MSV1_0_LM20_LOGON structure (ntsecapi.h)

The MSV1_0_LM20_LOGON structure contains logon information used in network logons.

It is used by LsaLogonUser.

Syntax

typedef struct _MSV1_0_LM20_LOGON {
  MSV1_0_LOGON_SUBMIT_TYPE MessageType;
  UNICODE_STRING           LogonDomainName;
  UNICODE_STRING           UserName;
  UNICODE_STRING           Workstation;
  UCHAR                    ChallengeToClient[MSV1_0_CHALLENGE_LENGTH];
  STRING                   CaseSensitiveChallengeResponse;
  STRING                   CaseInsensitiveChallengeResponse;
  ULONG                    ParameterControl;
} MSV1_0_LM20_LOGON, *PMSV1_0_LM20_LOGON;

Members

MessageType

An MSV1_0_LOGON_SUBMIT_TYPE value that specifies the type of logon being requested. This member must be set to MsV1_0Lm20Logon or MsV1_0NetworkLogon.

If this member is set to MsV1_0Lm20Logon, the MSV1_0 package ignores the ParameterControl member.

LogonDomainName

A UNICODE_STRING that contains the name of the logon domain. The specified domain name must be a Windows domain (or mixed domain) that is in the trusted domain list of this computer. If the logon domain name is not known (for example, for clients that do not supply this information), this member should be passed in as a zero-length string. This domain is the authenticating authority.

UserName

A UNICODE_STRING that represents the account name of the user. The name can be up to 255 bytes long. The name is treated as case insensitive.

Workstation

A UNICODE_STRING that contains the computer name of the client workstation from which the user logon request was initiated.

ChallengeToClient[MSV1_0_CHALLENGE_LENGTH]

Contains the challenge returned from a previous call to LsaCallAuthenticationPackage, when MsV1_0Lm20ChallengeRequest was specified as the message type. For more information, see the description of MsV1_0Lm20ChallengeRequest in MSV1_0_PROTOCOL_MESSAGE_TYPE. This enables the authentication package to determine whether the challenge response is correct.

CaseSensitiveChallengeResponse

Contains some function of the case-sensitive Unicode password of the client. Typically, it will be the ChallengeToClient member encrypted by a case-sensitive version of the password.

Some clients will simply supply the plaintext case-sensitive Unicode password. In that case, this member points to that plaintext password. The MSV1_0 Authentication Package may accept this nonencrypted form depending on a configuration option.

Some clients do not support case-sensitive Unicode passwords. In that case, this member should contain a zero-length string.

CaseInsensitiveChallengeResponse

Contains some function of the case-insensitive multiple-byte character set (MBCS) password of the client. Typically, it will be the ChallengeToClient member encrypted by a case-insensitive version of the password.

Clients that support only MBCS and not Unicode supply a plaintext case-insensitive MBCS password. In that case, this member points to that plaintext password. The MSV1_0 authentication package will accept this nonencrypted form depending on a configuration option.

ParameterControl

Specifies attributes of the other parameters. This can be one or more of the following flags.

Each flag is listed with its hexadecimal value, followed by its meaning.

MSV1_0_CLEARTEXT_PASSWORD_ALLOWED (0x02)

LanMan2.0 or LanMan1.0 send a plaintext password instead of a challenge response. To allow plaintext passwords to be used in the NetworkLogon message, an application must supply this flag.

MSV1_0_UPDATE_LOGON_STATISTICS (0x04)

Update the logon statistics for the account. If this flag is not set, the bad password count is set to zero upon successful logon.

MSV1_0_RETURN_USER_PARAMETERS (0x08)

If this flag is specified, the UserParameters member of the MSV1_0_LM20_LOGON_PROFILE return buffer is valid.

MSV1_0_DONT_TRY_GUEST_ACCOUNT (0x10)

Prevents the user from logging on with a guest account.

MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT (0x20)

If this flag is set, domain controller accounts can be used for authentication; otherwise, only user accounts can be used.

MSV1_0_RETURN_PASSWORD_EXPIRY (0x40)

Causes the password expiration time to be returned in the LogoffTime member of the MSV1_0_LM20_LOGON_PROFILE structure returned in the output buffer.

MSV1_0_USE_CLIENT_CHALLENGE (0x80)

Denotes that the CaseInsensitiveChallengeResponse contains a client challenge in the first 8 bytes.

MSV1_0_TRY_GUEST_ACCOUNT_ONLY (0x100)

Causes the user to log on using the guest account.

MSV1_0_RETURN_PROFILE_PATH (0x200)

Returns the profile path for Encrypting File System (EFS). The profile path is used by EFS to locate the profile of the user and find the user's keys for encrypting and decrypting files. This information is not returned to the caller; it is stored within the LSA and used by internal processes.

MSV1_0_TRY_SPECIFIED_DOMAIN_ONLY (0x400)

In normal operation, the LogonDomainName member is used as a suggestion. The package (using the NetLogon service) will continue passing the logon request to domain controllers higher in the trusted domain path until one authoritatively rejects the logon.

This flag overrides that behavior so that only the specified domain controller will attempt to process the logon. If LogonDomainName is blank, the logon will not be attempted.

MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT (0x800)

Permits remote-boot clients to log on using a computer account.

MSV1_0_CLEARTEXT_PASSWORD_SUPPLIED (0x4000)

Permits the use of a cleartext password.

Windows XP and Windows Server 2003: Not supported.

MSV1_0_USE_DOMAIN_FOR_ROUTING_ONLY (0x8000)

Permits the domain to be used for routing only.

Windows XP and Windows Server 2003: Not supported.

MSV1_0_ALLOW_MSVCHAPV2 (0x10000)

Permits SubAuthentication logon.

Windows XP and Windows Server 2003: Not supported.

MSV1_0_S4U2SELF (0x20000)

Permits S4U clients to log on without a password.

Windows Vista, Windows Server 2003 with SP2, Windows XP and Windows Server 2003: Not supported.

MSV1_0_CHECK_LOGONHOURS_FOR_S4U (0x40000)

Checks the logon hours for an S4U logon client.

Windows Vista, Windows Server 2003 with SP2, Windows XP and Windows Server 2003: Not supported.

MSV1_0_INTERNET_DOMAIN (0x80000)

Permits logon for Internet users. This flag should be used by calls from authentication packages directly and not from netlogon.

Windows 7, Windows Server 2008 R2, Windows Vista, Windows Server 2008, Windows XP and Windows Server 2003: Not supported.

Remarks

If the UserName, CaseSensitiveChallengeResponse, and CaseInsensitiveChallengeResponse members all contain zero-length strings, an anonymous token will be generated for the logon. This anonymous token gives the user no ability to access protected system resources but does allow access to nonprotected system resources. The server uses this method to support a NULL session.
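A review-time check built on the ParameterControl flags and the Remarks above, as an added example that is not part of the original documentation: it reports which documented behaviors a given request would trigger. The names lm20_submit, lm20_view, lm20_audit, LM20_LISTED_FLAGS and the F_* findings are hypothetical; the flag values are copied from this page so the code builds without ntsecapi.h.

```c
#include <stdint.h>
#include <stdio.h>
/* ParameterControl values copied from the flag list on this page. */
#define MSV1_0_CLEARTEXT_PASSWORD_ALLOWED      0x02u
#define MSV1_0_DONT_TRY_GUEST_ACCOUNT          0x10u
#define MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT      0x20u
#define MSV1_0_TRY_GUEST_ACCOUNT_ONLY          0x100u
#define MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT 0x800u
#define MSV1_0_CLEARTEXT_PASSWORD_SUPPLIED     0x4000u
#define LM20_LISTED_FLAGS                      0xFCFFEu /* OR of every listed value */

/* Hypothetical stand-ins for MSV1_0_LOGON_SUBMIT_TYPE and the fields checked. */
enum lm20_submit { LM20_LOGON, LM20_NETWORK_LOGON };
struct lm20_view {
    enum lm20_submit type;                       /* MessageType */
    uint16_t user_len, cs_resp_len, ci_resp_len; /* Length fields, in bytes */
    uint32_t parameter_control;                  /* ParameterControl */
};
enum { F_NULL_SESSION = 1, F_CONTROL_IGNORED = 2, F_CLEARTEXT = 4, F_GUEST_ONLY = 8,
       F_GUEST_CONFLICT = 16, F_MACHINE_ACCOUNT = 32, F_UNLISTED_BITS = 64 };

unsigned lm20_audit(const struct lm20_view *v)
{
    unsigned f = 0;
    uint32_t pc = v->parameter_control;
    /* Remarks: three zero-length strings yield an anonymous token (NULL session). */
    if (v->user_len == 0 && v->cs_resp_len == 0 && v->ci_resp_len == 0)
        f |= F_NULL_SESSION;
    /* MsV1_0Lm20Logon: ParameterControl is ignored, so set bits have no effect. */
    if (v->type == LM20_LOGON)
        return pc ? f | F_CONTROL_IGNORED : f;
    if (pc & (MSV1_0_CLEARTEXT_PASSWORD_ALLOWED | MSV1_0_CLEARTEXT_PASSWORD_SUPPLIED))
        f |= F_CLEARTEXT;
    if (pc & MSV1_0_TRY_GUEST_ACCOUNT_ONLY) /* assumption: DONT_TRY_GUEST contradicts it */
        f |= (pc & MSV1_0_DONT_TRY_GUEST_ACCOUNT) ? F_GUEST_ONLY | F_GUEST_CONFLICT : F_GUEST_ONLY;
    if (pc & (MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT | MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT))
        f |= F_MACHINE_ACCOUNT;
    if (pc & ~LM20_LISTED_FLAGS)            /* bits this page does not document */
        f |= F_UNLISTED_BITS;
    return f;
}

int main(void)
{
    /* Constructed sample: network logon allowing cleartext, guest account only. */
    struct lm20_view v = { LM20_NETWORK_LOGON, 10, 24, 24, 0x102u };
    printf("findings: 0x%02x\n", lm20_audit(&v));
    return 0;
}
```
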

Requirements

Minimum supported client: Windows XP [desktop apps only]
Minimum supported server: Windows Server 2003 [desktop apps only]
Header: ntsecapi.h

See also

LsaCallAuthenticationPackage

LsaLogonUser

MSV1_0_LM20_LOGON_PROFILE

MSV1_0_LOGON_SUBMIT_TYPE

MSV1_0_PROTOCOL_MESSAGE_TYPE