archive
/
windows-server-2003
mirror of https://github.com/selfrender/Windows-Server-2003
2
0
Fork 0
Code Issues Projects Releases Wiki Activity
Leaked source code of windows server 2003
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
4 Commits
1 Branch
0 Tags
1.5 GiB
Branch: master
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'master'
${ noResults }
windows-server-2003/inetsrv/iis/iisrearc/iisplus/ulw3/iiscertmap.cxx

817 lines
25 KiB
Raw Permalink Normal View History

commiting as it is
4 years ago
  1. /*++
  3. Copyright (c) 1998 Microsoft Corporation
  5. Module Name :
  6. iiscertmap.cxx
  8. Abstract:
  9. IIS Certificate mapping
  12. Author:
  13. Bilal Alam (BAlam) 19-Apr-2000
  15. Environment:
  16. Win32 - User Mode
  18. Project:
  19. Stream Filter Worker Process
  20. --*/
  22. #include "precomp.hxx"
  23. #include <mbstring.h>
  27. IIS_CERTIFICATE_MAPPING::IIS_CERTIFICATE_MAPPING( VOID )
  28. : _pCert11Mapper( NULL ),
  29. _pCertWildcardMapper( NULL ),
  30. _cRefs( 1 )
  31. {
  32. }
  34. IIS_CERTIFICATE_MAPPING::~IIS_CERTIFICATE_MAPPING( VOID )
  35. {
  36. if ( _pCert11Mapper != NULL )
  37. {
  38. delete _pCert11Mapper;
  39. _pCert11Mapper = NULL;
  40. }
  42. if ( _pCertWildcardMapper != NULL )
  43. {
  44. delete _pCertWildcardMapper;
  45. _pCertWildcardMapper = NULL;
  46. }
  47. }
  49. HRESULT
  50. IIS_CERTIFICATE_MAPPING::Read11Mappings(
  51. DWORD dwSiteId
  52. )
  53. /*++
  55. Routine Description:
  57. Read 1-1 mappings from metabase
  59. Arguments:
  61. dwSiteId - Site ID
  63. Return Value:
  65. HRESULT
  67. --*/
  68. {
  69. MB mb( g_pW3Server->QueryMDObject() );
  70. WCHAR achMBPath[ 256 ];
  71. HRESULT hr = NO_ERROR;
  72. // besides terminating '\0' one extra char is needed for leading slash
  73. WCHAR achMappingName[ ADMINDATA_MAX_NAME_LEN + 1 + 1 ];
  74. BOOL fRet;
  75. DWORD dwIndex;
  76. STACK_BUFFER( buff, 1024 );
  77. DWORD cbRequired;
  78. STACK_STRU( strTemp, 64 );
  79. STACK_STRU( strUserName, 64 );
  80. STACK_STRU( strPassword, 64 );
  81. DWORD dwEnabled;
  82. CIisMapping * pCertMapping;
  84. //
  85. // Setup the metabase path to get at 1-1 mappings
  86. //
  88. _snwprintf( achMBPath,
  89. sizeof( achMBPath ) / sizeof( WCHAR ) - 1,
  90. L"/LM/W3SVC/%d/Cert11/Mappings",
  91. dwSiteId );
  92. achMBPath[ sizeof( achMBPath ) / sizeof( WCHAR ) - 1 ] = '\0';
  94. //
  95. // Open the metabase and read 1-1 mapping properties
  96. //
  98. fRet = mb.Open( achMBPath,
  99. METADATA_PERMISSION_READ );
  100. if ( fRet )
  101. {
  102. dwIndex = 0;
  103. achMappingName[ 0 ] = L'/';
  105. for ( ; ; ) // loop un
  106. {
  107. dwEnabled = FALSE;
  109. //
  110. // We will need to prepend the object name with '/'. Hence
  111. // goofyness of sending an offseted pointed to name
  112. //
  114. fRet = mb.EnumObjects( L"",
  115. achMappingName + 1,
  116. dwIndex );
  117. if ( !fRet )
  118. {
  119. hr = HRESULT_FROM_WIN32( ERROR_FILE_NOT_FOUND );
  120. break;
  121. }
  123. //
  124. // Get certificate blob
  125. //
  127. cbRequired = buff.QuerySize();
  129. fRet = mb.GetData( achMappingName,
  130. MD_MAPCERT,
  131. IIS_MD_UT_SERVER,
  132. BINARY_METADATA,
  133. buff.QueryPtr(),
  134. &cbRequired,
  135. METADATA_NO_ATTRIBUTES );
