date: Fri, 20 Jun 2008 10:45:34 -0700 (PDT)    group: microsoft.public.platformsdk.security


Using DPAPI under NPLogonNotify processing   
I have a service running under local system account that processes
NPLogonNotify calls. As part of its processing my service uses DPAPI
to unprotect data for the logged on user.

.....
ImpersonateLoggedOnUser(hUserToken) ;
if (CryptUnprotectData(auth, &pDescOut, optionalEntropy, NULL, NULL,
CRYPTPROTECT_UI_FORBIDDEN, &external_data))
{
           bContinueAuth = TRUE ;
}

The data was protected as part of the Logon event (Winlogon Notification
Package) for the same user that is received in NPLogonNotify. Since
this processing is done in a service, I do impersonate the user both
during protection and unprotection.

However the call to unprotect data fails with FILE NOT FOUND error.

I logged the Application Data path for the current user at the time of
failure and it shows the Network Service profile's application data
path.

To get around this I tried LoadUserProfile for the just logged in
user, and even that hangs.

Does anyone know how I can get around these problems? All I want to do
is to unprotect some data for the user logging into the system at the
time NPLogonNotify call is received.

Just a note if it helps: User has roaming profile.

Thanks
Brijesh Mishra
date: Fri, 20 Jun 2008 10:45:34 -0700 (PDT)   author:   brijesh mishra

RE: Using DPAPI under NPLogonNotify processing   
Hi,

When NPLogonNotify is called, the user profile is not loaded into memory 
yet. DPAPI relies on the user profile information to do its computations. So, 
you can't call DPAPI functions inside NPLogonNotify, and LoadUserProfile will 
also fail for the same reason. 

I advise you to use a cryptographic API other than DPAPI in order to 
protect/unprotect the user's data during logon notifications. 

Cheers,
-- 
Mounir IDRASSI
IDRIX
http://www.idrix.fr

to reach : mounir_idrix_fr (replace the underscores with the at and dot 
characters respectively)


"brijesh mishra" wrote:

> I have a service running under local system account that processes
> NPLogonNotify calls. As part of its processing my service uses DPAPI
> to unprotect data for the logged on user.
> 
> ......
> ImpersonateLoggedOnUser(hUserToken) ;
> if (CryptUnprotectData(auth, &pDescOut, optionalEntropy, NULL, NULL,
> CRYPTPROTECT_UI_FORBIDDEN, &external_data))
> {
>            bContinueAuth = TRUE ;
> }
> 
> The data was protected as part of the Logon event (Winlogon Notification
> Package) for the same user that is received in NPLogonNotify. Since
> this processing is done in a service, I do impersonate the user both
> during protection and unprotection.
> 
> However the call to unprotect data fails with FILE NOT FOUND error.
> 
> I logged the Application Data path for the current user at the time of
> failure and it shows the Network Service profile's application data
> path.
> 
> To get around this I tried LoadUserProfile for the just logged in
> user, and even that hangs.
> 
> Does anyone know how I can get around these problems? All I want to do
> is to unprotect some data for the user logging into the system at the
> time NPLogonNotify call is received.
> 
> Just a note if it helps: User has roaming profile.
> 
> Thanks
> Brijesh Mishra
>
date: Sat, 21 Jun 2008 16:59:00 -0700   author:   Mounir IDRASSI

Re: Using DPAPI under NPLogonNotify processing   
Not sure if it would work, but if you had the username/password/domain
from the NPLogonNotify event, you could try the following functions to
load the user's profile from your service:
   LogonUser()
   LoadUserProfile()
   (and if needed) ImpersonateLoggedOnUser()

Keep in mind that this would create a "loop" in your LogonNotify
event, but you can check the lpStationName param in NPLogonNotify() to
see if the logon was done programmatically (L"SvcCtl") and ignore it.
Here's the NPLogonNotify documentation: http://msdn.microsoft.com/en-us/library/aa378804(VS.85).aspx

   -Gregg

PS - Apologies for replying via email Mounir!
date: Mon, 23 Jun 2008 08:01:57 -0700 (PDT)   author:   Gregg

Re: Using DPAPI under NPLogonNotify processing   
On Jun 23, 10:01 am, Gregg wrote:
> Not sure if it would work, but if you had the username/password/domain
> from the NPLogonNotify event, you could try the following functions to
> load the user's profile from your service:
>    LogonUser()
>    LoadUserProfile()
>    (and if needed) ImpersonateLoggedOnUser()
>
> Keep in mind that this would create a "loop" in your LogonNotify
> event, but you can check the lpStationName param in NPLogonNotify() to
> see if the logon was done programmatically (L"SvcCtl") and ignore it.
> Here's the NPLogonNotify documentation: http://msdn.microsoft.com/en-us/library/aa378804(VS.85).aspx
>
>    -Gregg
>
> PS - Apologies for replying via email Mounir!

This is exactly what I did to get it working. Since I was using
roaming profile, I had to call the LoadUserProfile with profile path
set to path on local machine. And that worked.

thanks
Brijesh Mishra
date: Tue, 24 Jun 2008 15:36:22 -0700 (PDT)   author:   brijesh mishra
