Re: Accessing security information from an authentication provider

Corinna Vinschen wrote:
But, here's the problem I have with ConvertAuthDataToToken. It sounds a
nice idea to call it, and when it returns, you have a token. But...
what next?

The call to LsaApLogonUser has no way to return the token to the
caller. Instead, there's the TokenInformation pointer which has to
be filled with a LSA_TOKEN_INFORMATION_V2 structure which in turn
is used to create a token by MSV1_0. And *that* token is returned
to the calling logon process. What's suppsoed to happen with the token
returned by ConvertAuthDataToToken?

In the meantime it occured to me how to transmit the token to the
calling logon process and I hacked happily away. Alas, the result is
just disappointing.

For some reason GetAuthDataForUser() only works for local machine
accounts. I have to give the plain username to the function. If I try
to get the auth data for a domain account by using the domain\username
syntax and SecNameSamCompatible as type, or using the
username@xxxxxxxxxx syntax and SecNameFlat as type, I'm invariably
getting a return code of STATUS_NO_SUCH_USER from GetAuthDataForUser().

Even when running on a DC, it only works half. The token returned by
ConvertAuthDataToToken() does not contain the groups not defined in the
local SAM, and the credentials required to access network resources are
*still* missing.

If you only need a machine local account and no network credentials,
it's an easy solution, provided you have a way to transmit the results
to the calling logon application. Personally I called DuplicateHandle()
on the token and transmitted the new handle value in the profile buffer.

If you need to authenticate against AD or if you need network
credentials, you're still stuck like me.

Hello? Microsoft? Help? Please?


Corinna

--
Corinna Vinschen
Cygwin Project Co-Leader
Red Hat
.

Relevant Pages

  • Re: How do you wintrolls...
    ... the system will automatically log in with those credentials from then on. ... account credentials, exactly what files do you think he wants to access? ... When Vista asks you if a newly discovered network is 'Public' or 'Private', this is one of the things it is doing. ... I have not found any necessary functionality in the menu bar; as far as I can see the only the functions that are in the menu bar are the greybeard switch for the old-style status bar and, oddly, the 'Invert Selection' command- which strictly speaking can always by done manually. ...
    (comp.sys.mac.advocacy)
  • Re: Trusted SQL Connections & NT AUTHORITYNETWORK SERVICE
    ... SYSTEM account in terms of the credentials it uses on the network. ... hitting a SQL Server on the same machine as the web app. ...
    (microsoft.public.dotnet.framework.aspnet.security)
  • Re: XP and Outlook 2000
    ... account on the pc to match his network ID and set the account up with a ... password to match his network password. ... it would override the login box from the Exchange server with this info, ... gets an error that the credentials are incorrect. ...
    (microsoft.public.windowsxp.help_and_support)
  • Re: Active Directory call for contractors VPNing into our network
    ... When the users VPN in, the credentials will only give them the ability to connect via the VPN, and not any access to your network. ... I believe the easiest cure would be to have them attempt to access one of your servers after VPNing in, and when prompted for credentials, enter the user account details for your network in the format DOMAIN\Username. ...
    (microsoft.public.windows.server.active_directory)
  • Re: Problem: No Network Connections under Guest Account
    ... The Guest Account on my other computer seems to ... Sounds like you might have more of an issue with your network than with the ... network connection settings. ...
    (microsoft.public.windowsxp.security_admin)