Re: Authenticating a user on Windows Server 2003

From: Paul Todd (reg_todd_at_hotmail.com)
Date: 09/12/03


Date: Fri, 12 Sep 2003 00:15:43 +0100


Hi,

I am actually going on anecdotal evidence from customers who have deployed our
product. This is not 100% reliable as they use the negotiate SSPI rather
than NTLM.

Are you running this application on the 2003 box or on a separate computer?

I have had a 2003 server setup today so when I get into the office I will
run a test and see what happens.

In the meantime, there is a bug that's been reported with 2003 and NTLM.

In the ***Machine Local security Policy***, security options, you must
change the "Network Security: LAN Manager Authentication Level" from "Send
NTLM response only" to "Send LM & NTLM responses".

"Matthias Moetje" <moetje@terasens_nospam_.de> wrote in message
news:%234liYfGeDHA.1700@TK2MSFTNGP10.phx.gbl...
> Hi Paul,
>
> > b) Ensure the "Access this computer from the network" right is assigned to
> > everyone and is effective for all those who need to log in.
>
> Everyone has this right.
>
>
> I finally implemented the code from
>
> http://www.develop.com/kbrown/security/code/sspi_auth.cpp
>
> and still get the same results (which did not surprise me
> because I already used two different implementations
> that produced the same result.)
But now I know that there is code that I can test on our box that I know
does not work on yours.
>
> Do you use Win2003 yourself? Can anyone confirm that
> any of those implementations does work on W2k3 DC Server
> with default installation?
>
> > a) Enable Auditing of Failed Logon Events and post the login failure
> > here or email it to my hotmail account:
>
> (translated from German)
> EventID: 529
>
> Failed Logon:
> Reason: Unknown Username or invalid password
> User: administrator
> Domain: TEST
> LogonType: 3
> LogonProcedure: NtLmSsp
> Auth Package: NTLM
> Name of Workstation: OFFICE
> Aufruferbenutzername: -
> Aufruferdomäne: -
> Aufruferanmeldekennung: -
> Aufruferprozesskennung: -
> Übertragene Dienste: -
> Quellnetzwerkadresse: -
> Quellport: -
>
>
> The Username and password I supply are correct. I call the
> application with:
>
> authenticate DOMAIN administrator PASSWORD
>
> Anyone an idea?
>
> Thanks,
>
> --
> Matthias Moetje
> -------------------------------------
> TERASENS GmbH
> Ehrenbreitsteiner Straße 32
> 80993 München
> -------------------------------------
> Fon: +49 89 143370-0
> Fax: +49 89 143370-22
> e-mail: moetje at terasens dot de
> www: www.terasens.de
> -------------------------------------
> "Paul Todd" <reg_todd@hotmail.com> wrote in message
> news:%23$w5W7xdDHA.1932@TK2MSFTNGP10.phx.gbl...
> > Okay, I would suggest three things:
> > a) Enable Auditing of Failed Logon Events and post the login failure
> > here or email it to my hotmail account.
> > b) Ensure the "Access this computer from the network" right is assigned to
> > everyone and is effective for all those who need to log in.
> > c) Try the code at this link and see if it works.
> > http://www.develop.com/kbrown/security/code/sspi_auth.cpp
> >
> > Paul
> >
> > "Matthias Moetje" <moetje@terasens_nospam_.de> wrote in message
> > news:OONz31hdDHA.904@TK2MSFTNGP11.phx.gbl...
> > > Hi,
> > >
> > > the code is taken from the KB article basically it's:
> > >
> > > // Leg 1: client builds the NTLM negotiate token.
> > > // Prepare client message (negotiate).
> > > if (!GenClientContext(&asClient, &ai, NULL, 0, pClientBuf,
> > >                       &cbOut, &fDone)) __leave;
> > >
> > > // Leg 2: server consumes the negotiate token and returns the challenge.
> > > // Prepare server message (challenge).
> > > if (!GenServerContext(&asServer, pClientBuf, cbIn, pServerBuf,
> > >                       &cbOut, &fDone)) __leave;
> > >
> > > // Leg 3: client answers the challenge with the authenticate token.
> > > // Prepare client message (authenticate).
> > > if (!GenClientContext(&asClient, &ai, pServerBuf, cbIn, pClientBuf,
> > >                       &cbOut, &fDone)) __leave;
> > >
> > > // Leg 4: server validates the response; this is the call that returns
> > > // SEC_E_LOGON_DENIED on the 2003 DC.
> > > // Prepare server message (authentication).
> > > if (!GenServerContext(&asServer, pClientBuf, cbIn, pServerBuf,
> > >                       &cbOut, &fDone)) __leave;
> > >
> > > Here's the outline of GenServerContext:
> > >
> > > // Inbound (server-side) NTLM credentials for the accepting process.
> > > ss = _AcquireCredentialsHandle(NULL, _T("NTLM"), SECPKG_CRED_INBOUND,
> > >                                NULL, NULL, NULL, NULL, &pAS->hcred,
> > >                                &tsExpiry);
> > >
> > > // On the first call there is no context yet, so pass NULL for it.
> > > ss = _AcceptSecurityContext(&pAS->hcred,
> > >                             pAS->fInitialized ? &pAS->hctxt : NULL,
> > >                             &sbdIn, 0, SECURITY_NATIVE_DREP, &pAS->hctxt,
> > >                             &sbdOut, fContextAttr, &tsExpiry);
> > >
> > > if (ss == SEC_I_COMPLETE_NEEDED || ss == SEC_I_COMPLETE_AND_CONTINUE) {
> > >     if (_CompleteAuthToken) {
> > >         ss = _CompleteAuthToken(&pAS->hctxt, &sbdOut);
> > >     }
> > > }
> > >
> > > Here's the outline of GenClientContext:
> > >
> > > // Outbound (client-side) NTLM credentials built from the supplied
> > > // SEC_WINNT_AUTH_IDENTITY (domain, user, password).
> > > ss = _AcquireCredentialsHandle(NULL, _T("NTLM"), SECPKG_CRED_OUTBOUND,
> > >                                NULL, pAuthIdentity, NULL, NULL,
> > >                                &pAS->hcred, &tsExpiry);
> > >
> > > // The server's token is only passed in from the second call onwards.
> > > ss = _InitializeSecurityContext(&pAS->hcred,
> > >                                 pAS->fInitialized ? &pAS->hctxt : NULL,
> > >                                 NULL, 0, 0, SECURITY_NATIVE_DREP,
> > >                                 pAS->fInitialized ? &sbdIn : NULL,
> > >                                 0, &pAS->hctxt, &sbdOut, &fContextAttr,
> > >                                 &tsExpiry);
> > >
> > >
> > > The complete code can be found on page
> > > http://support.microsoft.com/default.aspx?scid=kb;en-us;180548
> > > or tell me if you need more details
> > >
> > > Thanks very much for your help,
> > > best regards,
> > >
> > > --
> > > Matthias Moetje
> > > -------------------------------------
> > > TERASENS GmbH
> > > Ehrenbreitsteiner Straße 32
> > > 80993 München
> > > -------------------------------------
> > > Fon: +49 89 143370-0
> > > Fax: +49 89 143370-22
> > > e-mail: moetje at terasens dot de
> > > www: www.terasens.de
> > > -------------------------------------
> > > "Paul Todd" <reg_todd@hotmail.com> wrote in message
> > > news:%23$fxBNhdDHA.1728@TK2MSFTNGP09.phx.gbl...
> > > > Maybe you can post some of your code. We use SSPI for authentication
> > > > and have not had a problem with 2003 - many of our customers are
> > > > using it now.
> > > >
> > > > Paul
> > > >
> > > > "Matthias Moetje" <moetje@terasens_nospam_.de> wrote in message
> > > > news:eXb%23mKbdDHA.1532@TK2MSFTNGP10.phx.gbl...
> > > > > Hi Nick, thanks for your reply.
> > > > >
> > > > > I am executing this code directly on the DC.
> > > > > I deactivated the option you mentioned and rebooted.
> > > > > The effective policy settings for the DC machine show that
> > > > > the option is really deactivated. But the problem was not
> > > > > solved, I keep getting the same error.
> > > > >
> > > > > If the problem was about signed communication
> > > > > wouldn't the code fail on some function before
> > > > > AcceptSecurityContext anyway?
> > > > >
> > > > > Thanks very much for your help,
> > > > >
> > > > > --
> > > > > Matthias Moetje
> > > > > -------------------------------------
> > > > > TERASENS GmbH
> > > > > Ehrenbreitsteiner Straße 32
> > > > > 80993 München
> > > > > -------------------------------------
> > > > > Fon: +49 89 143370-0
> > > > > Fax: +49 89 143370-22
> > > > > e-mail: moetje at terasens dot de
> > > > > www: www.terasens.de
> > > > > -------------------------------------
> > > > > "Nick Finco [MSFT]" <nfinco@online.microsoft.com> wrote in message
> > > > > news:uRgnoUZdDHA.1712@tk2msftngp13.phx.gbl...
> > > > > > One difference with WS2003 is that sign/seal for SMB has been
> > > > > > enabled by default on DCs. This will cause WinNT and Win9x clients
> > > > > > to fail in their authentication attempt. Try turning off the
> > > > > > "Microsoft network server: Digitally sign communications (always)"
> > > > > > option on your DC.
> > > > > >
> > > > > > N
> > > > > >
> > > > > > --
> > > > > > This posting is provided "AS IS" with no warranties, and confers
> > > > > > no rights.
> > > > > > Use of included script samples is subject to the terms specified
> > > > > > at http://www.microsoft.com/info/cpyright.htm
> > > > > >
> > > > > >
> > > > > > "Matthias Moetje" <moetje@terasens_nospam_.de> wrote in message
> > > > > > news:uqizmoMdDHA.1044@TK2MSFTNGP10.phx.gbl...
> > > > > > > Hi,
> > > > > > >
> > > > > > > I have previously been using code derived from KB article
> > > > > > > Q180548 HOWTO: Validate User Credentials on Microsoft Operating
> > > > > > > Systems.
> > > > > > >
> > > > > > > This code always worked well on W2k and WinXP, but on Windows
> > > > > > > Server 2003 the code fails at function AcceptSecurityContext with
> > > > > > > error SEC_E_LOGON_DENIED although the specified credentials are
> > > > > > > valid.
> > > > > > >
> > > > > > > The same problem occurs with the VB version from article
> > > > > > > Q279815 HOWTO: Validate User Credentials from Visual Basic by
> > > > > > > Using SSPI, so there must have been some kind of change in
> > > > > > > Windows 2003.
> > > > > > >
> > > > > > > How can I get this to work? I know that for security reasons
> > > > > > > this type of authentication normally should not be used, but we
> > > > > > > need this function for a setup program that needs to check that
> > > > > > > the credentials provided as logon information for a service are
> > > > > > > valid. (Otherwise the Windows Installer based setup will
> > > > > > > fail...)
> > > > > > >
> > > > > > > Thanks for any help!
> > > > > > >
> > > > > > > Best regards,
> > > > > > >
> > > > > > > Matthias Moetje
> > > > > > > TERASENS GmbH
> > > > > > >
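The failure audit quoted in the thread (EventID 529, LogonType 3, logon process NtLmSsp, package NTLM) is the artefact a defender works from when an SSPI validation call fails, so the example below parses records in that layout and runs two checks over them: does a record match the symptom described in the thread, and how many failures did each account accumulate from each workstation. This is an added example written for this page, not code from the thread or from the Microsoft KB articles it cites. The records are constructed from the field layout of the quoted event; keeping the German labels the poster left untranslated alongside their English equivalents is an assumption about the localised log, and the threshold of three is an arbitrary demonstration value.

```python
"""Parse Security-log failure audits (Event ID 529) in the layout quoted in
the thread and flag the pattern it describes.  Added example; the records
below are constructed, not taken from a real system.
"""
from collections import Counter

# Labels as they appear in the quoted event, English and the German ones the
# poster left untranslated, normalised to one key each (assumed equivalents).
FIELD_ALIASES = {
    "reason": "reason", "user": "user", "domain": "domain",
    "logontype": "logon_type", "logon type": "logon_type",
    "logonprocedure": "logon_process", "logon process": "logon_process",
    "auth package": "auth_package", "authentication package": "auth_package",
    "name of workstation": "workstation", "workstation name": "workstation",
    "quellnetzwerkadresse": "source_address",
    "source network address": "source_address",
    "quellport": "source_port", "source port": "source_port",
}


def parse_529(text):
    """Turn one record's 'Label: value' lines into a dict of normalised keys.
    A lone '-' (the log's way of saying 'not set') becomes None; labels not
    in FIELD_ALIASES are kept under their lower-cased original name."""
    rec = {"event_id": None}
    for line in text.splitlines():
        label, sep, value = line.partition(":")
        value = value.strip()
        if not sep or not value:          # blank line or bare header line
            continue
        key = label.strip().lower()
        if key == "eventid":
            rec["event_id"] = int(value)
            continue
        rec[FIELD_ALIASES.get(key, key)] = None if value == "-" else value
    return rec


def is_ntlm_network_failure(rec):
    """The symptom from the thread: a network logon (type 3) handled by the
    NtLmSsp logon process with the NTLM package, refused as bad user/password."""
    return (rec.get("event_id") == 529
            and rec.get("logon_type") == "3"
            and (rec.get("logon_process") or "").lower() == "ntlmssp"
            and (rec.get("auth_package") or "").upper() == "NTLM")


def failures_per_account(records, threshold=3):
    """Count 529s per (DOMAIN\\user, workstation) and return the pairs at or
    above threshold; the usual first cut for separating a misconfigured
    host from password guessing."""
    counts = Counter()
    for rec in records:
        if rec.get("event_id") != 529:
            continue
        counts[(f"{rec.get('domain')}\\{rec.get('user')}",
                rec.get("workstation"))] += 1
    return {k: n for k, n in counts.items() if n >= threshold}


def render_529(user, domain, workstation, logon_type="3",
               logon_process="NtLmSsp", auth_package="NTLM",
               source_address="-"):
    """Constructed sample record in the mixed English/German layout of the
    event quoted in the thread."""
    return "\n".join([
        "EventID: 529", "", "Failed Logon:",
        "Reason: Unknown Username or invalid password",
        f"User: {user}", f"Domain: {domain}", f"LogonType: {logon_type}",
        f"LogonProcedure: {logon_process}", f"Auth Package: {auth_package}",
        f"Name of Workstation: {workstation}",
        "Aufruferbenutzername: -",
        f"Quellnetzwerkadresse: {source_address}", "Quellport: -",
    ])


# Constructed sample: three local failures like the quoted one, one from
# another host, and one interactive Negotiate failure that should not match.
SAMPLE_RECORDS = [
    render_529("administrator", "TEST", "OFFICE"),
    render_529("administrator", "TEST", "OFFICE"),
    render_529("administrator", "TEST", "OFFICE"),
    render_529("backup", "TEST", "FILESRV", source_address="192.0.2.10"),
    render_529("svc", "TEST", "OFFICE", logon_type="2",
               logon_process="User32", auth_package="Negotiate"),
]

if __name__ == "__main__":
    parsed = [parse_529(t) for t in SAMPLE_RECORDS]
    for rec in parsed:
        print(rec["user"], "matches thread symptom:", is_ntlm_network_failure(rec))
    print("repeated failures:", failures_per_account(parsed))
```

The parser keys on labels rather than positions so the same code reads a record regardless of which labels the localised log translated; unknown labels survive under their own name rather than being dropped.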