LsaLogonUser and KERB_SMART_CARD_LOGON : a working sample on Windows 2K, XP, Vista and 7

  • Hi,

    I have managed to get LsaLogonUser working with KERB_SMART_CARD_LOGON in order to authenticate a user using a smart card.
    The advantage of this approach over using KERB_CERTIFICATE_LOGON is that it works on all Windows versions from Windows 2000 to Windows 7...so it's very portable!
    As in my previous posting concerning the usage of KERB_CERTIFICATE_LOGON, the main difficulty was the lack of documentation from Microsoft about its usage, so I had to guess the correct format (especially for the CspData field) through extensive debugging. For example, here is the undocumented format for the CspData field:
    #pragma pack(push, KerbCspInfo2, 1)   // byte-packed, no alignment padding
    typedef struct _KERB_SMARTCARD_CSP_INFO_2
    {
       DWORD dwCspInfoLen;          // total size of the structure in bytes, strings included
       DWORD dwUnknown;             // always 0 in the sample
       ULONG nCardNameOffset;       // offset of the card name string, in characters, from bBuffer
       ULONG nReaderNameOffset;     // offset of the reader name string
       ULONG nContainerNameOffset;  // offset of the key container name string
       ULONG nCSPNameOffset;        // offset of the CSP name string
       TCHAR bBuffer;               // first character of the NUL-terminated string pool that follows
    } KERB_SMARTCARD_CSP_INFO_2,  *PKERB_SMARTCARD_CSP_INFO_2;
    #pragma pack(pop, KerbCspInfo2)

    You can get the source code of a working sample from the following link :

    http://www.idrix.fr/Root/Samples/LsaSmartCardLogon2.cpp

    I hope this will be useful.

    Cheers,
    --
    Mounir IDRASSI
    IDRIX
    http://www.idrix.fr
    Sunday, August 30, 2009 4:05 AM
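    The following is an added example (not Mounir's sample and not Microsoft code) showing how the variable-length CspData blob described above is laid out: the four strings are appended after the fixed header as NUL-terminated characters, each offset field holds the position of its string in characters from bBuffer, and dwCspInfoLen holds the total byte size. It assumes a UNICODE build (TCHAR is a 16-bit code unit) and uses local typedefs in place of windows.h so the layout can be compiled and checked on any platform; the card, reader, container and CSP names are constructed sample values. It also includes a bounds check of the kind a consumer of such a blob should do before dereferencing the offsets.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-ins for the SDK types (assumption: UNICODE build, TCHAR = UTF-16 unit). */
typedef uint32_t DWORD;
typedef uint32_t ULONG;
typedef uint16_t TCHAR;

#pragma pack(push, 1)
typedef struct _KERB_SMARTCARD_CSP_INFO_2 {
    DWORD dwCspInfoLen;         /* total size in bytes, header + string pool */
    DWORD dwUnknown;            /* 0, as in the original sample */
    ULONG nCardNameOffset;      /* offsets in TCHARs from &bBuffer */
    ULONG nReaderNameOffset;
    ULONG nContainerNameOffset;
    ULONG nCSPNameOffset;
    TCHAR bBuffer;              /* first TCHAR of the string pool */
} KERB_SMARTCARD_CSP_INFO_2, *PKERB_SMARTCARD_CSP_INFO_2;
#pragma pack(pop)

#define CSP_INFO_HDR offsetof(KERB_SMARTCARD_CSP_INFO_2, bBuffer)

/* Widen an ASCII string into the pool; returns TCHARs written incl. terminator. */
static size_t put_tstring(TCHAR *dst, const char *src) {
    size_t i = 0;
    for (; src[i] != '\0'; i++) dst[i] = (TCHAR)(unsigned char)src[i];
    dst[i++] = 0;
    return i;
}

/* Build the CspData blob. Caller frees the result; *out_len receives its size. */
PKERB_SMARTCARD_CSP_INFO_2 build_csp_info(const char *card, const char *reader,
                                          const char *container, const char *csp,
                                          DWORD *out_len) {
    size_t chars = strlen(card) + strlen(reader) + strlen(container) + strlen(csp) + 4;
    size_t len = CSP_INFO_HDR + chars * sizeof(TCHAR);
    PKERB_SMARTCARD_CSP_INFO_2 p = calloc(1, len);
    if (p == NULL) return NULL;
    TCHAR *pool = &p->bBuffer;
    size_t pos = 0;
    p->dwCspInfoLen = (DWORD)len;
    p->dwUnknown = 0;
    p->nCardNameOffset = (ULONG)pos;      pos += put_tstring(pool + pos, card);
    p->nReaderNameOffset = (ULONG)pos;    pos += put_tstring(pool + pos, reader);
    p->nContainerNameOffset = (ULONG)pos; pos += put_tstring(pool + pos, container);
    p->nCSPNameOffset = (ULONG)pos;       pos += put_tstring(pool + pos, csp);
    *out_len = (DWORD)len;
    return p;
}

/* Consumer-side check: length field matches, every offset lands inside the
 * pool, and every string is NUL-terminated before the end of the buffer. */
int csp_info_valid(const void *blob, size_t blob_len) {
    const KERB_SMARTCARD_CSP_INFO_2 *p = blob;
    if (blob_len < CSP_INFO_HDR || p->dwCspInfoLen != blob_len) return 0;
    size_t nchars = (blob_len - CSP_INFO_HDR) / sizeof(TCHAR);
    const TCHAR *pool = &p->bBuffer;
    ULONG offs[4] = { p->nCardNameOffset, p->nReaderNameOffset,
                      p->nContainerNameOffset, p->nCSPNameOffset };
    for (int i = 0; i < 4; i++) {
        size_t k = offs[i];
        if (k >= nchars) return 0;
        while (k < nchars && pool[k] != 0) k++;
        if (k == nchars) return 0;          /* ran off the end without a NUL */
    }
    return 1;
}

int main(void) {
    DWORD len = 0;
    /* Constructed sample values, not taken from any real system. */
    PKERB_SMARTCARD_CSP_INFO_2 p = build_csp_info("MyCard", "Reader 0", "cont",
        "Microsoft Base Smart Card Crypto Provider", &len);
    if (p == NULL) return 1;
    printf("dwCspInfoLen=%u card=%u reader=%u container=%u csp=%u valid=%d\n",
           p->dwCspInfoLen, p->nCardNameOffset, p->nReaderNameOffset,
           p->nContainerNameOffset, p->nCSPNameOffset, csp_info_valid(p, len));
    free(p);
    return 0;
}
```

    With the sample names above the header is 24 bytes and the pool holds 63 TCHARs, so dwCspInfoLen comes out at 150 and the CSP name sits at character offset 21. The same blob is what would be passed as CspData in the KERB_SMART_CARD_LOGON structure on a real Windows build.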

All replies

  • Hi Mounir,
    It seems that the DWORD dwUnknown field of your KERB_SMARTCARD_CSP_INFO_2 structure is the last dwEventState of the smart card returned by SCardGetStatusChange.
    Isn't it?
    T2
    Monday, March 15, 2010 1:44 PM
  • Hi T2,

    In all the data I collected during my reverse engineering of the Kerberos Authentication Package, the dwUnknown field was always set to 0.
    There is no indication that this field is linked to the state of the PC/SC reader, and I have tested my sample on all cited platforms using 0 as the value for dwUnknown and it worked perfectly.

    How did you come to this conclusion?

    Cheers
    --
    Mounir IDRASSI
    IDRIX
    http://www.idrix.fr
    Monday, March 15, 2010 3:05 PM
  • Using the Windows smart card credential provider on Win7 x64

    I put a breakpoint on *LsaLogonUser with WinDbg on the winlogon desktop and I see the breakpoint hit; however, I never see MessageType of the struct set to anything other than 13 (decimal), KERB_LOGON_SUBMIT_TYPE.KerbCertificateLogon.

    If I try Mounir's code with KerbSmartCardLogon I always get Invalid Parameter.

    I do have another scard auth implementation working.

    I also never see the network provider called. Does anyone know what triggers that to happen? I want to make decisions in the network provider regarding KERB_LOGON_SUBMIT_TYPE, but it never gets there.

    Thanks

    Wednesday, February 29, 2012 6:22 PM
  • I have the same problem. And when I am using KerbCertificateLogon on Win7 x86 with the same code, I always get Invalid Parameter. But on Win7 x64 it's OK. wtf?
    Tuesday, May 15, 2012 8:35 AM
  • You know how we can fix this?

    Point it out to the EU as an antitrust case.

    Basis: MS public api is providing ms with functionality that it does not provide anyone else.

    That'll get it fixed.  As MS will tell you.  Engineers are worthless unless there is a lawyer attached.

    Wednesday, May 16, 2012 1:55 PM
  • Hi Chupper,

    You said you have a working smart card credential provider. Would it be possible for you to share it? I tried Mounir's code and I am getting a similar "invalid parameter" error. Please help!

    Friday, June 14, 2013 3:11 AM
  • Hello, did you manage to overcome the "invalid parameter" error?

    Regards

    Wednesday, July 27, 2016 12:06 AM