Re: Authenticating a user on Windows Server 2003
From: Paul Todd (reg_todd_at_hotmail.com)
Date: 09/10/03
- Next message: Sergio Dutra [MS]: "Re: Get Authority Key Identifier"
- Previous message: Shawn Anderson: "GINA and mulitple threads??? Weird"
- In reply to: Matthias Moetje: "Re: Authenticating a user on Windows Server 2003"
- Next in thread: Matthias Moetje: "Re: Authenticating a user on Windows Server 2003"
- Reply: Matthias Moetje: "Re: Authenticating a user on Windows Server 2003"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Tue, 9 Sep 2003 23:07:10 +0100
Okay, I would suggest three things:
a) Enable auditing of failed logon events and post the login failure here or
email it to my hotmail account.
b) Ensure the "Access this computer from the network" right is assigned to
everyone and is effective for all those who need to log in.
c) Try the code at this link and see if it works.
http://www.develop.com/kbrown/security/code/sspi_auth.cpp
Paul
"Matthias Moetje" <moetje@terasens_nospam_.de> wrote in message
news:OONz31hdDHA.904@TK2MSFTNGP11.phx.gbl...
> Hi,
>
> The code is taken from the KB article; basically it's:
>
> // Prepare client message (negotiate) .
> if (!GenClientContext(&asClient, &ai, NULL, 0, pClientBuf,
> &cbOut, &fDone)) __leave;
>
> // Prepare server message (challenge) .
> if (!GenServerContext(&asServer, pClientBuf, cbIn, pServerBuf,
> &cbOut, &fDone)) __leave;
>
> // Prepare client message (authenticate) .
>
> if (!GenClientContext(&asClient, &ai, pServerBuf, cbIn, pClientBuf,
> &cbOut,&fDone)) __leave;
>
> // Prepare server message (authentication) .
> if (!GenServerContext(&asServer, pClientBuf, cbIn, pServerBuf,
> &cbOut, &fDone)) __leave;
>
> Here's the outline of GenServerContext:
>
> ss = _AcquireCredentialsHandle(NULL, _T("NTLM"), SECPKG_CRED_INBOUND,
> NULL, NULL, NULL, NULL, &pAS->hcred, &tsExpiry);
>
> ss = _AcceptSecurityContext(&pAS->hcred, pAS->fInitialized ? &pAS->hctxt : NULL,
> &sbdIn, 0, SECURITY_NATIVE_DREP, &pAS->hctxt, &sbdOut, fContextAttr,
> &tsExpiry);
>
> if (ss == SEC_I_COMPLETE_NEEDED || ss == SEC_I_COMPLETE_AND_CONTINUE) {
> if (_CompleteAuthToken) {
> ss = _CompleteAuthToken(&pAS->hctxt, &sbdOut);
> }
> }
>
> Here's the outline of GenClientContext:
>
> ss = _AcquireCredentialsHandle(NULL, _T("NTLM"), SECPKG_CRED_OUTBOUND,
> NULL, pAuthIdentity, NULL, NULL, &pAS->hcred, &tsExpiry);
>
> ss = _InitializeSecurityContext(&pAS->hcred, pAS->fInitialized ?
> &pAS->hctxt : NULL,
> NULL, 0, 0, SECURITY_NATIVE_DREP, pAS->fInitialized ? &sbdIn : NULL,
> 0, &pAS->hctxt, &sbdOut, &fContextAttr, &tsExpiry);
>
>
> The complete code can be found on page
> http://support.microsoft.com/default.aspx?scid=kb;en-us;180548
> or tell me if you need more details
>
> Thanks very much for your help,
> best regards,
>
> --
> Matthias Moetje
> -------------------------------------
> TERASENS GmbH
> Ehrenbreitsteiner Straße 32
> 80993 München
> -------------------------------------
> Fon: +49 89 143370-0
> Fax: +49 89 143370-22
> e-mail: moetje at terasens dot de
> www: www.terasens.de
> -------------------------------------
> "Paul Todd" <reg_todd@hotmail.com> wrote in message
> news:%23$fxBNhdDHA.1728@TK2MSFTNGP09.phx.gbl...
> > Maybe you can post some of your code. We use SSPI for authentication and
> > have not had a problem with 2003 - many of our customers are using it now.
> >
> > Paul
> >
> > "Matthias Moetje" <moetje@terasens_nospam_.de> wrote in message
> > news:eXb%23mKbdDHA.1532@TK2MSFTNGP10.phx.gbl...
> > > Hi Nick, thanks for your reply.
> > >
> > > I am executing this code directly on the DC.
> > > I deactivated the option you mentioned and rebooted.
> > > The effective policy settings for the DC machine show that
> > > the option is really deactivated. But the problem was not
> > > solved, I keep getting the same error.
> > >
> > > If the problem was about signed communication
> > > wouldn't the code fail on some function before
> > > AcceptSecurityContext anyway?
> > >
> > > Thanks very much for your help,
> > >
> > > --
> > > Matthias Moetje
> > > -------------------------------------
> > > TERASENS GmbH
> > > Ehrenbreitsteiner Straße 32
> > > 80993 München
> > > -------------------------------------
> > > Fon: +49 89 143370-0
> > > Fax: +49 89 143370-22
> > > e-mail: moetje at terasens dot de
> > > www: www.terasens.de
> > > -------------------------------------
> > > "Nick Finco [MSFT]" <nfinco@online.microsoft.com> wrote in message
> > > news:uRgnoUZdDHA.1712@tk2msftngp13.phx.gbl...
> > > > One difference with WS2003 is that sign/seal for SMB has been enabled by
> > > > default on DCs. This will cause WinNT and Win9x clients to fail in their
> > > > authentication attempt. Try turning off the "Microsoft network server:
> > > > Digitally sign communications (always)" option on your DC.
> > > >
> > > > N
> > > >
> > > > --
> > > > This posting is provided "AS IS" with no warranties, and confers no rights.
> > > > Use of included script samples are subject to the terms specified at
> > > > http://www.microsoft.com/info/cpyright.htm
> > > >
> > > >
> > > > "Matthias Moetje" <moetje@terasens_nospam_.de> wrote in message
> > > > news:uqizmoMdDHA.1044@TK2MSFTNGP10.phx.gbl...
> > > > > Hi,
> > > > >
> > > > > I have previously been using code derived from KB article
> > > > > Q180548 HOWTO: Validate User Credentials on Microsoft Operating Systems.
> > > > >
> > > > > This code always worked well on W2k and WinXP but on Windows Server 2003 the
> > > > > code fails at function AcceptSecurityContext with error SEC_E_LOGON_DENIED
> > > > > although the specified credentials are valid.
> > > > >
> > > > > The same problem occurs with the VB version from article
> > > > > Q279815 HOWTO: Validate User Credentials from Visual Basic by Using SSPI,
> > > > > so there must have been some kind of change in Windows 2003.
> > > > >
> > > > > How can I get this to work? I know that for security reasons normally this
> > > > > type of authentication should not be used, but we need this function for a
> > > > > setup program that needs to check that the credentials provided as logon
> > > > > information for a service are valid. (Otherwise the Windows Installer based
> > > > > setup will fail...)
> > > > >
> > > > > Thanks for any help!
> > > > >
> > > > > Best regards,
> > > > >
> > > > > Matthias Moetje
> > > > > TERASENS GmbH
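Added example, not part of the original thread or of the KB article code: a small triage of failed-logon audit records, the kind of entry suggestion (a) asks for, that separates a rejected password from a missing network logon right as in suggestion (b). The event IDs are the Windows Server 2003 Security-log numbers; the four-column export layout, the account names and the sample rows are constructed for illustration.

```python
import csv
import io

# Windows Server 2003 Security-log logon-failure event IDs (pre-Vista numbering).
FAILURE_REASONS = {
    529: "unknown user name or bad password",
    530: "logon time restriction",
    531: "account disabled",
    532: "account expired",
    533: "not allowed to log on at this computer",
    534: "requested logon type not granted",
    535: "password expired",
    539: "account locked out",
}
NETWORK_LOGON = 3  # logon type produced by a server-side NTLM SSPI handshake

# Constructed sample export (hypothetical layout): event_id,user,domain,logon_type
SAMPLE = """\
529,svc_setup,EXAMPLE,3
534,svc_setup,EXAMPLE,3
529,alice,EXAMPLE,2
540,bob,EXAMPLE,3
"""  # 540 is a successful network logon and must not be reported


def triage(export_text):
    """Return (account, event_id, reason, hint) for failed network logons."""
    findings = []
    for row in csv.reader(io.StringIO(export_text)):
        # Skip blank or malformed rows instead of failing on them.
        if len(row) != 4 or not row[0].isdigit() or not row[3].isdigit():
            continue
        event_id, user, domain, logon_type = int(row[0]), row[1], row[2], int(row[3])
        reason = FAILURE_REASONS.get(event_id)
        if reason is None or logon_type != NETWORK_LOGON:
            continue
        if event_id == 534:
            hint = 'check the "Access this computer from the network" right'
        elif event_id == 529:
            hint = "credentials rejected; recheck user, domain and password"
        else:
            hint = "account state blocks logon; inspect the account"
        findings.append((f"{domain}\\{user}", event_id, reason, hint))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(*finding, sep=" | ")
```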