archive
/
windows-server-2003
mirror of https://github.com/selfrender/Windows-Server-2003
2
0
Fork 0
Code Issues Projects Releases Wiki Activity
Leaked source code of windows server 2003
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
4 Commits
1 Branch
0 Tags
4.9 GiB
Tree: 5c6fe3db62
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '5c6fe3db62'
${ noResults }
windows-server-2003/ds/security/protocols/kerberos/client2/krbaudit.cxx

366 lines
11 KiB
Raw Normal View History

commiting as it is
4 years ago
  1. //+-----------------------------------------------------------------------
  2. //
  3. // Microsoft Windows
  4. //
  5. // Copyright (c) Microsoft Corporation 2001
  6. //
  7. // File: krbaudit.cxx
  8. //
  9. // Contents: Auditing routines
  10. //
  11. //
  12. // History: 27-April-2001 Created kumarp
  13. //
  14. //------------------------------------------------------------------------
  16. #include <kerb.hxx>
  17. #include <kerbp.h>
  18. #include <krbaudit.h>
  21. //+-------------------------------------------------------------------------
  22. //
  23. // Function: KerbGetLogonGuid
  24. //
  25. // Synopsis: Gets a unique ID based on certain fields in the ticket
  26. //
  27. // Arguments: pPrimaryCredentials -- primary credentials
  28. // pKdcReplyBody -- kdc reply structure
  29. // pLogonGuid -- returned GUID
  30. //
  31. // Returns: NTSTATUS code
  32. //
  33. // Notes: The generated GUID is MD5 hash of 3 fields:
  34. // -- client name
  35. // -- client realm
  36. // -- ticket start time
  37. //
  38. // All of these fields are available at client/kdc/server machine.
  39. // this allows us to generate the same unique ID on these machines
  40. // without having to introduce a new field in the ticket.
  41. // This GUID is used in audit events allowing us to correlate
  42. // events on three different machines.
  43. //
  44. //--------------------------------------------------------------------------
  45. NTSTATUS
  46. KerbGetLogonGuid(
  47. IN PKERB_PRIMARY_CREDENTIAL pPrimaryCredentials,
  48. IN PKERB_ENCRYPTED_KDC_REPLY pKdcReplyBody,
  49. OUT LPGUID pLogonGuid
  50. )
  51. {
  52. NTSTATUS Status = STATUS_INVALID_PARAMETER;
  54. // ISSUE-2001/04/28-kumarp : use KERB_ENCRYPTED_KDC_REPLY_starttime_present
  55. //if ( KdcReplyBody->flags & KERB_ENCRYPTED_KDC_REPLY_starttime_present )
  56. if ( pKdcReplyBody && pPrimaryCredentials )
  57. {
  59. Status = LsaIGetLogonGuid(
  60. &pPrimaryCredentials->UserName,
  61. &pPrimaryCredentials->DomainName,
  62. (PBYTE) &pKdcReplyBody->starttime,
  63. sizeof(KERB_TIME),
  64. pLogonGuid
  65. );
  67. if (!NT_SUCCESS(Status))
  68. {
  69. RtlZeroMemory( pLogonGuid, sizeof(GUID) );
  70. }
  71. }
  73. return Status;
  74. }
  78. //+-------------------------------------------------------------------------
  79. //
  80. // Function: KerbGenerateAuditForLogonUsingExplicitCreds
  81. //
  82. // Synopsis: Generate an audit event to indicate that somebody logged on
  83. // by supplying explicit credentials.
