archive
/
windows-server-2003
mirror of https://github.com/selfrender/Windows-Server-2003
2
0
Fork 0
Code Issues Projects Releases Wiki Activity
Leaked source code of windows server 2003
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
4 Commits
1 Branch
0 Tags
1.5 GiB
Branch: master
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'master'
${ noResults }
windows-server-2003/net/ias/providers/ntuser/lsa/ezlogon.c

451 lines
11 KiB
Raw Permalink Normal View History

commiting as it is
4 years ago
  1. ///////////////////////////////////////////////////////////////////////////////
  2. //
  3. // Copyright (c) Microsoft Corp. All rights reserved.
  4. //
  5. // FILE
  6. //
  7. // ezlogon.c
  8. //
  9. // SYNOPSIS
  10. //
  11. // Defines the IAS wrapper around LsaLogonUser
  12. //
  13. // MODIFICATION HISTORY
  14. //
  15. // 08/15/1998 Original version.
  16. // 09/09/1998 Fix AV when logon domain doesn't match user domain.
  17. // 10/02/1998 NULL out handle when LsaLogonUser fails.
  18. // 10/11/1998 Use SubStatus for STATUS_ACCOUNT_RESTRICTION.
  19. // 10/22/1998 PIAS_LOGON_HOURS is now a mandatory parameter.
  20. // 01/28/1999 Remove LogonDomainName check.
  21. // 04/19/1999 Add IASPurgeTicketCache.
  22. //
  23. ///////////////////////////////////////////////////////////////////////////////
  25. #include <nt.h>
  26. #include <ntrtl.h>
  27. #include <nturtl.h>
  30. #include <ntlsa.h>
  31. #include <kerberos.h>
  32. #include <windows.h>
  34. #include <ezlogon.h>
  35. #include <iaslsa.h>
  36. #include <iastrace.h>
  38. CONST CHAR LOGON_PROCESS_NAME[] = "IAS";
  39. CONST CHAR TOKEN_SOURCE_NAME[TOKEN_SOURCE_LENGTH] = "IAS";
  41. //////////
  42. // Misc. global variables used for logons.
  43. //////////
  44. LSA_HANDLE theLogonProcess; // The handle for the logon process.
  45. ULONG theMSV1_0_Package; // The MSV1_0 authentication package.
  46. ULONG theKerberosPackage; // The Kerberos authentication package.
  47. STRING theOriginName; // The origin of the logon requests.
  48. TOKEN_SOURCE theSourceContext; // The source context of the logon requests.
  51. /////////////////////////////////////////////////////////////////////////////// //
  52. // FUNCTION
  53. //
  54. // IASLogonInitialize
  55. //
  56. // DESCRIPTION
  57. //
  58. // Registers the logon process.
  59. //
  60. ///////////////////////////////////////////////////////////////////////////////
  61. DWORD
  62. WINAPI
  63. IASLogonInitialize( VOID )
  64. {
  65. DWORD status;
  66. BOOLEAN wasEnabled;
  67. LSA_STRING processName, packageName;
  68. LSA_OPERATIONAL_MODE opMode;
  70. //////////
  71. // Enable SE_TCB_PRIVILEGE.
  72. //////////
  74. status = RtlAdjustPrivilege(
  75. SE_TCB_PRIVILEGE,
  76. TRUE,
  77. FALSE,
  78. &wasEnabled
  79. );
  80. if (!NT_SUCCESS(status)) { goto exit; }
  82. //////////
  83. // Register as a logon process.
  84. //////////
  86. RtlInitString(
  87. &processName,
  88. LOGON_PROCESS_NAME
  89. );
  91. status = LsaRegisterLogonProcess(
  92. &processName,
  93. &theLogonProcess,
  94. &opMode
  95. );
  96. if (!NT_SUCCESS(status)) { goto exit; }
  98. //////////
  99. // Lookup the MSV1_0 authentication package.
  100. //////////
  102. RtlInitString(
  103. &packageName,
  104. MSV1_0_PACKAGE_NAME
  105. );
  107. status = LsaLookupAuthenticationPackage(
  108. theLogonProcess,
  109. &packageName,
  110. &theMSV1_0_Package
  111. );
  112. if (!NT_SUCCESS(status)) { goto deregister; }
  114. //////////
  115. // Lookup the Kerberos authentication package.
  116. //////////
  118. RtlInitString(
  119. &packageName,
  120. MICROSOFT_KERBEROS_NAME_A
  121. );
  123. status = LsaLookupAuthenticationPackage(
  124. theLogonProcess,
  125. &packageName,
  126. &theKerberosPackage
  127. );
  128. if (!NT_SUCCESS(status)) { goto deregister; }
  130. //////////
  131. // Initialize the source context.
