
I am writing a credential provider in Windows and I am trying to add UPN name login support to it. To do so I used `TranslateNameW`: `TranslateNameW(UPName, NameUserPrincipal, NameSamCompatible, buffer, &size);`, which gives me the SAM account name when provided with a UPN name and vice versa. This works only when the domain is online and won't work when the domain is offline.

The problem here is that when the domain user is cached and the domain is offline, I am not able to convert that UPN to a SAM name, and then Windows throws me an error saying "We can't sign you in with this credential because your domain isn't available. Make sure your device is connected to your organisation's network and try again. If you previously signed on this device with another credential, you can sign in with that credential." The Windows password credential provider works just fine in this scenario; it is able to translate UPN to SAM even when the domain is offline.

I can't parse the UPN name and convert it into a SAM name because it is not guaranteed that the UPN name always matches the SAM name, i.e. if the UPN is johndoe@example.com the SAM name need not necessarily be johndoe; it can be jdoe or anything.

So, my question is: how can I access the SAM account name of that cached domain user when the domain is offline? Is there any function in VC++ that returns the SAM name when provided with the UPN while the domain is offline? How can I handle this scenario?

Mohit
  • Hi Mohit, can you reproduce this issue in a general application instead of a credential provider? And could you show a mini, reproducible sample including a working *Windows password credential*? – Rita Han Jul 13 '20 at 06:57
  • I can provide a sample credential provider with this issue, how can I reach out to you to send the sample? @RitaHan-MSFT – Mohit Jul 13 '20 at 07:13
  • Add sample code in your question and make sure keep your private information unexposed. – Rita Han Jul 13 '20 at 07:16
  • @RitaHan-MSFT the question is of course not related to credential providers. `TranslateNameW` clearly says: *fails if it cannot bind to Active Directory on a domain controller.* In the case of password login, the call to `NetILogonSamLogon` (called from `LsaApLogonUserEx2`) in this case of course also returns `STATUS_NO_LOGON_SERVERS`, but then the cached credential for the user is used – RbMm Jul 13 '20 at 07:36
  • Here is the link to code https://github.com/multiOTP/multiOTPCredentialProvider/blob/master/MultiotpCredential.cpp please check out `GetSerialization` method where UPN name format is handled. @RitaHan-MSFT – Mohit Jul 13 '20 at 08:15
  • @Mohit Could you help to confirm the following information. **1.** Can you reproduce this issue in a general application instead of a credential provider? **2.** And what do you mean by "*Windows password credential*"? **3.** And how do you observe "*Windows password credential*" works well in offline mode? – Rita Han Jul 13 '20 at 09:13
  • 1. I didn't try with a general application; how can I do it? Like, create a normal C++ application that can use LogonUser() (https://learn.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-logonusera), pass credentials to it and see if it is working? 2. Sorry, it is a typing mistake; by Windows credential I meant the generic Windows Password credential provider. – Mohit Jul 13 '20 at 09:40
  • 3. I tried to log in to a cached domain user with UPN format where the user's SAM account name and UPN name are different, i.e. UPN: `johndoe.example.com`, SAM: `jdoe`, FlatName: `Example\jdoe`, and while trying to log in, the domain is offline. In this case the Windows CP worked and logged the user in, but my CP throws the error message that is mentioned in the question. And when I use the flat name instead of the UPN from my CP, that works. So my question is: how can I exchange the UPN for the flat name of the user when the domain is offline? @RitaHan-MSFT – Mohit Jul 13 '20 at 10:28
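As an added example (not the poster's code and not the multiOTP project's), here is the `TranslateNameW` call from the question wrapped in the two-call buffer pattern, with the translator injected as a function so that the buffer-growth path and the "cannot bind to a domain controller" failure path the comments describe can be exercised without a domain. On Windows the wrapper binds to the real `TranslateNameW` (build with `SECURITY_WIN32` defined and link `secur32.lib`); the `fakeTranslate` function, its single mapping, and the error code it returns when offline (1355, ERROR_NO_SUCH_DOMAIN) are constructed for the example and are an assumption about which Win32 error the real call sets. The wrapper deliberately returns the failure to the caller instead of guessing a SAM name, which is the fail-closed behaviour a credential provider wants here.

```cpp
// Added example: two-call TranslateNameW wrapper with an injectable translator.
#include <functional>
#include <string>
#include <vector>

#ifdef _WIN32
#  define SECURITY_WIN32
#  include <windows.h>
#  include <security.h>   // TranslateNameW, EXTENDED_NAME_FORMAT; link secur32.lib
#else
// Stand-ins so the wrapper compiles off-Windows; values mirror EXTENDED_NAME_FORMAT
// and winerror.h and are only consumed by the constructed fake below.
typedef unsigned long ULONG;
typedef unsigned long DWORD;
enum EXTENDED_NAME_FORMAT { NameSamCompatible = 2, NameUserPrincipal = 8 };
static const DWORD ERROR_INSUFFICIENT_BUFFER = 122;
#endif

// Same shape as TranslateNameW, plus an out parameter carrying the Win32 error
// (GetLastError() on the real binding) so the failure path is deterministic.
using Translator = std::function<bool(const wchar_t* name, EXTENDED_NAME_FORMAT from,
                                      EXTENDED_NAME_FORMAT to, wchar_t* buf,
                                      ULONG* size, DWORD* err)>;

struct TranslateResult {
    bool ok;
    std::wstring name;   // translated name when ok
    DWORD error;         // Win32 error code when !ok
};

// First call with a tiny buffer; on ERROR_INSUFFICIENT_BUFFER `size` holds the
// required length (terminator included) and we retry once. Any other failure,
// e.g. no reachable domain controller, is passed back unchanged so the caller
// can fall back (or refuse) rather than derive a SAM name from the UPN text.
TranslateResult upnToSam(const std::wstring& upn, const Translator& translate) {
    ULONG size = 1;
    std::vector<wchar_t> buf(size, L'\0');
    DWORD err = 0;
    if (translate(upn.c_str(), NameUserPrincipal, NameSamCompatible, buf.data(), &size, &err))
        return {true, std::wstring(buf.data()), 0};
    if (err != ERROR_INSUFFICIENT_BUFFER || size == 0)
        return {false, L"", err};
    buf.assign(size, L'\0');
    if (translate(upn.c_str(), NameUserPrincipal, NameSamCompatible, buf.data(), &size, &err))
        return {true, std::wstring(buf.data()), 0};
    return {false, L"", err};
}

#ifdef _WIN32
// Real binding: forward to the Win32 call and capture GetLastError() on failure.
bool win32Translate(const wchar_t* name, EXTENDED_NAME_FORMAT from, EXTENDED_NAME_FORMAT to,
                    wchar_t* buf, ULONG* size, DWORD* err) {
    if (TranslateNameW(name, from, to, buf, size)) return true;
    *err = GetLastError();
    return false;
}
#endif

// Constructed fake standing in for a domain controller: knows one account and
// reports a constructed "domain unreachable" error for anything else.
static const DWORD FAKE_OFFLINE_ERROR = 1355;  // ERROR_NO_SUCH_DOMAIN (assumed code)
bool fakeTranslate(const wchar_t* name, EXTENDED_NAME_FORMAT, EXTENDED_NAME_FORMAT,
                   wchar_t* buf, ULONG* size, DWORD* err) {
    const std::wstring in(name);
    if (in != L"johndoe@example.com") { *err = FAKE_OFFLINE_ERROR; return false; }
    const std::wstring sam = L"EXAMPLE\\jdoe";           // constructed SAM-compatible name
    const ULONG need = static_cast<ULONG>(sam.size()) + 1;
    if (*size < need) { *size = need; *err = ERROR_INSUFFICIENT_BUFFER; return false; }
    sam.copy(buf, sam.size());
    buf[sam.size()] = L'\0';
    *size = need;
    return true;
}
```

On Windows, `upnToSam(L"johndoe@example.com", win32Translate)` performs the real lookup; the test path below drives the same wrapper through `fakeTranslate`, which forces the insufficient-buffer retry before succeeding and returns the offline error for an unknown UPN.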

0 Answers