  136. if ( !fRet )
  137. {
  138. if ( GetLastError() == ERROR_INSUFFICIENT_BUFFER )
  139. {
  140. DBG_ASSERT( cbRequired > buff.QuerySize() );
  142. if ( !buff.Resize( cbRequired ) )
  143. {
  144. hr = HRESULT_FROM_WIN32( GetLastError() );
  145. break;
  146. }
  148. fRet = mb.GetData( achMappingName,
  149. MD_MAPCERT,
  150. IIS_MD_UT_SERVER,
  151. BINARY_METADATA,
  152. buff.QueryPtr(),
  153. &cbRequired,
  154. METADATA_NO_ATTRIBUTES );
  155. if ( !fRet )
  156. {
  157. DBG_ASSERT( GetLastError() != ERROR_INSUFFICIENT_BUFFER );
  158. hr = HRESULT_FROM_WIN32( GetLastError() );
  159. if ( hr == MD_ERROR_DATA_NOT_FOUND )
  160. {
  161. // if cert blob is not present we skip this entry
  162. goto NextEntry;
  163. }
  164. else
  165. {
  166. break;
  167. }
  168. }
  169. }
  170. else
  171. {
  172. hr = HRESULT_FROM_WIN32( GetLastError() );
  173. if ( hr == MD_ERROR_DATA_NOT_FOUND )
  174. {
  175. // if cert blob is not present we skip this entry
  176. goto NextEntry;
  177. }
  178. else
  179. {
  180. break;
  181. }
  182. }
  183. }
  185. //
  186. // Get NT account name
  187. //
  189. if ( !mb.GetStr( achMappingName,
  190. MD_MAPNTACCT,
  191. IIS_MD_UT_SERVER,
  192. &strUserName ) )
  193. {
  194. hr = HRESULT_FROM_WIN32( GetLastError() );
  195. if ( hr == MD_ERROR_DATA_NOT_FOUND )
  196. {
  197. // if account name is not present we skip this entry
  198. goto NextEntry;
  199. }
  200. else
  201. {
  202. break;
  203. }
  205. break;
  206. }
  208. //
  209. // Get NT password
  210. //
  212. if ( !mb.GetStr( achMappingName,
  213. MD_MAPNTPWD,
  214. IIS_MD_UT_SERVER,
  215. &strPassword ) )
  216. {
  217. hr = HRESULT_FROM_WIN32( GetLastError() );
  218. if ( hr == MD_ERROR_DATA_NOT_FOUND )
  219. {
  220. // we assume default password - empty;
  221. strPassword.Reset();
  222. }
  223. else
  224. {
  225. break;
  226. }
  227. }
  229. //
  230. // Is this mapping enabled?
  231. //
  233. if ( !mb.GetDword( achMappingName,
  234. MD_MAPENABLED,
  235. IIS_MD_UT_SERVER,
  236. &dwEnabled ) )
  237. {
  238. hr = HRESULT_FROM_WIN32( GetLastError() );
  239. if ( hr == MD_ERROR_DATA_NOT_FOUND )
  240. {
  241. // we assume default 0 (FALSE);
  242. dwEnabled = 0;
  243. }
  244. else
  245. {
  246. break;
  247. }
  248. }
  250. //
  251. // If this mapping is enabled, add it to 1-1 mapper
  252. //
  254. if ( dwEnabled )
  255. {
  256. if ( _pCert11Mapper == NULL )
  257. {
  258. _pCert11Mapper = new CIisCert11Mapper();
  259. if ( _pCert11Mapper == NULL )
  260. {
  261. hr = HRESULT_FROM_WIN32( GetLastError() );
  262. break;
  263. }
  265. //
  266. // Reset() will configure default hierarchies
  267. // If hierarchies are not configured then comparison (CIisMapping::Cmp() function
  268. // implemented in iismap.cxx) will fail
  269. // (and mapper will always incorrectly map to first available 1to1 mapping)
  270. //
  272. if(!_pCert11Mapper->Reset())
  273. {
  274. delete _pCert11Mapper;
  275. _pCert11Mapper = NULL;
  277. hr = HRESULT_FROM_WIN32( GetLastError() );
  278. break;
  279. }
  280. }
  282. DBG_ASSERT( _pCert11Mapper != NULL );
  284. pCertMapping = _pCert11Mapper->CreateNewMapping();
  285. if ( pCertMapping == NULL )
  286. {
  287. hr = HRESULT_FROM_WIN32( GetLastError() );
