/*++ BUILD Version: 0000 Increment this if a change has global effects Copyright (c) Microsoft Corporation. All rights reserved. Module Name: ntsecapi.h Abstract: This module defines the Local Security Authority APIs. Revision History: --*/ #ifndef _NTSECAPI_ #define _NTSECAPI_ #ifdef __cplusplus extern "C" { #endif #ifndef _NTDEF_ typedef LONG NTSTATUS, *PNTSTATUS; #endif #ifndef _NTLSA_IFS_ // begin_ntifs // // Security operation mode of the system is held in a control // longword. // typedef ULONG LSA_OPERATIONAL_MODE, *PLSA_OPERATIONAL_MODE; // end_ntifs #endif // _NTLSA_IFS_ // // The flags in the security operational mode are defined // as: // // PasswordProtected - Some level of authentication (such as // a password) must be provided by users before they are // allowed to use the system. Once set, this value will // not be cleared without re-booting the system. // // IndividualAccounts - Each user must identify an account to // logon to. This flag is only meaningful if the // PasswordProtected flag is also set. If this flag is // not set and the PasswordProtected flag is set, then all // users may logon to the same account. Once set, this value // will not be cleared without re-booting the system. // // MandatoryAccess - Indicates the system is running in a mandatory // access control mode (e.g., B-level as defined by the U.S.A's // Department of Defense's "Orange Book"). This is not utilized // in the current release of NT. This flag is only meaningful // if both the PasswordProtected and IndividualAccounts flags are // set. Once set, this value will not be cleared without // re-booting the system. // // LogFull - Indicates the system has been brought up in a mode in // which if must perform security auditing, but its audit log // is full. This may (should) restrict the operations that // can occur until the audit log is made not-full again. THIS // VALUE MAY BE CLEARED WHILE THE SYSTEM IS RUNNING (I.E., WITHOUT // REBOOTING). // // If the PasswordProtected flag is not set, then the system is running // without security, and user interface should be adjusted appropriately. // #define LSA_MODE_PASSWORD_PROTECTED (0x00000001L) #define LSA_MODE_INDIVIDUAL_ACCOUNTS (0x00000002L) #define LSA_MODE_MANDATORY_ACCESS (0x00000004L) #define LSA_MODE_LOG_FULL (0x00000008L) #ifndef _NTLSA_IFS_ // begin_ntifs // // Used by a logon process to indicate what type of logon is being // requested. // typedef enum _SECURITY_LOGON_TYPE { Interactive = 2, // Interactively logged on (locally or remotely) Network, // Accessing system via network Batch, // Started via a batch queue Service, // Service started by service controller Proxy, // Proxy logon Unlock, // Unlock workstation NetworkCleartext, // Network logon with cleartext credentials NewCredentials, // Clone caller, new default credentials RemoteInteractive, // Remote, yet interactive. Terminal server CachedInteractive, // Try cached credentials without hitting the net. CachedRemoteInteractive, // Same as RemoteInteractive, this is used internally for auditing purpose CachedUnlock // Cached Unlock workstation } SECURITY_LOGON_TYPE, *PSECURITY_LOGON_TYPE; // end_ntifs #endif // _NTLSA_IFS_ // // Audit Event Categories // // The following are the built-in types or Categories of audit event. // WARNING! This structure is subject to expansion. The user should not // compute the number of elements of this type directly, but instead // should obtain the count of elements by calling LsaQueryInformationPolicy() // for the PolicyAuditEventsInformation class and extracting the count from // the MaximumAuditEventCount field of the returned structure. // typedef enum _POLICY_AUDIT_EVENT_TYPE { AuditCategorySystem, AuditCategoryLogon, AuditCategoryObjectAccess, AuditCategoryPrivilegeUse, AuditCategoryDetailedTracking, AuditCategoryPolicyChange, AuditCategoryAccountManagement, AuditCategoryDirectoryServiceAccess, AuditCategoryAccountLogon } POLICY_AUDIT_EVENT_TYPE, *PPOLICY_AUDIT_EVENT_TYPE; // // The following defines describe the auditing options for each // event type // // Leave options specified for this event unchanged #define POLICY_AUDIT_EVENT_UNCHANGED (0x00000000L) // Audit successful occurrences of events of this type #define POLICY_AUDIT_EVENT_SUCCESS (0x00000001L) // Audit failed attempts to cause an event of this type to occur #define POLICY_AUDIT_EVENT_FAILURE (0x00000002L) #define POLICY_AUDIT_EVENT_NONE (0x00000004L) // Mask of valid event auditing options #define POLICY_AUDIT_EVENT_MASK \ (POLICY_AUDIT_EVENT_SUCCESS | \ POLICY_AUDIT_EVENT_FAILURE | \ POLICY_AUDIT_EVENT_UNCHANGED | \ POLICY_AUDIT_EVENT_NONE) #ifdef _NTDEF_ // begin_ntifs typedef UNICODE_STRING LSA_UNICODE_STRING, *PLSA_UNICODE_STRING; typedef STRING LSA_STRING, *PLSA_STRING; typedef OBJECT_ATTRIBUTES LSA_OBJECT_ATTRIBUTES, *PLSA_OBJECT_ATTRIBUTES; // end_ntifs #else // _NTDEF_ #ifndef IN #define IN #endif #ifndef OUT #define OUT #endif #ifndef OPTIONAL #define OPTIONAL #endif typedef struct _LSA_UNICODE_STRING { USHORT Length; USHORT MaximumLength; #ifdef MIDL_PASS [size_is(MaximumLength/2), length_is(Length/2)] #endif // MIDL_PASS PWSTR Buffer; } LSA_UNICODE_STRING, *PLSA_UNICODE_STRING; typedef struct _LSA_STRING { USHORT Length; USHORT MaximumLength; PCHAR Buffer; } LSA_STRING, *PLSA_STRING; typedef struct _LSA_OBJECT_ATTRIBUTES { ULONG Length; HANDLE RootDirectory; PLSA_UNICODE_STRING ObjectName; ULONG Attributes; PVOID SecurityDescriptor; // Points to type SECURITY_DESCRIPTOR PVOID SecurityQualityOfService; // Points to type SECURITY_QUALITY_OF_SERVICE } LSA_OBJECT_ATTRIBUTES, *PLSA_OBJECT_ATTRIBUTES; #endif // _NTDEF_ // // Macro for determining whether an API succeeded. // #define LSA_SUCCESS(Error) ((LONG)(Error) >= 0) #ifndef _NTLSA_IFS_ // begin_ntifs NTSTATUS NTAPI LsaRegisterLogonProcess ( IN PLSA_STRING LogonProcessName, OUT PHANDLE LsaHandle, OUT PLSA_OPERATIONAL_MODE SecurityMode ); NTSTATUS NTAPI LsaLogonUser ( IN HANDLE LsaHandle, IN PLSA_STRING OriginName, IN SECURITY_LOGON_TYPE LogonType, IN ULONG AuthenticationPackage, IN PVOID AuthenticationInformation, IN ULONG AuthenticationInformationLength, IN PTOKEN_GROUPS LocalGroups OPTIONAL, IN PTOKEN_SOURCE SourceContext, OUT PVOID *ProfileBuffer, OUT PULONG ProfileBufferLength, OUT PLUID LogonId, OUT PHANDLE Token, OUT PQUOTA_LIMITS Quotas, OUT PNTSTATUS SubStatus ); // end_ntifs NTSTATUS NTAPI LsaLookupAuthenticationPackage ( IN HANDLE LsaHandle, IN PLSA_STRING PackageName, OUT PULONG AuthenticationPackage ); // begin_ntifs NTSTATUS NTAPI LsaFreeReturnBuffer ( IN PVOID Buffer ); // end_ntifs NTSTATUS NTAPI LsaCallAuthenticationPackage ( IN HANDLE LsaHandle, IN ULONG AuthenticationPackage, IN PVOID ProtocolSubmitBuffer, IN ULONG SubmitBufferLength, OUT PVOID *ProtocolReturnBuffer, OUT PULONG ReturnBufferLength, OUT PNTSTATUS ProtocolStatus ); NTSTATUS NTAPI LsaDeregisterLogonProcess ( IN HANDLE LsaHandle ); NTSTATUS NTAPI LsaConnectUntrusted ( OUT PHANDLE LsaHandle ); #endif // _NTLSA_IFS_ //////////////////////////////////////////////////////////////////////////// // // // Local Security Policy Administration API datatypes and defines // // // //////////////////////////////////////////////////////////////////////////// // // Access types for the Policy object // #define POLICY_VIEW_LOCAL_INFORMATION 0x00000001L #define POLICY_VIEW_AUDIT_INFORMATION 0x00000002L #define POLICY_GET_PRIVATE_INFORMATION 0x00000004L #define POLICY_TRUST_ADMIN 0x00000008L #define POLICY_CREATE_ACCOUNT 0x00000010L #define POLICY_CREATE_SECRET 0x00000020L #define POLICY_CREATE_PRIVILEGE 0x00000040L #define POLICY_SET_DEFAULT_QUOTA_LIMITS 0x00000080L #define POLICY_SET_AUDIT_REQUIREMENTS 0x00000100L #define POLICY_AUDIT_LOG_ADMIN 0x00000200L #define POLICY_SERVER_ADMIN 0x00000400L #define POLICY_LOOKUP_NAMES 0x00000800L #define POLICY_NOTIFICATION 0x00001000L #define POLICY_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED |\ POLICY_VIEW_LOCAL_INFORMATION |\ POLICY_VIEW_AUDIT_INFORMATION |\ POLICY_GET_PRIVATE_INFORMATION |\ POLICY_TRUST_ADMIN |\ POLICY_CREATE_ACCOUNT |\ POLICY_CREATE_SECRET |\ POLICY_CREATE_PRIVILEGE |\ POLICY_SET_DEFAULT_QUOTA_LIMITS |\ POLICY_SET_AUDIT_REQUIREMENTS |\ POLICY_AUDIT_LOG_ADMIN |\ POLICY_SERVER_ADMIN |\ POLICY_LOOKUP_NAMES) #define POLICY_READ (STANDARD_RIGHTS_READ |\ POLICY_VIEW_AUDIT_INFORMATION |\ POLICY_GET_PRIVATE_INFORMATION) #define POLICY_WRITE (STANDARD_RIGHTS_WRITE |\ POLICY_TRUST_ADMIN |\ POLICY_CREATE_ACCOUNT |\ POLICY_CREATE_SECRET |\ POLICY_CREATE_PRIVILEGE |\ POLICY_SET_DEFAULT_QUOTA_LIMITS |\ POLICY_SET_AUDIT_REQUIREMENTS |\ POLICY_AUDIT_LOG_ADMIN |\ POLICY_SERVER_ADMIN) #define POLICY_EXECUTE (STANDARD_RIGHTS_EXECUTE |\ POLICY_VIEW_LOCAL_INFORMATION |\ POLICY_LOOKUP_NAMES) // // Policy object