Windows LogonUser Function Works with Old Passwords? - winapi

I am using the LogonUser function (http://msdn.microsoft.com/en-us/library/aa378184(VS.85).aspx) to authenticate users. However i have found that if a user changes their password (ie from Password1 to Password2) both passwords will then work. However i would like it so that only the current password can be used. Is there something i need to set to get this to work like that?
I am using the following code snippet:
LogonUser(nt_id, NULL, nt_password, LOGON32_LOGON_NETWORK, 3, &hToken );
nt_id is going in in the format of USER#USERDOMAIN.SOMETHING.COM
and i have 3 there in place of LOGON32_PROVIDER_WINNT50, because i would get a compile error saying undeclaired identifier for LOGON32_PROVIDER_WINNT50 (could this be a symptom?) but i know it is defined as 3.
Thanks,
-Pete

This is a network setting. By default, windows passwords remain valid for one hour after they are changed. Your network admin can change this if required. (Note that this doesn't affect the interactive login, but it does affect all programmatic methods.)

The compile-time error is probably there because you haven't
#define _WIN32_WINNT 0x0500
before including windows.h or added it as a compile-time setting (-D_WIN32_WINNT=0x0500).
Why LogonUser would work with both the new and the old password is beyond me though. But since what you want is to authenticate users (as opposed to impersonating them) according to MSDN it's more appropriate to use the SSPI API (here's the recommended way).

Related

coturn cannot find credentials of user

I was trying to deploy a simple TURN server using coturn.
When I test it on Trickle ICE (turn:rtc.jackxujh.me:3478 [webrtc:mighty]), Trickle ICE says "Authentication failed?".
The coturn server keeps reporting this error:
ERROR: check_stun_auth: Cannot find credentials of user
Here is the complete turnserver.conf I am using (by uncommenting lines of the coturn sample conf):
external-ip=39.108.74.114/XXX.XXX.XXX.XXX #(XXX is internal IP)
fingerprint
lt-cred-mech
use-auth-secret
static-auth-secret=XXXXXXXX... #(XXX is the secret)
realm=rtc.jackxujh.me
user=webrtc:0xXXXXXXXX... #(XXX is the key)
cert=/etc/letsencrypt/live/rtc.jackxujh.me/cert.pem
pkey=/etc/letsencrypt/live/rtc.jackxujh.me/privkey.pem
mobility
I find a related discussion on GitHub, but I don't feel there is a solution at the end.
In fact, I am confused whether my conf file is using TURN REST API or not.
Meanwhile, I tried to check if there was a user named webrtc in turndb, by using # turnadmin -l, but the output was nothing. (Is this command correct?)
In fact, I am confused whether my conf file is using TURN REST API or not.
I can confirm You use REST API because use-auth-secret is set
use-auth-secret
So you need to use a unixtimestamp as username, and the hashed password..
user=timestamp:userid
password=base64(hmac(secret key, user)
Read more about the difference of Long-Term-Credential and REST:
https://www.ietf.org/proceedings/87/slides/slides-87-behave-10.pdf
If you want to use normal username/password use the long-term-credential so remove use-auth-secret
and set it statically or in db
user=username1:key1
turnadmin
turnadmin -l
list static and db users.
So in case of REST is correct the empty list.

OpenEvent, getlasterror returns 2

I'm building a windows UMDF 2.0 driver and when I call OpenEvent I get an error of 2. any help would be great. below is my code
HANDLE userEvent = OpenEvent(EVENT_ALL_ACCESS, FALSE, myUserEvent);
std::cout<
Windows 7,8 require security descriptors while wec does not. Their default security descriptors are different.
Also if your events are to be accessed by different users or by elevated processes you need to make it a global event, otherwise it will not be able to access it.
So I figured it out, when you create a driver user event it has a default security permissions as high, so you have to create a security descriptor and pass it in to override the the default. For some reason it gives spits out an error 2 which is cant find file. hope this helps someone in the future.
https://msdn.microsoft.com/en-us/library/windows/hardware/ff538907%28v=vs.85%29.aspx

