Use custom security provider to override msv1_0/kerberos

  • Question

  • I'm trying to implement a custom security provider that lets a user log in even if msv1_0/kerberos fails. So I implemented SpAcceptCredentials, returned STATUS_SUCCESS and added my DLL to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages.

    But it does not work; I still need to pass msv1_0 to log in.

    Then I tried to use subauth module (Auth0), but from this article:
    https://docs.microsoft.com/en-us/windows/win32/api/subauth/nf-subauth-msv1_0subauthenticationfilter

    It seems impossible either:

    After the MSV1_0 or Kerberos authentication package has validated a logon, the Msv1_0SubAuthenticationFilter function can perform additional validation to determine whether a user can log on to a network account

    Any thoughts?

    Tuesday, October 22, 2019 12:58 PM

All replies

  • Hi Dev,

    >>I'm trying to implement a custom security provider that lets a user log in even if msv1_0/kerberos fails. So I implemented SpAcceptCredentials, returned STATUS_SUCCESS and added my DLL to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages.

    Would you mind describing the detailed authentication flow for your scenario? Based on my understanding, if the customer chooses the custom authentication package, then the authentication routines are customized by yourself to meet the special business requirements.

    Below are the details about LSA authentication mode; please feel free to let me know if there is any special requirement for your scenario:

    LSA Authentication Model

    Regards & Fei



    Thursday, October 24, 2019 9:26 AM
  • I'm trying to implement a Google Authenticator-like authentication.

    E.g., without knowing the local SAM password, I'd like the user to log in with my own password.

    At this moment, I'm unable to override local password authentication. What could the problem be?

    Saturday, October 26, 2019 6:33 AM
  • I'm trying to implement a Google Authenticator-like authentication.

    E.g., without knowing the local SAM password, I'd like the user to log in with my own password.

    At this moment, I'm unable to override local password authentication. What could the problem be?

    Anyone??
    Tuesday, November 19, 2019 9:43 AM