Mirror

LogonUser() Win API call vs SSPI call (Views: 101)


Problem/Question/Abstract:

LogonUser() Win API call vs SSPI call

Answer:

In my NT/W2000 Net Admin Unit I have the following call ...

function ValidateUserLogonAPI(const UserName: string;
  const Domain: string;
  const PassWord: string): boolean;
var
  Retvar: boolean;
  LHandle: THandle;
begin
  Retvar := LogonUser(PChar(UserName),
    PChar(Domain), PChar(PassWord),
    LOGON32_LOGON_NETWORK,
    LOGON32_PROVIDER_DEFAULT,
    LHandle);
  if Retvar then
    CloseHandle(LHandle);
  Result := Retvar;
end;

This call can fail with "INSUFFICIENT_PRIVILEGES". On searching the web the following text was found ...
"The LogonUser API has been available and documented since Windows NT 3.51, and is commonly used to verify user credentials. This API is available on Windows NT, Windows 2000, and Windows XP. Unfortunately, there are some restrictions on using LogonUser that are not always convenient to satisfy.

The first and biggest of these restrictions is that on Windows NT and Windows 2000, the process that is calling LogonUser must have the SE_TCB_NAME privilege (in User Manager, this is the "Act as part of the Operating System" right). The SE_TCB_NAME privilege is very powerful and should not be granted to any arbitrary user just so that they can run an application that needs to validate credentials. The recommended method is to call LogonUser from a service that is running in the local system account, because the local system account already has the SE_TCB_NAME privilege.

NOTE:         LogonUser Win32 API does not require TCB privilege in .NET Server, however, for downlevel                                
                                captibility, this is still the best approach.

On Windows XP, it is no longer required that a process have the SE_TCB_NAME privilege in order to call LogonUser. Therefore, the simplest method to validate a user's credentials on Windows XP, is to call the LogonUser API.

One other problem with LogonUser is that the API is not implemented on Windows 95, Windows 98, or Windows Millennium Edition.

As another option, you can use the Security Support Provider Interface (SSPI) to do a network style logon with provided user credentials. This method of validation has the advantage of not requiring any special privilege. The end result of using the SSPI services to validate the credentials is a logon that is analogous to calling the LogonUser API with the LOGON32_LOGON_NETWORK logon type. The biggest downside to this type of logon is that you cannot access remote network resources after impersonating a network type logon. If your application is calling LogonUser with the LOGON32_LOGON_INTERACTIVE logon type to workaround Windows NT's inability to perform delegation, then the SSPI logon/validation will probably not be a viable alternative."

The following function encapsulates SECUR32.DLL and uses the SSPI calls. (SECURITY.DLL is also available on W95 etc. if anyone wants to map to this as well)

unit ValLogonW2000;

interface
uses Windows;

// Prototype
function LogonUserSSPI(const UserName, Domain, Password: string): boolean;

// -------------------------------------------------------------------------
implementation

type
  // Secur32.dll function prototypes
  TQueryPackageInfo = function(PackageName: PChar;
    var PackageInfo: pointer): integer; stdcall;

  TFreeContextBuffer = function(pBuffer: pointer): integer; stdcall;

  TFreeCredentialsHandle = function(var hCred: Int64): integer; stdcall;

  TDeleteSecurityContext = function(var hCred: Int64): integer; stdcall;

  TAcquireCredentialsHandle = function(pszPrincipal: PChar;
    pszPackage: PChar;
    fCredentialUse: DWORD;
    pvLogonID: DWORD;
    pAuthData: pointer;
    pGetKeyFn: DWORD;
    pvGetKeyArgument: pointer;
    var phCredential: Int64;
    var ptsExpiry: DWORD): integer; stdcall;

  TInitializeSecurityContext = function(var phCredential: Int64;
    phContext: pointer;
    pszTargetName: PChar;
    fContextReq: DWORD;
    Reserved1: DWORD;
    TargetDataRep: DWORD;
    pInput: pointer;
    Reserved2: DWORD;
    var phNewContext: Int64;
    pOutput: pointer;
    var pfContextAttr: Int64;
    var ptsExpiry: DWORD): integer; stdcall;

