kerberos or NTLM - would be used.

    When you query the WindowsIdentity.AuthenticationType value, you are ultimately calling a function in the Local Security Authority (LSA) called LsaGetLogonSessionData. This reports details of the logon session used to run the process you are executing. The way that this logon session was created probably has the largest effect on the authentication package used to verify the credentials.

    When logging into Windows the first time, Winlogon.exe establishes an interactive logon by calling LsaLogonUser. It queries the authentication packages in HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages in order until it finds one that can authenticate the given credentials. Once an interactive logon has been established, you can create new processes using noninteractive logons under different credentials, and in this case, the LogonUser function is likely called. One of the parameters to this function is dwLogonProvider which has the following default (which is likely the one used):

    LOGON32_PROVIDER_DEFAULT 
    
    Use the standard logon provider for the system. 
    The default security provider is negotiate, unless you pass NULL 
    for the domain name and the user name is not in UPN format. 
    In this case, the default provider is NTLM.
    

    So, the package reported for the logon session the process is running under depends on how the logon session was created. (It isn't clear from your question exactly how you create the logon sessions you are testing... doing "Run As" in all cases? Logoff / Logon Windows for some cases?) It also depends on which package Winlogon was able to successfully authenticate with first for the interactive logon session. Ultimately, though, note that the authentication mechanisms all call down to some authentication package, and if Negotiate is used, Kerberos is preferred, though Negotiate is what is reported.

    Here is an old but still relevant diagram which shows how all the authentication fits together in Windows:

    Windows Authentication Architecture

    Source