
I have developed a custom authentication package that I would like to use for interactive logon. It creates the access token in the LsaApLogonUser function.

When I call LsaLogonUser from an application I can enumerate the new user sessions, but when I use it for logon (I have also created a custom credential provider) I can see in the Windows Event Log that I was successfully logged in and then logged out.

When I select my credential and try to log on, it enters the LsaApLogonUser API of my authentication package. According to my log file, LsaApLogonUser returns STATUS_SUCCESS, but Windows is not logged on. After leaving LsaApLogonUser, LSA calls the LsaApLogonTerminated API and returns to LogonUI.

When I prepared the TokenInformation, LookupPrivilegeValueW failed for SeInteractiveLogonRight. I don't know if this is important for logon.

```c
LsaApLogonUser(...){
    ......
    // NetUserGetInfo

    // AllocateLocallyUniqueId (LogonId)

    err = GetTokenInformationv2(pdi ? pdi->DomainControllerName : NULL, wszDomain, wszUser, &LocalTokenInformation, LogonId);

    err = g_pSec->CreateLogonSession(LogonId);

    if (ProfileBuffer)
    {
        *ProfileBuffer = NULL;
        *ProfileBufferLength = 0;
    }

    (*TokenInformationType) = LsaTokenInformationV2;
    (*TokenInformation) = LocalTokenInformation;

    return STATUS_SUCCESS;
}

GetTokenInformationv2(...){
    ....
    ....
    // Call LsaEnumerateAccountRights
    // check LookupPrivilegeValueW // It failed for "SeInteractiveLogonRight"
    //
    return STATUS_SUCCESS;
}
```

Is ProfileBuffer important for logon? I don't know why LSA cannot log on.

theB
  • While rights and privileges are usually interchangeable, I believe this is one of the cases where they aren't. Rights aren't added to the user's token, so presumably aren't needed in the TOKEN_PRIVILEGES structure. I can confirm that (as documented) LookupPrivilegeValue does not work for SeInteractiveLogonRight. Presumably, LsaApLogonUser is instead expected to validate the user's right to logon itself. – Harry Johnston Oct 28 '15 at 01:40
  • As for the profile buffer, the documentation doesn't say that you can set it to `NULL` so I would recommend creating a buffer as documented. Give it a reasonable size, say 32 bytes, and fill it with zeros. Once you've got it all working, you can experiment with this again. – Harry Johnston Oct 28 '15 at 01:43
  • @HarryJohnston, thanks, I have solved my problem. The profile buffer must be allocated with a minimum size (1 byte). – Jasim Uddin Oct 29 '15 at 12:51

1 Answer


The documentation does not say that the profile buffer can be set to NULL and it seems that it is indeed mandatory. The OP reports that allocating and returning a profile buffer (just a single byte was enough) resolved the problem. [Addendum: see the comment by Nehluxhes below, who reports that the buffer needs to contain valid data.]

The error when attempting to retrieve a LUID for SeInteractiveLogonRight was not relevant; the user's logon rights do not need to be included in the TOKEN_PRIVILEGES structure, so no LUID is needed, and as documented, the LookupPrivilegeValue function only accepts privileges:

> The LookupPrivilegeValue function supports only the privileges specified in the Defined Privileges section of Winnt.h.

(Note that the relevant section of winnt.h only contains definitions for SeXxxPrivilege; the definitions for SeXxxLogonRight are in ntsecapi.h.)

Harry Johnston
  • From my experience returning just a single byte is not sufficient; you need to return a proper MSV1_0_INTERACTIVE_PROFILE or KERB_INTERACTIVE_PROFILE. Wasted a *lot* of time on this. – Nehluxhes Apr 13 '23 at 11:19
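As an added example (not code from the question, the answer, or any Microsoft package), this shows the layout a real profile buffer needs under the documented LsaApLogonUser contract: the package allocates the buffer in the client's address space with AllocateClientBuffer, fills a local copy whose UNICODE_STRING pointers are rewritten to client addresses, and copies it over with CopyToClientBuffer. The type definitions mirror ntsecapi.h so the block compiles off Windows; the LSA dispatch-table calls are left out and `clientBase` is assumed to be the address AllocateClientBuffer returned.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
/* Mirrors of the ntsecapi.h/winnt.h types so this compiles off Windows. */
typedef uint16_t WCHAR;
typedef int64_t LARGE_INTEGER;
typedef struct { uint16_t Length; uint16_t MaximumLength; WCHAR *Buffer; } UNICODE_STRING;
enum { MsV1_0InteractiveProfile = 2 };            /* MSV1_0_PROFILE_BUFFER_TYPE */
typedef struct {
    uint32_t MessageType; uint16_t LogonCount; uint16_t BadPasswordCount;
    LARGE_INTEGER LogonTime, LogoffTime, KickOffTime,
                  PasswordLastSet, PasswordCanChange, PasswordMustChange;
    UNICODE_STRING LogonScript, HomeDirectory, FullName, ProfilePath,
                   HomeDirectoryDrive, LogonServer;
    uint32_t UserFlags;
} MSV1_0_INTERACTIVE_PROFILE;                     /* 160 bytes on x64, as on Windows */
static size_t wlen(const WCHAR *s) { size_t n = 0; while (s[n]) n++; return n; }
/* Store one string after the header and describe it with a UNICODE_STRING
 * whose Buffer already points into the client's copy that starts at clientBase. */
static void put_str(UNICODE_STRING *u, const WCHAR *src, uint8_t *local,
                    uintptr_t clientBase, size_t *off)
{
    size_t bytes = wlen(src) * sizeof(WCHAR);
    memcpy(local + *off, src, bytes + sizeof(WCHAR));          /* keep the NUL */
    u->Length = (uint16_t)bytes;
    u->MaximumLength = (uint16_t)(bytes + sizeof(WCHAR));
    u->Buffer = (WCHAR *)(clientBase + *off);
    *off += bytes + sizeof(WCHAR);
}
/* Build the image LsaApLogonUser would CopyToClientBuffer to clientBase (the address
 * AllocateClientBuffer returned). *outLen is what goes into *ProfileBufferLength. */
uint8_t *build_interactive_profile(const WCHAR *fullName, const WCHAR *logonServer,
                                   uintptr_t clientBase, size_t *outLen)
{
    size_t total = sizeof(MSV1_0_INTERACTIVE_PROFILE)
                 + (wlen(fullName) + 1 + wlen(logonServer) + 1) * sizeof(WCHAR);
    uint8_t *buf = calloc(1, total);        /* zeroed: empty strings, zero timestamps */
    if (!buf) return NULL;
    MSV1_0_INTERACTIVE_PROFILE *p = (MSV1_0_INTERACTIVE_PROFILE *)buf;
    size_t off = sizeof(*p);
    p->MessageType = MsV1_0InteractiveProfile;   /* a 1-byte buffer has no valid type */
    put_str(&p->FullName, fullName, buf, clientBase, &off);
    put_str(&p->LogonServer, logonServer, buf, clientBase, &off);
    *outLen = total;
    return buf;
}
/* Constructed sample input (spelled out: wchar_t is not 16-bit off Windows). */
static const WCHAR kSampleFullName[] = {'J','a','n','e',' ','D','o','e',0};
static const WCHAR kSampleServer[]   = {'D','C','1',0};
```

The local copy is freed once CopyToClientBuffer has run; the client releases its copy with LsaFreeReturnBuffer, as the LsaLogonUser documentation states.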