  288. break;
  289. }
  291. if ( !pCertMapping->MappingSetField( IISMDB_INDEX_CERT11_CERT,
  292. (PBYTE) buff.QueryPtr(),
  293. cbRequired,
  294. FALSE ) )
  295. {
  296. hr = HRESULT_FROM_WIN32( GetLastError() );
  297. break;
  298. }
  300. if ( !pCertMapping->MappingSetField( IISMDB_INDEX_CERT11_NT_ACCT,
  301. (PBYTE) strUserName.QueryStr(),
  302. strUserName.QueryCB() + sizeof (WCHAR),
  303. FALSE ) )
  304. {
  305. hr = HRESULT_FROM_WIN32( GetLastError() );
  306. delete pCertMapping;
  307. pCertMapping = NULL;
  308. break;
  309. }
  311. if ( !pCertMapping->MappingSetField( IISMDB_INDEX_CERT11_NT_PWD,
  312. (PBYTE) strPassword.QueryStr(),
  313. strPassword.QueryCB() + sizeof (WCHAR),
  314. FALSE ) )
  315. {
  316. hr = HRESULT_FROM_WIN32( GetLastError() );
  317. delete pCertMapping;
  318. pCertMapping = NULL;
  319. break;
  320. }
  322. if ( !((CIisAcctMapper*)_pCert11Mapper)->Add( pCertMapping, FALSE ) )
  323. {
  324. hr = HRESULT_FROM_WIN32( GetLastError() );
  325. delete pCertMapping;
  326. pCertMapping = NULL;
  327. break;
  328. }
  329. }
  330. NextEntry:
  331. dwIndex++;
  332. }
  333. }
  334. else
  335. {
  336. hr = HRESULT_FROM_WIN32( ERROR_FILE_NOT_FOUND );
  337. }
  339. return hr;
  340. }
  342. HRESULT
  343. IIS_CERTIFICATE_MAPPING::ReadWildcardMappings(
  344. DWORD dwSiteId
  345. )
  346. /*++
  348. Routine Description:
  350. Read wildcard mappings from metabase
  352. Arguments:
  354. dwSiteId - Site ID (duh)
  356. Return Value:
  358. HRESULT
  360. --*/
  361. {
  362. MB mb( g_pW3Server->QueryMDObject() );
  363. WCHAR achMBPath[ 256 ];
  364. BOOL fRet;
  365. BYTE abBuffer[ 1024 ];
  366. BUFFER buff( abBuffer, sizeof( abBuffer ) );
  367. DWORD cbRequired;
  368. PUCHAR pSerializedMapping;
  370. //
  371. // Setup the metabase path to get at wildcard mappings
  372. //
  374. _snwprintf( achMBPath,
  375. sizeof( achMBPath ) / sizeof( WCHAR ) - 1,
  376. L"/LM/W3SVC/%d/",
  377. dwSiteId );
  378. achMBPath[ sizeof( achMBPath ) / sizeof( WCHAR ) - 1 ] = '\0';
  380. //
  381. // Open the metabase and read wildcard mappings
  382. //
  384. fRet = mb.Open( achMBPath,
  385. METADATA_PERMISSION_READ );
  386. if ( fRet )
  387. {
  388. cbRequired = buff.QuerySize();
  390. fRet = mb.GetData( L"",
  391. MD_SERIAL_CERTW,
  392. IIS_MD_UT_SERVER,
  393. BINARY_METADATA,
  394. buff.QueryPtr(),
  395. &cbRequired,
  396. METADATA_NO_ATTRIBUTES );
  397. if ( !fRet )
  398. {
  399. if ( GetLastError() == ERROR_INSUFFICIENT_BUFFER )
  400. {
  401. DBG_ASSERT( cbRequired > buff.QuerySize() );
  403. if ( !buff.Resize( cbRequired ) )
  404. {
  405. return HRESULT_FROM_WIN32( GetLastError() );
  406. }
  408. fRet = mb.GetData( L"",
  409. MD_SERIAL_CERTW,
  410. IIS_MD_UT_SERVER,
  411. BINARY_METADATA,
  412. buff.QueryPtr(),
  413. &cbRequired,
  414. METADATA_NO_ATTRIBUTES );
  415. if ( !fRet )
  416. {
  417. DBG_ASSERT( GetLastError() != ERROR_INSUFFICIENT_BUFFER );
  419. return HRESULT_FROM_WIN32( GetLastError() );
  420. }
  421. }
  422. else
  423. {
  424. return HRESULT_FROM_WIN32( ERROR_FILE_NOT_FOUND );
  425. }
  426. }
  428. //
  429. // Thanx to the man, I can just unserialize. XBF rocks ;-)
  430. //
  432. DBG_ASSERT( _pCertWildcardMapper == NULL );
