
Adding a custom SSP to the negotiate security package

Asked By vletoux
19-Nov-09 04:38 PM
Hi,

I am the owner of the open source project http://www.mysmartlogon.com
which tries to enable smart card usage without a domain. I have
successfully enabled interactive login on console and on terminal
services. However I have to disable NLA to make terminal services
work.
=> that is my problem

Here is how a terminal session is authenticated using NLA:
client -> mstsc -> credssp -> network -> credssp -> negotiate -> my
security package
=> my security package has to handle negotiate non interactive login

How do I test that the negotiate security package is aware of my custom
security package?
I open a SMB connection to the machine I want to test and I am looking
in wireshark what security package is available on this machine.
Indeed, in SMB2 negotiateprotocol response, you have the negTokenInit
message which describes which protocol is available. In my case, only
NTLMSSP.
=> my package is not available through negotiate

What I have tried :
* Configure GSS Oid as the protocol requires.
In my test, I have setup a fake one :
1.3.6.1.4.1.35000.1 which is encoded into
UCHAR GssOid[] = {0x2B,0x06,0x01,0x04,0x01,0x82,0x91,0x38,0x01}; // arc 35000 is base-128 big-endian: 0x82 0x91 0x38
I have implemented SpGetExtendedInformation with the class
SecpkgGssInfo
* set the flag fCapabilities in SpGetInfo to
SECPKG_FLAG_LOGON | SECPKG_FLAG_MULTI_REQUIRED |
SECPKG_FLAG_CLIENT_ONLY | SECPKG_FLAG_IMPERSONATION |
SECPKG_FLAG_NEGOTIABLE | SECPKG_FLAG_ACCEPT_WIN32_NAME |
SECPKG_FLAG_GSS_COMPATIBLE;

I have setup a debugbreak and I am looking in kd what is the call stack :
EIDAuthenticationPackage!SpGetExtendedInformation+0xe4
LSASRV!LsapGetExtendedPackageInfo+0x7a
LSASRV!NegPackageLoad+0xea
LSASRV!LsapScavengerHandleNotify+0x65
LSASRV!LsapScavengerTrigger+0x41
LSASRV!LsapTimerCallback+0x9a
=> the function SpGetExtendedInformation is called through
NegPackageLoad => OK

=> Why is my authentication package not available in SMB?
Am I missing some capabilities? (flag in SpGetInfo)
=> Can we specify a custom behaviour to the negotiate security package
(currently, belong or not to a domain) ?

Regards,
Vincent Le Toux
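Added example (not code from the post or from mysmartlogon): a DER OID encoder plus a walker over a SPNEGO mechTypes SEQUENCE of the kind carried in the SMB2 negotiate response's negTokenInit, which is the check the post performs by hand in Wireshark. The sample mechTypes list (NTLMSSP only) and the function names are constructed for this example; encoding the post's OID 1.3.6.1.4.1.35000.1 gives nine content bytes, because arc 35000 needs three base-128 bytes.

```c
#include <stdlib.h>
#include <string.h>
/* DER-encode a dotted OID into its content octets (no 0x06 tag or length).
   The first two arcs share one subidentifier (40*a0 + a1); every later arc is
   base-128, big-endian, continuation bit set on all but its last byte. 0 = error. */
size_t encode_oid(const char *dotted, unsigned char *out, size_t cap) {
    unsigned long arcs[32], sub; size_t n = 0, len = 0;
    for (const char *p = dotted; *p && n < 32; ) {
        char *end;
        arcs[n++] = strtoul(p, &end, 10);
        if (end == p) return 0;                       /* not a number */
        p = (*end == '.') ? end + 1 : end;
    }
    if (n < 2 || arcs[0] > 2 || (arcs[0] < 2 && arcs[1] > 39)) return 0;
    for (size_t i = 1; i < n; i++) {
        unsigned char tmp[10]; int k = 0;
        sub = (i == 1) ? arcs[0] * 40 + arcs[1] : arcs[i];
        do { tmp[k++] = (unsigned char)(sub & 0x7F); sub >>= 7; } while (sub);
        if (len + (size_t)k > cap) return 0;
        while (k--) out[len++] = (unsigned char)(tmp[k] | (k ? 0x80 : 0));
    }
    return len;
}

/* Check that `dotted` encodes to exactly the `elen` bytes in `expect`. */
int oid_encodes_to(const char *dotted, const unsigned char *expect, size_t elen) {
    unsigned char enc[64];
    size_t n = encode_oid(dotted, enc, sizeof enc);
    return n != 0 && n == elen && memcmp(enc, expect, elen) == 0;
}

/* Walk a DER SEQUENCE OF OID (the SPNEGO mechTypes list in negTokenInit,
   short-form lengths only) and report whether `dotted` is advertised. */
int mech_listed(const unsigned char *seq, size_t seqlen, const char *dotted) {
    unsigned char want[64];
    size_t wlen = encode_oid(dotted, want, sizeof want);
    if (wlen == 0 || seqlen < 2 || seq[0] != 0x30 || seq[1] + 2u != seqlen) return 0;
    for (size_t i = 2; i + 2 <= seqlen; ) {
        size_t l = seq[i + 1];
        if (seq[i] != 0x06 || i + 2 + l > seqlen) return 0;   /* not an OID, or truncated */
        if (l == wlen && memcmp(seq + i + 2, want, wlen) == 0) return 1;
        i += 2 + l;
    }
    return 0;
}

/* Constructed sample: mechTypes carrying only NTLMSSP (1.3.6.1.4.1.311.2.2.10). */
static const unsigned char SAMPLE_MECHTYPES[] = {
    0x30, 0x0C, 0x06, 0x0A, 0x2B, 0x06, 0x01, 0x04, 0x01, 0x82, 0x37, 0x02, 0x02, 0x0A };
```

Feed `mech_listed` the mechTypes bytes extracted from a real negTokenInit capture to confirm whether the custom GSS OID is advertised before looking further at package capabilities.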