Obtain Windows Logon Token using WebAuthN API


I am on an Azure domain where users are able to logon using their FIDO2 security keys. I would like to be able to obtain a user's Windows Logon token using their security key.

There are some very good C++ samples of Authentication (Assertion) of keys ( https://github.com/aseigler/HelloSample/blob/master/hello/hello.cpp ), but I have not found any way of using the returned Assertion information to obtain a user's logon token that can then be used for impersonation. This should be possible, since a user can use that same security key to log in to or unlock the Windows workstation.

I see some very interesting exported functions in the Windows WebAuthN.dll like WebAuthNGetPlatformCredentials or WebAuthNDecodeAccountInformation. Unfortunately, these functions do not seem to be documented.

Has anyone managed to obtain a Windows Logon Token using WebAuthN or have any idea of how this can be done?


1
Nick Abbot On

This is how I use Impersonation when users access IIS web apps and connect to Web services or SQL Server on the IIS server.

        Imports System.Security.Principal
        Imports System.Web

        ' Assumes IIS Windows authentication: the request's identity is the authenticated user's WindowsIdentity
        Dim currentWindowsIdentity As WindowsIdentity = CType(HttpContext.Current.User.Identity, WindowsIdentity)
        Dim impersonationContext As WindowsImpersonationContext = currentWindowsIdentity.Impersonate()
        Try
            ' Insert your code that runs under the security context of the authenticating user here.
        Finally
            impersonationContext.Undo()
        End Try

PS: If you're asking users for their credentials,...ever, the systems you're using should be burned and you should be fired immediately.
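The answer above only covers impersonating an identity that IIS has already produced; it does not create a token from a FIDO2 assertion, which is what the question asks for. As an added example (not the answerer's code), here is the same scoped impersonation written in C# with `WindowsIdentity.RunImpersonated`, which reverts automatically even when the impersonated code throws. It assumes classic ASP.NET (`System.Web`) with Windows authentication enabled; the class and method names `RequestImpersonation`, `RunAsRequestUser` and `CurrentAccountName` are hypothetical:

```csharp
using System;
using System.Security.Principal;
using System.Web;

// Added example: scoped impersonation of the Windows identity that IIS already
// authenticated for the current request. Assumes classic ASP.NET (System.Web)
// with Windows authentication; under Forms or anonymous authentication
// User.Identity is not a WindowsIdentity and no impersonation is possible.
public static class RequestImpersonation
{
    // Runs 'work' under the security context of the authenticated user and
    // reverts when the delegate returns, even if it throws. Returns false when
    // the request carries no authenticated Windows identity to impersonate.
    public static bool RunAsRequestUser(Action work)
    {
        var identity = HttpContext.Current?.User?.Identity as WindowsIdentity;
        if (identity == null || !identity.IsAuthenticated || identity.IsAnonymous)
            return false;

        // RunImpersonated undoes the impersonation itself, so there is no
        // Undo() call that can be skipped on an exception path.
        WindowsIdentity.RunImpersonated(identity.AccessToken, () =>
        {
            // Everything here (file, SQL Server, web service calls) executes
            // with the user's token, not the application pool identity.
            work();
        });
        return true;
    }

    // Reports which account the calling code is currently running as; call it
    // inside and outside RunAsRequestUser to confirm the context switch.
    public static string CurrentAccountName() => WindowsIdentity.GetCurrent().Name;
}
```

A typical call is `RequestImpersonation.RunAsRequestUser(() => Log(RequestImpersonation.CurrentAccountName()));`. Note that `identity.AccessToken` is a handle to a token the platform issued when it authenticated the request (Kerberos or NTLM behind IIS Windows authentication); this is the piece a WebAuthN assertion alone does not give you, and nothing in this example derives a token from one.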