Tags: c++, winapi, windows-authentication, winlogon, local-security-authority

Custom Windows Authentication Package Logon Failed


I have developed a custom authentication package that I would like to use for interactive logon. It creates the access token in the LsaApLogonUser function.

When I call LsaLogonUser from an application I can enumerate new user sessions, but when I use it for logon (I have also created a custom credential provider) I can see in the Windows Event Log that I was successfully logged in and then logged out.

When I select my credential and try to log on, it enters the LsaApLogonUser API of my authentication package. If I check the log file, LsaApLogonUser returns STATUS_SUCCESS, but Windows is not logged on. After leaving LsaApLogonUser, LSA calls the LsaApLogonTerminated API and returns to LogonUI.

When I prepared the TokenInformation, LookupPrivilegeValueW failed for SeInteractiveLogonRight. I don't know whether this is important for logon.

LsaApLogonUser(...){
    ......
    // NetUserGetInfo

    // AllocateLocallyUniqueId (LogonId)

    err = GetTokenInformationv2(pdi ? pdi->DomainControllerName : NULL, wszDomain, wszUser, &LocalTokenInformation, LogonId);

    err = g_pSec->CreateLogonSession(LogonId);

    // Profile buffer is left empty
    if (ProfileBuffer)
    {
        *ProfileBuffer = NULL;
        *ProfileBufferLength = 0;
    }

    (*TokenInformationType) = LsaTokenInformationV2;
    (*TokenInformation) = LocalTokenInformation;

    return STATUS_SUCCESS;
}

GetTokenInformationv2(...){
    ....
    ....
    // Call LsaEnumerateAccountRights
    // check LookupPrivilegeValueW // It failed for "SeInteractiveLogonRight"
    //
    return STATUS_SUCCESS;
}

Is ProfileBuffer important for logon? I don't know why LSA cannot log on.


Solution

  • The documentation does not say that the profile buffer can be set to NULL and it seems that it is indeed mandatory. The OP reports that allocating and returning a profile buffer (just a single byte was enough) resolved the problem. [Addendum: see the comment by Nehluxhes below, who reports that the buffer needs to contain valid data.]

    The error when attempting to retrieve a LUID for SeInteractiveLogonRight was not relevant; the user's logon rights do not need to be included in the TOKEN_PRIVILEGES structure, so no LUID is needed, and as documented, the LookupPrivilegeValue function only accepts privileges:

    The LookupPrivilegeValue function supports only the privileges specified in the Defined Privileges section of Winnt.h.

    (Note that the relevant section of winnt.h only contains definitions for SeXxxPrivilege; the definitions for SeXxxLogonRight are in ntsecapi.h.)
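The two fixes the answer describes, as an added example that is neither the OP's nor the answerer's code. The logic is plain C++ so it compiles and can be checked on any platform; the part under `_WIN32` wires it to LookupPrivilegeValueW and to the LSA dispatch table's AllocateClientBuffer/CopyToClientBuffer, the pair LSA provides for placing an output buffer in the calling process. IsLogonRight, SelectTokenPrivileges, ExampleProfile, ReturnProfileBuffer, ReturnProfileToClient and g_Lsa are this example's own names, and the profile layout is hypothetical, chosen only to show a buffer that is allocated and carries data rather than being left NULL.

```cpp
// Added example (not the OP's or the answerer's code): the two points from the answer,
// written so the logic can be compiled and checked on any platform. Only the glue under
// _WIN32 touches the LSA; names marked "hypothetical" are this example's own.
#include <cstddef>
#include <cstdint>
#include <cstdlib>
#include <cstring>
#include <functional>
#include <string>
#include <vector>

// LsaEnumerateAccountRights returns privileges (SeXxxPrivilege, winnt.h) and logon
// rights (SeXxxLogonRight, ntsecapi.h) in one list. Only privileges have a LUID and
// belong in the token's TOKEN_PRIVILEGES; logon rights are enforced by LSA itself.
bool IsLogonRight(const std::wstring& right) {
    static const std::wstring suffix = L"LogonRight";
    return right.size() >= suffix.size() &&
           right.compare(right.size() - suffix.size(), suffix.size(), suffix) == 0;
}

// Hypothetical: LUID lookup abstracted so the real LookupPrivilegeValueW can be
// injected on Windows and a table-driven stub elsewhere.
using LuidLookup = std::function<bool(const std::wstring& name, uint64_t* luid)>;

struct PrivilegeEntry { std::wstring name; uint64_t luid; };

// Keep the rights the lookup can resolve; logon rights are skipped rather than
// treated as an error, which is what the answer says was tripping the OP.
std::vector<PrivilegeEntry> SelectTokenPrivileges(const std::vector<std::wstring>& rights,
                                                  const LuidLookup& lookup) {
    std::vector<PrivilegeEntry> out;
    for (const std::wstring& r : rights) {
        if (IsLogonRight(r)) continue;
        uint64_t luid = 0;
        if (lookup(r, &luid)) out.push_back({r, luid});
    }
    return out;
}

// Hypothetical profile layout for this package. The answer's point is that the
// buffer must exist and carry valid data; what "valid" means is the package's choice.
struct ExampleProfile {
    uint32_t version;
    uint32_t logonCount;
};

// Hypothetical: allocate/copy callbacks standing in for the dispatch table's
// AllocateClientBuffer/CopyToClientBuffer. On failure the out-parameters stay
// NULL/0 rather than half-filled.
using ClientAlloc = std::function<void*(size_t)>;
using ClientCopy  = std::function<bool(void* dst, const void* src, size_t)>;

bool ReturnProfileBuffer(const ExampleProfile& profile, const ClientAlloc& alloc,
                         const ClientCopy& copy, void** profileBuffer,
                         size_t* profileBufferLength) {
    if (!profileBuffer || !profileBufferLength) return false;
    *profileBuffer = nullptr;
    *profileBufferLength = 0;
    void* dst = alloc(sizeof(profile));
    if (!dst) return false;
    if (!copy(dst, &profile, sizeof(profile))) return false;
    *profileBuffer = dst;
    *profileBufferLength = sizeof(profile);
    return true;
}

#ifdef _WIN32
#include <windows.h>
#include <ntsecapi.h>
#ifndef NT_SUCCESS
#define NT_SUCCESS(s) (((NTSTATUS)(s)) >= 0)
#endif

// Assumption: the dispatch table LSA passed to LsaApInitializePackage was saved here.
static PLSA_DISPATCH_TABLE g_Lsa = nullptr;

bool RealLuidLookup(const std::wstring& name, uint64_t* luid) {
    LUID l;
    if (!LookupPrivilegeValueW(nullptr, name.c_str(), &l)) return false;
    *luid = (static_cast<uint64_t>(l.HighPart) << 32) | l.LowPart;
    return true;
}

// Call from LsaApLogonUser with the ClientRequest it received.
bool ReturnProfileToClient(PLSA_CLIENT_REQUEST request, const ExampleProfile& profile,
                           PVOID* profileBuffer, PULONG profileBufferLength) {
    size_t len = 0;
    bool ok = ReturnProfileBuffer(profile,
        [&](size_t n) { PVOID p = nullptr;
                        return NT_SUCCESS(g_Lsa->AllocateClientBuffer(request, (ULONG)n, &p)) ? p : nullptr; },
        [&](void* d, const void* s, size_t n) {
            return NT_SUCCESS(g_Lsa->CopyToClientBuffer(request, (ULONG)n, d, const_cast<void*>(s))); },
        profileBuffer, &len);
    *profileBufferLength = static_cast<ULONG>(len);
    return ok;
}
#endif
```

Inside LsaApLogonUser the flow would be: feed the list from LsaEnumerateAccountRights through SelectTokenPrivileges with RealLuidLookup when building TOKEN_PRIVILEGES for LSA_TOKEN_INFORMATION_V2, then hand the profile to ReturnProfileToClient before setting TokenInformation. Keeping the allocate/copy pair behind callbacks is what lets the failure path (allocation refused, out-parameters left NULL/0) be exercised without an LSA in the loop.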