[boggus documentation] Write a compatible NegoEx security package. RRS feed

  • Question

  • I'm trying to implement a NegoEx (Negoextender) compatible SSP.

    I've opened a ticket on the support [REG:111060145633598] in 2011 and it was closed because I didn't implement the required changes in 2 weeks. I was unable to reopen it a few weeks later.

    (quote As Mark mentioned, we can probably close the case if it’s going to take much longer.  We can re-open the case at any time. quote)

    The ticket was close at the same time the documentation was released : writing NegoEx SPPs.

    I've tried to implement a NegoEx SSP, but I'm still failing at reading the credential in my SSP :

    • The PSEC_WINNT_OPAQUE structure mentioned in the documentation doesn't exist.
    • AcquireCredentialHandle is called, but not with SEC_WINNT_AUTH_IDENTITY.
      The structure is in the LSA address space (do not call CopyFromClientBuffer) and it is NOT a PSEC_WINNT_AUTH_IDENTITY_OPAQUE (SspiEncodeAuthIdentityAsStrings returns an error), NOT a PSEC_WINNT_AUTH_IDENTITY, NOT a PSEC_WINNT_AUTH_IDENTITY_EX, NOT a PSEC_WINNT_AUTH_IDENTITY_EX2.

    However I can decode immediately the credentials returned by MS Credential Providers in user space after SspiPromptForCredentials using SspiEncodeAuthIdentityAsStrings. The strings returned are user/hash, domain/null, password/pin (protected by credprotect or in clear text). This method doesn't work in the SSP and can crash LSA.

    => how to read the credentials forwarded by negoexts.dll in SpAcquireCredentialHandle ?

    • Edited by Le Toux Saturday, May 4, 2013 6:40 PM
    Saturday, May 4, 2013 4:58 PM

All replies

  • Thanks to Luke Howard : the structure is a SECPKG_CREDENTIAL.

    "in AcquireCredentialsHandle if the caller is using NegoEx (i.e. SECPKG_CALL_NEGO_EXTENDER is set in the caller flags), then the input buffer is a SECPKG_CREDENTIAL. You need to unpack the SECPKG_SUPPLIED_CREDENTIAL from that, and then SEC_WINNT_AUTH_PACKED_CREDENTIALS from that."

    Friday, May 10, 2013 9:32 AM
    • Edited by vletoux2 Monday, May 13, 2013 2:04 PM
    Monday, May 13, 2013 2:04 PM
  • Hello,

    Nice to see that somebody also has issues with documentation about NegoExtender.

     I have read your wiki and I have one comment to make. I would also like to ask you one question regarding this topic.

    I am not setting the flag SECPKG_NEGOTIABLE - I am doing another thing, what I have found from debugger. First of all in server side I am excluding NTLM and Kerberos Packages by SspiExcludePackage(). It results with negoExt getting working. Secondly, when Negotiate receives the SpNego structure with "guess token" it doesn't call negoExtender.

    I have made ugly hack and remove the "guess token", and it is working.

    BUT, here is my question. after my SpAcceptLsaModeContext() function returns finally 0x0 after authentication complete, the Negotiate Package returns 0x80090302 error.

    I am completelly stucked and don't know why it behaves this way.

    I will also try to set up the the Negotiable flag and see if it is working without that hack.

    Thanks in advance,

    Stanislaw Wawszczak

    Thursday, May 23, 2013 11:15 AM
  • I will also try to set up the the Negotiable flag and see if it is working without that hack.

    Hi again,

    I have added the the Negotiable flag, but it doesn't help. I still have to make this ugly thing with removing "guess token" from spNego structure on first call to Negotiate AcceptSecurityContext() function.



    Thursday, May 23, 2013 11:23 AM
  • Hi Stanislaw,

    You can contact me directly at "contact at mysmartlogon.com".

    Thanks for your remark about SspiExcludePackage, but I don't understand what you mean by "guess token".

    For the NEGOTIATE flag, maybe I'm wrong.

    I'm stuck at SpQueryMetaDataFn and SpExchangeMetaDataFn. Luke told me to allocate the memory from the Lsa private heap instead of the public heap. Have you been able to get further ?

    Also, did your security package works when using directly the security package instead of using Negotiate ? (in AcquireCredentialsHandle)



    Thursday, May 23, 2013 11:39 AM
  • Hi Vincent,

    Thanks for your reply. I will contact you directly, but first want to explain what i have mean. NegTokenInit is defined as follow:

    NegTokenInit ::= SEQUENCE {
       mechTypes     [0]  MechTypeList  OPTIONAL,
       reqFlags      [1]  ContextFlags  OPTIONAL,
       mechToken     [2]  OCTET STRING  OPTIONAL,
       mechListMIC   [3]  OCTET STRING  OPTIONAL


    In mechTypes, there are Oids of all supported mechanizms: NTLM, Kerberos (two types) and NegoExtender.

    reqFlags is ommited according to documentation.

    the mechToken is the NTLM or Kerberos token and the type is Guessed by the originating system.

    When the mechToken is ommited from structure and other mechanizms are excluded , the server side is calling NegoExtender. Otherwise, it returns to the calling server application error 0x8009030E.

    My security package is stricty NegoExt compatible and I dropped the client side support. ( I only implement three exported function :


    ; Explicit exports can go here

    DllRegisterServer PRIVATE

    DllUnregisterServer PRIVATE

    SpLsaModeInitialize PRIVATE



    Thursday, May 23, 2013 11:48 AM
  • Hi Stanislaw,

    Stupid question : I understand that you don't have to implement your own credential provider but a negoex SSP shouldn't be able to act both as a client and a server ?

    As I understand, negoex just negotiate which security package should be used. I doesn't do anything related to create a new session for example.



    Thursday, May 23, 2013 11:54 AM
  • Hi Vincent,

    I guess we missed with the terms.

    I am implementing the NegoEx Compatible SSP (Security Service Provider).

    And second, I am NOT implementing Security Package.

    It means, I am writting the code for exchange'ing auth data between client and server.



    Thursday, May 23, 2013 12:00 PM
  • Hi Stanislaw,

    I'm lost because "Security Package" and "SSP" is the same thing for me.

    Did you implement (eventually empty) SpQueryMetaData and SpExchangeMetaData to see if there are called ?



    Thursday, May 23, 2013 12:09 PM
  • Hi,

    Yes, I did. I have sent it to you on private.

    If somebody else would be interested in this subject please contact me.



    Thursday, May 23, 2013 12:12 PM