User Token for Authentication Package Proxy... RRS feed

  • Question

  • Hello there!

    I've developed a Authentication Package Proxy to "msv1_0".

    By now I'm just interested on "LsaApLogonUserEx2" method on which I've added some authentication and sincronization logic with a logical access control platform we have.

    The problem is that after a successful "login" execution, our "login" service needs to store some critical information on user's personnal app data folder.

    To get the user's data folder I need the user token created after a successful login process by the LSA, but this will occurs only after I return from method "LsaApLogonUserEx2" (according to MSDN documentation).

    Without the token, method "SHGetFolderPath" returns the folder "C:\Windows\system32\config\systemprofile\AppData\Roaming".

    I've tried to get the token using WTSQueryUserToken and other methods and they always returns 1008 (ERROR_NO_TOKEN), what I think corroborates the assumption the token wasn't created by the LSA yet.

    Is there another way to create this token, or to get the correct user's app data folder from a Authentication Package Proxy ?

    Thanks and best regards,



    Friday, August 19, 2011 1:58 PM

All replies

  • Well, if I undertand you correctly, a quick fix is to simply test the return value of LsaApLogonUserEx2. If it is ERROR_NO_TOKEN, wait a while and then try the call again? Why wouldn't that work?
    Alvin Bruney ASP.NET MVP www.lulu.com/owc
    Friday, August 19, 2011 4:34 PM
  • Hi Vapordan, and thanks for the reply!

    On my Authentication Package Proxy I call the "LsaAPLogonUserEx2" method from original "msv1_0" AP and it returns successfully.

    The matter is that at this point I still don't have the final token that is returned to "LsaLogonUserX" caller.

    I think it's created at some place between the return of "LsaAPLogonUserEx2" to LSA and LSA return to "LsaLogonUserX" method caller.

    MSDN documentation states that the information returned by "LsaAPLogonUserEx2" will be used to create the user token.

    After calling "LsaAPLogonUserEx2" method from original "msv1_0" AP I've tried to get the token using some methods without success, and I think that this is because it wasn't created yet.

    Any thoughts ?

    Thanks and best regards,


    Friday, August 19, 2011 6:08 PM
  • Yes, you need to queue the token check so that it is called at a later point in time. I don't understand too much about the architecture of your system but that's the easiest way to fix this problem at this point. I would need to understand more about the design to be more helpfull because I don't see any other systems behaving in this way.
    Alvin Bruney ASP.NET MVP www.lulu.com/owc
    Saturday, August 20, 2011 11:49 PM
  • Hi Alvin, and thanks again for the reply.

    Unfortunatelly this is not an option. In fact I was thinking on handle this condition on a later point as you said but if I have no other alternative at all.

    Firstly I would like to have the certain that I can't do anything to have a valid user token while handling the "LsaAPLogonUserEx2" method on my "Authentication Package Proxy".

    If the final token was not created yet, is it possible to create a new one using "CreateToken" at this moment?

    Have someone did that or have a idea if this can be done?

    Thanks and best regards,


    Tuesday, August 23, 2011 5:26 PM
  • I think this is a bug. After reading the MSDN docs, there's this post at the bottom, I think it refers to  your situation:


    Broken SDK

    The 6.0A (at least) SDK is broken with regards to the type LSA_AP_LOGON_USER_EX2. It's missing the NTAPI calling convention. If you're loading the function in runtime from a library, and using a default calling convention other than __stdcall, this will bite you.

    The bug is in ntsecpkg.h.
    Have you tried using LsaApLogonUser, LsaApLogonUserEx instead of LsaApLogonUser, LsaApLogonUserEx2? The differences are pretty minor.

    Alvin Bruney ASP.NET MVP www.lulu.com/owc
    Wednesday, August 24, 2011 12:58 AM
  • Hi Alvin!

    Thank you very much Alvin for your effort and help, but I'm felling that you are missing the point here.

    As I've already said my Authentication Package Proxy is working perfectly including the method "LsaAPLogonUserEx2".

    This calling convention issue was detected really early on development of this guy.

    The issue I have is that considering what is documented and all what I've experienced while peforming this Authentication Package Proxy I don't have at hand the security user token that is returned to "LsaLogonUser" caller.

    And I need this token "at this point". While I'm handling the "LsaAPLogonUserEx2" method.

    This token allows, for example, to access the personnal application folder that on Windows Vista and 7 will be something like "C:\Users\jean.grey\AppData\Roaming". And is exactly for that I need the token. Without it I'm getting what I think is the SYSTEM user application folder that is "C:\Windows\system32\config\systemprofile\AppData\Roaming".

    MSDN states that this token is created at a further point between the return of "LsaAPLogonUserEx2" method to LSA and the final return from LSA to "LsaLogonUser" caller.

    My question is: Is there no way to overcome this "at this point"? Maybe creating another token given that the final one is created using peaces of information provided by "LsaAPLogonUserEx2"?

    Any thoughts?

    Thanks again for your help and best regards!


    Wednesday, August 24, 2011 11:59 AM