Re: LogOnUser with Smart Card Credentials
- From: cindy.fisher@xxxxxxxxxxxxxxxxxx
- Date: 24 Oct 2006 15:25:40 -0700
Here is my scenario. We have an application that has its own logon
dialog for logging into our application. (This is completely separate
from the Windows logon dialog and serves our application only). To
verify the user credentials when the user logs on to our application, we
call LogonUser with the credentials provided in the dialog. For a
SmartCard logon, we pass on the marshalled credentials and the pin #.
Everything works fine and the user has successfully logged onto our
application.
Now, a little later in our application the user wants to do something
that requires us to impersonate his credentials. Since he has already
successfully logged-in to our application, we should not need his
credentials again. However, the only way I know to impersonate him as a
user is to call LogonUser with the same credentials and then call
ImpersonateLoggedOnUser with the token returned from LogonUser.
However, this is a problem because if the user removed the card from
the reader, then LogonUser will fail. I have tried to cache the token
from the original LogonUser call that is made when the user first
logs on, but this isn't working. Is there special handling for caching
the LogonUser token? Is this even possible, to cache it for later use?
Is there another way to get this same result -- have the SmartCard user
logon to our app only once and somehow be able to retain a logon token
that can be used for impersonation later.
Thanks for your help,
Cindy
Eric wrote:
The entire point of smartcard logon is the dual factor (PIN & card).
The card needs to be present to verify the PIN and also to obtain a token.
The token will be valid on the local machine until reboot, but the TGT
associated with it will expire and this will affect access to network
resources.
--
This posting is provided "AS IS" with no warranties, and confers no rights.
Eric Perlin [MSFT]
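The pattern Cindy asks about and Eric describes, logging on once while the card is present and then reusing the cached token for later impersonation, as an added PowerShell P/Invoke example that is not code from the thread. It assumes $CardCredential holds the marshalled smart card credential and $Pin the PIN, both collected by the application's own dialog, and that the domain parameter may be left null for marshalled credentials.

```powershell
# Added example: logon once with the smart card, cache the token, impersonate later.
# Assumed inputs (not defined here): $CardCredential (marshalled credential string)
# and $Pin (the card PIN), both gathered by the application's own logon dialog.
Add-Type -Namespace Win32 -Name Token -MemberDefinition @"
[DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern bool LogonUser(string user, string domain, string pass,
    int logonType, int logonProvider, out IntPtr token);
[DllImport("advapi32.dll", SetLastError = true)]
public static extern bool ImpersonateLoggedOnUser(IntPtr token);
[DllImport("advapi32.dll", SetLastError = true)]
public static extern bool RevertToSelf();
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CloseHandle(IntPtr handle);
"@

$LOGON32_LOGON_INTERACTIVE = 2
$LOGON32_PROVIDER_DEFAULT  = 0

# Step 1: the single LogonUser call, made while the card is still in the reader.
# The marshalled credential is passed as the user name and the PIN as the password;
# the domain is assumed to be null for marshalled credentials.
$token = [IntPtr]::Zero
$ok = [Win32.Token]::LogonUser($CardCredential, $null, $Pin,
        $LOGON32_LOGON_INTERACTIVE, $LOGON32_PROVIDER_DEFAULT, [ref]$token)
if (-not $ok) {
    $code = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
    throw ("LogonUser failed: " + [ComponentModel.Win32Exception]::new($code).Message)
}
# $token is kept for the life of the session; LogonUser is never called again.

# Step 2 (later, card possibly removed): impersonate from the cached token only,
# and always revert so the calling thread does not stay impersonated on error.
function Invoke-AsCardUser {
    param([IntPtr]$Token, [scriptblock]$Action)
    if (-not [Win32.Token]::ImpersonateLoggedOnUser($Token)) {
        throw "ImpersonateLoggedOnUser failed"
    }
    try     { & $Action }
    finally { [void][Win32.Token]::RevertToSelf() }
}

Invoke-AsCardUser -Token $token -Action {
    # Runs under the card holder's identity on this machine; access to network
    # resources still depends on the TGT lifetime, as Eric's reply notes.
    [Security.Principal.WindowsIdentity]::GetCurrent().Name
}

# Step 3: release the cached token when the application's session ends.
[void][Win32.Token]::CloseHandle($token)
```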
"cindy.fisher@xxxxxxxxxxxxxxxxxx" wrote:
I am doing #1, calling LogonUser with the marshalled form of smartcard
credentials and the user pin # that goes with the card. If this
requires the card to be present, then can I hold onto the handle
returned in LogonUser and use it later to impersonate the user? Or is
there another (better?) way to impersonate a user with smart card
credentials without requiring the card to be present after the initial
logon?
Thanks,
Cindy
Eric wrote:
I'm not really sure which of the 2 following scenarios you're doing:
1/ Calling LogonUser with the marshalled form of smartcard credentials, and
the PIN provided by the user (not the card), which is a real PKI logon, in
which case the card clearly needs to be present.
2/ Calling LogonUser with username/password retrieved from a smartcard, in
which case the smartcard should be required once the information was
extracted from the card.
Can you please clarify?
--
This posting is provided "AS IS" with no warranties, and confers no rights.
Eric Perlin [MSFT]
"cindy.fisher@xxxxxxxxxxxxxxxxxx" wrote:
I have an application that must do impersonation with a smart card
logon. I call LogonUser with the card credentials (card ID and pin #
retrieved from SCard APIs) and then call ImpersonateLoggedOnUser with
the token returned from the LogonUser call. Everything works fine if
the card remains in the card reader. However, if the card is removed
from the reader after the user logs on, then the LogonUser call fails
with "Logon Failure: Unknown username or bad password." Since the
credentials are passed in as parameters, I don't understand why it
should go to the card reader for credentials. Can anyone explain to me
why this happens? Is there a way around this?
Here is the LogonUser call I use:
HANDLE hLogon = NULL;
// strCardIdName: the card credential used as the user name;
// strUserPassword: the PIN; strComputer: the domain parameter.
BOOL bRet = LogonUser(strCardIdName, strComputer, strUserPassword,
                      LOGON32_LOGON_INTERACTIVE, LOGON32_PROVIDER_DEFAULT,
                      &hLogon);
if (bRet)
{
    bRet = ImpersonateLoggedOnUser(hLogon);
}
Thanks,
Cindy