Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Include AD/non-AD status in certificate #44549

Open
wants to merge 5 commits into
base: master
Choose a base branch
from
+17 −0
Open

Include AD/non-AD status in certificate #44549

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
f8b19c1
ad/non-ad
probakowski Jul 22, 2024
2a699d2
Merge remote-tracking branch 'origin/master' into probakowski/ad-and-…
probakowski Oct 22, 2024
dabbff4
Merge remote-tracking branch 'origin/master' into probakowski/ad-and-…
probakowski Feb 24, 2025
9d0b9cc
use separate OID for AD status
probakowski Feb 24, 2025
7a1c3fa
Merge branch 'master' into probakowski/ad-and-non-ad
probakowski Feb 25, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
10 changes: 10 additions & 0 deletions lib/auth/windows/windows.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -107,6 +107,13 @@ func getCertRequest(req *GenerateCredentialsRequest) (*certRequest, error) {
csr.ExtraExtensions = append(csr.ExtraExtensions, createUser)
}

if req.AD {
csr.ExtraExtensions = append(csr.ExtraExtensions, pkix.Extension{
Id: tlsca.ADStatusOID,
Value: []byte("AD"),
})
}

if req.ActiveDirectorySID != "" {
adUserMapping, err := asn1.Marshal(SubjectAltName[adSid]{
otherName[adSid]{
Expand Down Expand Up @@ -194,6 +201,9 @@ type GenerateCredentialsRequest struct {
// CRL Distribution Point (CDP). CDPs are required in user certificates
// for RDP, but they can be omitted for certs that are used for LDAP binds.
OmitCDP bool

// AD is true if we're connection to AD-joined desktop
AD bool
}

// GenerateWindowsDesktopCredentials generates a private key / certificate pair for the given
Expand Down
4 changes: 4 additions & 0 deletions lib/srv/desktop/windows_server.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -1311,6 +1311,7 @@ func (s *WindowsService) generateUserCert(ctx context.Context, username string,
return s.generateCredentials(ctx, generateCredentialsRequest{
username: username,
domain: desktop.GetDomain(),
ad: !desktop.NonAD(),
ttl: ttl,
activeDirectorySID: activeDirectorySID,
createUser: createUsers,
Expand All @@ -1324,6 +1325,8 @@ type generateCredentialsRequest struct {
username string
// domain is the Windows domain
domain string
// ad is true if we're connection to AD-joined desktop
ad bool
// ttl for the certificate
ttl time.Duration
// activeDirectorySID is the SID of the Windows user
Expand Down Expand Up @@ -1355,6 +1358,7 @@ func (s *WindowsService) generateCredentials(ctx context.Context, request genera
CAType: types.UserCA,
Username: request.username,
Domain: request.domain,
AD: request.ad,
TTL: request.ttl,
ClusterName: s.clusterName,
ActiveDirectorySID: request.activeDirectorySID,
Expand Down
3 changes: 3 additions & 0 deletions lib/tlsca/ca.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -567,6 +567,9 @@ var (
// JoinAttributesASN1ExtensionOID is an extension that encodes the
// attributes that resulted from the Bot/Agent join process.
JoinAttributesASN1ExtensionOID = asn1.ObjectIdentifier{1, 3, 9999, 2, 21}

// ADStatusOID is an extension OID used to indicate that we're connecting to AD-joined desktop.
ADStatusOID = asn1.ObjectIdentifier{1, 3, 9999, 2, 22}
)

// Device Trust OIDs.
Expand Down
Loading