Re: Method LsaCallAuthenticationPackage fails on Windows server 2003

From: Jason McCoal (slavek_at_slavojpisek.cz)
Date: 04/29/04

  • Next message: Óliver: "EncryptMessage problem in windows Me(II)"
    Date: Thu, 29 Apr 2004 11:45:44 +0200
    
    

    Hi Amit,
    thanks for your response.
    The base scenario I use is as follows:

    /*************************************************************************************/
    krb5Authenticate(const std::string &user, const std::string &realm,
                     const std::string &password) const
    {
     NTSTATUS stat;
     LSA_STRING pkgName;
     HANDLE handle;
     ULONG packageId;
     ULONG retBufSize = 0;
     void *retBuf = NULL;
     NTSTATUS subStat = 0;
     NTSTATUS retVal;

     /* Untrusted connection: needs no SeTcbPrivilege, but can only act on
        the caller's own logon session. */
     stat = LsaConnectUntrusted(&handle);
     if (stat != STATUS_SUCCESS) {
      return authNo;
     }

     /* LSA_STRING lengths are byte counts; MaximumLength includes the terminator. */
     pkgName.Buffer = (PCHAR) "Kerberos";
     pkgName.Length = (USHORT) strlen(pkgName.Buffer);
     pkgName.MaximumLength = pkgName.Length + 1;
     stat = LsaLookupAuthenticationPackage(handle, &pkgName, &packageId);
     if (stat != STATUS_SUCCESS) {
      LsaDeregisterLogonProcess(handle);   /* the handle was leaked on this path */
      return authNo;
     }

     Krb5TicketRequest request(user, realm, password);

     retVal = lib.LsaCallAuthenticationPackage(handle, packageId,
                  request.getRequest(), request.getRequestSize(),
                  &retBuf, &retBufSize, &subStat);

     /* Two results come back: retVal says whether the call reached LSASS at all,
        subStat (ProtocolStatus) is the Kerberos package's own verdict. Checking
        subStat alone is unsafe: on a failed call it is still 0 (STATUS_SUCCESS),
        so a transport error would have been reported as a successful logon.
        LsaNtStatusToWinError() turns either value into a Win32 error code. */
     bool ok = (retVal == STATUS_SUCCESS && subStat == STATUS_SUCCESS);

     if (retBuf != NULL) {
      LsaFreeReturnBuffer(retBuf);          /* response buffer is allocated by LSA */
     }
     LsaDeregisterLogonProcess(handle);

     return ok ? authYes : authNo;
    }
    /*************************************************************************************/

    Krb5TicketRequest is a class that holds a ticket request. The constructor of
    this class looks like this:

    /*************************************************************************************/

     KERB_RETRIEVE_TKT_REQUEST *krbRequest;

     if (this->getCredentials() != SEC_E_OK) {
      throw Exception("Unable to get credentials");
     }

     /* Principal name for the request, built as user@domain. */
     std::string utf8(this->user);
     utf8 += '@';
     utf8 += this->domain;

     name.set(utf8);
     nameUS = name.getUS();                 /* UNICODE_STRING; Length is in bytes */

     /* The submit buffer is one contiguous block: the fixed-size request struct
        followed by the name characters. LSASS copies the whole block, so the
        TargetName.Buffer pointer must point inside it. */
     this->requestSize = sizeof(KERB_RETRIEVE_TKT_REQUEST) + nameUS->Length;

     this->allocRequest();

     krbRequest = (KERB_RETRIEVE_TKT_REQUEST *) this->request;

     stringBuffer = (wchar_t *) (krbRequest + 1);   /* first byte past the struct */
     memmove(stringBuffer, nameUS->Buffer, nameUS->Length);

     krbRequest->MessageType = KerbRetrieveEncodedTicketMessage;
     krbRequest->LogonId.LowPart = 0;       /* zero LUID: the caller's own logon session */
     krbRequest->LogonId.HighPart = 0;

     krbRequest->TargetName.Buffer = stringBuffer;
     krbRequest->TargetName.MaximumLength = nameUS->Length;
     krbRequest->TargetName.Length = nameUS->Length;

     krbRequest->TicketFlags = 0;
     /* Use the SSPI credential handle obtained in getCredentials() rather than
        the credentials cached for the logon session. */
     krbRequest->CacheOptions = KERB_RETRIEVE_TICKET_USE_CREDHANDLE;
     krbRequest->EncryptionType = 0;        /* no preference for the ticket's etype */
     krbRequest->CredentialsHandle = this->credentials;
    /*************************************************************************************/

    And finally, the getCredentials() method works like this:

    /*************************************************************************************/
    SECURITY_STATUS Krb5TicketRequest::getCredentials(void)
    {
     SEC_WINNT_AUTH_IDENTITY additionalCredentials;
     TimeStamp expiration;
     SECURITY_STATUS retVal;

     /* Release the handle from any previous call before acquiring a new one. */
     if (this->haveCredentials) {
      FreeCredentialsHandle(&(this->credentials));
      this->haveCredentials = false;   /* a failed re-acquire must not leave a freed handle marked valid */
     }

     /* Explicit user/domain/password identity. Lengths are character counts;
        SEC_WINNT_AUTH_IDENTITY_ANSI marks the strings as narrow. */
     additionalCredentials.User = (unsigned char *) this->user.c_str();
     additionalCredentials.UserLength = this->user.length();
     additionalCredentials.Domain = (unsigned char *) this->domain.c_str();
     additionalCredentials.DomainLength = this->domain.length();
     additionalCredentials.Password = (unsigned char *) this->password.c_str();
     additionalCredentials.PasswordLength = this->password.length();
     additionalCredentials.Flags = SEC_WINNT_AUTH_IDENTITY_ANSI;

     /* SECPKG_CRED_INBOUND requests server-side (accepting) credentials;
        a client that initiates a ticket request normally acquires
        SECPKG_CRED_OUTBOUND credentials. */
     retVal = AcquireCredentialsHandle(NULL, (SEC_CHAR *) "Kerberos",
         SECPKG_CRED_INBOUND, NULL, &additionalCredentials,
         NULL, NULL, &(this->credentials), &expiration);

     if (retVal == SEC_E_OK) {
      this->haveCredentials = true;
     }

     return retVal;
    }
    /*************************************************************************************/

    Thank you very much for any suggestion. I have been dealing with it for
    nearly two weeks and you can imagine how desperate I am. :-(

    Jason

    > Jason, What package are you targeting? What function are you invoking
    > through LsaCallAuthPackage? Can you describe your scenario in a little bit
    > more detail so that we can look into the exact cause for the failure you are
    > seeing?
    >
    > --
    > Thanks,
    > Amit Rahul [MS]
    >
    > This posting is provided "AS IS" with no warranties, and confers no rights.
    >
    >
    > "Jason McCoal" <slavek@slavojpisek.cz> wrote in message
    > news:es5Cb8FLEHA.3684@TK2MSFTNGP12.phx.gbl...
    > > Hi,
    > > I have a problem with method LsaCallAuthenticationPackage. When I use
    > > a Windows 2000 domain controller everything is fine. But when I use Windows
    > > Server 2003 the function returns an error code.
    > > I have converted the error code to a system error code and MSDN says that
    > > error means: "The security database on the server does not have a computer
    > > account for this workstation trust relationship."
    > >
    > > Does anybody have any idea how to solve it?
    > >
    > > Thanks a lot.
    > >
    > > Jason
    > >
    > >
    >
    >