specific data types. // // // The following data type is used to identify a domain // typedef struct _LSA_TRUST_INFORMATION { LSA_UNICODE_STRING Name; PSID Sid; } LSA_TRUST_INFORMATION, *PLSA_TRUST_INFORMATION; // where members have the following usage: // // Name - The name of the domain. // // Sid - A pointer to the Sid of the Domain // // // The following data type is used in name and SID lookup services to // describe the domains referenced in the lookup operation. // typedef struct _LSA_REFERENCED_DOMAIN_LIST { ULONG Entries; PLSA_TRUST_INFORMATION Domains; } LSA_REFERENCED_DOMAIN_LIST, *PLSA_REFERENCED_DOMAIN_LIST; // where members have the following usage: // // Entries - Is a count of the number of domains described in the // Domains array. // // Domains - Is a pointer to an array of Entries LSA_TRUST_INFORMATION data // structures. // // // The following data type is used in name to SID lookup services to describe // the domains referenced in the lookup operation. // typedef struct _LSA_TRANSLATED_SID { SID_NAME_USE Use; ULONG RelativeId; LONG DomainIndex; } LSA_TRANSLATED_SID, *PLSA_TRANSLATED_SID; // where members have the following usage: // // Use - identifies the use of the SID. If this value is SidUnknown or // SidInvalid, then the remainder of the record is not set and // should be ignored. // // RelativeId - Contains the relative ID of the translated SID. The // remainder of the SID (the prefix) is obtained using the // DomainIndex field. // // DomainIndex - Is the index of an entry in a related // LSA_REFERENCED_DOMAIN_LIST data structure describing the // domain in which the account was found. // // If there is no corresponding reference domain for an entry, then // this field will contain a negative value. // typedef struct _LSA_TRANSLATED_SID2 { SID_NAME_USE Use; PSID Sid; LONG DomainIndex; ULONG Flags; } LSA_TRANSLATED_SID2, *PLSA_TRANSLATED_SID2; // where members have the following usage: // // Use - identifies the use of the SID. If this value is SidUnknown or // SidInvalid, then the remainder of the record is not set and // should be ignored. // // Sid - Contains the complete Sid of the tranlated SID // // DomainIndex - Is the index of an entry in a related // LSA_REFERENCED_DOMAIN_LIST data structure describing the // domain in which the account was found. // // If there is no corresponding reference domain for an entry, then // this field will contain a negative value. // // // The following data type is used in SID to name lookup services to // describe the domains referenced in the lookup operation. // typedef struct _LSA_TRANSLATED_NAME { SID_NAME_USE Use; LSA_UNICODE_STRING Name; LONG DomainIndex; } LSA_TRANSLATED_NAME, *PLSA_TRANSLATED_NAME; // where the members have the following usage: // // Use - Identifies the use of the name. If this value is SidUnknown // or SidInvalid, then the remainder of the record is not set and // should be ignored. If this value is SidWellKnownGroup then the // Name field is invalid, but the DomainIndex field is not. // // Name - Contains the isolated name of the translated SID. // // DomainIndex - Is the index of an entry in a related // LSA_REFERENCED_DOMAIN_LIST data structure describing the domain // in which the account was found. // // If there is no corresponding reference domain for an entry, then // this field will contain a negative value. // // // The following data type is used to represent the role of the LSA // server (primary or backup). // typedef enum _POLICY_LSA_SERVER_ROLE { PolicyServerRoleBackup = 2, PolicyServerRolePrimary } POLICY_LSA_SERVER_ROLE, *PPOLICY_LSA_SERVER_ROLE; // // The following data type is used to specify the auditing options for // an Audit Event Type. // typedef ULONG POLICY_AUDIT_EVENT_OPTIONS, *PPOLICY_AUDIT_EVENT_OPTIONS; // where the following flags can be set: // // POLICY_AUDIT_EVENT_UNCHANGED - Leave existing auditing options // unchanged for events of this type. This flag is only used for // set operations. If this flag is set, then all other flags // are ignored. // // POLICY_AUDIT_EVENT_NONE - Cancel all auditing options for events // of this type. If this flag is set, the success/failure flags // are ignored. // // POLICY_AUDIT_EVENT_SUCCESS - When auditing is enabled, audit all // successful occurrences of events of the given type. // // POLICY_AUDIT_EVENT_FAILURE - When auditing is enabled, audit all // unsuccessful occurrences of events of the given type. // // // The following data type defines the classes of Policy Information // that may be queried/set. // typedef enum _POLICY_INFORMATION_CLASS { PolicyAuditLogInformation = 1, PolicyAuditEventsInformation, PolicyPrimaryDomainInformation, PolicyPdAccountInformation, PolicyAccountDomainInformation, PolicyLsaServerRoleInformation, PolicyReplicaSourceInformation, PolicyDefaultQuotaInformation, PolicyModificationInformation, PolicyAuditFullSetInformation, PolicyAuditFullQueryInformation, PolicyDnsDomainInformation, PolicyDnsDomainInformationInt } POLICY_INFORMATION_CLASS, *PPOLICY_INFORMATION_CLASS; // // The following data type corresponds to the PolicyAuditLogInformation // information class. It is used to represent information relating to // the Audit Log. // // This structure may be used in both query and set operations. However, // when used in set operations, some fields are ignored. // typedef struct _POLICY_AUDIT_LOG_INFO { ULONG AuditLogPercentFull; ULONG MaximumLogSize; LARGE_INTEGER AuditRetentionPeriod; BOOLEAN AuditLogFullShutdownInProgress; LARGE_INTEGER TimeToShutdown; ULONG NextAuditRecordId; } POLICY_AUDIT_LOG_INFO, *PPOLICY_AUDIT_LOG_INFO; // where the members have the following usage: // // AuditLogPercentFull - Indicates the percentage of the Audit Log // currently being used. // // MaximumLogSize - Specifies the maximum size of the Audit Log in // kilobytes. // // AuditRetentionPeriod - Indicates the length of time that Audit // Records are to be retained. Audit Records are discardable // if their timestamp predates the current time minus the // retention period. // // AuditLogFullShutdownInProgress - Indicates whether or not a system // shutdown is being initiated due to the security Audit Log becoming // full. This condition will only occur if the system is configured // to shutdown when the log becomes full. // // TRUE indicates that a shutdown is in progress // FALSE indicates that a shutdown is not in progress. // // Once a shutdown has been initiated, this flag will be set to // TRUE. If an administrator is able to currect the situation // before the shutdown becomes irreversible, then this flag will // be reset to false. // // This field is ignored for set operations. // // TimeToShutdown - If the AuditLogFullShutdownInProgress flag is set, // then this field contains the time left before the shutdown // becomes irreversible. // // This field is ignored for set operations. // // // The following data type corresponds to the PolicyAuditEventsInformation // information class. It is used to represent information relating to // the audit requirements. // typedef struct _POLICY_AUDIT_EVENTS_INFO { BOOLEAN AuditingMode; PPOLICY_AUDIT_EVENT_OPTIONS EventAuditingOptions; ULONG MaximumAuditEventCount; } POLICY_AUDIT_EVENTS_INFO, *PPOLICY_AUDIT_EVENTS_INFO; // where the members have the following usage: // // AuditingMode - A Boolean variable specifying the Auditing Mode value. // This value is interpreted as follows: // // TRUE - Auditing is to be enabled (set operations) or is enabled // (query operations). Audit Records will be generated according // to the Event Auditing Options in effect (see the // EventAuditingOptions field. // // FALSE - Auditing is to be disabled (set operations) or is // disabled (query operations). No Audit Records will be // generated. Note that for set operations the Event Auditing // Options in effect will still be updated as specified by the // EventAuditingOptions field whether Auditing is enabled or // disabled. // // EventAuditingOptions - Pointer to an array of Auditing Options // indexed by Audit Event Type. // // MaximumAuditEventCount - Specifiesa count of the number of Audit // Event Types specified by the EventAuditingOptions parameter. If // this count is less than the number of Audit Event Types supported // by the system, the Auditing Options for Event Types with IDs // higher than (MaximumAuditEventCount + 1) are left unchanged. // // // The following structure corresponds to the PolicyAccountDomainInformation // information class. // typedef struct _POLICY_ACCOUNT_DOMAIN_INFO { LSA_UNICODE_STRING DomainName; PSID DomainSid; } POLICY_ACCOUNT_DOMAIN_INFO, *PPOLICY_ACCOUNT_DOMAIN_INFO; // where the members have the following usage: // // DomainName - Is the name of the domain // // DomainSid - Is the Sid of the domain // // // The following structure corresponds to the PolicyPrimaryDomainInformation // information class. // typedef struct _POLICY_PRIMARY_DOMAIN_INFO { LSA_UNICODE_STRING Name; PSID Sid; } POLICY_PRIMARY_DOMAIN_INFO, *PPOLICY_PRIMARY_DOMAIN_INFO; // where the members have the following usage: // // Name - Is the name of the domain // // Sid - Is the Sid of the domain // // // The following structure corresponds to the PolicyDnsDomainInformation // information class // typedef struct _POLICY_DNS_DOMAIN_INFO { LSA_UNICODE_STRING Name; LSA_UNICODE_STRING DnsDomainName; LSA_UNICODE_STRING DnsForestName; GUID DomainGuid; PSID Sid; } POLICY_DNS_DOMAIN_INFO, *PPOLICY_DNS_DOMAIN_INFO; // where the members have the following usage: // // Name - Is the name of the Domain // // DnsDomainName - Is the DNS name of the domain // // DnsForestName - Is the DNS forest name of the domain // // DomainGuid - Is the GUID of the domain // // Sid - Is the Sid of the domain // // The following structure corresponds to the PolicyPdAccountInformation // information class. This structure may be used in Query operations // only. // typedef struct _POLICY_PD_ACCOUNT_INFO { LSA_UNICODE_STRING Name; } POLICY_PD_ACCOUNT_INFO, *PPOLICY_PD_ACCOUNT_INFO; // where the members have the following usage: // // Name - Is the name of an account in the domain that should be used // for authentication and name/ID lookup requests. // // // The following structure corresponds to the PolicyLsaServerRoleInformation // information class. // typedef struct _POLICY_LSA_SERVER_ROLE_INFO { POLICY_LSA_SERVER_ROLE LsaServerRole; } POLICY_LSA_SERVER_ROLE_INFO, *PPOLICY_LSA_SERVER_ROLE_INFO; // where the fields have the following usage: // // TBS // // // The following structure corresponds to the PolicyReplicaSourceInformation // information class. // typedef struct _POLICY_REPLICA_SOURCE_INFO { LSA_UNICODE_STRING ReplicaSource; LSA_UNICODE_STRING ReplicaAccountName; } POLICY_REPLICA_SOURCE_INFO, *PPOLICY_REPLICA_SOURCE_INFO; // // The following structure corresponds to the PolicyDefaultQuotaInformation // information class. // typedef struct _POLICY_DEFAULT_QUOTA_INFO { QUOTA_LIMITS QuotaLimits; } POLICY_DEFAULT_QUOTA_INFO, *PPOLICY_DEFAULT_QUOTA_INFO; // // The following structure corresponds to the PolicyModificationInformation // information class. // typedef struct _POLICY_MODIFICATION_INFO { LARGE_INTEGER ModifiedId; LARGE_INTEGER DatabaseCreationTime; } POLICY_MODIFICATION_INFO, *PPOLICY_MODIFICATION_INFO; // where the members have the following usage: // // ModifiedId - Is a 64-bit unsigned integer that is incremented each // time anything in the LSA database is modified. This value is // only modified on Primary Domain Controllers. // // DatabaseCreationTime - Is the date/time that the LSA Database was // created. On Backup Domain Controllers, this value is replicated // from the Primary Domain Controller. // // // The following structure type corresponds to the PolicyAuditFullSetInformation // Information Class. // typedef struct _POLICY_AUDIT_FULL_SET_INFO { BOOLEAN ShutDownOnFull; } POLICY_AUDIT_FULL_SET_INFO, *PPOLICY_AUDIT_FULL_SET_INFO; // // The following structure type corresponds to the PolicyAuditFullQueryInformation // Information Class. // typedef struct _POLICY_AUDIT_FULL_QUERY_INFO { BOOLEAN ShutDownOnFull; BOOLEAN LogIsFull; } POLICY_AUDIT_FULL_QUERY_INFO, *PPOLICY_AUDIT_FULL_QUERY_INFO; // // The following data type defines the classes of Policy Information // that may be queried/set that has domain wide effect. // typedef enum _POLICY_DOMAIN_INFORMATION_CLASS { // PolicyDomainQualityOfServiceInformation, // value was used in W2K; no longer supported PolicyDomainEfsInformation = 2, PolicyDomainKerberosTicketInformation } POLICY_DOMAIN_INFORMATION_CLASS, *PPOLICY_DOMAIN_INFORMATION_CLASS; // // The following structure corresponds to the PolicyEfsInformation // information class // typedef struct _POLICY_DOMAIN_EFS_INFO { ULONG InfoLength; PUCHAR EfsBlob; } POLICY_DOMAIN_EFS_INFO, *PPOLICY_DOMAIN_EFS_INFO; // // where the members have the following usage: // // InfoLength - Length of the EFS Information blob // // EfsBlob - Efs blob data // // // The following structure corresponds to the PolicyDomainKerberosTicketInformation // information class // #define POLICY_KERBEROS_VALIDATE_CLIENT 0x00000080 typedef struct _POLICY_DOMAIN_KERBEROS_TICKET_INFO { ULONG AuthenticationOptions; LARGE_INTEGER MaxServiceTicketAge; LARGE_INTEGER MaxTicketAge; LARGE_INTEGER MaxRenewAge; LARGE_INTEGER MaxClockSkew; LARGE_INTEGER Reserved; } POLICY_DOMAIN_KERBEROS_TICKET_INFO, *PPOLICY_DOMAIN_KERBEROS_TICKET_INFO; // // where the members have the following usage // // AuthenticationOptions -- allowed ticket options (POLICY_KERBEROS_* flags ) // // MaxServiceTicketAge -- Maximum lifetime for a service ticket // // MaxTicketAge -- Maximum lifetime for the initial ticket // // MaxRenewAge -- Maximum cumulative age a renewable ticket can be with // requring authentication // // MaxClockSkew -- Maximum tolerance for synchronization of computer clocks // // Reserved -- Reserved // // The following data type defines the classes of Policy Information / Policy Domain Information // that may be used to request notification // typedef enum _POLICY_NOTIFICATION_INFORMATION_CLASS { PolicyNotifyAuditEventsInformation = 1, PolicyNotifyAccountDomainInformation, PolicyNotifyServerRoleInformation, PolicyNotifyDnsDomainInformation, PolicyNotifyDomainEfsInformation, PolicyNotifyDomainKerberosTicketInformation, PolicyNotifyMachineAccountPasswordInformation } POLICY_NOTIFICATION_INFORMATION_CLASS, *PPOLICY_NOTIFICATION_INFORMATION_CLASS; // // LSA RPC Context Handle (Opaque form). Note that a Context Handle is // always a pointer type unlike regular handles. // typedef PVOID LSA_HANDLE, *PLSA_HANDLE; // // Trusted Domain Object specific data types // // // This data type defines the following information classes that may be // queried or set. // typedef enum _TRUSTED_INFORMATION_CLASS { TrustedDomainNameInformation = 1, TrustedControllersInformation, TrustedPosixOffsetInformation, TrustedPasswordInformation, TrustedDomainInformationBasic, TrustedDomainInformationEx, TrustedDomainAuthInformation, TrustedDomainFullInformation, TrustedDomainAuthInformationInternal, TrustedDomainFullInformationInternal, TrustedDomainInformationEx2Internal, TrustedDomainFullInformation2Internal, } TRUSTED_INFORMATION_CLASS, *PTRUSTED_INFORMATION_CLASS; // // The following data type corresponds to the TrustedDomainNameInformation // information class. // typedef struct _TRUSTED_DOMAIN_NAME_INFO { LSA_UNICODE_STRING Name; } TRUSTED_DOMAIN_NAME_INFO, *PTRUSTED_DOMAIN_NAME_INFO; // where members have the following meaning: // // Name - The name of the Trusted Domain. // // // The following data type corresponds to the TrustedControllersInformation // information class. // typedef struct _TRUSTED_CONTROLLERS_INFO { ULONG Entries; PLSA_UNICODE_STRING Names; } TRUSTED_CONTROLLERS_INFO, *PTRUSTED_CONTROLLERS_INFO; // where members have the following meaning: // // Entries - Indicate how mamy entries there are in the Names array. // // Names - Pointer to an array of LSA_UNICODE_STRING structures containing the // names of domain controllers of the domain. This information may not // be accurate and should be used only as a hint. The order of this // list is considered significant and will be maintained. // // By convention, the first name in this list is assumed to be the // Primary Domain Controller of the domain. If the Primary Domain // Controller is not known, the first name should be set to the NULL // string. // // // The following data type corresponds to the TrustedPosixOffsetInformation // information class. // typedef struct _TRUSTED_POSIX_OFFSET_INFO { ULONG Offset; } TRUSTED_POSIX_OFFSET_INFO, *PTRUSTED_POSIX_OFFSET_INFO; // where members have the following meaning: // // Offset - Is an offset to use for the generation of Posix user and group // IDs from SIDs. The Posix ID corresponding to any particular SID is // generated by adding the RID of that SID to the Offset of the SID's // corresponding TrustedDomain object. // // // The following data type corresponds to the TrustedPasswordInformation // information class. // typedef struct _TRUSTED_PASSWORD_INFO { LSA_UNICODE_STRING Password; LSA_UNICODE_STRING OldPassword; } TRUSTED_PASSWORD_INFO, *PTRUSTED_PASSWORD_INFO; typedef LSA_TRUST_INFORMATION TRUSTED_DOMAIN_INFORMATION_BASIC; typedef PLSA_TRUST_INFORMATION PTRUSTED_DOMAIN_INFORMATION_BASIC; // // Direction of the trust // #define TRUST_DIRECTION_DISABLED 0x00000000 #define TRUST_DIRECTION_INBOUND 0x00000001 #define TRUST_DIRECTION_OUTBOUND 0x00000002 #define TRUST_DIRECTION_BIDIRECTIONAL (TRUST_DIRECTION_INBOUND | TRUST_DIRECTION_OUTBOUND) #define TRUST_TYPE_DOWNLEVEL 0x00000001 // NT4 and before #define TRUST_TYPE_UPLEVEL 0x00000002 // NT5 #define TRUST_TYPE_MIT 0x00000003 // Trust with a MIT Kerberos realm // #define TRUST_TYPE_DCE 0x00000004 // Trust with a DCE realm // Levels 0x5 - 0x000FFFFF reserved for future use // Provider specific trust levels are from 0x00100000 to 0xFFF00000 #define TRUST_ATTRIBUTE_NON_TRANSITIVE 0x00000001 // Disallow transitivity #define TRUST_ATTRIBUTE_UPLEVEL_ONLY 0x00000002 // Trust link only valid for uplevel client #define TRUST_ATTRIBUTE_QUARANTINED_DOMAIN 0x00000004 // Used to quarantine domains #define TRUST_ATTRIBUTE_FOREST_TRANSITIVE 0x00000008 // This link may contain forest trust information #define TRUST_ATTRIBUTE_CROSS_ORGANIZATION 0x00000010 // This trust is to a domain/forest which is not part of this enterprise #define TRUST_ATTRIBUTE_WITHIN_FOREST 0x00000020 // Trust is internal to this forest #define TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL 0x00000040 // Trust is to be treated as external for trust boundary purposes // Trust attributes 0x00000040 through 0x00200000 are reserved for future use // Trust attributes 0x00400000 through 0x00800000 were used previously (up to W2K) and should not be re-used // Trust attributes 0x01000000 through 0x80000000 are reserved for user #define TRUST_ATTRIBUTES_VALID 0xFF03FFFF #define TRUST_ATTRIBUTES_USER 0xFF000000 typedef struct _TRUSTED_DOMAIN_INFORMATION_EX { LSA_UNICODE_STRING Name; LSA_UNICODE_STRING FlatName; PSID Sid; ULONG TrustDirection; ULONG TrustType; ULONG TrustAttributes; } TRUSTED_DOMAIN_INFORMATION_EX, *PTRUSTED_DOMAIN_INFORMATION_EX; typedef struct _TRUSTED_DOMAIN_INFORMATION_EX2 { LSA_UNICODE_STRING Name; LSA_UNICODE_STRING FlatName; PSID Sid; ULONG TrustDirection; ULONG TrustType; ULONG TrustAttributes; ULONG ForestTrustLength; #ifdef MIDL_PASS [size_is( ForestTrustLength )] #endif PUCHAR ForestTrustInfo; } TRUSTED_DOMAIN_INFORMATION_EX2, *PTRUSTED_DOMAIN_INFORMATION_EX2; // // Type of authentication information // #define TRUST_AUTH_TYPE_NONE 0 // Ignore this entry #define TRUST_AUTH_TYPE_NT4OWF 1 // NT4 OWF password #define TRUST_AUTH_TYPE_CLEAR 2 // Cleartext password #define TRUST_AUTH_TYPE_VERSION 3 // Cleartext password version number typedef struct _LSA_AUTH_INFORMATION { LARGE_INTEGER LastUpdateTime; ULONG AuthType; ULONG AuthInfoLength; PUCHAR AuthInfo; } LSA_AUTH_INFORMATION, *PLSA_AUTH_INFORMATION; typedef struct _TRUSTED_DOMAIN_AUTH_INFORMATION { ULONG IncomingAuthInfos; PLSA_AUTH_INFORMATION IncomingAuthenticationInformation; PLSA_AUTH_INFORMATION IncomingPreviousAuthenticationInformation; ULONG OutgoingAuthInfos; PLSA_AUTH_INFORMATION OutgoingAuthenticationInformation; PLSA_AUTH_INFORMATION OutgoingPreviousAuthenticationInformation; } TRUSTED_DOMAIN_AUTH_INFORMATION, *PTRUSTED_DOMAIN_AUTH_INFORMATION; typedef struct _TRUSTED_DOMAIN_FULL_INFORMATION { TRUSTED_DOMAIN_INFORMATION_EX Information; TRUSTED_POSIX_OFFSET_INFO PosixOffset; TRUSTED_DOMAIN_AUTH_INFORMATION AuthInformation; } TRUSTED_DOMAIN_FULL_INFORMATION, *PTRUSTED_DOMAIN_FULL_INFORMATION; typedef struct _TRUSTED_DOMAIN_FULL_INFORMATION2 { TRUSTED_DOMAIN_INFORMATION_EX2 Information; TRUSTED_POSIX_OFFSET_INFO PosixOffset; TRUSTED_DOMAIN_AUTH_INFORMATION AuthInformation; } TRUSTED_DOMAIN_FULL_INFORMATION2, *PTRUSTED_DOMAIN_FULL_INFORMATION2; typedef enum { ForestTrustTopLevelName, ForestTrustTopLevelNameEx, ForestTrustDomainInfo, ForestTrustRecordTypeLast = ForestTrustDomainInfo } LSA_FOREST_TRUST_RECORD_TYPE; // // Bottom 16 bits of the flags are reserved for disablement reasons // #define LSA_FTRECORD_DISABLED_REASONS ( 0x0000FFFFL ) // // Reasons for a top-level name forest trust record to be disabled // #define LSA_TLN_DISABLED_NEW ( 0x00000001L ) #define LSA_TLN_DISABLED_ADMIN ( 0x00000002L ) #define LSA_TLN_DISABLED_CONFLICT ( 0x00000004L ) // // Reasons for a domain information forest trust record to be disabled // #define LSA_SID_DISABLED_ADMIN ( 0x00000001L ) #define LSA_SID_DISABLED_CONFLICT ( 0x00000002L ) #define LSA_NB_DISABLED_ADMIN ( 0x00000004L ) #define LSA_NB_DISABLED_CONFLICT ( 0x00000008L ) typedef struct _LSA_FOREST_TRUST_DOMAIN_INFO { #ifdef MIDL_PASS PISID Sid; #else PSID Sid; #endif LSA_UNICODE_STRING DnsName; LSA_UNICODE_STRING NetbiosName; } LSA_FOREST_TRUST_DOMAIN_INFO, *PLSA_FOREST_TRUST_DOMAIN_INFO; // // To prevent huge data to be passed in, we should put a limit on LSA_FOREST_TRUST_BINARY_DATA. // 128K is large enough that can't be reached in the near future, and small enough not to // cause memory problems. #define MAX_FOREST_TRUST_BINARY_DATA_SIZE ( 128 * 1024 ) typedef struct _LSA_FOREST_TRUST_BINARY_DATA { #ifdef MIDL_PASS [range(0, MAX_FOREST_TRUST_BINARY_DATA_SIZE)] ULONG Length; [size_is( Length )] PUCHAR Buffer; #else ULONG Length; PUCHAR Buffer; #endif } LSA_FOREST_TRUST_BINARY_DATA, *PLSA_FOREST_TRUST_BINARY_DATA; typedef struct _LSA_FOREST_TRUST_RECORD { ULONG Flags; LSA_FOREST_TRUST_RECORD_TYPE ForestTrustType; // type of record LARGE_INTEGER Time; #ifdef MIDL_PASS [switch_type( LSA_FOREST_TRUST_RECORD_TYPE ), switch_is( ForestTrustType )] #endif union { // actual data #ifdef MIDL_PASS [case( ForestTrustTopLevelName, ForestTrustTopLevelNameEx )] LSA_UNICODE_STRING TopLevelName; [case( ForestTrustDomainInfo )] LSA_FOREST_TRUST_DOMAIN_INFO DomainInfo; [default] LSA_FOREST_TRUST_BINARY_DATA Data; #else LSA_UNICODE_STRING TopLevelName; LSA_FOREST_TRUST_DOMAIN_INFO DomainInfo; LSA_FOREST_TRUST_BINARY_DATA Data; // used for unrecognized types #endif } ForestTrustData; } LSA_FOREST_TRUST_RECORD, *PLSA_FOREST_TRUST_RECORD; // // To prevent forest trust blobs of large size, number of records must be // smaller than MAX_RECORDS_IN_FOREST_TRUST_INFO // #define MAX_RECORDS_IN_FOREST_TRUST_INFO 4000 typedef struct _LSA_FOREST_TRUST_INFORMATION { #ifdef MIDL_PASS [range(0, MAX_RECORDS_IN_FOREST_TRUST_INFO)] ULONG RecordCount; [size_is( RecordCount )] PLSA_FOREST_TRUST_RECORD * Entries; #else ULONG RecordCount; PLSA_FOREST_TRUST_RECORD * Entries; #endif } LSA_FOREST_TRUST_INFORMATION, *PLSA_FOREST_TRUST_INFORMATION; typedef enum { CollisionTdo, CollisionXref, CollisionOther } LSA_FOREST_TRUST_COLLISION_RECORD_TYPE; typedef struct _LSA_FOREST_TRUST_COLLISION_RECORD { ULONG Index; LSA_FOREST_TRUST_COLLISION_RECORD_TYPE Type; ULONG Flags; LSA_UNICODE_STRING Name; } LSA_FOREST_TRUST_COLLISION_RECORD, *PLSA_FOREST_TRUST_COLLISION_RECORD; typedef struct _LSA_FOREST_TRUST_COLLISION_INFORMATION { ULONG RecordCount; #ifdef MIDL_PASS [size_is( RecordCount )] #endif PLSA_FOREST_TRUST_COLLISION_RECORD * Entries; } LSA_FOREST_TRUST_COLLISION_INFORMATION, *PLSA_FOREST_TRUST_COLLISION_INFORMATION; // // LSA Enumeration Context // typedef ULONG LSA_ENUMERATION_HANDLE, *PLSA_ENUMERATION_HANDLE; // // LSA Enumeration Information // typedef struct _LSA_ENUMERATION_INFORMATION { PSID Sid; } LSA_ENUMERATION_INFORMATION, *PLSA_ENUMERATION_INFORMATION; //////////////////////////////////////////////////////////////////////////// // // // Local Security Policy - Miscellaneous API function prototypes // // // //////////////////////////////////////////////////////////////////////////// NTSTATUS NTAPI LsaFreeMemory( IN PVOID Buffer ); NTSTATUS NTAPI LsaClose( IN LSA_HANDLE ObjectHandle ); typedef struct _SECURITY_LOGON_SESSION_DATA { ULONG Size ; LUID LogonId ; LSA_UNICODE_STRING UserName ; LSA_UNICODE_STRING LogonDomain ; LSA_UNICODE_STRING AuthenticationPackage ; ULONG LogonType ; ULONG Session ; PSID Sid ; LARGE_INTEGER LogonTime ; // // new for whistler: // LSA_UNICODE_STRING LogonServer ; LSA_UNICODE_STRING DnsDomainName ; LSA_UNICODE_STRING Upn ; } SECURITY_LOGON_SESSION_DATA, * PSECURITY_LOGON_SESSION_DATA ; NTSTATUS NTAPI LsaEnumerateLogonSessions( OUT PULONG LogonSessionCount, OUT PLUID * LogonSessionList ); NTSTATUS NTAPI LsaGetLogonSessionData( IN PLUID LogonId, OUT PSECURITY_LOGON_SESSION_DATA * ppLogonSessionData ); NTSTATUS NTAPI LsaOpenPolicy( IN PLSA_UNICODE_STRING SystemName OPTIONAL, IN PLSA_OBJECT_ATTRIBUTES ObjectAttributes, IN ACCESS_MASK DesiredAccess, IN OUT PLSA_HANDLE PolicyHandle ); NTSTATUS NTAPI LsaQueryInformationPolicy( IN LSA_HANDLE PolicyHandle, IN POLICY_INFORMATION_CLASS InformationClass, OUT PVOID *Buffer ); NTSTATUS NTAPI LsaSetInformationPolicy( IN LSA_HANDLE PolicyHandle, IN POLICY_INFORMATION_CLASS InformationClass, IN PVOID Buffer ); NTSTATUS NTAPI LsaQueryDomainInformationPolicy( IN LSA_HANDLE PolicyHandle, IN POLICY_DOMAIN_INFORMATION_CLASS InformationClass, OUT PVOID *Buffer ); NTSTATUS NTAPI LsaSetDomainInformationPolicy( IN LSA_HANDLE PolicyHandle, IN POLICY_DOMAIN_INFORMATION_CLASS InformationClass, IN PVOID