STATUS_ACCESS_DENIED out of LsaLogonUser when NTLM used RRS feed

  • Question

  • I'm trying to learn different flavors of LsaLogonUser. Using Windows 10 PC which does not connect to Domain.

    1. Wrote simple C++ program:

    Calling LsaLogonUser with LogonType = Unlock. Passing filled MSV1_0_INTERACTIVE_LOGON structure with User name, Password and "Workgroup" as Domain. Got successful authentication with NTSTATUS code 0 returned from LsaLogonUser.

    2. Then wrote another program:

    Used SSPI functions InitializeSecurityContext and AcceptSecurityContex to generate NTLM messages (Negotiate, Challenge, Authenticate). NTLM login was successful because the last call of AcceptSecurityContex returned NTSTATUS code 0. I used same user credentials as in an example #1.

    3. "Merge" #1 and #2

    I copied the following information form NTLM messages:

    • ServiceChallenge from NTLM Challenge message
    • User Name, Domain, Workstation, NTChallengeResponse and LMChallengeResponce from NTLM Authenticate message

    I placed those values into MSV1_0_LM20_LOGON structure and call LsaLogonUser with LogonType = Network. Function returned NTSTATUS code 0xC000022 STATUS_ACCESS_DENIED. I used same user credentials as in an example #1 and #2.

    From #1 I learned that user can be logged to this computer.
    From #2 I learned that NTLM is working fine and a user can be logged remotely.

    What can be a problem with LsaLogonUser to process good formed NTLM?

    • Edited by Maxim P Thursday, November 15, 2018 5:59 AM
    Wednesday, November 14, 2018 4:19 AM