How to check domain credentials (from native code)?

I want to check a set of credentials against a domain controller, e.g.:

    Username: joel
    Password: splotchy
    Domain:   STACKOVERFLOW

In .NET 3.5 and later, you can use PrincipalContext.ValidateCredentials(username, password).

Otherwise, you have a problem.

Following the code in the Microsoft Knowledge Base article How to Verify User Credentials on Microsoft Operating Systems, I get to the point where AcceptSecurityContext is called:

    ss = AcceptSecurityContext(
        @pAS._hcred,          //[in] CredHandle structure
        phContext,            //[in,out] CtxtHandle structure
        @InBuffDesc,          //[in] SecBufferDesc structure
        0,                    //[in] context requirement flags
        SECURITY_NATIVE_DREP, //[in] target data representation
        @pAS._hctxt,          //[in,out] CtxtHandle structure
        @OutBuffDesc,         //[in,out] SecBufferDesc structure
        ContextAttributes,    //[out] context attribute flags
        @Lifetime);           //[out] TimeStamp structure

except that the function fails:

    SEC_E_NO_AUTHENTICATING_AUTHORITY (0x80090311)

The function failed. No authority could be contacted for authentication. This may be due to the following conditions:

  • Authenticator domain name is invalid.
  • Domain not available.
  • Trust relationships failed.

This would be a useful error, except that I can verify the same credentials from .NET 3.5 using:

    bool valid;
    using (PrincipalContext context = new PrincipalContext(ContextType.Domain, domain))
    {
        valid = context.ValidateCredentials(username, password);
    }

What can happen that allows .NET to validate a set of credentials while native code cannot?


Update: LogonUser also fails:

    LogonUser("joel@stackoverflow.com", null, "splotchy",
              LOGON32_LOGON_NETWORK, LOGON32_PROVIDER_WINNT50, out token);

with:

    1311 - There are currently no logon servers available to service the logon request

Update two. I tried both the preferred Negotiate provider and the legacy Windows NT NTLM provider:

    String package = "Negotiate"; //"NTLM"
    QuerySecurityPackageInfo(package, [out] packageInfo);
    ...
    AcquireCredentialsHandle(
        null,                 //[in] principal
        package,              //[in] package
        SECPKG_CRED_OUTBOUND, //[in] credential use
        null,                 //[in] LogonID
        pAuthIdentity,        //[in] authData
        null,                 //[in] GetKeyFn, not used and should be null
        null,                 //[in] GetKeyArgument, not used and should be null
        credHandle,           //[out] CredHandle structure
        expires);             //[out] expiration TimeStamp structure
1 answer

I suppose this should solve the same problem as the other question you posted.

I understand what you are trying to do now. Let me recall what you wrote in another post.

    Username  Password  Domain             Machine on domain?  Validate as
    ========  ========  =================  ==================  ==============
    iboyd     pass1     .                  No                  Local account
    iboyd     pass1     (empty)            No                  Local account
    iboyd     pass1     stackoverflow.com  No                  Domain account
    iboyd     pass1     .                  Yes                 Local account
    iboyd     pass1     (empty)            Yes                 Domain account
    iboyd     pass1     stackoverflow.com  Yes                 Domain account

Do you want to

  • authenticate a user from a domain that your computer does not trust,
  • authenticate a user from a domain that your computer trusts, or
  • authenticate a local user?

You can handle the first two cases by connecting to a domain controller correctly through SSPI. The KB article you are referring to in the other question does an SSPI loopback. It will not work in case number one, because the client machine does not trust the domain you are authenticating against. That is why you see SEC_E_NO_AUTHENTICATING_AUTHORITY.

In short, if you want to do the same thing as

    PrincipalContext.ValidateCredentials(username, password);

you need to treat the local user differently from the domain user. For a domain user, you need to call ldap_bind_s to bind to the domain controller using the specified credentials. For a local user, you need to use ADsOpenObject to bind to WinNT://YourComputerName using the specified credentials. This is what PrincipalContext.ValidateCredentials does, from what I read in Reflector.

I do not see a single equivalent native API that does the same for you.
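The two native calls the answer describes, as an added example that is not the question's or the answer's code: ldap_bind_s (wldap32.dll) for a domain account and ADsOpenObject (activeds.dll) against WinNT://<machine> for a local account, reached here from C# via P/Invoke in the same notation the question uses. It assumes a Windows host; the constants are the documented values from winldap.h and iads.h, and domain, user and password are supplied by the caller.

```csharp
using System;
using System.Runtime.InteropServices;
// Added example (not from the question or answer): the native path behind ValidateCredentials.
static class NativeCredentialCheck
{
    [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
    struct SEC_WINNT_AUTH_IDENTITY          // credential block accepted by ldap_bind_s
    {
        public string User; public uint UserLength; public string Domain; public uint DomainLength;
        public string Password; public uint PasswordLength;
        public uint Flags;                   // SEC_WINNT_AUTH_IDENTITY_UNICODE = 2
    }
    [DllImport("wldap32.dll", CharSet = CharSet.Unicode, EntryPoint = "ldap_initW")]
    static extern IntPtr ldap_init(string host, uint port);
    [DllImport("wldap32.dll", CharSet = CharSet.Unicode, EntryPoint = "ldap_bind_sW")]
    static extern uint ldap_bind_s(IntPtr ld, string dn, ref SEC_WINNT_AUTH_IDENTITY cred, uint method);
    [DllImport("wldap32.dll")]
    static extern uint ldap_unbind(IntPtr ld);
    [DllImport("activeds.dll", CharSet = CharSet.Unicode)]
    static extern int ADsOpenObject(string path, string user, string password, uint flags,
                                    ref Guid riid, [MarshalAs(UnmanagedType.IUnknown)] out object obj);
    const uint LDAP_PORT = 389, LDAP_AUTH_NEGOTIATE = 0x486, LDAP_SUCCESS = 0;
    const uint ADS_SECURE_AUTHENTICATION = 0x1;
    static readonly Guid IID_IADs = new Guid("FD8256D0-FD15-11CE-ABC4-02608C9E7553");

    // Domain account: Negotiate (Kerberos/NTLM) bind to a DC of that domain. Each failed bind
    // counts against the account's lockout threshold on the DC, so do not retry blindly.
    public static bool ValidateDomainUser(string domain, string user, string password)
    {
        IntPtr ld = ldap_init(domain, LDAP_PORT);       // DNS domain name, e.g. stackoverflow.com
        if (ld == IntPtr.Zero) return false;             // no DC reachable: cannot decide
        try {
            var id = new SEC_WINNT_AUTH_IDENTITY {
                User = user, UserLength = (uint)user.Length,
                Domain = domain, DomainLength = (uint)domain.Length,
                Password = password, PasswordLength = (uint)password.Length, Flags = 2 };
            return ldap_bind_s(ld, null, ref id, LDAP_AUTH_NEGOTIATE) == LDAP_SUCCESS;
        } finally { ldap_unbind(ld); }
    }

    // Local account: ADSI WinNT provider bind to this machine's local SAM, as the answer describes.
    public static bool ValidateLocalUser(string user, string password)
    {
        string machine = Environment.MachineName;
        Guid iid = IID_IADs; object obj;
        int hr = ADsOpenObject("WinNT://" + machine, machine + "\\" + user, password,
                               ADS_SECURE_AUTHENTICATION, ref iid, out obj);
        if (obj != null) Marshal.ReleaseComObject(obj);
        return hr >= 0;                                   // S_OK on success; failures are negative HRESULTs
    }
}
```

A bind failure tells you only that the credentials were rejected; the LDAP result code or HRESULT distinguishes a bad password from an unreachable or untrusted domain, which is the case the question's SSPI loopback cannot handle.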


Source: https://habr.com/ru/post/910825/