  434. _pCertWildcardMapper = new CIisRuleMapper();
  435. if ( _pCertWildcardMapper == NULL )
  436. {
  437. return HRESULT_FROM_WIN32( GetLastError() );
  438. }
  440. if( !_pCertWildcardMapper->IsValid() )
  441. {
  442. //
  443. // creation of _pCertWildcardMapper failed
  444. // assume out of memory
  445. //
  446. return HRESULT_FROM_WIN32( ERROR_OUTOFMEMORY );
  447. }
  449. pSerializedMapping = (PUCHAR) buff.QueryPtr();
  451. // Unserialize will change the value of pSerializedMapping
  452. // It will point to the end of the unserialized data
  453. // We don't need that modified pointer. But remember not to use
  454. // pSerializedMapping any more after Unserialize call
  455. //
  456. fRet = _pCertWildcardMapper->Unserialize( &pSerializedMapping,
  457. &cbRequired );
  458. if ( !fRet )
  459. {
  460. return HRESULT_FROM_WIN32( GetLastError() );
  461. }
  462. }
  463. else
  464. {
  465. return HRESULT_FROM_WIN32( ERROR_FILE_NOT_FOUND );
  466. }
  468. return NO_ERROR;
  469. }
  472. //static
  473. HRESULT
  474. IIS_CERTIFICATE_MAPPING::GetCertificateMapping(
  475. DWORD dwSiteId,
  476. IIS_CERTIFICATE_MAPPING ** ppCertificateMapping
  477. )
  478. /*++
  480. Routine Description:
  482. Read appropriate metabase configuration to get configured IIS
  483. certificate mapping
  485. Arguments:
  487. dwSiteId - Site ID (duh)
  488. ppCertificateMapping - Filled with certificate mapping descriptor on
  489. success
  491. Return Value:
  493. HRESULT
  495. --*/
  496. {
  497. IIS_CERTIFICATE_MAPPING * pCertMapping = NULL;
  498. HRESULT hr = NO_ERROR;
  500. if ( ppCertificateMapping == NULL )
  501. {
  502. DBG_ASSERT( FALSE );
  503. return HRESULT_FROM_WIN32( ERROR_INVALID_PARAMETER );
  504. }
  505. *ppCertificateMapping = NULL;
  507. //
  508. // Create a certificate mapping descriptor
  509. //
  511. pCertMapping = new IIS_CERTIFICATE_MAPPING();
  512. if ( pCertMapping == NULL )
  513. {
  514. hr = HRESULT_FROM_WIN32( GetLastError() );
  515. goto Finished;
  516. }
  518. //
  519. // Read 1-1 mappings
  520. //
  522. hr = pCertMapping->Read11Mappings( dwSiteId );
  523. if ( FAILED( hr ) &&
  524. hr != HRESULT_FROM_WIN32( ERROR_FILE_NOT_FOUND ) )
  525. {
  526. DBGPRINTF(( DBG_CONTEXT,
  527. "Error reading 1to1 Certificate Mappings. hr = %x\n",
  528. hr ));
  530. goto Finished;
  531. }
  532. hr = NO_ERROR;
  534. //
  535. // Read wildcards
  536. //
  538. hr = pCertMapping->ReadWildcardMappings( dwSiteId );
  539. if ( FAILED( hr ) &&
  540. hr != HRESULT_FROM_WIN32( ERROR_FILE_NOT_FOUND ) )
  541. {
  542. DBGPRINTF(( DBG_CONTEXT,
  543. "Error reading Wildcard Certificate Mappings. hr = %x\n",
  544. hr ));
  546. goto Finished;
  547. }
  548. hr = NO_ERROR;
  550. Finished:
  551. if ( FAILED( hr ) )
  552. {
  553. if ( pCertMapping != NULL )
  554. {
  555. delete pCertMapping;
  556. pCertMapping = NULL;
  557. }
  558. }
  559. else
  560. {
  561. DBG_ASSERT( pCertMapping != NULL );
  562. *ppCertificateMapping = pCertMapping;
  563. }
  565. return hr;
  566. }
  569. HRESULT
  570. IIS_CERTIFICATE_MAPPING::DoMapCredential(
  571. W3_MAIN_CONTEXT * pMainContext,
  572. PBYTE pClientCertBlob,
  573. DWORD cbClientCertBlob,
  574. TOKEN_CACHE_ENTRY ** ppCachedToken,
  575. BOOL * pfClientCertDeniedByMapper
