I have developed a custom authentication package that I would like to use for interactive logon. It creates the access token in the LsaApLogonUser function.

When I call LsaLogonUser from an application I can enumerate new user sessions, but when I use it for logon (I have also created a custom credential provider) I can see in the Windows Event log that I was successfully logged in and then logged out.

When I select my specific credential and try to log on, it enters the LsaApLogonUser API of my authentication package. If I check the log file, LsaApLogonUser returns STATUS_SUCCESS. But Windows is not logged on. After leaving LsaApLogonUser, LSA calls the LsaApLogonTerminated API and returns to LogonUI.

When I prepared the TokenInformation, LookupPrivilegeValueW failed for SeInteractiveLogonRight. I don't know if this is important for logon.
    NTSTATUS LsaApLogonUser(...)
    {
        // ...
        // NetUserGetInfo
        // AllocateLocallyUniqueId (LogonId)
        err = GetTokenInformationv2(pdi ? pdi->DomainControllerName : NULL,
                                    wszDomain, wszUser, &LocalTokenInformation, LogonId);
        err = g_pSec->CreateLogonSession(LogonId);   // err is not checked here
        if (ProfileBuffer)
        {
            *ProfileBuffer = NULL;        // no profile buffer is returned to LSA
            *ProfileBufferLength = 0;
        }
        (*TokenInformationType) = LsaTokenInformationV2;
        (*TokenInformation) = LocalTokenInformation;
        return STATUS_SUCCESS;
    }

    NTSTATUS GetTokenInformationv2(...)
    {
        // ...
        // Call LsaEnumerateAccountRights
        // check LookupPrivilegeValueW // It failed for "SeInteractiveLogonRight"
        //
        return STATUS_SUCCESS;
    }
Is ProfileBuffer important for logon? I don't know why LSA cannot log on.
The documentation does not say that the profile buffer can be set to NULL, and it seems that it is indeed mandatory. The OP reports that allocating and returning a profile buffer (just a single byte was enough) resolved the problem. [Addendum: see the comment by Nehluxhes below, who reports that the buffer needs to contain valid data.]

The error when attempting to retrieve a LUID for SeInteractiveLogonRight was not relevant; the user's logon rights do not need to be included in the TOKEN_PRIVILEGES structure, so no LUID is needed, and as documented, the LookupPrivilegeValue function only accepts privileges:

(Note that the relevant section of winnt.h only contains definitions for SeXxxPrivilege; the definitions for SeXxxLogonRight are in ntsecapi.h.)
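The privilege-versus-logon-right distinction in the answer is easy to get wrong when building TokenInformation from the list that LsaEnumerateAccountRights returns. The following is an added example (not code from the question, the answer, or any Microsoft header) that classifies account-right names by their suffix, keeps only the SeXxxPrivilege entries for LookupPrivilegeValue and TOKEN_PRIVILEGES, and applies the interactive allow/deny logon rights as a policy check instead. It assumes narrow strings and a constructed sample rights list so that it builds on any platform; real authentication-package code works with wide strings and the actual LSA output.

```c
#include <stddef.h>
#include <string.h>

/* Added example, not from the question or answer. Classifies the names
 * returned by LsaEnumerateAccountRights so that only real privileges
 * (SeXxxPrivilege, which have LUIDs) are passed to LookupPrivilegeValue
 * and placed in TOKEN_PRIVILEGES. Logon rights (SeXxxLogonRight) have no
 * LUID, so LookupPrivilegeValue fails on them, as the question observed.
 * Narrow char strings are a simplification; LSA code uses wide strings. */

typedef enum {
    RIGHT_PRIVILEGE,   /* belongs in the token's TOKEN_PRIVILEGES */
    RIGHT_LOGON_RIGHT, /* policy check only, never placed in the token */
    RIGHT_UNKNOWN
} right_kind;

static int ends_with(const char *s, const char *suffix)
{
    size_t ls = strlen(s), lx = strlen(suffix);
    return ls >= lx && strcmp(s + ls - lx, suffix) == 0;
}

right_kind classify_account_right(const char *name)
{
    if (strncmp(name, "Se", 2) != 0)
        return RIGHT_UNKNOWN;
    if (ends_with(name, "Privilege"))
        return RIGHT_PRIVILEGE;
    if (ends_with(name, "LogonRight"))
        return RIGHT_LOGON_RIGHT;
    return RIGHT_UNKNOWN;
}

/* Copy the names that may be resolved with LookupPrivilegeValue into out[];
 * returns how many were selected. */
size_t select_token_privileges(const char *const *rights, size_t count,
                               const char **out, size_t out_max)
{
    size_t n = 0;
    for (size_t i = 0; i < count && n < out_max; i++)
        if (classify_account_right(rights[i]) == RIGHT_PRIVILEGE)
            out[n++] = rights[i];
    return n;
}

/* Interactive logon is permitted only when the account holds the allow
 * right and not the matching deny right; a deny right always wins. */
int interactive_logon_permitted(const char *const *rights, size_t count)
{
    int allow = 0, deny = 0;
    for (size_t i = 0; i < count; i++) {
        if (strcmp(rights[i], "SeInteractiveLogonRight") == 0)
            allow = 1;
        if (strcmp(rights[i], "SeDenyInteractiveLogonRight") == 0)
            deny = 1;
    }
    return allow && !deny;
}

/* Constructed sample of what LsaEnumerateAccountRights might return for a
 * member of the local Users group (not captured from a real system). */
static const char *const sample_rights[] = {
    "SeInteractiveLogonRight",
    "SeChangeNotifyPrivilege",
    "SeShutdownPrivilege",
    "SeNetworkLogonRight",
    "SeUndockPrivilege",
};
const size_t sample_rights_count =
    sizeof sample_rights / sizeof sample_rights[0];

int main(void)
{
    const char *privs[8];
    size_t n = select_token_privileges(sample_rights, sample_rights_count,
                                       privs, 8);
    /* Three privileges are kept; both logon rights are left out of the token. */
    return (n == 3 &&
            interactive_logon_permitted(sample_rights, sample_rights_count))
           ? 0 : 1;
}
```

In a real package the names selected by select_token_privileges are the ones that go through LookupPrivilegeValue into TOKEN_PRIVILEGES, while the result of interactive_logon_permitted decides whether the logon should proceed at all; keeping the two lists apart avoids the spurious LookupPrivilegeValue failure described in the question.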