Creating a Kerberos or NTLM logon to an Active Directory Domain Controller at will.

Post by ErnieB » Thu Mar 14, 2019 1:42 am

Can someone please assist with the following question?
I want to be able to force either an NTLM logon or a Kerberos logon to an Active Directory domain controller as a separate user principal.
Initially, I simply tried the Windows NET command as follows:

net use \\DCName\Sharename /user:DomainName\Username password01
and
net use \\10.10.10.10\Sharename /user:DomainName\Username password01

The first one is for Kerberos, as the SPN (service principal name) can be obtained and therefore the hash to use with Kerberos ticket encryption.
The second one is for NTLM, as no SPN can be retrieved based on an IP address and it therefore falls back to NTLM.

I have had very mixed results with the above, therefore I want to look for an alternative method (as I need to feed in lots of usernames and passwords to create lots of logons at the DC, e.g. Kerberos or NTLM at will).

So next I tried:

[system.reflection.assembly]::LoadWithPartialName('System.DirectoryServices.AccountManagement')
$D = [system.DirectoryServices.AccountManagement.ContextType]::Domain
$PC = [system.DirectoryServices.AccountManagement.PrincipalContext]$D
$M = [system.DirectoryServices.AccountManagement.ContextOptions]::Negotiate

$PC.ValidateCredentials('User01','Password01',$m)

However, as one might imagine, this only validated the username/password combination; it did not create a Kerberos TGT for the user, for example (which is what I want to do when forcing a Kerberos logon).

So my question is: is there a .NET namespace where, given a known username and password, you can force the issuance of a TGT (for Kerberos authentication) or an NTLM token logon?

PS,
I found the following

https://docs.microsoft.com/en-us/previo ... spi_topic1

which allows you to choose the authentication package etc. to do a logon, which is basically what I am trying to do. However, this is a compiled C++ GUI program and I am looking to do this in a script (PowerShell/C#).

Basically, pass a PowerShell function a username and password and a switch parameter, Kerberos or NTLM, so the DC authenticates the user with my protocol of choice and it shows up in the DC's security event log as normal (e.g. TGT issued or NTLM).

Thanks very much in advance, EB

Post by davidc » Thu Mar 14, 2019 7:03 am

[TOPIC MOVED TO WINDOWS POWERSHELL FORUM BY MODERATOR]
David
SAPIEN Technologies, Inc.

Post by ErnieB » Fri Mar 15, 2019 3:04 am

Can you please give me the link to the location where my question has been moved, as I cannot find it? Thanks

Post by davidc » Fri Mar 15, 2019 7:06 am

Sure, it's the Windows PowerShell forum:

viewforum.php?f=18
David
SAPIEN Technologies, Inc.

Post by jvierra » Fri Mar 15, 2019 8:38 am

Remoting creates a remote session. There is no local session or logon event. All parts of the session are on the remote system only. That is what remoting means.

Post by ErnieB » Mon Mar 18, 2019 5:32 am

Hello,
Thanks for the replies

I am not trying to remote to the DC as it were, but rather create an authentication event. For example, I want to emulate (in a very crude sense) load on a DC when, say, 1000 users authenticate to the DC (either via Kerberos, and therefore the user obtains a TGT, or NTLM). I have fudged this by mapping a drive to the DC using the DC's IP address (NTLM) or name (so the SPN can be looked up, Kerberos). However, this is a very crude method and I wanted a more elegant way. A post I found uses SSPI and authentication packages and used a compiled C++ program. However, as I am doing this in PowerShell, ideally I wanted a C# class to achieve the same thing.


Thanks very much

Post by jvierra » Mon Mar 18, 2019 6:25 am

Using alternate credentials is the same as remoting. You are asking the remote system to authenticate for you using a different account. There will be no TKT in your session. It will only exist during the remote connection in the remote session.

To use the Account Management classes we would do this:

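Add-Type -AssemblyName System.DirectoryServices.AccountManagement
# Options need the four-argument overload (ContextType, name, container, ContextOptions);
# a third string argument is read as the container, so cast the options explicitly.
$opts = [System.DirectoryServices.AccountManagement.ContextOptions]'Negotiate'
$ctx = [System.DirectoryServices.AccountManagement.PrincipalContext]::new('Domain', 'TESTNET', [NullString]::Value, $opts)
$ctx.ValidateCredentials('user01', 'password01')

"TESTNET" is the domain name and "Negotiate" is the connection options. You can use more than one like this:

$opts = [System.DirectoryServices.AccountManagement.ContextOptions]'Negotiate,Signing'  # the enum member is 'Signing'
$ctx = [System.DirectoryServices.AccountManagement.PrincipalContext]::new('Domain', 'TESTNET', [NullString]::Value, $opts)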

Once you have the CTX you can run the "Validate" in a loop. This will not load test, as each validate does not create a session. It just asks the server to check the credentials. To load test you will likely use a query to cause a session to be created and authenticated. This would have to be done from a multi-threaded application to cause concurrency and produce load. There are numerous tools that can be downloaded that can do this. The tools are usually run from multiple PCs to force a load. Each PC can handle a group of tests in parallel and run them continuously. These are standard load testing tools for AD. They mostly use the raw ADSI API and are faster and more efficient than the .NET classes.

Post by jvierra » Mon Mar 18, 2019 6:58 am

Please also understand that "ValidateCredentials" does NOT create a login session. The only login that is used is the user account executing the call.

There is no create session for AD. Sessions are validated via the TKT that a user obtains when logging into Windows. All authentication is done by Windows. An ADSI call can use credentials but each ADSI call only passes a TKT if Kerberos is used. If Kerberos is down then NTLM will be tried next. That will do a full NTLM authentication and that will show on the DC event log. The NTLM session will disappear immediately after the command completes. That is why for both mapping a drive to the DC targeted will allow all connections for the user authenticated by the mapping.
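
Added example, not part of any post in this thread: a way to confirm on the DC which protocol a test logon actually used, by reading the Security log for event 4768 (Kerberos TGT request) and event 4776 (NTLM credential validation) for one account. The function name, 'DC01' and 'user01' are placeholders, and it assumes the Kerberos Authentication Service and Credential Validation audit subcategories are enabled on the DC and that the caller may read its Security log.

```powershell
# Added example (not from the thread). Function name and sample names are hypothetical.
function Get-DcAuthProtocolEvent {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$DomainController,
        [Parameter(Mandatory)][string]$UserName,
        [datetime]$Since = (Get-Date).AddMinutes(-15)
    )

    # Event IDs written by the DC itself when it authenticates an account
    $protocol = @{
        4768 = 'Kerberos (TGT request)'
        4776 = 'NTLM (credential validation)'
    }
    $filter = @{ LogName = 'Security'; Id = 4768, 4776; StartTime = $Since }

    Get-WinEvent -ComputerName $DomainController -FilterHashtable $filter |
        ForEach-Object {
            # Read the named EventData fields instead of relying on property order
            $data = @{}
            foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) {
                $data[$d.Name] = $d.'#text'
            }
            # The account may be logged as 'user' or 'user@REALM'
            $account = ($data['TargetUserName'] -split '@')[0]
            if ($account -ieq $UserName) {
                [pscustomobject]@{
                    TimeCreated = $_.TimeCreated
                    EventId     = $_.Id
                    Protocol    = $protocol[$_.Id]
                    Account     = $data['TargetUserName']
                    # 4768 records the client IP address, 4776 the workstation name
                    Source      = if ($_.Id -eq 4768) { $data['IpAddress'] } else { $data['Workstation'] }
                    Status      = $data['Status']   # 0x0 means success
                }
            }
        }
}

# Placeholder DC and account names
Get-DcAuthProtocolEvent -DomainController 'DC01' -UserName 'user01' |
    Sort-Object TimeCreated |
    Format-Table -AutoSize
```

A test that was meant to use Kerberos but shows only 4776 rows fell back to NTLM.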

Post by ErnieB » Sun Mar 24, 2019 2:37 am

Thanks very much for your time and the excellent details I appreciate it :)
