RE: GINA - exception in winlogon

From: Babji (Babji_at_discussions.microsoft.com)
Date: 10/28/05


Date: Fri, 28 Oct 2005 02:17:02 -0700

Hi Johnny & Serji,
I've been following your discussion and found it to be interesting. I am a
learner in this domain and I have a couple of doubts that I think can be
clarified here.

I have a question regarding extracting real credentials from smart card and
using them for login.

Do smart card login (cert based) and 'password/domain/username' login coexist?
i.e., if I've marked a user for smart card login, can he log into the system
using 'password/domain/username'? Do they exist in the AD at all?

Assuming that the smart card stores the 'password/domain/username'
credentials in it and presents them to LsaLogonUser to log in to the system,
in that case is the user also aware of these credentials? Or is he only
aware of the PIN?

If the user is aware of these credentials he can avoid the smart card login by
directly entering those credentials (by replacing the GINA).

If the user is not aware of these credentials, I think that there would be
a problem. What if the system asks him to enter these credentials at some other
point, like accessing some network resource, etc.?

In the case of 'username/domain/password', once authenticated via
interactive login, can I assume that the user will never be asked to enter his
credentials again?

Thanks in advance
-Babji

"Johnny Liu" wrote:

> I see. Writing your own GINA is a possible way to avoid the unlock delay.
>
> I don't really understand how you do "unlock system only via smart
> card PIN authentication"? But I guess you will unlock the system by user name
> and password after PIN verification has been done, right? If so, then you
> have to hook the dialog box procedure of WlxWkstaLockedSAS, not the
> procedure of WlxLoggedOnSAS. Capture the IDOK event to get the entered
> PIN from the dialog, and then do the PIN verification procedure and get the
> real user's credentials yourself. Most important, don't hand the
> password over to MSGina; just close this dialog directly. Just like below:
>
> // Inside the hooked WlxWkstaLockedSAS dialog procedure:
> if (uMsg == WM_COMMAND && LOWORD(wParam) == IDOK)
> {
>     BOOL  bSuccess = FALSE;
>     TCHAR pPassword[64];   // buffer for the entered PIN
>
>     // Get the PIN from the edit box (length is in characters, not bytes)
>     GetDlgItemText(hwndDlg, IDC_EDITBOX_PIN, pPassword,
>                    sizeof(pPassword) / sizeof(pPassword[0]));
>
>     // Add your PIN verification procedure code here .....
>     bSuccess = DoPINVerification(pPassword);
>
>     // Wipe the PIN from memory as soon as it has been checked
>     SecureZeroMemory(pPassword, sizeof(pPassword));
>
>     if (bSuccess == TRUE)
>     {
>         // Get the real user's credentials from somewhere
>         GetRealCredential();
>     }
>
>     // Close the dialog without passing anything on to MSGina
>     EndDialog(hwndDlg, IDCANCEL);
>     return FALSE;
> }
>
> Then you will return to the task of WlxWkstaLockedSAS, where you have to
> simulate a WLX_SAS_TYPE_CTRL_ALT_DEL to unlock the system; after the dialog for the
> WLX_SAS_TYPE_CTRL_ALT_DEL event has been created, post the real user's
> credentials to the edit box and then simulate a press of the "OK" button.
>
> Is this helpful for you?
>
> Johnny
>