  132. //////////
  134. memcpy(theSourceContext.SourceName,
  135. TOKEN_SOURCE_NAME,
  136. TOKEN_SOURCE_LENGTH);
  137. status = NtAllocateLocallyUniqueId(
  138. &theSourceContext.SourceIdentifier
  139. );
  140. if (!NT_SUCCESS(status)) { goto deregister; }
  142. return NO_ERROR;
  144. deregister:
  145. LsaDeregisterLogonProcess(theLogonProcess);
  146. theLogonProcess = NULL;
  148. exit:
  149. return RtlNtStatusToDosError(status);
  150. }
  152. /////////////////////////////////////////////////////////////////////////////// //
  153. // FUNCTION
  154. //
  155. // IASLogonShutdown
  156. //
  157. // DESCRIPTION
  158. //
  159. // Deregisters the logon process.
  160. //
  161. ///////////////////////////////////////////////////////////////////////////////
  162. VOID
  163. WINAPI
  164. IASLogonShutdown( VOID )
  165. {
  166. LsaDeregisterLogonProcess(theLogonProcess);
  167. theLogonProcess = NULL;
  168. }
  170. /////////////////////////////////////////////////////////////////////////////// //
  171. // FUNCTION
  172. //
  173. // IASInitAuthInfo
  174. //
  175. // DESCRIPTION
  176. //
  177. // Initializes the fields common to all MSV1_0_LM20* structs.
  178. //
  179. ///////////////////////////////////////////////////////////////////////////////
  180. VOID
  181. WINAPI
  182. IASInitAuthInfo(
  183. IN PVOID AuthInfo,
  184. IN DWORD FixedLength,
  185. IN PCWSTR UserName,
  186. IN PCWSTR Domain,
  187. OUT PBYTE* Data
  188. )
  189. {
  190. PMSV1_0_LM20_LOGON logon;
  192. // Zero out the fixed data.
  193. memset(AuthInfo, 0, FixedLength);
  195. // Set Data to point just past the fixed struct.
  196. *Data = FixedLength + (PBYTE)AuthInfo;
  198. // This cast is safe since all LM20 structs have the same initial fields.
  199. logon = (PMSV1_0_LM20_LOGON)AuthInfo;
  201. // We always do Network logons.
  202. logon->MessageType = MsV1_0NetworkLogon;
  204. // Copy in the strings common to all logons.
  205. IASInitUnicodeString(logon->LogonDomainName, *Data, Domain);
  206. IASInitUnicodeString(logon->UserName, *Data, UserName);
  207. IASInitUnicodeString(logon->Workstation, *Data, L"");
  208. }
  210. /////////////////////////////////////////////////////////////////////////////// //
  211. // FUNCTION
  212. //
  213. // IASLogonUser
  214. //
  215. // DESCRIPTION
  216. //
  217. // Wrapper around LsaLogonUser.
  218. //
  219. ///////////////////////////////////////////////////////////////////////////////
  220. DWORD
  221. WINAPI
  222. IASLogonUser(
  223. IN PVOID AuthInfo,
  224. IN ULONG AuthInfoLength,
  225. OUT PMSV1_0_LM20_LOGON_PROFILE *Profile,
  226. OUT PHANDLE Token
  227. )
  228. {
  229. NTSTATUS status, SubStatus;
  230. PMSV1_0_LM20_LOGON_PROFILE ProfileBuffer;
  231. ULONG ProfileBufferLength;
  232. LUID LogonId;
  233. QUOTA_LIMITS Quotas;
  235. // Make sure the OUT arguments are NULL.
  236. *Token = NULL;
  237. ProfileBuffer = NULL;
  239. status = LsaLogonUser(
  240. theLogonProcess,
  241. &theOriginName,
  242. Network,
  243. theMSV1_0_Package,
  244. AuthInfo,
  245. AuthInfoLength,
  246. NULL,
  247. &theSourceContext,
  248. &ProfileBuffer,
  249. &ProfileBufferLength,
  250. &LogonId,
  251. Token,
  252. &Quotas,
  253. &SubStatus
  254. );
  256. if (!NT_SUCCESS(status))
  257. {
  258. // For account restrictions, we can get a more descriptive error
  259. // from the SubStatus.
  260. if (status == STATUS_ACCOUNT_RESTRICTION && !NT_SUCCESS(SubStatus))
  261. {
  262. status = SubStatus;
  263. }
  265. // Sometimes LsaLogonUser returns an invalid handle value on failure.
  266. *Token = NULL;
  267. }
  269. if (Profile)
  270. {
  271. // Return the profile if requested ...
  272. *Profile = ProfileBuffer;
  273. }
  274. else if (ProfileBuffer)
  275. {
  276. // ... otherwise free it.
  277. LsaFreeReturnBuffer(ProfileBuffer);
  278. }
  280. return RtlNtStatusToDosError(status);
  281. }
  283. /////////////////////////////////////////////////////////////////////////////// //
  284. // FUNCTION
  285. //
  286. // IASCheckAccountRestrictions
  287. //
  288. // DESCRIPTION
  289. //
  290. // Checks whether an account can be used for logon.
