LSA_AP_LOGON_USER_EX callback function (ntsecpkg.h)
Authenticates a user's logon credentials.
This function is called by the Local Security Authority (LSA) only for a user's initial logon. Subsequent authentication requests must use LsaCallAuthenticationPackage. If LsaApLogonUserEx succeeds, it creates a logon session and returns information used to build the token representing the newly logged on user.
This function differs from LsaApLogonUser in that the machine name is added to the audit record for the logon attempt.
Syntax
LSA_AP_LOGON_USER_EX LsaApLogonUserEx;
NTSTATUS LsaApLogonUserEx(
[in] PLSA_CLIENT_REQUEST ClientRequest,
[in] SECURITY_LOGON_TYPE LogonType,
[in] PVOID AuthenticationInformation,
[in] PVOID ClientAuthenticationBase,
[in] ULONG AuthenticationInformationLength,
[out] PVOID *ProfileBuffer,
[out] PULONG ProfileBufferLength,
[out] PLUID LogonId,
[out] PNTSTATUS SubStatus,
[out] PLSA_TOKEN_INFORMATION_TYPE TokenInformationType,
[out] PVOID *TokenInformation,
[out] PUNICODE_STRING *AccountName,
[out] PUNICODE_STRING *AuthenticatingAuthority,
[out] PUNICODE_STRING *MachineName
)
{...}
Parameters
[in] ClientRequest
Pointer to an opaque LSA_CLIENT_REQUEST data type representing the LSA client's request.
[in] LogonType
A SECURITY_LOGON_TYPE structure which identifies the type of logon being attempted.
[in] AuthenticationInformation
Supplies the authentication information specific to the authentication package. The LSA will free this buffer.
[in] ClientAuthenticationBase
Provides the address of the authentication information within the client process. This may be necessary to remap any pointers within the AuthenticationInformation buffer.
[in] AuthenticationInformationLength
Indicates the length of the AuthenticationInformation buffer.
[out] ProfileBuffer
Pointer that receives the address of the profile buffer in the client process. The authentication package is responsible for allocating the ProfileBuffer buffer within the client process by calling the AllocateClientBuffer function. However, if the LSA subsequently encounters an error which prevents a successful logon, then the LSA will take care of freeing this buffer.
The contents of this buffer are determined by the authentication package. The LSA does not alter this buffer; it simply returns the value to the LsaLogonUser function.
[out] ProfileBufferLength
Pointer to a ULONG that receives the length of the ProfileBuffer buffer, in bytes.
[out] LogonId
Pointer to an LUID variable that receives the new logon ID that uniquely identifies this logon session. The authentication package is responsible for allocating this LUID and creating the LSA logon session for this logon.
[out] SubStatus
Pointer to an NTSTATUS that receives the reason for failures due to account restrictions. The values returned in SubStatus are determined by the authentication package.
The following are SubStatus values for the MSV1_0 and Kerberos authentication packages.
More information about NTSTATUS codes can be found in the Subauth.h header file shipped with the Platform SDK.
[out] TokenInformationType
Pointer that receives the address of an LSA_TOKEN_INFORMATION_TYPE value that indicates the type of information returned for inclusion in the token to be created. The information is returned by means of the TokenInformation parameter.
[out] TokenInformation
Pointer that receives the address of information to be included in the token. The format and content of TokenInformation are indicated by the TokenInformationType parameter. Your authentication package is responsible for allocating the memory used by TokenInformation; however, this memory will be freed by the LSA.
[out] AccountName
Pointer to an LSA_UNICODE_STRING structure that receives the name of the user account. AccountName must always be returned regardless of the success or failure of the call; its string is included in the audit record for an authentication attempt. Your authentication package is responsible for allocating the memory used by AccountName It will be freed by the LSA.
[out] AuthenticatingAuthority
Optional. Pointer to an LSA_UNICODE_STRING structure that receives the description of the authenticating authority for the logon. This parameter may be NULL. This string is included in the audit record for an authentication attempt. Your authentication package is responsible for allocating the memory used by AuthenticatingAuthority; however, this memory will be freed by the LSA.
The MSV1_0 authentication package returns the domain name of the domain validating the account. The Kerberos authentication package returns the NetBIOS domain name.
[out] MachineName
Optional. Pointer that receives the address of an LSA_UNICODE_STRING structure containing the name of the client's workstation. This information is included in the audit record for an authentication attempt. Your authentication package is responsible for allocating the memory used by MachineName; however, this memory will be freed by the LSA.
The MSV1_0 authentication package returns the NetBIOS name of the client's workstation.
Return value
If the function succeeds, it should return STATUS_SUCCESS.
Otherwise, it should return an NTSTATUS error code, which can be one of the following values or one of the LSA Policy Function Return Values.
Return code | Description |
---|---|
|
The logon could not be completed because the client's memory quota is insufficient to allocate the return buffer. |
|
No domain controllers are available to service the authentication request. |
|
The logon attempt failed. The reason for failure is not specified; typical reasons include misspelled user names and passwords. |
|
The user account and password are legitimate, but user account restrictions prevent successful logon at this time. |
|
The authentication information provided is recognized by the authentication package. |
Calling applications can use the LsaNtStatusToWinError function to convert the NTSTATUS code to a Windows error code.
Remarks
Authentication packages must implement one of the following functions: LsaApLogonUser, LsaApLogonUserEx, or LsaApLogonUserEx2.
LsaApLogonUserEx was added for C2 certification. C2 is a security classification defined by the United States government.
Requirements
Requirement | Value |
---|---|
Minimum supported client | Windows XP [desktop apps only] |
Minimum supported server | Windows Server 2003 [desktop apps only] |
Target Platform | Windows |
Header | ntsecpkg.h |