  TAcceptSecurityContext = function(var phCredential: Int64;
    phContext: pointer;
    pInput: pointer;
    fContextReq: DWORD;
    TargetDataRep: DWORD;
    var phNewContext: Int64;
    pOutput: pointer;
    var pfContextAttr: Int64;
    var ptsExpiry: DWORD): integer; stdcall;

  // AcquireCredentialsHandle() Internal Structure
  PAuthIdentity = ^TAuthIdentity;
  TAuthIdentity = packed record
    User: PChar;
    UserLength: DWORD;
    Domain: PChar;
    DomainLength: DWORD;
    Password: PChar;
    PasswordLength: DWORD;
    Flags: DWORD;
  end;

  // QuerySecurityPackageInfo Internal Structure
  PSecPkgInfo = ^TSecPkgInfo;
  TSecPkgInfo = packed record
    Capabilities: DWORD;
    Version: WORD;
    RPCID: WORD;
    MaxToken: DWORD;
    Name: PChar;
    Comment: PChar;
  end;

  // InitializeSecurityContext() Internal structure
  PSecBuffer = ^TSecBuffer;
  TSecBuffer = packed record
    cbBuffer: DWORD;
    BufferType: DWORD;
    pvBuffer: pointer;
  end;

  PSecBuffDesc = ^TSecBuffDesc;
  TSecBuffDesc = packed record
    ulVersion: DWORD;
    cBuffers: DWORD;
    pBuffers: PSecBuffer;
  end;

function LogonUserSSPI(const UserName, Domain, Password: string): boolean;
var
  Retvar: boolean;
  FSecHandle: THandle;
  AuthIdentity: TAuthIdentity;
  pIdentity: PAuthIdentity;
  ContextAttr,
    hcTxt2, hCred2,
    hcTxt, hCred: Int64;
  pBuffer: pointer;
  E: integer;
  MaxToken,
    LifeTime: DWORD;
  InSecBuff, InSecBuff2,
    OutSecBuff, OutSecBuff2: TSecBuffer;
  InBuffDesc, InBuffDesc2,
    OutBuffDesc, OutBuffDesc2: TSecBuffDesc;
  pOut, pOut2,
    pBuffDesc, pBuffDesc2: pointer;
  FQueryPackageInfo: TQueryPackageInfo;
  FFreeContextBuffer: TFreeContextBuffer;
  FAcquireCredHandle: TAcquireCredentialsHandle;
  FFreeCredHandle: TFreeCredentialsHandle;
  FInitSecContext: TInitializeSecurityContext;
  FDelSecContext: TDeleteSecurityContext;
  FAcceptSecContext: TAcceptSecurityContext;
begin
  Retvar := false;
  FSecHandle := LoadLibrary('SECUR32.DLL');
  FQueryPackageInfo := nil;
  FFreeContextBuffer := nil;
  FAcquireCredHandle := nil;
  FFreeCredHandle := nil;
  FInitSecContext := nil;
  FDelSecContext := nil;
  FAcceptSecContext := nil;

  if FSecHandle <> 0 then
  begin
    @FQueryPackageInfo := GetProcAddress(FSecHandle, 'QuerySecurityPackageInfoA');
    @FFreeContextBuffer := GetProcAddress(FSecHandle, 'FreeContextBuffer');
    @FAcquireCredHandle := GetProcAddress(FSecHandle, 'AcquireCredentialsHandleA');
    @FInitSecContext := GetProcAddress(FSecHandle, 'InitializeSecurityContextA');
    @FFreeCredHandle := GetProcAddress(FSecHandle, 'FreeCredentialsHandle');
    @FDelSecContext := GetProcAddress(FSecHandle, 'DeleteSecurityContext');
    @FAcceptSecContext := GetProcAddress(FSecHandle, 'AcceptSecurityContext');
  end;

  if FSecHandle <> 0 then
  begin
    AuthIdentity.User := PChar(UserName);
    AuthIdentity.UserLength := length(UserName);
    AuthIdentity.Domain := PChar(Domain);
    AuthIdentity.DomainLength := length(Domain);
    AuthIdentity.Password := PChar(Password);
    AuthIdentity.PasswordLength := length(Password);
    AuthIdentity.Flags := 1; // SEC_WINNT_AUTH_IDENTITY_ANSI
    pIdentity := @AuthIdentity;

    if FQueryPackageInfo('NTLM', pBuffer) = NO_ERROR then
    begin
      MaxToken := PSecPkgInfo(pBuffer).MaxToken;
      FFreeContextBuffer(pBuffer);

