date: 12 Jun 2008 17:19:20 GMT,    group: microsoft.public.platformsdk.security


Basics of Implementing a new authentication provider   
Hi,

I'm having an inordinate number of problems just trying to replace the 
Windows authentication process.  It's been a number of years since I've 
done Windows development, so maybe I'm missing something obvious.

As a minimal first step, I'm looking at replacing authentication with one 
that ignores the password, picks a random number, and has a 50% chance of 
either failing or succeeding.  Here's what I'm doing:

1. I'm building a DLL that implements all of the functions at

http://msdn.microsoft.com/en-us/library/aa374731
(VS.85).aspx#functions_implemented_by_authentication_packages

(sorry the URL is wrapping).

The LsaApInitialize function looks like this:

extern "C"
TESTLOGIN_API NTSTATUS LsaApInitializePackage(
	__in      ULONG AuthenticationPackageId,
	__in      PLSA_DISPATCH_TABLE LsaDispatchTable,
	__in_opt  PLSA_STRING Database,
	__in_opt  PLSA_STRING Confidentiality,
	__out     PLSA_STRING* AuthenticationPackageName
	)
{
	srand(time(NULL));

	PLSA_STRING name = NULL;

	dispatch = LsaDispatchTable;

	/* Allocate and set the name of the authentication package. */
	if (!(name = (LSA_STRING *)
            dispatch->AllocateLsaHeap (sizeof *name)))
	{
		return STATUS_NO_MEMORY;
	}
	if (!(name->Buffer = (char *) dispatch->AllocateLsaHeap(
            sizeof (TESTLOGIN_PKG_NAME) + 1)))
	{
		dispatch->FreeLsaHeap(name);
		return STATUS_NO_MEMORY;
	}

	name->Length = sizeof(TESTLOGIN_PKG_NAME) - 1;
	name->MaximumLength = sizeof(TESTLOGIN_PKG_NAME);
	strcpy(name->Buffer, TESTLOGIN_PKG_NAME);

	(*AuthenticationPackageName) = name;

	return STATUS_SUCCESS;
}

The remaining functions are just stubbed out at the moment, but it 
doesn't appear that I'm getting far enough for there to be any chance 
they are called.

2. I'm taking the resulting DLL, and copying it into Windows\System32.
3. I'm adding the name of the DLL (I've tried with and without the 
extension, and with and without a full path) to 
HKEY_LOCAL_SYSTEM\SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages.  
I've added this DLL first, though I don't know if that matters.

But then when I reboot the system, the login proceeds as normal.  This 
means that I always get in with the correct password, and never with the 
incorrect one.  I'd expect something to change, but it looks like Windows 
is still using its own authentication.

So what am I missing here?  Or alternatively, can anyone point me to a 
set of publicly available sample code to do something like this?

Thanks,

-- 
Chris Smith
date: 12 Jun 2008 17:19:20 GMT   author:   Chris Smith

RE: Basics of Implementing a new authentication provider   
Hi Chris,

I have implemented a small stub authentication package ("idxauth") like you 
and it's loaded by LSA without any problem. Like you, I have put the dll 
"idxauth.dll" in System32 and I added the name of the dll ("idxauth" without 
the extension) to the registry value "Authentication Packages" AFTER 
msv1_0.  I have done this test under Windows XP SP2.
You can download my Visual C++ 2005 solution from the following link :
http://www.idrix.fr/Root/Samples/AuthenticationPackage.zip

Maybe if you put your dll after msv1_0 like me it will work. 
Let me know if you have the same problem using my source.

Cheers,
-- 
Mounir IDRASSI
IDRIX
http://www.idrix.fr

to reach : mounir_idrix_fr (replace the underscores with the at and dot 
characters respectively)


date: Fri, 13 Jun 2008 16:46:01 -0700   author:   Mounir IDRASSI
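
A defender-side check for the registration step discussed in this thread, added here as an example that is not part of any post: it lists what is registered in the "Authentication Packages" value, in order, resolves each entry to a file and reports its signature. It assumes the Lsa key under HKLM and a baseline of msv1_0 only; $Baseline is a hypothetical parameter to adjust per environment.

```powershell
# Added example: audit the LSA "Authentication Packages" value on the local machine.
# Assumption: only msv1_0 is expected; pass -Baseline to extend the list.
param(
    [string[]]$Baseline = @('msv1_0')
)

$lsaKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$packages = (Get-ItemProperty -Path $lsaKey -Name 'Authentication Packages').'Authentication Packages'

$position = 0
$report = foreach ($entry in $packages) {
    if ([string]::IsNullOrWhiteSpace($entry)) { continue }
    $position++

    # Entries may be a bare name, a name with extension, or a full path
    # (the three forms tried in the thread), so normalise all of them.
    $name = [IO.Path]::GetFileNameWithoutExtension($entry)
    if ([IO.Path]::IsPathRooted($entry)) {
        $file = $entry
    } else {
        $file = Join-Path $env:SystemRoot "System32\$entry"
    }
    if (-not [IO.Path]::HasExtension($file)) { $file += '.dll' }

    $exists = Test-Path -LiteralPath $file
    $sig    = if ($exists) { Get-AuthenticodeSignature -FilePath $file } else { $null }

    [pscustomobject]@{
        Position   = $position                    # order in the multi-string value
        Entry      = $entry
        InBaseline = $Baseline -contains $name    # case-insensitive match
        File       = $file
        Exists     = $exists
        Signature  = if ($sig) { $sig.Status } else { 'n/a' }
        Signer     = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    }
}

$report | Format-Table -AutoSize

# Anything outside the baseline is code that LSA is configured to load at boot.
$unexpected = @($report | Where-Object { -not $_.InBaseline })
if ($unexpected.Count -gt 0) {
    Write-Warning ("Packages outside the baseline: " + ($unexpected.Entry -join ', '))
}
```

On older PowerShell versions catalog-signed system files can be reported as NotSigned, so treat the Signature column as a lead for follow-up rather than a verdict.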

Re: Basics of Implementing a new authentication provider   
Hi Mounir,

Thanks for this small stub. I think it will be very useful to me. 
However I still have 2 questions for you:

- 1. About the registration, you said you need to copy the dll into 
System32 and add the registry key. Where do you do this? On a client 
machine, on the server (for example the domain controller) or on both?

- 2. Have you ever tried to hook up your own authentication package with 
   your own credential provider on Vista? I just would like to be sure 
it's possible.

Some information about what I would like to do:
Let's say that I have a very simple infrastructure with 10 users, 10 
machines and a server (DC). My machines are all running Vista and the 
server is on Win 2K3 Server. I've already created a special credential 
provider which collects special information for authentication 
(username, domain and some special information -but no password). Now I 
would like to validate the information I've collected and let the user 
login/unlock the workstation or not.

As far as I know I need to create an authentication package. I don't 
think a sub-authentication package can do what I want as I don't collect 
username, domain and password from the user. Tell me if I'm wrong!

Thank you for your help,
Yannick

date: Sun, 15 Jun 2008 18:35:25 +0100   author:   Yannick
