local-security-authority

Implementation of Custom Windows Authentication Package - LsaApUserLogonEx

阅读更多关于 Implementation of Custom Windows Authentication Package - LsaApUserLogonEx

问题 I have been working on LSA auth package for introducing my custom logon mechanism in windows 10. So far, I have been successful in registering the auth package and get my LsaLogonUserEx method called by LSA. Now the thing which I am stuck at is how to prepare the OUT parameters of LsaApLogOnUser method. NTSTATUS NTAPI LsaApLogonUserEx( IN PLSA_CLIENT_REQUEST ClientRequest, IN SECURITY_LOGON_TYPE LogonType, IN PVOID ProtocolSubmitBuffer, IN PVOID ClientBufferBase, IN ULONG SubmitBufferSize,

How to programmatically figure out if a user account is a member of a particular group in Windows?

阅读更多关于 How to programmatically figure out if a user account is a member of a particular group in Windows?

问题 Given a group name and a user account, I would like to know if the supplied user belongs to a particular group. The user can be a local user or a domain user and the group could be a local group or a domain group and the group could also be nested inside other groups. In short I am looking for a function like bool IsUserMemberOf(User, Group) that will internally call the appropriate Win32 APIs to do the search. I guess the process making the above query should have the necessary privileges to

How do I correctly call LsaLogonUser for an interactive logon?

阅读更多关于 How do I correctly call LsaLogonUser for an interactive logon?

问题 I'm trying to use LsaLogonUser to create an interactive logon session, but it always returns STATUS_INVALID_INFO_CLASS (0xc0000003). From what I have found in searching online, the memory layout of the KERB_INTERACTIVE_LOGON structure is tricky, but I'm pretty sure I've done that right. I've also tried using MSV1.0 instead of Kerberos, with MSV1_0_INTERACTIVE_LOGON for the authentication structure and MSV1_0_PACKAGE_NAME as the package name, but that fails with STATUS_BAD_VALIDATION_CLASS

How do I correctly call LsaLogonUser for an interactive logon?

阅读更多关于 How do I correctly call LsaLogonUser for an interactive logon?

I'm trying to use LsaLogonUser to create an interactive logon session, but it always returns STATUS_INVALID_INFO_CLASS (0xc0000003). From what I have found in searching online, the memory layout of the KERB_INTERACTIVE_LOGON structure is tricky, but I'm pretty sure I've done that right. I've also tried using MSV1.0 instead of Kerberos, with MSV1_0_INTERACTIVE_LOGON for the authentication structure and MSV1_0_PACKAGE_NAME as the package name, but that fails with STATUS_BAD_VALIDATION_CLASS (0xc00000a7). Can anyone tell what I'm doing wrong here? Here's the code, with most of the error handling

How to programmatically figure out if a user account is a member of a particular group in Windows?

阅读更多关于 How to programmatically figure out if a user account is a member of a particular group in Windows?

Given a group name and a user account, I would like to know if the supplied user belongs to a particular group. The user can be a local user or a domain user and the group could be a local group or a domain group and the group could also be nested inside other groups. In short I am looking for a function like bool IsUserMemberOf(User, Group) that will internally call the appropriate Win32 APIs to do the search. I guess the process making the above query should have the necessary privileges to query local and AD groups. I guess runing the process under enterprise admin account should do the job