SUBJECT / PROBLEM DESCRIPTION
Starting in Windows 11, version 24H2, Microsoft disables by default the inclusion of the password payload in MPR notifications, so the user password can no longer be retrieved by the “Integration with Windows authentication” feature of EAM.
More information is available here: https://learn.microsoft.com/en-us/windows/whats-new/deprecated-features.
According to Microsoft, the feature is disabled for security reasons: delivering the password in MPR notifications presents a risk of password exposure and harvesting by malicious users.
Consequences: with this change, the “Integration with Windows authentication” feature no longer works. When the Windows session opens, the EAM components running inside it (ESSOCredentialManager and SSOEngine) can no longer be started automatically with the user password, and an authentication dialog is displayed at session opening.
ANSWER / SOLUTION
To work around this issue, two options are possible:
1 - Revert this change through a registry setting
2 - Change the authentication method to Session mode
Revert this change:
The following registry value can be set:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"EnableMPR"=dword:00000001
This can be deployed through GPO: “Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Logon Options”
The setting name is “Configure the transmission of the user's password in the content of MPR notifications sent by winlogon.”
To make this parameter available, you may need the “WinLogon.admx” from the Administrative Templates (.admx) for Windows 11 2024 Update (24H2). You can get them here:
https://www.microsoft.com/en-us/download/details.aspx?id=106254
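The registry workaround above, scripted in PowerShell, as an added example that is not Evidian's or Microsoft's code. Because EnableMPR=1 restores exactly the behaviour Microsoft considers risky (the clear-text password is handed to every network provider DLL registered on the machine), the script also lists those providers so that an administrator can confirm that only expected DLLs will receive it. It assumes it is run elevated; the registry path and policy name are the ones given above, the build number 26100 for Windows 11 24H2 is a known fact, and the provider list under HKLM\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order is the standard MPR registration.

```powershell
# Added example (not Evidian's or Microsoft's code): re-enable the password payload in
# MPR notifications on Windows 11 24H2 and audit the network providers that will receive it.
#Requires -RunAsAdministrator

$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$valueName = 'EnableMPR'

# 1. The default only changed in Windows 11 24H2 (build 26100); earlier builds still
#    send the password, so the value is not needed there.
$build = [int](Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').CurrentBuildNumber
if ($build -lt 26100) {
    Write-Host "Build $build predates Windows 11 24H2; the MPR password payload is not disabled by default here."
}

# 2. Show the current state of the policy value before changing it.
$current = (Get-ItemProperty -Path $policyKey -Name $valueName -ErrorAction SilentlyContinue).$valueName
Write-Host "Current $valueName value: $(if ($null -eq $current) { '<not set>' } else { $current })"

# 3. Set EnableMPR = 1 (REG_DWORD), creating the Policies\System key if it is missing.
#    This is the same value the GPO "Configure the transmission of the user's password in
#    the content of MPR notifications sent by winlogon" writes when set to Enabled.
if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
New-ItemProperty -Path $policyKey -Name $valueName -PropertyType DWord -Value 1 -Force | Out-Null
Write-Host "$valueName set to 1; the change applies at the next interactive logon."

# 4. Audit: every provider in ProviderOrder is notified at logon and, with EnableMPR = 1,
#    receives the clear-text password. Anything beyond the Windows providers and the
#    EAM provider deserves a look (unsigned or unexpected ProviderPath in particular).
$order = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order').ProviderOrder
foreach ($name in ($order -split ',')) {
    $npKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$name\NetworkProvider"
    $path  = (Get-ItemProperty -Path $npKey -Name ProviderPath -ErrorAction SilentlyContinue).ProviderPath
    $status = 'n/a'
    if ($path) {
        $full = [Environment]::ExpandEnvironmentVariables($path)
        if (Test-Path $full) { $status = (Get-AuthenticodeSignature -FilePath $full).Status }
        else { $status = 'missing file' }
    }
    [pscustomobject]@{ Provider = $name; ProviderPath = $path; Signature = $status }
}
```

The provider audit is the part worth keeping after the one-time registry change: run it again whenever the machine's software changes, since a new entry in ProviderOrder is all a local attacker needs to get a copy of each user's password at logon once the payload is re-enabled.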
Session mode authentication:
You can enable the “Session” authentication, as described here:
https://support.evidian.com/knowledge_base/index.php?path=Global_Area/Q009335.htm
The password is then no longer used to launch ESSOCredentialManager and SSOEngine; they authenticate with the Kerberos ticket of the session instead.
Enterprise Access Management VERSION(S)
All versions