  576. )
  577. {
  578. CIisMapping * pQuery;
  579. CIisMapping * pResult;
  580. WCHAR wszUserName[ UNLEN + IIS_DNLEN + 1 + 1 ];
  581. LPWSTR pwszUserName;
  582. DWORD cbUserName;
  583. WCHAR wszPassword[ PWLEN + 1 ];
  584. LPWSTR pwszPassword;
  585. DWORD cbPassword;
  586. CHAR * pszDomain;
  587. BOOL fMatch = FALSE;
  588. DWORD dwLogonError = NO_ERROR;
  589. HRESULT hr = S_OK;
  591. BOOL fPossibleUPNLogon = FALSE;
  592. //
  593. // add 1 to strUserDomainW for separator "\"
  594. //
  595. STACK_STRU( strUserDomainW, UNLEN + IIS_DNLEN + 1 + 1 );
  596. STACK_STRU( strUserNameW, UNLEN + IIS_DNLEN + 1 + 1 );
  597. STACK_STRU( strDomainNameW, IIS_DNLEN + 1 );
  598. STACK_STRU( strPasswordW, PWLEN + 1 );
  599. DBG_ASSERT( pClientCertBlob != NULL );
  600. DBG_ASSERT( cbClientCertBlob != 0 );
  601. DBG_ASSERT( ppCachedToken != NULL );
  602. DBG_ASSERT( pfClientCertDeniedByMapper != NULL );
  605. //
  606. // First try the 1-1 mapper
  607. //
  610. if ( _pCert11Mapper != NULL )
  611. {
  612. //
  613. // Build a query mapping to check
  614. //
  616. pQuery = _pCert11Mapper->CreateNewMapping( pClientCertBlob,
  617. cbClientCertBlob );
  618. if ( pQuery == NULL )
  619. {
  620. return SEC_E_INTERNAL_ERROR;
  621. }
  623. //
  624. // no need to lock cert mapper because this is read only copy
  625. // used for mapping execution in worker process
  628. if ( _pCert11Mapper->FindMatch( pQuery,
  629. &pResult ) )
  630. {
  631. //
  632. // Awesome. We found a match. Do the deed if the rule is
  633. // enabled
  634. //
  636. if ( pResult->MappingGetField( IISMDB_INDEX_CERT11_NT_ACCT,
  637. (PBYTE *)&pwszUserName,
  638. &cbUserName,
  639. FALSE ) &&
  640. pResult->MappingGetField( IISMDB_INDEX_CERT11_NT_PWD,
  641. (PBYTE *)&pwszPassword,
  642. &cbPassword,
  643. FALSE ) )
  644. {
  645. //
  646. // No need to check for Enabled (IISMDB_INDEX_CERT11_ENABLED)
  647. // since Read11Mappings() will build mapping table consisting only
  648. // of enabled mappings
  649. //
  651. //
  652. // Make copy of user and password
  653. //
  654. hr = strUserDomainW.Copy( pwszUserName );
  655. if ( FAILED( hr ) )
  656. {
  657. return hr;
  658. }
  660. hr = strPasswordW.Copy( pwszPassword );
  661. if ( FAILED( hr ) )
  662. {
  663. return hr;
  664. }
  666. fMatch = TRUE;
  667. }
  668. }
  671. delete pQuery;
  672. pQuery = NULL;
  673. }
  675. //
  676. // Try the wildcard mapper if we still haven't found a match
  677. //
  679. if ( !fMatch &&
  680. _pCertWildcardMapper != NULL )
  681. {
  683. PCCERT_CONTEXT pClientCert = CertCreateCertificateContext(
  684. X509_ASN_ENCODING | PKCS_7_ASN_ENCODING,
  685. pClientCertBlob,
  686. cbClientCertBlob );
  687. if ( pClientCert == NULL )
  688. {
  689. DBG_ASSERT( pClientCert != NULL );
  690. }
  691. // Wildcard mapper assumes that
  692. // achUserName buffer is greater than UNLEN+IIS_DNLEN+1 and
  693. // achPassword buffer is greater then PWLEN
  694. //
  695. else if ( !_pCertWildcardMapper->Match(
  696. (PCERT_CONTEXT) pClientCert,
  697. NULL, // legacy value
  698. wszUserName,
  699. wszPassword ) )
  700. {
  701. //
  702. // If the mapping rule is denied then return
  703. // a NULL pointer through ppCachedToken with SEC_E_OK.