AutoUnlock a Windows User Session

Recently, I have been working on a CredentialProvider in order to unlock automatically (the trigger can be any event, so let’s say the end of a timer) a Windows Vista (or more recent version) user session.
For that I read some useful articles on the subject, the change between GINA and this new architecture. http://msdn.microsoft.com/en-us/magazine/cc163489.aspx.
I think, like everyone in the process of creating a custom CredentialProvider, I didn’t start from scratch but from the sample code provided by Microsoft. And then I tried to change the behaviour (things like logging) in the different functions.
So in the end I can use the custom CredentialProvider, enter the SetUsageScenario methods but still I cannot reach the Set or GetSerialization method. From what I’ve understood in the technical documentation on CredentialProvider (still provided by Microsoft) theses two methods should be called automatically. Is there something I missed ?
Also, my original idea was to get an authentication package using Kerberos in order to perform an implicit user authentication. I got this idea by seeking information on other SO or MSDN threads like
Is this approach the good one ?
Thank you very much for your time answering my questions. Any clarifications are welcomed, even if they don’t directly resolve my problems :-)
First of all - you need to set autologon flag to true in your implementation of the ICredentialProviderCredential::SetSelected(BOOL *pbAutoLogon) and ICredentialProvider::GetCredentialCount methods.
Next, you need to call ICredentialProviderEvents::CredentialsChanged when your timer is hit.
LogonUI will recreate your credentials, and because autologon is set to true it will call your GetSerialization() method.
SetSerialization and GetSerialization functions are called from your provider by LogonUI. After user enters username/password and presses ENTER button, LogonUI calls GetSerialization function and provides a pointer, as one of the four parameters, that will point in future to CREDENTIAL_PROVIDER_CREDENTIAL_SERIALIZATION structure created and filled by you, and then this structure will be sent from LogonUI to Winlogon to perform authentication. I don't know how to make LogonUI to call GetSerialization from your credential provider code and as far as I know you can't call GetSerialization by your own because where will you pass your filled CREDENTIAL_PROVIDER_CREDENTIAL_SERIALIZATION structure if no one requested it, but only LogonUI can path it to Winlogon?
There is a document called "Credential Provider Technical Reference", there you can read some details about credential providers. In the Shell samples folder there is a strange folder called "Autologon", maybe it will help you! Good Luck!

Error when trying to register a task with task scheduler (Win7)

To enable my application to startup with admin rights at user login, I use a task in task scheduler. And it works fine. Mostly. Now I've received bug reports saying that this fails:
rootFolder->RegisterTaskDefinition( _bstr_t(name.toWideCharPointer()), task,
TASK_CREATE_OR_UPDATE, _variant_t(L"Builtin\\Administrators"), _variant_t(),
TASK_LOGON_GROUP, _variant_t(L""), &registeredTask) -> 0x80070534
0x80070534 seems to mean "No mapping between account names and security IDs was done". I'm following (pretty much verbatim) the example at:
http://msdn.microsoft.com/en-us/library/aa381911(v=VS.85).aspx
Ideas what has gone wrong, and how to fix it ? The application has manifest set so the user needs to be admin to run it.
Question: The "Builtin\\Administrators" group, it is language dependent, isn't it ? I think that the user in question might have a non-english Windows 7. If so I imagine it would work better with specifying "S-1-5-32-544" instead ( http://support.microsoft.com/kb/243330 )
Update: So the explicit call looks like:
rootFolder->RegisterTaskDefinition(
_bstr_t(name.toWideCharPointer()),
task,
TASK_CREATE_OR_UPDATE,
_variant_t(L"S-1-5-32-544"), // Language independent "BUILTIN\Administrators"
_variant_t(),
TASK_LOGON_GROUP,
_variant_t(L""),
&registeredTask)
Make sure that the application is executed with elevated privileges, otherwise that call will fail.
The problem indeed lies in the parameter _variant_t(L"Builtin\\Administrators"), which is hard-coded to English version of Windows. By using the language agnostic security identifier "S-1-5-32-544" ( http://support.microsoft.com/kb/243330 ), the problem is resolved.
Update: So the explicit call looks like:
rootFolder->RegisterTaskDefinition(
_bstr_t(name.toWideCharPointer()),
task,
TASK_CREATE_OR_UPDATE,
_variant_t(L"S-1-5-32-544"), // Language independent "BUILTIN\Administrators"
_variant_t(),
TASK_LOGON_GROUP,
_variant_t(L""),
&registeredTask)
Make sure that the application is executed with elevated privileges, otherwise the call will fail.
After spending some time, I've seen that more modifications than just _variant_t(L"S-1-5-32-544") are needed to make this "Logon Trigger Example (C++)" example work.
All the details can be found in this answer.

Get the complete username a new username

When using NetUserAdd the user will be created on the local computer or as a domain account depending the role of the server where you used this function.
I want to retrieve the complete username (LOCALCOMPUTER\USERNAME or DOMAIN\USERNAME) to use it remotely.
Is there a function to do this?
Caveat: I haven't checked the solution.
You may call NetGetJoinInformation to know if the machine belongs to a domain and NetServerGetInfo if the code is running on a DC.
After those test you may get the machine name (GetComputerName) and domain name (NetWkstaGetInfo) and whatever you need.
Be careful if you are doing this on a cluster.
I'm sure I'm missing something, but can't you use GetUserNameEx and pass in the desired EXTENDEND_NAME_FORMAT? I believe NameSamCompatible should be the format you desire.
You'll get back either MachineName\UserName or DomainName\UserName

Resources