Is it possible to enforce a specific Credential Provider per Active Directory user?

I have a credential provider that does not act the way I want it to. It provides secondary authentication, but its scope is all interactive Windows logins host-wide, not a specific user.

In addition to the credential provider, a credential provider filter is installed. The credential provider filter restricts the use of credential providers on the login screen to just this credential provider. However, if the credential provider filter is removed (via deletion of the key below HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Provider Filters), then a user can change the credential provider to any other available credential provider (including our good old friend PasswordProvider).

My intention is to enforce the use of the credential provider for certain users. For instance, it's fine if this user attempts to log in with another credential provider, but I'd like AD to reject this request... only allowing requests if they are called from the correct credential provider.

Is this possible? I'm hoping there is a way to configure a user object in AD to restrict the acceptable credential providers.

Thanks


Solution 1:

Good question. As noted here, and without better sources, the answer appears to be no.

Quote:

It is important to note that credential providers are not enforcement mechanisms.

Because:

Credential providers are registered on a Windows machine and are responsible for the following:

  • Describing the credential information required for authentication.
  • Handling the communication and logic with any external authentication authorities.
  • Packaging the credentials for interactive and network logon.

That is, they are client side mechanisms.

Also a best practice is described not to completely disallow access to at least one host wide provider, so as not to cause complete lockout:

While third-party credential providers may fulfill additional authentication requirements for particular groups of users, it is very important to ensure that the user can always regain access to their machine when a breaking change occurs. System credential providers provide this guarantee.

So... the recommendation appears to be not to exclude access to host wide providers. Simple solution if you want to restrict anyway: do not grant the users permission to delete the registry key.

The Protected Users Security Group does not do what you ask, but is one way of hardening the authentication process server side.
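As an added example (not code from the question or the answer above), the following PowerShell script audits the state the answer recommends protecting: it confirms the credential provider filter is still registered under the Credential Provider Filters key, reports any ACE on that key that grants write or delete rights to a principal other than the built-in trusted writers, and lists every registered provider (PasswordProvider among them) so you can see what the filter is expected to hide. The filter CLSID is a placeholder you must replace with your own; the trusted-writer list reflects the default HKLM\SOFTWARE ACL, which already denies write access to standard users, so the check catches drift from that default rather than stopping a local administrator, who can always remove the key.

```powershell
# Added example: audit the credential provider filter registration and the
# ACL on its registry key. Not part of the original question or answer.
# $ExpectedFilterClsid is a placeholder; substitute the CLSID of your filter.

$ExpectedFilterClsid = '{00000000-0000-0000-0000-000000000000}'  # placeholder
$FiltersKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Provider Filters'
$ProvidersKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers'

# Principals that hold write access under HKLM\SOFTWARE on a default install.
# CREATOR OWNER is the inherit-only placeholder ACE present in that default ACL.
$TrustedWriters = @(
    'NT AUTHORITY\SYSTEM',
    'BUILTIN\Administrators',
    'NT SERVICE\TrustedInstaller',
    'CREATOR OWNER'
)

# Rights that would let a principal remove or replace the filter registration.
# Deliberately excludes ReadPermissions, which the default Users ACE carries.
$WriteRights = [System.Security.AccessControl.RegistryRights]::SetValue -bor
               [System.Security.AccessControl.RegistryRights]::CreateSubKey -bor
               [System.Security.AccessControl.RegistryRights]::Delete -bor
               [System.Security.AccessControl.RegistryRights]::ChangePermissions -bor
               [System.Security.AccessControl.RegistryRights]::TakeOwnership

function Test-CredentialProviderFilter {
    param([Parameter(Mandatory)][string]$Clsid)

    $result = [ordered]@{
        FilterRegistered = Test-Path (Join-Path $FiltersKey $Clsid)
        UntrustedWriters = @()
        Providers        = @()
    }

    if (Test-Path $FiltersKey) {
        $acl = Get-Acl -Path $FiltersKey
        foreach ($ace in $acl.Access) {
            $isAllow  = $ace.AccessControlType -eq 'Allow'
            $canWrite = ($ace.RegistryRights -band $WriteRights) -ne 0
            if ($isAllow -and $canWrite -and ($TrustedWriters -notcontains $ace.IdentityReference.Value)) {
                $result.UntrustedWriters += $ace.IdentityReference.Value
            }
        }
    }

    # Each provider subkey is a CLSID whose default value is the provider name.
    if (Test-Path $ProvidersKey) {
        $result.Providers = Get-ChildItem -Path $ProvidersKey | ForEach-Object {
            $name = (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).'(default)'
            '{0} {1}' -f $_.PSChildName, $name
        }
    }

    [pscustomobject]$result
}

$report = Test-CredentialProviderFilter -Clsid $ExpectedFilterClsid
$report | Format-List

if (-not $report.FilterRegistered) {
    Write-Warning 'Credential provider filter is not registered; every provider listed above is selectable at logon.'
}
if ($report.UntrustedWriters.Count -gt 0) {
    Write-Warning ('Principals outside the trusted set can modify the filter key: {0}' -f ($report.UntrustedWriters -join ', '))
}
```

Run it from an elevated PowerShell on the host in question. An empty UntrustedWriters list together with FilterRegistered being True is the state the answer describes; if FilterRegistered is False the filter has been removed and the login screen will offer every provider in the list, including PasswordProvider.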