I am trying to open cmd.exe with "Run as different user" from the right-click context menu, choosing certificate-based authentication, and the user is an Azure user. It throws the error "username or password is incorrect". But with a password it works.
The machine is Azure-only joined. With the same user, Windows login works with certificate-based authentication to Azure AD.
I have also verified with a virtual smart card. The behavior is the same: Windows login works, but Run as different user throws the same error.
The Azure user is a member of the local Administrators group.
Is any additional configuration required for this scenario? Thanks for the help.
asked Mar 14 at 8:50 by HNR
3 comments
- The error "username or password is incorrect" when using "Run as different user" with Azure AD and certificate-based authentication likely occurs due to incompatibility between certificate authentication and the specific process. Ensure that the Azure AD credential provider is correctly configured, and check if MFA or local security policies are blocking the authentication. Consider updating Windows and reviewing Event Viewer for specific authentication errors. – Rukmini Commented Mar 14 at 11:01
- What is the problem? Look under a debugger at all the process internals, and see exactly at which point the error was. – RbMm Commented Mar 14 at 11:18
- Thanks @Rukmini. Windows is up to date. Where can I check this error info in Event Viewer? – HNR Commented Mar 15 at 9:52
1 Answer
In the case of "Run as different user", Windows uses CreateProcessWithLogonW to start the process. Here we can pass credentials only in the form lpDomain\lpUsername + lpPassword, which is packed into MSV1_0_INTERACTIVE_LOGON with MsV1_0InteractiveLogon.

You can ask, how does this work with smart cards / certificates? In the case of a certificate, the system assumes that the certificate is stored in the MY store for the current user. The system takes the SHA1 hash of the certificate and uses it in the call

    CERT_CREDENTIAL_INFO cci = { sizeof(cci) }; // cci.rgbHashOfCert holds the SHA1 hash of the cert
    PWSTR lpUserName;                            // receives the hash encoded as a user-name string
    CredMarshalCredential(CertCredential, &cci, &lpUserName);

So in the case of a certificate, the system passes in place of lpUsername the SHA1 hash of your cert, specially encoded as a string, and in place of lpPassword the PIN for your smart card is used.

Then such credentials are passed to lsass, where they are passed to the different authentication packages with SECPKG_FLAG_LOGON Capabilities: negoexts, kerberos, msv1_0, ... in that order.

negoexts has some subpackages, but it does not work with MsV1_0InteractiveLogon and returns STATUS_INVALID_PARAMETER. lsass continues to try another auth package after this error.

Next kerberos is used. kerberos specially checks the user name for an encoded certificate hash: it tries CredUnmarshalCredential on the user name string, and if it returns CertCredential, it understands that really this is a certificate logon. It impersonates the caller, opens its MY store, and searches there for the certificate by hash. If found, it tries to acquire the private key for this certificate and goes by this login path. This will work for a classic DC, but for an Azure-only DC this probably returns the error STATUS_NO_LOGON_SERVERS (We can't sign you in with this credential because your domain isn't available). After this error lsass again continues the process.

After this the next package used is msv1_0. It, unlike kerberos, does not check the user name for the special string (cert hash) and uses it as is. Of course your system has no user with such a name (this cannot even be random, because the string contains not-allowed symbols), and msv1_0 returns the error STATUS_LOGON_FAILURE (The attempted logon is invalid. This is either due to a bad username or authentication information.)

After this error, lsass stops processing and returns the error to the caller. Again: after a package returns STATUS_INVALID_PARAMETER, STATUS_NO_LOGON_SERVERS or several other special error codes, the process continues to the next registered package; but after the error STATUS_LOGON_FAILURE the process stops.

"Windows login works but Run as different user throws same error."

Because in the case of a separate Windows login (with credential providers) the credentials are not restricted to MSV1_0_INTERACTIVE_LOGON with MsV1_0InteractiveLogon, but in the case of Run as different user a restricted set of credentials is used.
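To make the path the answer describes concrete, here is an added example (mine, not the answer's code and not anything from Windows itself) that does by hand what "Run as different user" does: it P/Invokes CredMarshalCredential for a certificate from the current user's MY store, then passes the marshalled string as the user name and the PIN as the password to Start-Process -Credential, which launches through CreateProcessWithLogonW. Assumptions: the helper name ConvertTo-MarshaledCertCredential is mine, and the first certificate with a private key in Cert:\CurrentUser\My is taken to be the logon certificate. On an Azure AD-only joined device this is expected to fail exactly as the answer explains (kerberos finds no DC, msv1_0 rejects the encoded name), so it serves to confirm the explanation, not to work around it.

```powershell
# Added example: start a process as a different user with a smart-card certificate,
# the same way "Run as different user" does (CredMarshalCredential + CreateProcessWithLogonW).
Add-Type -Namespace Win32 -Name CredApi -MemberDefinition @'
    [StructLayout(LayoutKind.Sequential)]
    public struct CERT_CREDENTIAL_INFO {
        public uint cbSize;
        [MarshalAs(UnmanagedType.ByValArray, SizeConst = 20)]   // CERT_HASH_LENGTH (SHA1)
        public byte[] rgbHashOfCert;
    }
    public const int CertCredential = 1;                          // CRED_MARSHAL_TYPE value
    [DllImport("advapi32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    public static extern bool CredMarshalCredentialW(int CredType, ref CERT_CREDENTIAL_INFO Credential, out IntPtr MarshaledCredential);
    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool CredFree(IntPtr Buffer);
'@

function ConvertTo-MarshaledCertCredential {
    # Hypothetical helper: turns a certificate's SHA1 thumbprint into the string that
    # Windows hands to CreateProcessWithLogonW in place of lpUsername.
    param([Parameter(Mandatory)][string]$Thumbprint)
    $hash = [byte[]]::new(20)
    for ($i = 0; $i -lt 20; $i++) { $hash[$i] = [Convert]::ToByte($Thumbprint.Substring(2 * $i, 2), 16) }
    $cci = New-Object Win32.CredApi+CERT_CREDENTIAL_INFO
    $cci.cbSize = [Runtime.InteropServices.Marshal]::SizeOf([Win32.CredApi+CERT_CREDENTIAL_INFO])
    $cci.rgbHashOfCert = $hash
    $ptr = [IntPtr]::Zero
    if (-not [Win32.CredApi]::CredMarshalCredentialW([Win32.CredApi]::CertCredential, [ref]$cci, [ref]$ptr)) {
        throw "CredMarshalCredential failed, Win32 error $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
    }
    try { [Runtime.InteropServices.Marshal]::PtrToStringUni($ptr) }
    finally { [void][Win32.CredApi]::CredFree($ptr) }
}

# Take the logon certificate from the current user's MY store, where the answer says Windows looks for it
# (assumption: the first certificate with a private key is the smart-card logon certificate).
$cert = Get-ChildItem Cert:\CurrentUser\My | Where-Object HasPrivateKey | Select-Object -First 1
if (-not $cert) { throw 'No certificate with a private key found in Cert:\CurrentUser\My' }

$userName = ConvertTo-MarshaledCertCredential -Thumbprint $cert.Thumbprint
$pin      = Read-Host -AsSecureString -Prompt 'Smart card PIN'

# Start-Process -Credential goes through CreateProcessWithLogonW, like "Run as different user".
# Against a classic DC kerberos completes the certificate logon; on an Azure AD-only joined device
# expect "The user name or password is incorrect" (STATUS_LOGON_FAILURE from msv1_0, as explained above).
Start-Process -FilePath cmd.exe -Credential ([pscredential]::new($userName, $pin))
```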