remote console, WlxQueryConsoleSwitchCredentials, and WlxGetConsoleSwitchCredentials

From: Ivailo Petrov (ipetrov_at_san.rr.com)
Date: 02/22/05 

Date: Tue, 22 Feb 2005 07:59:33 GMT

Hi,

I implemented a custom Gina (full implementation, not a stub) but haven't
found a way to overcome the described below problem yet. It appears during
Remote console logon.
Others experienced similar issues a while ago but nobody provided any
solution:

http://groups-beta.google.com/group/microsoft.public.platformsdk.security/browse_thread/thread/60be6a9ddd852233/2cab8b2c7efccfa2?q=WlxGetConsoleSwitchCredentials&_done=%2Fgroup%2Fmicrosoft.public.platformsdk.security%2Fsearch%3Fgroup%3Dmicrosoft.public.platformsdk.security%26q%3DWlxGetConsoleSwitchCredentials%26qt_g%3D1%26searchnow%3DSearch+this+group%26&_doneTitle=Back+to+Search&&d#2cab8b2c7efccfa2

http://groups-beta.google.com/group/microsoft.public.platformsdk.security/browse_thread/thread/5bda3b16945d1af0/03c83352063cdea6?q=WlxGetConsoleSwitchCredentials&_done=%2Fgroup%2Fmicrosoft.public.platformsdk.security%2Fsearch%3Fgroup%3Dmicrosoft.public.platformsdk.security%26q%3DWlxGetConsoleSwitchCredentials%26qt_g%3D1%26searchnow%3DSearch+this+group%26&_doneTitle=Back+to+Search&&d#03c83352063cdea6

http://groups-beta.google.com/group/microsoft.public.platformsdk.security/browse_thread/thread/5bda3b16945d1af0/03c83352063cdea6?q=WlxGetConsoleSwitchCredentials&_done=%2Fgroup%2Fmicrosoft.public.platformsdk.security%2Fsearch%3Fgroup%3Dmicrosoft.public.platformsdk.security%26q%3DWlxGetConsoleSwitchCredentials%26qt_g%3D1%26searchnow%3DSearch+this+group%26&_doneTitle=Back+to+Search&&d#03c83352063cdea6

http://groups-beta.google.com/group/microsoft.public.platformsdk.security/browse_thread/thread/78a3fa9595a6d8c9/967adf7e29eae124?q=WlxQueryConsoleSwitchCredentials+&_done=%2Fgroup%2Fmicrosoft.public.platformsdk.security%2Fsearch%3Fgroup%3Dmicrosoft.public.platformsdk.security%26q%3DWlxQueryConsoleSwitchCredentials+%26qt_g%3D1%26searchnow%3DSearch+this+group%26&_doneTitle=Back+to+Search&&d#967adf7e29eae124

So the problem is:

Case A. A user is logged on locally and you try to login remotely using the
same user. Everything seems to work fine - the local consol session
transparently gets passed to the remote consol (actually the sessions
switch). The weird thing is that the local consol goes in "log off" state -
if you use msgina it goes to "lock computer"

Case B. Nobody is logged in locally or you try to login with different user
then the one logged on locally. Something gets wrong. The following sequence
of events occur:

On the Remote console:
1. WlxInitialize
2. WlxLoggedOutSAS, WLX_SAS_TYPE_CTRL_ALT_DEL(1) - credentials acquired and
verified; WLX_SAS_ACTION_LOGON returned
3. WlxGetConsoleSwitchCredentials - credentials passed and TRUE returned

On the Local console:
4. WlxDisconnectNotify

Now sessions get switched (remote become local and vice versa)

On the Remote (old local) console
5a. WlxLoggedOutSAS, WLX_SAS_TYPE_AUTHENTICATED(7) - I try to call
WlxQueryConsoleSwitchCredentials but it fails with ERROR_IO_PENDING
5b. WlxReconnectNotify (almost immediately after 4a)

On the Local (old remote) console:
6. WlxInitialize - WHY???
7. WlxLoggedOutSAS, WLX_SAS_TYPE_CTRL_ALT_DEL(1)

And now the interesting part - second time credentials supplied!
On the Remote (old local) console:
8. WlxLoggedOutSAS, WLX_SAS_TYPE_CTRL_ALT_DEL(1) - credentials acquired and
verified; WLX_SAS_ACTION_LOGON returned
9. Remote console opens!!!!!

Why the local console goes in "log off" state?
Why does WlxQueryConsoleSwitchCredentials fails?
Why WlxInitialize is called again?
Why the after supplying credentials for a second time is succeeds?

I know the answer of the forth question. It works as Case A (see above)
works - the logon session already exists and it just attaches to it.

Having said all that, have anyone found a solution of that problem? Can
anyone help me?

Thanks,
Ivailo

Relevant Pages

  • emote console, WlxQueryConsoleSwitchCredentials, and WlxGetConsole
    ... Remote console logon. ... The weird thing is that the local consol goes in "log off" state - ... works - the logon session already exists and it just attaches to it. ...
    (microsoft.public.platformsdk.security)
  • Custom GINA logon failing for Remote Desktop sessions
    ... Remote console logon. ... The weird thing is that the local consol goes in "log off" state - ... works - the logon session already exists and it just attaches to it. ...
    (microsoft.public.platformsdk.security)
  • RE: emote console, WlxQueryConsoleSwitchCredentials, and WlxGetConsole
    ... logout from TS Session, you have to do same on workstation. ... Remote console logon. ... The weird thing is that the local consol goes in "log off" state - ...
    (microsoft.public.platformsdk.security)
  • Re: Updating status - REMOTE INTERACTIVE LOGON vs. INTERACTIVE
    ... There is no built-in way to have XP automatically update the user's security token because of a session state change. ... What specific resources/objects are you attempting to secure based on console versus RDP? ... you connect via Remote Desktop. ... LOGON. ...
    (microsoft.public.windows.terminal_services)
  • Re: microsoft RDP client control
    ... The locally logged in user is typically on the "console" session. ... always log in to the console, whether locally or remote. ... On Windows Server 2003 the behavior is different. ...
    (microsoft.public.dotnet.languages.vb.controls)