  84. //
  85. // Arguments: pCurrentUserLogonSession -- logon session of the user
  86. // who supplied credentials of
  87. // another user
  88. // pNewUserPrimaryCredentials -- supplied primary credentials
  89. // pNewUserLogonGuid -- logon GUID for the new logon
  90. // pTargetName -- name of the target server
  91. //
  92. // Returns: NTSTATUS code
  93. //
  94. // Notes: This event covers credentials obtained from credman
  95. //
  96. //--------------------------------------------------------------------------
  97. NTSTATUS
  98. KerbGenerateAuditForLogonUsingExplicitCreds(
  99. IN PKERB_LOGON_SESSION pCurrentUserLogonSession,
  100. IN PKERB_PRIMARY_CREDENTIAL pNewUserPrimaryCredentials,
  101. IN LPGUID pNewUserLogonGuid,
  102. IN PKERB_INTERNAL_NAME pTargetName
  103. )
  104. {
  105. NTSTATUS Status = STATUS_SUCCESS;
  106. GUID CurrentUserLogonGuid;
  107. LPGUID pCurrentUserLogonGuid = NULL;
  108. PKERB_TICKET_CACHE_ENTRY pTicketCacheEntry = NULL;
  109. UNICODE_STRING OurDomainName = { 0 };
  110. KERB_TIME CurrentUserStartTime = { 0 };
  111. KERBERR KerbErr = KDC_ERR_NONE;
  112. PUNICODE_STRING pTargetServerName = NULL;
  113. PUNICODE_STRING pTargetFullName = NULL;
  114. UNICODE_STRING TargetFullName = { 0 };
  116. //
  117. // calculate LogonGuid for current logged on user
  118. // we need the following 3 parameters for this:
  119. // -- client name
  120. // -- client realm
  121. // -- ticket start time
  122. //
  123. if ( !(pCurrentUserLogonSession->LogonSessionFlags &
  124. (KERB_LOGON_LOCAL_ONLY | KERB_LOGON_DEFERRED)) )
  125. {
  126. Status = KerbGetOurDomainName( &OurDomainName );
  128. ASSERT( NT_SUCCESS(Status) && L"KerbGenerateAuditForLogonUsingExplicitCreds: KerbGetOurDomainName failed" );
  130. if (NT_SUCCESS(Status))
  131. {
  132. //
  133. // find the cached ticket for the local machine from
  134. // the ticket cache of the current logon session.
  135. //
  136. pTicketCacheEntry =
  137. KerbLocateTicketCacheEntry(
  138. &pCurrentUserLogonSession->PrimaryCredentials.ServerTicketCache,
  139. KerbGlobalMitMachineServiceName,
  140. &OurDomainName
  141. );
  143. if ( pTicketCacheEntry )
  144. {
  145. //
  146. // Convert start time to the format we want.
  147. //
  148. KerbConvertLargeIntToGeneralizedTime(
  149. &CurrentUserStartTime,
  150. NULL,
  151. &pTicketCacheEntry->StartTime
  152. );
  154. //
  155. // Generate the logon GUID
  156. //
  157. Status = LsaIGetLogonGuid(
  158. &pCurrentUserLogonSession->PrimaryCredentials.UserName,
  159. &pCurrentUserLogonSession->PrimaryCredentials.DomainName,
  160. (PBYTE) &CurrentUserStartTime,
  161. sizeof(KERB_TIME),
  162. &CurrentUserLogonGuid
  163. );
  164. if (NT_SUCCESS(Status))
  165. {
  166. pCurrentUserLogonGuid = &CurrentUserLogonGuid;
  167. }
  168. }
  169. else
  170. {
  171. D_DebugLog((DEB_TRACE, "KerbGenerateAuditForLogonUsingExplicitCreds: could not locate ticket"));
  172. }
  173. }
  175. //
  176. // ISSUE-2002/03/28-kumarp : this should be inside the if stmt
  177. //
  178. KerbFreeString(&OurDomainName);
  180. }
  181. #if DBG
  182. else
  183. {
  184. //
  185. // KERB_LOGON_LOCAL_ONLY indicates a logon using non Kerberos package.
  186. // Logon GUID is supported only by Kerberos therefore its generation
  187. // is skipped.
  188. //
  189. if (pCurrentUserLogonSession->LogonSessionFlags & KERB_LOGON_LOCAL_ONLY)
  190. {
  191. D_DebugLog((DEB_TRACE,"KerbGenerateAuditForLogonUsingExplicitCreds: LogonSession %p has KERB_LOGON_LOCAL_ONLY\n", pCurrentUserLogonSession));
  192. }
  194. //
  195. // KERB_LOGON_DEFERRED indicates that a logon occurred using
  196. // cached credentials because kdc was not available. In this case,
  197. // we will not have a ticket for local machine therefore generation of
  198. // the logon GUID is skipped.
