Re: How to get credentials for network access in authentication package?
- From: Corinna Vinschen <corinna@xxxxxxxxxxxxxxxx>
- Date: Wed, 25 Jun 2008 16:35:29 +0000 (UTC)
Does nobody have an answer?
Maybe I'm just too dumb, but I don't get how a LSA authentication
package is supposed to allow the calling logon package to get a complete
interactive token including all necessary credentials for network
access. MSDN states:
"The LSA calls the authentication package interface functions in the
custom package which, in turn, call the functions in MSV1_0. The custom
package must be able to pass the incoming logon information using data
structures supported by MSV1_0."
So, when my authentication package function LsaApLogonUser is called,
it's supposed to call CallPackageEx (AuthenticationPackage == MSV1_0,
....) with... what? A MSV1_0_INTERACTIVE_LOGON buffer? MSDN doesn't
tell.
How is that supposed to work at all, if the new authentication mechanism
neither uses nor provides a password at any point?
Is there sample code or documentation (besides MSDN) available which
shows how to do that?
Corinna Vinschen wrote:
Hi,
maybe my question is a bit weird, but I guess I just don't understand
the whole logon process well enough. Bear with me.
My situation is this. I created a custom authentication package which
is supposed to be used by OpenSSH with public key authentication. The
public key is stored in the user's home dir and checked by the ssh
daemon, just like on any UNIX machine. When the authentication was
successful, the ssh daemon calls the authentication package which in
turn creates a user token. The resulting user token looks fine and the
user is correctly identified by, for instance, the whoami tool.
However, there was never a password exchanged in this process and the
credentials for network access are missing. The user can't access the
usual network shares, unless `net use' is called with the user's password
explicitly specified. Or, when trying to get information from
AD using LDAP with default credentials, ldap_bind_s (ld, NULL, NULL,
LDAP_AUTH_NEGOTIATE) fails with error 0x01.
So here's the question. Is there a way to fetch and add the necessary
credentials in the authentication package or in the logon application,
without the need to specify the password? Is there some example code
which shows how to do it?
Thanks in advance,
Corinna
--
Corinna Vinschen
Cygwin Project Co-Leader
Red Hat
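The symptoms described in this thread (whoami reports the right user, but SMB and a Negotiate LDAP bind fail) can be confirmed from inside the affected session. The following PowerShell diagnostic is an added example, not code from the original message or from the OpenSSH/Cygwin project; the UNC path in `$SharePath` is a hypothetical placeholder to be replaced with a share the account may read. It records the token identity, the Kerberos ticket cache of the logon session (via the stock `klist.exe`), an SMB listing with default credentials, and an LDAP bind to the domain with default credentials, which is the equivalent of the `ldap_bind_s(ld, NULL, NULL, LDAP_AUTH_NEGOTIATE)` call from the post.

```powershell
# Added diagnostic, not part of the original thread.
# Assumption: $SharePath is a hypothetical UNC path; substitute a real share.
function Test-LogonNetworkCredentials {
    param(
        [string]$SharePath = '\\fileserver.example.com\share'   # hypothetical
    )
    $r = [ordered]@{}

    # 1. Token identity. This succeeds even for a token built by a custom
    #    authentication package without a password, which is why whoami
    #    "looks fine" in the post.
    $r.User = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name

    # 2. Kerberos ticket cache of this logon session. A session that never
    #    received a secret has no TGT and klist reports "Cached Tickets: (0)".
    $klist = (& klist.exe 2>&1) | Out-String
    if ($klist -match 'Cached Tickets:\s*\((\d+)\)') {
        $r.CachedTickets = [int]$Matches[1]
    } else {
        $r.CachedTickets = $null   # klist unavailable or output not recognised
    }

    # 3. SMB with the session's default credentials (what `net use' does
    #    when no password is supplied).
    try {
        $null = Get-ChildItem -LiteralPath $SharePath -ErrorAction Stop
        $r.ShareAccess = 'ok'
    } catch {
        $r.ShareAccess = $_.Exception.Message
    }

    # 4. LDAP with default (Negotiate) credentials. RootDSE may be readable
    #    anonymously, so the domain object itself is read to force a real bind.
    try {
        $dn = ([ADSI]'LDAP://RootDSE').defaultNamingContext
        $domain = [ADSI]"LDAP://$dn"
        $r.LdapBind = 'ok (' + $domain.distinguishedName + ')'
    } catch {
        $r.LdapBind = $_.Exception.Message
    }

    # Interpretation: identity present, but no tickets and SMB/LDAP failing,
    # means the logon session holds no cached secret for SSPI to use.
    if ($r.CachedTickets -eq 0 -and $r.ShareAccess -ne 'ok' -and $r.LdapBind -notlike 'ok*') {
        $r.Verdict = 'token without network credentials'
    } else {
        $r.Verdict = 'network credentials appear present (or checks inconclusive)'
    }
    [pscustomobject]$r
}

# Run inside the session created by the custom authentication package
# (e.g. an ssh login), then again in a normal interactive logon to compare.
Test-LogonNetworkCredentials | Format-List
```

Comparing the two runs side by side isolates the problem to the logon session's credential material rather than to group membership or the token's SIDs, which is the distinction the post is asking about.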