  291. //
  292. ///////////////////////////////////////////////////////////////////////////////
  293. DWORD
  294. WINAPI
  295. IASCheckAccountRestrictions(
  296. IN PLARGE_INTEGER AccountExpires,
  297. IN PIAS_LOGON_HOURS LogonHours,
  298. OUT PLARGE_INTEGER KickOffTime
  299. )
  300. {
  301. LONGLONG now, logonHoursExpiry;
  302. TIME_ZONE_INFORMATION tzi;
  303. SYSTEMTIME st;
  304. size_t msecOfWeek, msecPerUnit, idx, lastUnit, msecLeft;
  305. const size_t msecPerWeek = 1000 * 60 * 60 * 24 * 7;
  307. GetSystemTimeAsFileTime((LPFILETIME)&now);
  309. if (AccountExpires->QuadPart == 0)
  310. {
  311. // An expiration time of zero means 'never'.
  312. KickOffTime->QuadPart = MAXLONGLONG;
  313. }
  314. else if (AccountExpires->QuadPart > now)
  315. {
  316. KickOffTime->QuadPart = AccountExpires->QuadPart;
  317. }
  318. else
  319. {
  320. return ERROR_ACCOUNT_EXPIRED;
  321. }
  323. // If LogonHours is empty, then we're done.
  324. if (LogonHours->UnitsPerWeek == 0)
  325. {
  326. return NO_ERROR;
  327. }
  329. // The LogonHours array does not account for bias.
  330. switch (GetTimeZoneInformation(&tzi))
  331. {
  332. case TIME_ZONE_ID_UNKNOWN:
  333. case TIME_ZONE_ID_STANDARD:
  334. // Bias is in minutes.
  335. now -= 60 * 10000000 * (LONGLONG)tzi.StandardBias;
  336. break;
  338. case TIME_ZONE_ID_DAYLIGHT:
  339. // Bias is in minutes.
  340. now -= 60 * 10000000 * (LONGLONG)tzi.DaylightBias;
  341. break;
  343. default:
  344. return ERROR_INVALID_LOGON_HOURS;
  345. }
  347. FileTimeToSystemTime((LPFILETIME)&now, &st);
  349. // Number of milliseconds into the week.
  350. msecOfWeek = st.wMilliseconds +
  351. st.wSecond * 1000 +
  352. st.wMinute * 1000 * 60 +
  353. st.wHour * 1000 * 60 * 60 +
  354. st.wDayOfWeek * 1000 * 60 * 60 * 24;
  356. // Compute the index of the current time (our starting point).
  357. msecPerUnit = msecPerWeek / LogonHours->UnitsPerWeek;
  358. idx = msecOfWeek / msecPerUnit;
  360. // Number of units until we hit an unset bit.
  361. lastUnit = 0;
  363. while (lastUnit < LogonHours->UnitsPerWeek)
  364. {
  365. // Test the corresponding bit.
  366. if ((LogonHours->LogonHours[idx / 8] & (0x1 << (idx % 8))) == 0)
  367. {
  368. break;
  369. }
  371. ++lastUnit;
  372. ++idx;
  374. // Wrap around if necessary.
  375. if (idx == LogonHours->UnitsPerWeek)
  376. {
  377. idx = 0;
  378. }
  379. }
  381. if (lastUnit == LogonHours->UnitsPerWeek)
  382. {
  383. // All bits are set, so leave the KickOffTime alone.
  384. }
  385. else if (lastUnit > 0)
  386. {
  387. // How many milliseconds left?
  388. msecLeft = (lastUnit - 1) * msecPerUnit;
  389. msecLeft += msecPerUnit - (msecOfWeek % msecPerUnit);
  391. // Add this to the current time to find out when logon hours expires.
  392. logonHoursExpiry = now + (msecLeft * 10000i64);
  394. // Is this more restrictive than the the current KickOffTime?
  395. if (logonHoursExpiry < KickOffTime->QuadPart)
  396. {
  397. KickOffTime->QuadPart = logonHoursExpiry;
  398. }
  399. }
  400. else
  401. {
  402. // Current bit isn't set.
  403. return ERROR_INVALID_LOGON_HOURS;
  404. }
  406. return NO_ERROR;
  407. }
  410. /////////////////////////////////////////////////////////////////////////////// //
  411. // FUNCTION
  412. //
  413. // IASPurgeTicketCache
  414. //
  415. // DESCRIPTION
  416. //
  417. // Purges the Kerberos ticket cache.
  418. //
  419. ///////////////////////////////////////////////////////////////////////////////
  420. DWORD
  421. WINAPI
  422. IASPurgeTicketCache( VOID )
  423. {
  424. KERB_PURGE_TKT_CACHE_REQUEST request;
  425. NTSTATUS status, subStatus;
  426. PVOID response;
  427. ULONG responseLength;
  429. memset(&request, 0, sizeof(request));
  430. request.MessageType = KerbPurgeTicketCacheMessage;
  432. response = NULL;
  433. responseLength = 0;
  434. subStatus = 0;
  436. status = LsaCallAuthenticationPackage(
  437. theLogonProcess,
  438. theKerberosPackage,
  439. &request,
  440. sizeof(request),
  441. &response,
  442. &responseLength,
  443. &subStatus
  444. );
  445. if (NT_SUCCESS(status) && (response != NULL))
  446. {
  447. LsaFreeReturnBuffer(response);
  448. }
  450. return RtlNtStatusToDosError(status);
  451. }