  199. //
  200. if (pCurrentUserLogonSession->LogonSessionFlags & KERB_LOGON_DEFERRED)
  201. {
  202. D_DebugLog((DEB_TRACE,"KerbGenerateAuditForLogonUsingExplicitCreds: LogonSession %p has KERB_LOGON_DEFERRED\n", pCurrentUserLogonSession));
  203. }
  204. }
  205. #endif
  207. //
  208. // convert pTargetName which is in kdc format to a UNICODE_STRING
  209. //
  211. KerbErr = KerbConvertKdcNameToString(
  212. &TargetFullName,
  213. pTargetName,
  214. NULL
  215. );
  217. if ( KerbErr == KDC_ERR_NONE )
  218. {
  219. pTargetFullName = &TargetFullName;
  220. }
  221. else
  222. {
  223. pTargetFullName = NULL;
  224. }
  226. //
  227. // extract the target computer name for known cases
  228. //
  230. if ( pTargetName->NameCount == 1 )
  231. {
  232. pTargetServerName = &pTargetName->Names[0];
  233. }
  234. else if ( pTargetName->NameCount >= 2 )
  235. {
  236. pTargetServerName = &pTargetName->Names[1];
  237. }
  238. else
  239. {
  240. pTargetServerName = NULL;
  241. }
  243. //
  244. // now generate the audit
  245. //
  246. Status = I_LsaIAuditLogonUsingExplicitCreds(
  247. EVENTLOG_AUDIT_SUCCESS,
  248. &pCurrentUserLogonSession->LogonId,
  249. pCurrentUserLogonGuid,
  250. (HANDLE) (ULONG_PTR) GetCurrentProcessId(),
  251. &pNewUserPrimaryCredentials->UserName,
  252. &pNewUserPrimaryCredentials->DomainName,
  253. pNewUserLogonGuid,
  254. pTargetServerName,
  255. pTargetFullName
  256. );
  259. if ( TargetFullName.Buffer != NULL )
  260. {
  261. MIDL_user_free( TargetFullName.Buffer );
  262. }
  264. return Status;
  265. }
  267. //+-------------------------------------------------------------------------
  268. //
  269. // Function: KerbAuditLogon
  270. //
  271. // Synopsis: Generate a successful logon audit event
  272. //
  273. // Arguments: LogonStatus -- overall logon status
  274. // LogonSubStatus -- sub-category within a failed logon status
  275. // pEncryptedTicket -- ticket used
  276. // pUserSid -- user's SID
  277. // pWorkstationName -- logon workstation
  278. // pLogonId -- logon LUID
  279. // pTransittedServices -- list of transitted services
  280. //
  281. // Returns: NTSTATUS code
  282. //
  283. // Notes: A new field (logon GUID) was added to this audit event.
  284. // In order to send this new field to LSA, we had two options:
  285. // 1) add new function (AuditLogonEx) to LSA dispatch table
  286. // 2) define a private (LsaI) function to do the job
  287. //
  288. // option#2 was chosen because the logon GUID is a Kerberos only
  289. // feature.
  290. //
  291. //--------------------------------------------------------------------------
  292. NTSTATUS
  293. KerbAuditLogon(
  294. IN NTSTATUS LogonStatus,
  295. IN NTSTATUS LogonSubStatus,
  296. IN PKERB_CONTEXT Context,
  297. IN PUNICODE_STRING pWorkstationName,
  298. IN PLUID pLogonId,
  299. IN PLSA_ADT_STRING_LIST pTransittedServices
  300. )
  301. {
  302. GUID LogonGuid = { 0 };
  303. NTSTATUS Status = STATUS_SUCCESS;
  304. KERB_TIME StartTime;
  306. //
  307. // Pull this eventually. I think we're OK, though.
  308. //
  309. if (Context == NULL)
  310. {
  311. DsysAssert(FALSE);
  312. goto Cleanup;
  313. }
  316. KerbConvertLargeIntToGeneralizedTime(
  317. &StartTime,
  318. NULL,
  319. &Context->StartTime
  320. );
  322. //
  323. // generate the logon GUID
  324. //
  325. Status = I_LsaIGetLogonGuid(
  326. &Context->ClientName,
  327. &Context->ClientRealm,
  328. (PBYTE) &StartTime,
  329. sizeof(KERB_TIME),
  330. &LogonGuid
  331. );
  333. if (!NT_SUCCESS(Status))
  334. {
  335. goto Cleanup;
  336. }
  339. //
  340. // generate successful logon audit. use the special
  341. // LsaIAuditKerberosLogon function so that we can pass in
  342. // the generated unique logon guid
  343. //
  344. I_LsaIAuditKerberosLogon(
  345. LogonStatus,
  346. LogonSubStatus,
  347. &Context->ClientName,
  348. &Context->ClientRealm,
  349. pWorkstationName,
  350. Context->UserSid,
  351. Network,
  352. &KerberosSource,
  353. pLogonId,
  354. &LogonGuid,
  355. pTransittedServices
  356. );
  358. Cleanup:
  359. if ( !NT_SUCCESS( Status ) )
  360. {
  361. D_DebugLog((DEB_ERROR,"KerbAuditLogon: failed: %x\n", Status ));
  362. }
  365. return Status;
  366. }