Buffer ); NTSTATUS NTAPI LsaRegisterPolicyChangeNotification( IN POLICY_NOTIFICATION_INFORMATION_CLASS InformationClass, IN HANDLE NotificationEventHandle ); NTSTATUS NTAPI LsaUnregisterPolicyChangeNotification( IN POLICY_NOTIFICATION_INFORMATION_CLASS InformationClass, IN HANDLE NotificationEventHandle ); NTSTATUS NTAPI LsaEnumerateTrustedDomains( IN LSA_HANDLE PolicyHandle, IN OUT PLSA_ENUMERATION_HANDLE EnumerationContext, OUT PVOID *Buffer, IN ULONG PreferedMaximumLength, OUT PULONG CountReturned ); NTSTATUS NTAPI LsaLookupNames( IN LSA_HANDLE PolicyHandle, IN ULONG Count, IN PLSA_UNICODE_STRING Names, OUT PLSA_REFERENCED_DOMAIN_LIST *ReferencedDomains, OUT PLSA_TRANSLATED_SID *Sids ); NTSTATUS NTAPI LsaLookupNames2( IN LSA_HANDLE PolicyHandle, IN ULONG Flags, // Reserved IN ULONG Count, IN PLSA_UNICODE_STRING Names, OUT PLSA_REFERENCED_DOMAIN_LIST *ReferencedDomains, OUT PLSA_TRANSLATED_SID2 *Sids ); NTSTATUS NTAPI LsaLookupSids( IN LSA_HANDLE PolicyHandle, IN ULONG Count, IN PSID *Sids, OUT PLSA_REFERENCED_DOMAIN_LIST *ReferencedDomains, OUT PLSA_TRANSLATED_NAME *Names ); #define SE_INTERACTIVE_LOGON_NAME TEXT("SeInteractiveLogonRight") #define SE_NETWORK_LOGON_NAME TEXT("SeNetworkLogonRight") #define SE_BATCH_LOGON_NAME TEXT("SeBatchLogonRight") #define SE_SERVICE_LOGON_NAME TEXT("SeServiceLogonRight") #define SE_DENY_INTERACTIVE_LOGON_NAME TEXT("SeDenyInteractiveLogonRight") #define SE_DENY_NETWORK_LOGON_NAME TEXT("SeDenyNetworkLogonRight") #define SE_DENY_BATCH_LOGON_NAME TEXT("SeDenyBatchLogonRight") #define SE_DENY_SERVICE_LOGON_NAME TEXT("SeDenyServiceLogonRight") #define SE_REMOTE_INTERACTIVE_LOGON_NAME TEXT("SeRemoteInteractiveLogonRight") #define SE_DENY_REMOTE_INTERACTIVE_LOGON_NAME TEXT("SeDenyRemoteInteractiveLogonRight") // // This new API returns all the accounts with a certain privilege // NTSTATUS NTAPI LsaEnumerateAccountsWithUserRight( IN LSA_HANDLE PolicyHandle, IN OPTIONAL PLSA_UNICODE_STRING UserRights, OUT PVOID *EnumerationBuffer, OUT PULONG CountReturned ); // // These new APIs differ by taking a SID instead of requiring the caller // to open the account first and passing in an account handle // NTSTATUS NTAPI LsaEnumerateAccountRights( IN LSA_HANDLE PolicyHandle, IN PSID AccountSid, OUT PLSA_UNICODE_STRING *UserRights, OUT PULONG CountOfRights ); NTSTATUS NTAPI LsaAddAccountRights( IN LSA_HANDLE PolicyHandle, IN PSID AccountSid, IN PLSA_UNICODE_STRING UserRights, IN ULONG CountOfRights ); NTSTATUS NTAPI LsaRemoveAccountRights( IN LSA_HANDLE PolicyHandle, IN PSID AccountSid, IN BOOLEAN AllRights, IN PLSA_UNICODE_STRING UserRights, IN ULONG CountOfRights ); /////////////////////////////////////////////////////////////////////////////// // // // Local Security Policy - Trusted Domain Object API function prototypes // // // /////////////////////////////////////////////////////////////////////////////// NTSTATUS NTAPI LsaOpenTrustedDomainByName( IN LSA_HANDLE PolicyHandle, IN PLSA_UNICODE_STRING TrustedDomainName, IN ACCESS_MASK DesiredAccess, OUT PLSA_HANDLE TrustedDomainHandle ); NTSTATUS NTAPI LsaQueryTrustedDomainInfo( IN LSA_HANDLE PolicyHandle, IN PSID TrustedDomainSid, IN TRUSTED_INFORMATION_CLASS InformationClass, OUT PVOID *Buffer ); NTSTATUS NTAPI LsaSetTrustedDomainInformation( IN LSA_HANDLE PolicyHandle, IN PSID TrustedDomainSid, IN TRUSTED_INFORMATION_CLASS InformationClass, IN PVOID Buffer ); NTSTATUS NTAPI LsaDeleteTrustedDomain( IN LSA_HANDLE PolicyHandle, IN PSID TrustedDomainSid ); NTSTATUS NTAPI LsaQueryTrustedDomainInfoByName( IN LSA_HANDLE PolicyHandle, IN PLSA_UNICODE_STRING TrustedDomainName, IN TRUSTED_INFORMATION_CLASS InformationClass, OUT PVOID *Buffer ); NTSTATUS NTAPI LsaSetTrustedDomainInfoByName( IN LSA_HANDLE PolicyHandle, IN PLSA_UNICODE_STRING TrustedDomainName, IN TRUSTED_INFORMATION_CLASS InformationClass, IN PVOID Buffer ); NTSTATUS NTAPI LsaEnumerateTrustedDomainsEx( IN LSA_HANDLE PolicyHandle, IN OUT PLSA_ENUMERATION_HANDLE EnumerationContext, OUT PVOID *Buffer, IN ULONG PreferedMaximumLength, OUT PULONG CountReturned ); NTSTATUS NTAPI LsaCreateTrustedDomainEx( IN LSA_HANDLE PolicyHandle, IN PTRUSTED_DOMAIN_INFORMATION_EX TrustedDomainInformation, IN PTRUSTED_DOMAIN_AUTH_INFORMATION AuthenticationInformation, IN ACCESS_MASK DesiredAccess, OUT PLSA_HANDLE TrustedDomainHandle ); NTSTATUS NTAPI LsaQueryForestTrustInformation( IN LSA_HANDLE PolicyHandle, IN PLSA_UNICODE_STRING TrustedDomainName, OUT PLSA_FOREST_TRUST_INFORMATION * ForestTrustInfo ); NTSTATUS NTAPI LsaSetForestTrustInformation( IN LSA_HANDLE PolicyHandle, IN PLSA_UNICODE_STRING TrustedDomainName, IN PLSA_FOREST_TRUST_INFORMATION ForestTrustInfo, IN BOOLEAN CheckOnly, OUT PLSA_FOREST_TRUST_COLLISION_INFORMATION * CollisionInfo ); // #define TESTING_MATCHING_ROUTINE #ifdef TESTING_MATCHING_ROUTINE NTSTATUS NTAPI LsaForestTrustFindMatch( IN LSA_HANDLE PolicyHandle, IN ULONG Type, IN PLSA_UNICODE_STRING Name, OUT PLSA_UNICODE_STRING * Match ); #endif // // This API sets the workstation password (equivalent of setting/getting // the SSI_SECRET_NAME secret) // NTSTATUS NTAPI LsaStorePrivateData( IN LSA_HANDLE PolicyHandle, IN PLSA_UNICODE_STRING KeyName, IN PLSA_UNICODE_STRING PrivateData ); NTSTATUS NTAPI LsaRetrievePrivateData( IN LSA_HANDLE PolicyHandle, IN PLSA_UNICODE_STRING KeyName, OUT PLSA_UNICODE_STRING * PrivateData ); ULONG NTAPI LsaNtStatusToWinError( NTSTATUS Status ); // // Define a symbol so we can tell if ntifs.h has been included. // // begin_ntifs #ifndef _NTLSA_IFS_ #define _NTLSA_IFS_ #endif // end_ntifs // // SPNEGO package stuff // enum NEGOTIATE_MESSAGES { NegEnumPackagePrefixes = 0, NegGetCallerName = 1, NegCallPackageMax } ; #define NEGOTIATE_MAX_PREFIX 32 typedef struct _NEGOTIATE_PACKAGE_PREFIX { ULONG_PTR PackageId ; PVOID PackageDataA ; PVOID PackageDataW ; ULONG_PTR PrefixLen ; UCHAR Prefix[ NEGOTIATE_MAX_PREFIX ]; } NEGOTIATE_PACKAGE_PREFIX, * PNEGOTIATE_PACKAGE_PREFIX ; typedef struct _NEGOTIATE_PACKAGE_PREFIXES { ULONG MessageType ; ULONG PrefixCount ; ULONG Offset ; // Offset to array of _PREFIX above ULONG Pad ; // Align structure for 64-bit } NEGOTIATE_PACKAGE_PREFIXES, *PNEGOTIATE_PACKAGE_PREFIXES ; typedef struct _NEGOTIATE_CALLER_NAME_REQUEST { ULONG MessageType ; LUID LogonId ; } NEGOTIATE_CALLER_NAME_REQUEST, *PNEGOTIATE_CALLER_NAME_REQUEST ; typedef struct _NEGOTIATE_CALLER_NAME_RESPONSE { ULONG MessageType ; PWSTR CallerName ; } NEGOTIATE_CALLER_NAME_RESPONSE, * PNEGOTIATE_CALLER_NAME_RESPONSE ; #ifndef _NTDEF_ typedef LSA_UNICODE_STRING UNICODE_STRING, *PUNICODE_STRING; typedef LSA_STRING STRING, *PSTRING ; #endif #ifndef _DOMAIN_PASSWORD_INFORMATION_DEFINED #define _DOMAIN_PASSWORD_INFORMATION_DEFINED typedef struct _DOMAIN_PASSWORD_INFORMATION { USHORT MinPasswordLength; USHORT PasswordHistoryLength; ULONG PasswordProperties; #if defined(MIDL_PASS) OLD_LARGE_INTEGER MaxPasswordAge; OLD_LARGE_INTEGER MinPasswordAge; #else LARGE_INTEGER MaxPasswordAge; LARGE_INTEGER MinPasswordAge; #endif } DOMAIN_PASSWORD_INFORMATION, *PDOMAIN_PASSWORD_INFORMATION; #endif // // PasswordProperties flags // #define DOMAIN_PASSWORD_COMPLEX 0x00000001L #define DOMAIN_PASSWORD_NO_ANON_CHANGE 0x00000002L #define DOMAIN_PASSWORD_NO_CLEAR_CHANGE 0x00000004L #define DOMAIN_LOCKOUT_ADMINS 0x00000008L #define DOMAIN_PASSWORD_STORE_CLEARTEXT 0x00000010L #define DOMAIN_REFUSE_PASSWORD_CHANGE 0x00000020L #ifndef _PASSWORD_NOTIFICATION_DEFINED #define _PASSWORD_NOTIFICATION_DEFINED typedef NTSTATUS (*PSAM_PASSWORD_NOTIFICATION_ROUTINE) ( PUNICODE_STRING UserName, ULONG RelativeId, PUNICODE_STRING NewPassword ); #define SAM_PASSWORD_CHANGE_NOTIFY_ROUTINE "PasswordChangeNotify" typedef BOOLEAN (*PSAM_INIT_NOTIFICATION_ROUTINE) ( ); #define SAM_INIT_NOTIFICATION_ROUTINE "InitializeChangeNotify" #define SAM_PASSWORD_FILTER_ROUTINE "PasswordFilter" typedef BOOLEAN (*PSAM_PASSWORD_FILTER_ROUTINE) ( IN PUNICODE_STRING AccountName, IN PUNICODE_STRING FullName, IN PUNICODE_STRING Password, IN BOOLEAN SetOperation ); #endif // _PASSWORD_NOTIFICATION_DEFINED ///////////////////////////////////////////////////////////////////////// // // // Name of the MSV1_0 authentication package // // // ///////////////////////////////////////////////////////////////////////// #define MSV1_0_PACKAGE_NAME "MICROSOFT_AUTHENTICATION_PACKAGE_V1_0" #define MSV1_0_PACKAGE_NAMEW L"MICROSOFT_AUTHENTICATION_PACKAGE_V1_0" #define MSV1_0_PACKAGE_NAMEW_LENGTH sizeof(MSV1_0_PACKAGE_NAMEW) - sizeof(WCHAR) // // Location of MSV authentication package data // #define MSV1_0_SUBAUTHENTICATION_KEY "SYSTEM\\CurrentControlSet\\Control\\Lsa\\MSV1_0" #define MSV1_0_SUBAUTHENTICATION_VALUE "Auth" ///////////////////////////////////////////////////////////////////////// // // // Widely used MSV1_0 data types // // // ///////////////////////////////////////////////////////////////////////// /////////////////////////////////////////////////////////////////////////////// // // // LOGON Related Data Structures // // // /////////////////////////////////////////////////////////////////////////////// // // When a LsaLogonUser() call is dispatched to the MsV1_0 authentication // package, the beginning of the AuthenticationInformation buffer is // cast to a MSV1_0_LOGON_SUBMIT_TYPE to determine the type of logon // being requested. Similarly, upon return, the type of profile buffer // can be determined by typecasting it to a MSV_1_0_PROFILE_BUFFER_TYPE. // // // MSV1.0 LsaLogonUser() submission message types. // typedef enum _MSV1_0_LOGON_SUBMIT_TYPE { MsV1_0InteractiveLogon = 2, MsV1_0Lm20Logon, MsV1_0NetworkLogon, MsV1_0SubAuthLogon, MsV1_0WorkstationUnlockLogon = 7 } MSV1_0_LOGON_SUBMIT_TYPE, *PMSV1_0_LOGON_SUBMIT_TYPE; // // MSV1.0 LsaLogonUser() profile buffer types. // typedef enum _MSV1_0_PROFILE_BUFFER_TYPE { MsV1_0InteractiveProfile = 2, MsV1_0Lm20LogonProfile, MsV1_0SmartCardProfile } MSV1_0_PROFILE_BUFFER_TYPE, *PMSV1_0_PROFILE_BUFFER_TYPE; // // MsV1_0InteractiveLogon // // The AuthenticationInformation buffer of an LsaLogonUser() call to // perform an interactive logon contains the following data structure: // typedef struct _MSV1_0_INTERACTIVE_LOGON { MSV1_0_LOGON_SUBMIT_TYPE MessageType; UNICODE_STRING LogonDomainName; UNICODE_STRING UserName; UNICODE_STRING Password; } MSV1_0_INTERACTIVE_LOGON, *PMSV1_0_INTERACTIVE_LOGON; // // Where: // // MessageType - Contains the type of logon being requested. This // field must be set to MsV1_0InteractiveLogon. // // UserName - Is a string representing the user's account name. The // name may be up to 255 characters long. The name is treated case // insensitive. // // Password - Is a string containing the user's cleartext password. // The password may be up to 255 characters long and contain any // UNICODE value. // // // // The ProfileBuffer returned upon a successful logon of this type // contains the following data structure: // typedef struct _MSV1_0_INTERACTIVE_PROFILE { MSV1_0_PROFILE_BUFFER_TYPE MessageType; USHORT LogonCount; USHORT BadPasswordCount; LARGE_INTEGER LogonTime; LARGE_INTEGER LogoffTime; LARGE_INTEGER KickOffTime; LARGE_INTEGER PasswordLastSet; LARGE_INTEGER PasswordCanChange; LARGE_INTEGER PasswordMustChange; UNICODE_STRING LogonScript; UNICODE_STRING HomeDirectory; UNICODE_STRING FullName; UNICODE_STRING ProfilePath; UNICODE_STRING HomeDirectoryDrive; UNICODE_STRING LogonServer; ULONG UserFlags; } MSV1_0_INTERACTIVE_PROFILE, *PMSV1_0_INTERACTIVE_PROFILE; // // where: // // MessageType - Identifies the type of profile data being returned. // Contains the type of logon being requested. This field must // be set to MsV1_0InteractiveProfile. // // LogonCount - Number of times the user is currently logged on. // // BadPasswordCount - Number of times a bad password was applied to // the account since last successful logon. // // LogonTime - Time when user last logged on. This is an absolute // format NT standard time value. // // LogoffTime - Time when user should log off. This is an absolute // format NT standard time value. // // KickOffTime - Time when system should force user logoff. This is // an absolute format NT standard time value. // // PasswordLastChanged - Time and date the password was last // changed. This is an absolute format NT standard time // value. // // PasswordCanChange - Time and date when the user can change the // password. This is an absolute format NT time value. To // prevent a password from ever changing, set this field to a // date very far into the future. // // PasswordMustChange - Time and date when the user must change the // password. If the user can never change the password, this // field is undefined. This is an absolute format NT time // value. // // LogonScript - The (relative) path to the account's logon // script. // // HomeDirectory - The home directory for the user. // // // MsV1_0Lm20Logon and MsV1_0NetworkLogon // // The AuthenticationInformation buffer of an LsaLogonUser() call to // perform an network logon contains the following data structure: // // MsV1_0NetworkLogon logon differs from MsV1_0Lm20Logon in that the // ParameterControl field exists. // #define MSV1_0_CHALLENGE_LENGTH 8 #define MSV1_0_USER_SESSION_KEY_LENGTH 16 #define MSV1_0_LANMAN_SESSION_KEY_LENGTH 8 // // Values for ParameterControl. // #define MSV1_0_CLEARTEXT_PASSWORD_ALLOWED 0x02 #define MSV1_0_UPDATE_LOGON_STATISTICS 0x04 #define MSV1_0_RETURN_USER_PARAMETERS 0x08 #define MSV1_0_DONT_TRY_GUEST_ACCOUNT 0x10 #define MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT 0x20 #define MSV1_0_RETURN_PASSWORD_EXPIRY 0x40 // this next flag says that CaseInsensitiveChallengeResponse // (aka LmResponse) contains a client challenge in the first 8 bytes #define MSV1_0_USE_CLIENT_CHALLENGE 0x80 #define MSV1_0_TRY_GUEST_ACCOUNT_ONLY 0x100 #define MSV1_0_RETURN_PROFILE_PATH 0x200 #define MSV1_0_TRY_SPECIFIED_DOMAIN_ONLY 0x400 #define MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT 0x800 #define MSV1_0_DISABLE_PERSONAL_FALLBACK 0x00001000 #define MSV1_0_ALLOW_FORCE_GUEST 0x00002000 #define MSV1_0_CLEARTEXT_PASSWORD_SUPPLIED 0x00004000 #define MSV1_0_USE_DOMAIN_FOR_ROUTING_ONLY 0x00008000 #define MSV1_0_SUBAUTHENTICATION_DLL_EX 0x00100000 // // The high order byte is a value indicating the SubAuthentication DLL. // Zero indicates no SubAuthentication DLL. // #define MSV1_0_SUBAUTHENTICATION_DLL 0xFF000000 #define MSV1_0_SUBAUTHENTICATION_DLL_SHIFT 24 #define MSV1_0_MNS_LOGON 0x01000000 // // This is the list of subauthentication dlls used in MS // #define MSV1_0_SUBAUTHENTICATION_DLL_RAS 2 #define MSV1_0_SUBAUTHENTICATION_DLL_IIS 132 typedef struct _MSV1_0_LM20_LOGON { MSV1_0_LOGON_SUBMIT_TYPE MessageType; UNICODE_STRING LogonDomainName; UNICODE_STRING UserName; UNICODE_STRING Workstation; UCHAR ChallengeToClient[MSV1_0_CHALLENGE_LENGTH]; STRING CaseSensitiveChallengeResponse; STRING CaseInsensitiveChallengeResponse; ULONG ParameterControl; } MSV1_0_LM20_LOGON, * PMSV1_0_LM20_LOGON; // // NT 5.0 SubAuth dlls can use this struct // typedef struct _MSV1_0_SUBAUTH_LOGON{ MSV1_0_LOGON_SUBMIT_TYPE MessageType; UNICODE_STRING LogonDomainName; UNICODE_STRING UserName; UNICODE_STRING Workstation; UCHAR ChallengeToClient[MSV1_0_CHALLENGE_LENGTH]; STRING AuthenticationInfo1; STRING AuthenticationInfo2; ULONG ParameterControl; ULONG SubAuthPackageId; } MSV1_0_SUBAUTH_LOGON, * PMSV1_0_SUBAUTH_LOGON; // // Values for UserFlags. // #define LOGON_GUEST 0x01 #define LOGON_NOENCRYPTION 0x02 #define LOGON_CACHED_ACCOUNT 0x04 #define LOGON_USED_LM_PASSWORD 0x08 #define LOGON_EXTRA_SIDS 0x20 #define LOGON_SUBAUTH_SESSION_KEY 0x40 #define LOGON_SERVER_TRUST_ACCOUNT 0x80 #define LOGON_NTLMV2_ENABLED 0x100 // says DC understands NTLMv2 #define LOGON_RESOURCE_GROUPS 0x200 #define LOGON_PROFILE_PATH_RETURNED 0x400 // // The high order byte is reserved for return by SubAuthentication DLLs. // #define MSV1_0_SUBAUTHENTICATION_FLAGS 0xFF000000 // Values returned by the MSV1_0_MNS_LOGON SubAuthentication DLL #define LOGON_GRACE_LOGON 0x01000000 typedef struct _MSV1_0_LM20_LOGON_PROFILE { MSV1_0_PROFILE_BUFFER_TYPE MessageType; LARGE_INTEGER KickOffTime; LARGE_INTEGER LogoffTime; ULONG UserFlags; UCHAR UserSessionKey[MSV1_0_USER_SESSION_KEY_LENGTH]; UNICODE_STRING LogonDomainName; UCHAR LanmanSessionKey[MSV1_0_LANMAN_SESSION_KEY_LENGTH]; UNICODE_STRING LogonServer; UNICODE_STRING UserParameters; } MSV1_0_LM20_LOGON_PROFILE, * PMSV1_0_LM20_LOGON_PROFILE; // // Supplemental credentials structure used for passing credentials into // MSV1_0 from other packages // #define MSV1_0_OWF_PASSWORD_LENGTH 16 #define MSV1_0_CRED_LM_PRESENT 0x1 #define MSV1_0_CRED_NT_PRESENT 0x2 #define MSV1_0_CRED_VERSION 0 typedef struct _MSV1_0_SUPPLEMENTAL_CREDENTIAL { ULONG Version; ULONG Flags; UCHAR LmPassword[MSV1_0_OWF_PASSWORD_LENGTH]; UCHAR NtPassword[MSV1_0_OWF_PASSWORD_LENGTH]; } MSV1_0_SUPPLEMENTAL_CREDENTIAL, *PMSV1_0_SUPPLEMENTAL_CREDENTIAL; // // NTLM3 definitions. // #define MSV1_0_NTLM3_RESPONSE_LENGTH 16 #define MSV1_0_NTLM3_OWF_LENGTH 16 // // this is the longest amount of time we'll allow challenge response // pairs to be used. Note that this also has to allow for worst case clock skew // #define MSV1_0_MAX_NTLM3_LIFE 129600 // 36 hours (in seconds) #define MSV1_0_MAX_AVL_SIZE 64000 // // MsvAvFlags bit values // #define MSV1_0_AV_FLAG_FORCE_GUEST 0x00000001 // this is an MSV1_0 private data structure, defining the layout of an NTLM3 response, as sent by a // client in the NtChallengeResponse field of the NETLOGON_NETWORK_INFO structure. If can be differentiated // from an