Re: Method LsaCallAuthenticationPackage fails on Windows server 2003

From: Amit Rahul [MS] (arahul_at_online.microsoft.com)
Date: 04/29/04

    Date: Thu, 29 Apr 2004 14:09:10 -0700
    
    

    Jason, Will it be possible for you to get us Kerb logging for this issue? I
    discussed this with the Kerberos/LSA developers here and we would need more
    information than what we have. If possible send us the spew from your
    debugger when you try to repro this after turning on the kerberos debug
    spews. You can also send us the netmon sniff for this repro. If you need
    information on how to turn on the kerb debug spew please send me a mail
    directly and I will send you information on reg keys you need to enable.

    -- 
    Thanks,
    Amit Rahul [MS]
    This posting is provided "AS IS" with no warranties, and confers no rights.
    "Jason McCoal" <slavek@slavojpisek.cz> wrote in message
    news:eN4X$6cLEHA.1340@TK2MSFTNGP12.phx.gbl...
    > Hi Amit,
    > thanks for your response.
    > The base scenario I use is as follows:
    >
    >
    > /***************************************************************************************/
    > krb5Authenticate(const std::string &user, const std::string &realm,
    >                  const std::string &password) const
    > {
    >  NTSTATUS stat;
    >  LSA_STRING pkgName;
    >  HANDLE handle;
    >  ULONG packageId;
    >  ULONG retBufSize;
    >  void *retBuf = NULL;
    >  NTSTATUS subStat = 0;
    >  NTSTATUS retVal;
    >
    >  stat = LsaConnectUntrusted(&handle);
    >  if (stat != STATUS_SUCCESS) {
    >   return authNo;
    >  }
    >
    >  pkgName.Buffer = "Kerberos";
    >  pkgName.Length = strlen(pkgName.Buffer);
    >  pkgName.MaximumLength = pkgName.Length + 1;
    >  stat = LsaLookupAuthenticationPackage(handle, &pkgName, &packageId);
    >  if (stat != STATUS_SUCCESS) {
    >   return authNo;
    >  }
    >
    >  Krb5TicketRequest request(user, realm, password);
    >
    >  retVal = lib.LsaCallAuthenticationPackage(handle, packageId,
    > request.getRequest(), request.getRequestSize(),
    >              &retBuf, &retBufSize, &subStat);
    >
    >  LsaDeregisterLogonProcess(handle);
    >
    >  if(subStat == STATUS_SUCCESS) {
    >   return authYes;
    >
    >  }
    >  return authNo;
    >
    >
    > /***************************************************************************************/
    >
    >
    > Krb5TicketRequest is a class that holds a ticket request. The constructor of
    > this class looks like this:
    >
    >
    > /***************************************************************************************/
    >
    >  KERB_RETRIEVE_TKT_REQUEST *krbRequest;
    >
    >  if (this->getCredentials() != SEC_E_OK) {
    >   throw Exception("Unable to get credentials");
    >  }
    >
    >  std::string utf8(this->user);
    >  utf8 += '@';
    >  utf8 += this->domain;
    >
    >  name.set(utf8);
    >  nameUS = name.getUS();
    >
    >  this->requestSize = sizeof(KERB_RETRIEVE_TKT_REQUEST) + nameUS->Length;
    >
    >  this->allocRequest();
    >
    >  krbRequest = (KERB_RETRIEVE_TKT_REQUEST *) this->request;
    >
    >  stringBuffer = (wchar_t *) (krbRequest + 1);
    >  memmove(stringBuffer, nameUS->Buffer, nameUS->Length);
    >
    >  krbRequest->MessageType = KerbRetrieveEncodedTicketMessage;
    >  krbRequest->LogonId.LowPart = 0;
    >  krbRequest->LogonId.HighPart = 0;
    >
    >  krbRequest->TargetName.Buffer = stringBuffer;
    >  krbRequest->TargetName.MaximumLength = nameUS->Length;
    >  krbRequest->TargetName.Length = nameUS->Length;
    >
    >  krbRequest->TicketFlags = 0;
    >  krbRequest->CacheOptions = KERB_RETRIEVE_TICKET_USE_CREDHANDLE;
    >  krbRequest->EncryptionType = 0;
    >  krbRequest->CredentialsHandle = this->credentials;
    >
    > /*****************************************************************************************************/
    >
    > And finally method getCredentials() works like this:
    >
    >
    > /*****************************************************************************************************/
    > SECURITY_STATUS Krb5TicketRequest::getCredentials(void)
    > {
    >  SEC_WINNT_AUTH_IDENTITY additionalCredentials;
    >  TimeStamp expiration;
    >  SECURITY_STATUS retVal;
    >
    >  if (this->haveCredentials) {
    >   FreeCredentialsHandle(&(this->credentials));
    >  }
    >
    >  additionalCredentials.User = (unsigned char *) this->user.c_str();
    >  additionalCredentials.UserLength = this->user.length();
    >  additionalCredentials.Domain = (unsigned char *) this->domain.c_str();
    >  additionalCredentials.DomainLength = this->domain.length();
    >  additionalCredentials.Password = (unsigned char *) this->password.c_str();
    >  additionalCredentials.PasswordLength = this->password.length();
    >  additionalCredentials.Flags = SEC_WINNT_AUTH_IDENTITY_ANSI;
    >
    >  retVal = AcquireCredentialsHandle(NULL, "Kerberos",
    >      SECPKG_CRED_INBOUND, NULL, &additionalCredentials,
    >      NULL, NULL, &(this->credentials), &expiration);
    >
    >  if (retVal == SEC_E_OK) {
    >   this->haveCredentials = true;
    >  }
    >
    >  return retVal;
    > }
    >
    > /*****************************************************************************************************/
    >
    >
    > Thank you very much for any suggestion. I have been dealing with it for
    > nearly two weeks and you can imagine how desperate I am. :-(
    >
    > Jason
    >
    >
    >
    >
    > > Jason, What package are you targeting? What function are you invoking
    > > through LsaCallAuthPackage? Can you describe your scenario in a little bit
    > > more detail so that we can look into the exact cause for the failure you are
    > > seeing?
    > >
    > > -- 
    > > Thanks,
    > > Amit Rahul [MS]
    > >
    > > This posting is provided "AS IS" with no warranties, and confers no rights.
    > >
    > >
    > > "Jason McCoal" <slavek@slavojpisek.cz> wrote in message
    > > news:es5Cb8FLEHA.3684@TK2MSFTNGP12.phx.gbl...
    > > > Hi,
    > > > I have a problem with method LsaCallAuthenticationPackage. When I use a
    > > > Windows 2000 domain controller everything is fine. But when I use Windows
    > > > Server 2003 the function returns an error code.
    > > > I have converted the error code to a system error code and MSDN says that
    > > > error means: "The security database on the server does not have a computer
    > > > account for this workstation trust relationship."
    > > >
    > > > Does anybody have any idea how to solve it?
    > > >
    > > > thanks a lot.
    > > >
    > > > Jason
    > > >
    > > >
    > >
    > >
    >
    >
    >
    

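An added example (editor's code, not from Jason's or Amit's posts) showing how a KERB_RETRIEVE_TKT_REQUEST is laid out for LsaCallAuthenticationPackage and how the result has to be checked. It assumes the request targets a service principal name such as krbtgt/EXAMPLE.COM (placeholder realm), which is what MSDN documents TargetName as and what the KDC resolves, and it uses a zero LUID so the ticket is requested for the caller's own logon session without a credential handle. The type and struct definitions under the non-Windows branch are stand-ins that mirror the ntsecapi.h and sspi.h layouts only so the marshalling logic compiles and can be tested off Windows; on Windows the real headers are used. Two points the code makes explicit: TargetName.Buffer has to point inside the submitted buffer, because the LSA copies that buffer into LSASS and only relocates pointers that fall within it; and both the NTSTATUS returned by the call and the ProtocolStatus it writes must be checked, since a call that fails outright does not set ProtocolStatus, so a zero-initialised ProtocolStatus checked on its own would read as a successful authentication.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <vector>

#ifdef _WIN32
#define SECURITY_WIN32
#include <windows.h>
#include <sspi.h>
#include <ntsecapi.h>
#define KRB_T(s) L##s
#else
// Stand-ins (assumption: same field order and widths as ntsecapi.h / sspi.h)
// so the marshalling code compiles and can be unit-tested on a non-Windows host.
typedef uint16_t USHORT;
typedef uint32_t ULONG;
typedef int32_t  LONG;
typedef int32_t  NTSTATUS;
typedef char16_t WCHAR;
typedef WCHAR   *PWSTR;
struct LUID { ULONG LowPart; LONG HighPart; };
struct UNICODE_STRING { USHORT Length; USHORT MaximumLength; PWSTR Buffer; };
struct SecHandle { uintptr_t dwLower; uintptr_t dwUpper; };
enum KERB_PROTOCOL_MESSAGE_TYPE { KerbRetrieveEncodedTicketMessage = 8 };
struct KERB_RETRIEVE_TKT_REQUEST {
    KERB_PROTOCOL_MESSAGE_TYPE MessageType;
    LUID           LogonId;
    UNICODE_STRING TargetName;
    ULONG          TicketFlags;
    ULONG          CacheOptions;
    LONG           EncryptionType;
    SecHandle      CredentialsHandle;
};
#define KRB_T(s) u##s
#endif

// Number of WCHARs before the terminator.
static size_t WcharLen(const WCHAR *s) { size_t n = 0; while (s[n]) ++n; return n; }

// One contiguous allocation: the fixed-size struct followed by the UTF-16 SPN.
// TargetName.Buffer points at those trailing bytes, not at a string elsewhere
// in the caller's heap, because LSASS only relocates pointers inside the buffer.
std::vector<unsigned char> BuildRetrieveTicketRequest(const WCHAR *spn, ULONG cacheOptions = 0)
{
    const size_t nameBytes = WcharLen(spn) * sizeof(WCHAR);
    std::vector<unsigned char> buf(sizeof(KERB_RETRIEVE_TKT_REQUEST) + nameBytes, 0);
    KERB_RETRIEVE_TKT_REQUEST *req = reinterpret_cast<KERB_RETRIEVE_TKT_REQUEST *>(buf.data());
    WCHAR *name = reinterpret_cast<WCHAR *>(req + 1);
    std::memcpy(name, spn, nameBytes);
    req->MessageType = KerbRetrieveEncodedTicketMessage;
    req->LogonId.LowPart = 0;              // zero LUID: the caller's own logon session
    req->LogonId.HighPart = 0;
    req->TargetName.Buffer = name;
    req->TargetName.Length = static_cast<USHORT>(nameBytes);
    req->TargetName.MaximumLength = static_cast<USHORT>(nameBytes);
    req->TicketFlags = 0;
    req->CacheOptions = cacheOptions;      // 0 == KERB_RETRIEVE_TICKET_DEFAULT
    req->EncryptionType = 0;               // let the KDC choose
    req->CredentialsHandle.dwLower = 0;    // unused without KERB_RETRIEVE_TICKET_USE_CREDHANDLE
    req->CredentialsHandle.dwUpper = 0;
    return buf;
}

// True when TargetName.Buffer (and its Length bytes) lie inside the submitted buffer.
bool TargetNameIsInsideBuffer(const std::vector<unsigned char> &buf)
{
    const KERB_RETRIEVE_TKT_REQUEST *req = reinterpret_cast<const KERB_RETRIEVE_TKT_REQUEST *>(buf.data());
    const uintptr_t lo = reinterpret_cast<uintptr_t>(buf.data()) + sizeof(KERB_RETRIEVE_TKT_REQUEST);
    const uintptr_t hi = reinterpret_cast<uintptr_t>(buf.data()) + buf.size();
    const uintptr_t p  = reinterpret_cast<uintptr_t>(req->TargetName.Buffer);
    return p >= lo && p + req->TargetName.Length <= hi;
}

// Shows the check catching the classic mistake: a buffer whose TargetName points
// at a separate string. Returns true when the bad request is rejected.
bool ExternalPointerRejected()
{
    static WCHAR external[] = KRB_T("host/dc1.example.com");   // constructed sample SPN
    std::vector<unsigned char> bad = BuildRetrieveTicketRequest(external);
    reinterpret_cast<KERB_RETRIEVE_TKT_REQUEST *>(bad.data())->TargetName.Buffer = external;
    return !TargetNameIsInsideBuffer(bad);
}

// Both values matter: if LsaCallAuthenticationPackage itself fails, ProtocolStatus
// is not written, so a zero-initialised ProtocolStatus alone proves nothing.
bool TicketCallSucceeded(NTSTATUS status, NTSTATUS protocolStatus)
{
    return status == 0 && protocolStatus == 0;
}

#ifdef _WIN32
// Submits the request for the caller's logon session and reports both status values.
bool RetrieveTicket(const WCHAR *spn, NTSTATUS *status, NTSTATUS *protocolStatus)
{
    HANDLE lsa = NULL;
    if (LsaConnectUntrusted(&lsa) != 0) return false;
    LSA_STRING pkg;
    pkg.Buffer = const_cast<char *>(MICROSOFT_KERBEROS_NAME_A);   // "Kerberos"
    pkg.Length = static_cast<USHORT>(strlen(pkg.Buffer));
    pkg.MaximumLength = pkg.Length + 1;
    ULONG pkgId = 0;
    if (LsaLookupAuthenticationPackage(lsa, &pkg, &pkgId) != 0) { LsaDeregisterLogonProcess(lsa); return false; }
    std::vector<unsigned char> req = BuildRetrieveTicketRequest(spn);
    PVOID out = NULL; ULONG outLen = 0; *protocolStatus = 0;
    *status = LsaCallAuthenticationPackage(lsa, pkgId, req.data(), static_cast<ULONG>(req.size()),
                                           &out, &outLen, protocolStatus);
    if (out) LsaFreeReturnBuffer(out);     // response holds the encoded ticket; always release it
    LsaDeregisterLogonProcess(lsa);
    return TicketCallSucceeded(*status, *protocolStatus);
}
#endif
```

On Windows, link with secur32.lib and call RetrieveTicket(L"krbtgt/EXAMPLE.COM", &status, &protocolStatus) from a domain logon session; when it fails, LsaNtStatusToWinError(protocolStatus) gives the Win32 code of the kind quoted in the thread, and the same ticket can be cross-checked with klist.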