      // Negotiate Client Initialisation
      if FAcquireCredHandle(nil, 'NTLM', 2, 0, pIdentity, 0,
        nil, hCred, LifeTime) = NO_ERROR then
      begin
        pOut := HeapAlloc(GetProcessHeap, 8, MaxToken);
        pOut2 := HeapAlloc(GetProcessHeap, 8, MaxToken);
        OutSecBuff.pvBuffer := pOut;
        OutSecBuff.cbBuffer := MaxToken;
        OutSecBuff.BufferType := 2; // SEC_BUFFER_TOKEN
        OutBuffDesc.ulVersion := 0;
        OutBuffDesc.cBuffers := 1;
        OutBuffDesc.pBuffers := @OutSecBuff;
        pBuffDesc := @OutBuffDesc;
        E := FInitSecContext(hCred, nil, 'AuthSamp', 0, 0, 16, nil, 0,
          hcTxt, pBuffDesc, ContextAttr, LifeTime);

        // Challenge
        if (E >= 0) and
          (FAcquireCredHandle(nil, 'NTLM', 1, 0, nil, 0,
          nil, hCred2, LifeTime) = NO_ERROR) then
        begin

          InSecBuff2.cbBuffer := OutSecBuff.cbBuffer;
          InSecBuff2.pvBuffer := OutSecBuff.pvBuffer;
          InSecBuff2.BufferType := 2; // SEC_BUFFER_TOKEN
          InBuffDesc2.ulVersion := 0;
          InBuffDesc2.cBuffers := 1;
          InBuffDesc2.pBuffers := @InSecBuff2;
          OutSecBuff2.cbBuffer := MaxToken;
          OutSecBuff2.pvBuffer := pOut2;
          OutSecBuff2.BufferType := 2; // SEC_BUFFER_TOKEN
          OutBuffDesc2.ulVersion := 0;
          OutBuffDesc2.cBuffers := 1;
          OutBuffDesc2.pBuffers := @OutSecBuff2;
          pBuffDesc := @InBuffDesc2;
          pBuffDesc2 := @OutBuffDesc2;

          E := FAcceptSecContext(hCred2, nil, pBuffDesc, 0, 16, hcTxt2, pBuffDesc2,
            ContextAttr, LifeTime);
          if E >= 0 then
          begin
            // Authenticate
            InSecBuff.cbBuffer := OutSecBuff2.cbBuffer;
            InSecBuff.pvBuffer := OutSecBuff2.pvBuffer;
            InSecBuff.BufferType := 2;
            InBuffDesc.ulVersion := 0;
            InBuffDesc.cBuffers := 1;
            InBuffDesc.pBuffers := @InSecBuff;
            OutSecBuff.cbBuffer := MaxToken;
            pBuffDesc := @InBuffDesc;
            pBuffDesc2 := @OutBuffDesc;
            E := FInitSecContext(hCred, @hcTxt, 'AuthSamp', 0, 0, 16, pBuffDesc, 0,
              hcTxt, pBuffDesc2, ContextAttr, LifeTime);

            if E >= 0 then
            begin
              InSecBuff2.cbBuffer := OutSecBuff.cbBuffer;
              InSecBuff2.pvBuffer := OutSecBuff.pvBuffer;
              OutSecBuff2.cbBuffer := MaxToken;
              pBuffDesc := @InBuffDesc2;
              pBuffDesc2 := @OutBuffDesc2;

              E := FAcceptSecContext(hCred2, @hcTxt2, pBuffDesc,
                0, 16, hcTxt2, pBuffDesc2,
                ContextAttr, LifeTime);

              Retvar := (E >= 0);
            end;
          end;

          FDelSecContext(hcTxt2);
          FFreeCredHandle(hCred2);
        end;

        FDelSecContext(hcTxt);
        FFreeCredHandle(hCred);
        HeapFree(GetProcessHeap, 0, pOut);
        HeapFree(GetProcessHeap, 0, pOut2);
      end;
    end;
  end;

  if FSecHandle <> 0 then
  try
    FreeLibrary(FSecHandle);
  except
  end;

  Result := Retvar;
end;

end.

<< Back to main page