old style NT response by its length. This is crude, but it needs to pass through servers and // the servers' DCs that do not understand NTLM3 but that are willing to pass longer responses. typedef struct _MSV1_0_NTLM3_RESPONSE { UCHAR Response[MSV1_0_NTLM3_RESPONSE_LENGTH]; // hash of OWF of password with all the following fields UCHAR RespType; // id number of response; current is 1 UCHAR HiRespType; // highest id number understood by client USHORT Flags; // reserved; must be sent as zero at this version ULONG MsgWord; // 32 bit message from client to server (for use by auth protocol) ULONGLONG TimeStamp; // time stamp when client generated response -- NT system time, quad part UCHAR ChallengeFromClient[MSV1_0_CHALLENGE_LENGTH]; ULONG AvPairsOff; // offset to start of AvPairs (to allow future expansion) UCHAR Buffer[1]; // start of buffer with AV pairs (or future stuff -- so use the offset) } MSV1_0_NTLM3_RESPONSE, *PMSV1_0_NTLM3_RESPONSE; #define MSV1_0_NTLM3_INPUT_LENGTH (sizeof(MSV1_0_NTLM3_RESPONSE) - MSV1_0_NTLM3_RESPONSE_LENGTH) #define MSV1_0_NTLM3_MIN_NT_RESPONSE_LENGTH RTL_SIZEOF_THROUGH_FIELD(MSV1_0_NTLM3_RESPONSE, AvPairsOff) typedef enum { MsvAvEOL, // end of list MsvAvNbComputerName, // server's computer name -- NetBIOS MsvAvNbDomainName, // server's domain name -- NetBIOS MsvAvDnsComputerName, // server's computer name -- DNS MsvAvDnsDomainName, // server's domain name -- DNS MsvAvDnsTreeName, // server's tree name -- DNS MsvAvFlags // server's extended flags -- DWORD mask } MSV1_0_AVID; typedef struct _MSV1_0_AV_PAIR { USHORT AvId; USHORT AvLen; // Data is treated as byte array following structure } MSV1_0_AV_PAIR, *PMSV1_0_AV_PAIR; /////////////////////////////////////////////////////////////////////////////// // // // CALL PACKAGE Related Data Structures // // // /////////////////////////////////////////////////////////////////////////////// // // MSV1.0 LsaCallAuthenticationPackage() submission and response // message types. // typedef enum _MSV1_0_PROTOCOL_MESSAGE_TYPE { MsV1_0Lm20ChallengeRequest = 0, // Both submission and response MsV1_0Lm20GetChallengeResponse, // Both submission and response MsV1_0EnumerateUsers, // Both submission and response MsV1_0GetUserInfo, // Both submission and response MsV1_0ReLogonUsers, // Submission only MsV1_0ChangePassword, // Both submission and response MsV1_0ChangeCachedPassword, // Both submission and response MsV1_0GenericPassthrough, // Both submission and response MsV1_0CacheLogon, // Submission only, no response MsV1_0SubAuth, // Both submission and response MsV1_0DeriveCredential, // Both submission and response MsV1_0CacheLookup, // Both submission and response MsV1_0SetProcessOption, // Submission only, no response } MSV1_0_PROTOCOL_MESSAGE_TYPE, *PMSV1_0_PROTOCOL_MESSAGE_TYPE; typedef struct _MSV1_0_CHANGEPASSWORD_REQUEST { MSV1_0_PROTOCOL_MESSAGE_TYPE MessageType; UNICODE_STRING DomainName; UNICODE_STRING AccountName; UNICODE_STRING OldPassword; UNICODE_STRING NewPassword; BOOLEAN Impersonating; } MSV1_0_CHANGEPASSWORD_REQUEST, *PMSV1_0_CHANGEPASSWORD_REQUEST; typedef struct _MSV1_0_CHANGEPASSWORD_RESPONSE { MSV1_0_PROTOCOL_MESSAGE_TYPE MessageType; BOOLEAN PasswordInfoValid; DOMAIN_PASSWORD_INFORMATION DomainPasswordInfo; } MSV1_0_CHANGEPASSWORD_RESPONSE, *PMSV1_0_CHANGEPASSWORD_RESPONSE; // // MsV1_0GenericPassthrough - for remoting a CallPackage to // a domain controller on the specified domain // typedef struct _MSV1_0_PASSTHROUGH_REQUEST { MSV1_0_PROTOCOL_MESSAGE_TYPE MessageType; UNICODE_STRING DomainName; UNICODE_STRING PackageName; ULONG DataLength; PUCHAR LogonData; ULONG Pad ; } MSV1_0_PASSTHROUGH_REQUEST, *PMSV1_0_PASSTHROUGH_REQUEST; typedef struct _MSV1_0_PASSTHROUGH_RESPONSE { MSV1_0_PROTOCOL_MESSAGE_TYPE MessageType; ULONG Pad; ULONG DataLength; PUCHAR ValidationData; } MSV1_0_PASSTHROUGH_RESPONSE, *PMSV1_0_PASSTHROUGH_RESPONSE; // // MsV1_0SubAuthInfo submit buffer and response - for submitting a buffer to a // specified Subauthentication Package during an LsaCallAuthenticationPackage(). // If this Subauthentication is to be done locally, then package this message // in LsaCallAuthenticationPackage(). If this SubAuthentication needs to be done // on the domain controller, then call LsaCallauthenticationPackage with the // message type being MsV1_0GenericPassThrough and the LogonData in this struct // should be a PMSV1_0_SUBAUTH_REQUEST // typedef struct _MSV1_0_SUBAUTH_REQUEST{ MSV1_0_PROTOCOL_MESSAGE_TYPE MessageType; ULONG SubAuthPackageId; ULONG SubAuthInfoLength; PUCHAR SubAuthSubmitBuffer; } MSV1_0_SUBAUTH_REQUEST, *PMSV1_0_SUBAUTH_REQUEST; typedef struct _MSV1_0_SUBAUTH_RESPONSE{ MSV1_0_PROTOCOL_MESSAGE_TYPE MessageType; ULONG SubAuthInfoLength; PUCHAR SubAuthReturnBuffer; } MSV1_0_SUBAUTH_RESPONSE, *PMSV1_0_SUBAUTH_RESPONSE; #define RtlEncryptMemory SystemFunction040 #define RtlDecryptMemory SystemFunction041 // // The buffer passed into RtlEncryptMemory and RtlDecryptMemory // must be a multiple of this length. // #define RTL_ENCRYPT_MEMORY_SIZE 8 // // Allow Encrypt/Decrypt across process boundaries. // eg: encrypted buffer passed across LPC to another process which calls RtlDecryptMemory. // #define RTL_ENCRYPT_OPTION_CROSS_PROCESS 0x01 // // Allow Encrypt/Decrypt across callers with same LogonId. // eg: encrypted buffer passed across LPC to another process which calls RtlDecryptMemory whilst impersonating. // #define RTL_ENCRYPT_OPTION_SAME_LOGON 0x02 NTSTATUS RtlEncryptMemory( IN OUT PVOID Memory, IN ULONG MemoryLength, IN ULONG OptionFlags ); NTSTATUS RtlDecryptMemory( IN OUT PVOID Memory, IN ULONG MemoryLength, IN ULONG OptionFlags ); // Revision of the Kerberos Protocol. MS uses Version 5, Revision 6 #define KERBEROS_VERSION 5 #define KERBEROS_REVISION 6 // Encryption Types: // These encryption types are supported by the default MS KERBSUPP DLL // as crypto systems. Values over 127 are local values, and may be changed // without notice. #define KERB_ETYPE_NULL 0 #define KERB_ETYPE_DES_CBC_CRC 1 #define KERB_ETYPE_DES_CBC_MD4 2 #define KERB_ETYPE_DES_CBC_MD5 3 #define KERB_ETYPE_RC4_MD4 -128 // FFFFFF80 #define KERB_ETYPE_RC4_PLAIN2 -129 #define KERB_ETYPE_RC4_LM -130 #define KERB_ETYPE_RC4_SHA -131 #define KERB_ETYPE_DES_PLAIN -132 #define KERB_ETYPE_RC4_HMAC_OLD -133 // FFFFFF7B #define KERB_ETYPE_RC4_PLAIN_OLD -134 #define KERB_ETYPE_RC4_HMAC_OLD_EXP -135 #define KERB_ETYPE_RC4_PLAIN_OLD_EXP -136 #define KERB_ETYPE_RC4_PLAIN -140 #define KERB_ETYPE_RC4_PLAIN_EXP -141 // // Pkinit encryption types // #define KERB_ETYPE_DSA_SHA1_CMS 9 #define KERB_ETYPE_RSA_MD5_CMS 10 #define KERB_ETYPE_RSA_SHA1_CMS 11 #define KERB_ETYPE_RC2_CBC_ENV 12 #define KERB_ETYPE_RSA_ENV 13 #define KERB_ETYPE_RSA_ES_OEAP_ENV 14 #define KERB_ETYPE_DES_EDE3_CBC_ENV 15 // // Deprecated // #define KERB_ETYPE_DSA_SIGN 8 #define KERB_ETYPE_RSA_PRIV 9 #define KERB_ETYPE_RSA_PUB 10 #define KERB_ETYPE_RSA_PUB_MD5 11 #define KERB_ETYPE_RSA_PUB_SHA1 12 #define KERB_ETYPE_PKCS7_PUB 13 // // Unsupported but defined types // #define KERB_ETYPE_DES3_CBC_MD5 5 #define KERB_ETYPE_DES3_CBC_SHA1 7 #define KERB_ETYPE_DES3_CBC_SHA1_KD 16 // // In use types // #define KERB_ETYPE_DES_CBC_MD5_NT 20 #define KERB_ETYPE_RC4_HMAC_NT 23 #define KERB_ETYPE_RC4_HMAC_NT_EXP 24 // Checksum algorithms. // These algorithms are keyed internally for our use. #define KERB_CHECKSUM_NONE 0 #define KERB_CHECKSUM_CRC32 1 #define KERB_CHECKSUM_MD4 2 #define KERB_CHECKSUM_KRB_DES_MAC 4 #define KERB_CHECKSUM_KRB_DES_MAC_K 5 #define KERB_CHECKSUM_MD5 7 #define KERB_CHECKSUM_MD5_DES 8 #define KERB_CHECKSUM_LM -130 #define KERB_CHECKSUM_SHA1 -131 #define KERB_CHECKSUM_REAL_CRC32 -132 #define KERB_CHECKSUM_DES_MAC -133 #define KERB_CHECKSUM_DES_MAC_MD5 -134 #define KERB_CHECKSUM_MD25 -135 #define KERB_CHECKSUM_RC4_MD5 -136 #define KERB_CHECKSUM_MD5_HMAC -137 // used by netlogon #define KERB_CHECKSUM_HMAC_MD5 -138 // used by Kerberos #define AUTH_REQ_ALLOW_FORWARDABLE 0x00000001 #define AUTH_REQ_ALLOW_PROXIABLE 0x00000002 #define AUTH_REQ_ALLOW_POSTDATE 0x00000004 #define AUTH_REQ_ALLOW_RENEWABLE 0x00000008 #define AUTH_REQ_ALLOW_NOADDRESS 0x00000010 #define AUTH_REQ_ALLOW_ENC_TKT_IN_SKEY 0x00000020 #define AUTH_REQ_ALLOW_VALIDATE 0x00000040 #define AUTH_REQ_VALIDATE_CLIENT 0x00000080 #define AUTH_REQ_OK_AS_DELEGATE 0x00000100 #define AUTH_REQ_PREAUTH_REQUIRED 0x00000200 #define AUTH_REQ_TRANSITIVE_TRUST 0x00000400 #define AUTH_REQ_ALLOW_S4U_DELEGATE 0x00000800 #define AUTH_REQ_PER_USER_FLAGS (AUTH_REQ_ALLOW_FORWARDABLE | \ AUTH_REQ_ALLOW_PROXIABLE | \ AUTH_REQ_ALLOW_POSTDATE | \ AUTH_REQ_ALLOW_RENEWABLE | \ AUTH_REQ_ALLOW_VALIDATE ) // // Ticket Flags: // #define KERB_TICKET_FLAGS_reserved 0x80000000 #define KERB_TICKET_FLAGS_forwardable 0x40000000 #define KERB_TICKET_FLAGS_forwarded 