  704. // That indicated to caller that mapping was denied
  705. //
  707. if ( GetLastError() == ERROR_ACCESS_DENIED )
  708. {
  709. *ppCachedToken = NULL;
  710. *pfClientCertDeniedByMapper = TRUE;
  712. if ( pClientCert != NULL )
  713. {
  714. CertFreeCertificateContext( pClientCert );
  715. pClientCert = NULL;
  716. }
  718. return SEC_E_OK;
  719. }
  720. }
  721. else
  722. {
  723. fMatch = TRUE;
  724. //
  725. // Copy user and password (user name may be fully qualified with domain name in it)
  726. //
  727. hr = strUserDomainW.Copy( wszUserName );
  728. if ( FAILED( hr ) )
  729. {
  730. return hr;
  731. }
  733. hr = strPasswordW.Copy( wszPassword );
  734. if ( FAILED( hr ) )
  735. {
  736. return hr;
  737. }
  739. }
  741. if ( pClientCert != NULL )
  742. {
  743. CertFreeCertificateContext( pClientCert );
  744. pClientCert = NULL;
  745. }
  746. }
  748. //
  749. // If we still haven't found a match, then return error
  750. //
  752. if ( fMatch )
  753. {
  755. //
  756. // Split up the user name into domain/user if needed
  757. // Note: DefaultLogonDomain is not used for cert mapping at all
  758. // This is to keep behaviour equivalent with former versions of IIS
  759. //
  761. hr = W3_STATE_AUTHENTICATION::SplitUserDomain( strUserDomainW,
  762. &strUserNameW,
  763. &strDomainNameW,
  764. NULL, // no default domain
  765. &fPossibleUPNLogon );
  766. if ( FAILED( hr ) )
  767. {
  768. return hr;
  769. }
  772. //
  773. // We should have valid credentials to call LogonUser()
  774. //
  775. DBG_ASSERT( g_pW3Server->QueryTokenCache() != NULL );
  777. hr = g_pW3Server->QueryTokenCache()->GetCachedToken(
  778. strUserNameW.QueryStr(),
  779. strDomainNameW.QueryStr(),
  780. strPasswordW.QueryStr(),
  781. LOGON32_LOGON_NETWORK_CLEARTEXT,
  782. FALSE, //don't use subauth
  783. fPossibleUPNLogon,
  784. pMainContext->QueryRequest()->
  785. QueryRemoteSockAddress(),
  786. ppCachedToken,
  787. &dwLogonError );
  788. if ( FAILED( hr ) )
  789. {
  790. return SEC_E_UNKNOWN_CREDENTIALS;
  791. }
  792. //
  793. // If *ppCachedToken is NULL, then logon failed
  794. //
  796. if ( *ppCachedToken == NULL )
  797. {
  798. //
  799. // Note: With IIS5 we used to log logon failure to event log
  800. // however it doesn't seem to be necessary because if logon/logoff auditing is enabled
  801. // then security log would have relevant information about the logon failure
  802. //
  803. DBG_ASSERT( dwLogonError != ERROR_SUCCESS );
  804. return SEC_E_UNKNOWN_CREDENTIALS;
  805. }
  807. DBG_ASSERT( (*ppCachedToken)->CheckSignature() );
  808. *pfClientCertDeniedByMapper = FALSE;
  809. return SEC_E_OK;
  810. }
  812. return SEC_E_UNKNOWN_CREDENTIALS;
  813. }