Domain Controller SubAuthentication Filter
Can anyone from MS provide guidance and suggestions on writing a Domain
Controller SubAuthentication Filter? Is it acceptable for a third-party
to register as Auth0? As I understand it, a subauthentication DLL
must be registered as Auth0 if it intends to intercept all Kerberos
and NTLM authentication attempts on the domain controller.

According to the Vista Platform SDK, "DLL number zero is reserved for
the Domain Controller SubAuthentication Filter. This DLL allows the
package to do additional password or logon validation on a domain
controller in addition to that normally done by the MSV1_0 or Kerberos
packages. DLL numbers 1 through 127 are reserved Microsoft DLL
numbers. Numbers 128 through 254 are available to independent software
vendors."

To correctly register the subauthentication DLL on Windows 2003
Server, it appears that it must be registered as both:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\Auth0
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\Auth0

And provide the exports:
Msv1_0SubAuthenticationRoutine
Msv1_0SubAuthenticationFilter
Msv1_0SubAuthenticationRoutineEx

From testing with windbg it appears that a subauthentication DLL
registered as Auth0 must export Msv1_0SubAuthenticationRoutineEx, but
that this export is not called. It was observed that the subauth would
load, but would then be unloaded after failing some validation test
logic.

This was verified with windbg commands "sxeld subauth" at the initial
prompt, and then "sxeud" after the subauth.dll was loaded. With a
breakpoint on kernel32!GetProcAddress I could see that LSASS was
attempting to load the exported function Msv1_0SubAuthenticationRoutineEx.

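As an added defensive check (not code from the original post), the following PowerShell audits the Auth<N> registrations under the MSV1_0 and Kerberos keys named above and reports each registered DLL with its resolved path, the range its number falls in, and its Authenticode status. It assumes it is run locally on the domain controller with read access to the Lsa keys, and that a bare module name in the value resolves under System32 (an assumption).

```powershell
function Get-SubAuthRegistration {
    # Enumerate Auth<N> values under the two LSA package keys named in the post.
    $bases = @(
        'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0',
        'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos'
    )
    foreach ($base in $bases) {
        if (-not (Test-Path -Path $base)) { continue }
        $props = Get-ItemProperty -Path $base
        foreach ($name in $props.PSObject.Properties.Name) {
            # -notmatch populates $Matches when the name does match Auth<N>.
            if ($name -notmatch '^Auth(\d{1,3})$') { continue }
            $id  = [int]$Matches[1]
            $dll = [string]$props.$name
            # Assumption: a bare module name is loaded from System32; resolve it there.
            $path = if ([System.IO.Path]::IsPathRooted($dll)) { $dll } else { Join-Path -Path $env:SystemRoot -ChildPath "System32\$dll" }
            if ($path -notlike '*.dll') { $path += '.dll' }
            $exists = Test-Path -Path $path
            # An unsigned or missing DLL in one of these slots deserves investigation.
            $sig = if ($exists) { (Get-AuthenticodeSignature -FilePath $path).Status } else { 'FileMissing' }
            # Classify by the DLL-number ranges quoted from the Platform SDK.
            $range = if ($id -eq 0) { 'DC subauth filter (Auth0)' }
                     elseif ($id -le 127) { 'Microsoft-reserved (1-127)' }
                     elseif ($id -le 254) { 'ISV range (128-254)' }
                     else { 'Out of range' }
            [pscustomobject]@{
                Package   = Split-Path -Path $base -Leaf
                Value     = $name
                Range     = $range
                Dll       = $dll
                Path      = $path
                Exists    = $exists
                Signature = $sig
            }
        }
    }
}

# Print one row per registered subauthentication DLL; no rows means none are registered.
Get-SubAuthRegistration | Format-Table -AutoSize
```

Running this periodically (or comparing its output against a known-good baseline) surfaces any Auth0 or ISV-range registration that was not deliberately deployed.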