SSPI authentication with data from CredUIPromptForWindowsCredentials



I know that a new API was designed in Windows 7 to provide credentials for SSPI authentication. Its name is SspiPromptForCredentials.

However, in Vista, I want the user to be asked for his credentials in a standard way and then use these credentials to log him on using SSPI.

Why? Because I'm developing a credential provider / SSPI and I want my credential provider to be able to work with Terminal Server in an NLA (Network Level Authentication) scenario.
Indeed, my credential provider works inside the terminal server session with LsaLogonUser.
But first, the terminal server client asks for the credentials, which are then passed to CredSSP.
And CredSSP wraps an SSPI logon.

First step: ask for credentials using CredUIPromptForWindowsCredentials and then use SSPI logon.
And to be sure that everything works, I'm using the Negotiate package.

But CredUIPromptForWindowsCredentials returns a KERB_INTERACTIVE_LOGON or a KERB_CERTIFICATE_LOGON and AcquireCredentialsHandle requires a SEC_WINNT_AUTH_IDENTITY structure.

How are the credentials converted?
I found the function CredUnPackAuthenticationBuffer to convert KERB_INTERACTIVE_LOGON to SEC_WINNT_AUTH_IDENTITY.
But this logic is specific to the login/password scenario.
And it doesn't work with smart card logon.

So: how do I convert the credentials retrieved from CredUIPromptForWindowsCredentials for AcquireCredentialsHandle?

Regards,
Vincent Le Toux

NB: my work is open source and available at http://eidauthenticate.sourceforge.net.