0x20000000 #define KERB_TICKET_FLAGS_proxiable 0x10000000 #define KERB_TICKET_FLAGS_proxy 0x08000000 #define KERB_TICKET_FLAGS_may_postdate 0x04000000 #define KERB_TICKET_FLAGS_postdated 0x02000000 #define KERB_TICKET_FLAGS_invalid 0x01000000 #define KERB_TICKET_FLAGS_renewable 0x00800000 #define KERB_TICKET_FLAGS_initial 0x00400000 #define KERB_TICKET_FLAGS_pre_authent 0x00200000 #define KERB_TICKET_FLAGS_hw_authent 0x00100000 #define KERB_TICKET_FLAGS_ok_as_delegate 0x00040000 #define KERB_TICKET_FLAGS_name_canonicalize 0x00010000 #define KERB_TICKET_FLAGS_reserved1 0x00000001 // // Name types // #define KRB_NT_UNKNOWN 0 // Name type not known #define KRB_NT_PRINCIPAL 1 // Just the name of the principal as in DCE, or for users #define KRB_NT_PRINCIPAL_AND_ID -131 // Name of the principal and its SID. #define KRB_NT_SRV_INST 2 // Service and other unique instance (krbtgt) #define KRB_NT_SRV_INST_AND_ID -132 // SPN and SID #define KRB_NT_SRV_HST 3 // Service with host name as instance (telnet, rcommands) #define KRB_NT_SRV_XHST 4 // Service with host as remaining components #define KRB_NT_UID 5 // Unique ID #define KRB_NT_ENTERPRISE_PRINCIPAL 10 // UPN **ONLY** #define KRB_NT_ENT_PRINCIPAL_AND_ID -130 // UPN and SID // // MS extensions, negative according to the RFC // #define KRB_NT_MS_PRINCIPAL -128 // NT4 style name #define KRB_NT_MS_PRINCIPAL_AND_ID -129 // nt4 style name with sid #define KERB_IS_MS_PRINCIPAL(_x_) (((_x_) <= KRB_NT_MS_PRINCIPAL) || ((_x_) >= KRB_NT_ENTERPRISE_PRINCIPAL)) #ifndef MICROSOFT_KERBEROS_NAME_A #define MICROSOFT_KERBEROS_NAME_A "Kerberos" #define MICROSOFT_KERBEROS_NAME_W L"Kerberos" #ifdef WIN32_CHICAGO #define MICROSOFT_KERBEROS_NAME MICROSOFT_KERBEROS_NAME_A #else #define MICROSOFT_KERBEROS_NAME MICROSOFT_KERBEROS_NAME_W #endif // WIN32_CHICAGO #endif // MICROSOFT_KERBEROS_NAME_A ///////////////////////////////////////////////////////////////////////// // // Quality of protection parameters for MakeSignature / EncryptMessage // ///////////////////////////////////////////////////////////////////////// // // This flag indicates to EncryptMessage that the message is not to actually // be encrypted, but a header/trailer are to be produced. // #define KERB_WRAP_NO_ENCRYPT 0x80000001 ///////////////////////////////////////////////////////////////////////// // // LsaLogonUser parameters // ///////////////////////////////////////////////////////////////////////// typedef enum _KERB_LOGON_SUBMIT_TYPE { KerbInteractiveLogon = 2, KerbSmartCardLogon = 6, KerbWorkstationUnlockLogon = 7, KerbSmartCardUnlockLogon = 8, KerbProxyLogon = 9, KerbTicketLogon = 10, KerbTicketUnlockLogon = 11, KerbS4ULogon = 12 } KERB_LOGON_SUBMIT_TYPE, *PKERB_LOGON_SUBMIT_TYPE; typedef struct _KERB_INTERACTIVE_LOGON { KERB_LOGON_SUBMIT_TYPE MessageType; UNICODE_STRING LogonDomainName; UNICODE_STRING UserName; UNICODE_STRING Password; } KERB_INTERACTIVE_LOGON, *PKERB_INTERACTIVE_LOGON; typedef struct _KERB_INTERACTIVE_UNLOCK_LOGON { KERB_INTERACTIVE_LOGON Logon; LUID LogonId; } KERB_INTERACTIVE_UNLOCK_LOGON, *PKERB_INTERACTIVE_UNLOCK_LOGON; typedef struct _KERB_SMART_CARD_LOGON { KERB_LOGON_SUBMIT_TYPE MessageType; UNICODE_STRING Pin; ULONG CspDataLength; PUCHAR CspData; } KERB_SMART_CARD_LOGON, *PKERB_SMART_CARD_LOGON; typedef struct _KERB_SMART_CARD_UNLOCK_LOGON { KERB_SMART_CARD_LOGON Logon; LUID LogonId; } KERB_SMART_CARD_UNLOCK_LOGON, *PKERB_SMART_CARD_UNLOCK_LOGON; // // Structure used for a ticket-only logon // typedef struct _KERB_TICKET_LOGON { KERB_LOGON_SUBMIT_TYPE MessageType; ULONG Flags; ULONG ServiceTicketLength; ULONG TicketGrantingTicketLength; PUCHAR ServiceTicket; // REQUIRED: Service ticket "host" PUCHAR TicketGrantingTicket; // OPTIONAL: User's encdoded in a KERB_CRED message, encrypted with session key from service ticket } KERB_TICKET_LOGON, *PKERB_TICKET_LOGON; // // Flags for the ticket logon flags field // #define KERB_LOGON_FLAG_ALLOW_EXPIRED_TICKET 0x1 typedef struct _KERB_TICKET_UNLOCK_LOGON { KERB_TICKET_LOGON Logon; LUID LogonId; } KERB_TICKET_UNLOCK_LOGON, *PKERB_TICKET_UNLOCK_LOGON; // // Used for S4U Client requests // // typedef struct _KERB_S4U_LOGON { KERB_LOGON_SUBMIT_TYPE MessageType; ULONG Flags; UNICODE_STRING ClientUpn; // REQUIRED: UPN for client UNICODE_STRING ClientRealm; // Optional: Client Realm, if known } KERB_S4U_LOGON, *PKERB_S4U_LOGON; // // Use the same profile structure as MSV1_0 // typedef enum _KERB_PROFILE_BUFFER_TYPE { KerbInteractiveProfile = 2, KerbSmartCardProfile = 4, KerbTicketProfile = 6 } KERB_PROFILE_BUFFER_TYPE, *PKERB_PROFILE_BUFFER_TYPE; typedef struct _KERB_INTERACTIVE_PROFILE { KERB_PROFILE_BUFFER_TYPE MessageType; USHORT LogonCount; USHORT BadPasswordCount; LARGE_INTEGER LogonTime; LARGE_INTEGER LogoffTime; LARGE_INTEGER KickOffTime; LARGE_INTEGER PasswordLastSet; LARGE_INTEGER PasswordCanChange; LARGE_INTEGER PasswordMustChange; UNICODE_STRING LogonScript; UNICODE_STRING HomeDirectory; UNICODE_STRING FullName; UNICODE_STRING ProfilePath; UNICODE_STRING HomeDirectoryDrive; UNICODE_STRING LogonServer; ULONG UserFlags; } KERB_INTERACTIVE_PROFILE, *PKERB_INTERACTIVE_PROFILE; // // For smart card, we return a smart card profile, which is an interactive // profile plus a certificate // typedef struct _KERB_SMART_CARD_PROFILE { KERB_INTERACTIVE_PROFILE Profile; ULONG CertificateSize; PUCHAR CertificateData; } KERB_SMART_CARD_PROFILE, *PKERB_SMART_CARD_PROFILE; // // For a ticket logon profile, we return the session key from the ticket // typedef struct KERB_CRYPTO_KEY { LONG KeyType; ULONG Length; PUCHAR Value; } KERB_CRYPTO_KEY, *PKERB_CRYPTO_KEY; typedef struct _KERB_TICKET_PROFILE { KERB_INTERACTIVE_PROFILE Profile; KERB_CRYPTO_KEY SessionKey; } KERB_TICKET_PROFILE, *PKERB_TICKET_PROFILE; typedef enum _KERB_PROTOCOL_MESSAGE_TYPE { KerbDebugRequestMessage = 0, KerbQueryTicketCacheMessage, KerbChangeMachinePasswordMessage, KerbVerifyPacMessage, KerbRetrieveTicketMessage, KerbUpdateAddressesMessage, KerbPurgeTicketCacheMessage, KerbChangePasswordMessage, KerbRetrieveEncodedTicketMessage, KerbDecryptDataMessage, KerbAddBindingCacheEntryMessage, KerbSetPasswordMessage, KerbSetPasswordExMessage, KerbVerifyCredentialsMessage, KerbQueryTicketCacheExMessage, KerbPurgeTicketCacheExMessage, KerbRefreshSmartcardCredentialsMessage, KerbAddExtraCredentialsMessage, KerbQuerySupplementalCredentialsMessage } KERB_PROTOCOL_MESSAGE_TYPE, *PKERB_PROTOCOL_MESSAGE_TYPE; // // Used both for retrieving tickets and for querying ticket cache // typedef struct _KERB_QUERY_TKT_CACHE_REQUEST { KERB_PROTOCOL_MESSAGE_TYPE MessageType; LUID LogonId; } KERB_QUERY_TKT_CACHE_REQUEST, *PKERB_QUERY_TKT_CACHE_REQUEST; typedef struct _KERB_TICKET_CACHE_INFO { UNICODE_STRING ServerName; UNICODE_STRING RealmName; LARGE_INTEGER StartTime; LARGE_INTEGER EndTime; LARGE_INTEGER RenewTime; LONG EncryptionType; ULONG TicketFlags; } KERB_TICKET_CACHE_INFO, *PKERB_TICKET_CACHE_INFO; typedef struct _KERB_TICKET_CACHE_INFO_EX { UNICODE_STRING ClientName; UNICODE_STRING ClientRealm; UNICODE_STRING ServerName; UNICODE_STRING ServerRealm; LARGE_INTEGER StartTime; LARGE_INTEGER EndTime; LARGE_INTEGER RenewTime; LONG EncryptionType; ULONG TicketFlags; } KERB_TICKET_CACHE_INFO_EX, *PKERB_TICKET_CACHE_INFO_EX; typedef struct _KERB_QUERY_TKT_CACHE_RESPONSE { KERB_PROTOCOL_MESSAGE_TYPE MessageType; ULONG CountOfTickets; KERB_TICKET_CACHE_INFO Tickets[ANYSIZE_ARRAY]; } KERB_QUERY_TKT_CACHE_RESPONSE, *PKERB_QUERY_TKT_CACHE_RESPONSE; typedef struct _KERB_QUERY_TKT_CACHE_EX_RESPONSE { KERB_PROTOCOL_MESSAGE_TYPE MessageType; ULONG CountOfTickets; KERB_TICKET_CACHE_INFO_EX Tickets[ANYSIZE_ARRAY]; } KERB_QUERY_TKT_CACHE_EX_RESPONSE, *PKERB_QUERY_TKT_CACHE_EX_RESPONSE; // // Types for retrieving encoded ticket from the cache // #ifndef __SECHANDLE_DEFINED__ typedef struct _SecHandle { ULONG_PTR dwLower ; ULONG_PTR dwUpper ; } SecHandle, * PSecHandle ; #define __SECHANDLE_DEFINED__ #endif // __SECHANDLE_DEFINED__ // Ticket Flags #define KERB_USE_DEFAULT_TICKET_FLAGS 0x0 // CacheOptions #define KERB_RETRIEVE_TICKET_DEFAULT 0x0 #define KERB_RETRIEVE_TICKET_DONT_USE_CACHE 0x1 #define KERB_RETRIEVE_TICKET_USE_CACHE_ONLY 0x2 #define KERB_RETRIEVE_TICKET_USE_CREDHANDLE 0x4 #define KERB_RETRIEVE_TICKET_AS_KERB_CRED 0x8 #define KERB_RETRIEVE_TICKET_WITH_SEC_CRED 0x10 // Encryption Type options #define KERB_ETYPE_DEFAULT 0x0 // don't specify etype in tkt req. typedef struct _KERB_AUTH_DATA { ULONG Type; ULONG Length; PUCHAR Data; } KERB_AUTH_DATA, *PKERB_AUTH_DATA; typedef struct _KERB_NET_ADDRESS { ULONG Family; ULONG Length; PCHAR Address; } KERB_NET_ADDRESS, *PKERB_NET_ADDRESS; typedef struct _KERB_NET_ADDRESSES { ULONG Number; KERB_NET_ADDRESS Addresses[ANYSIZE_ARRAY]; } KERB_NET_ADDRESSES, *PKERB_NET_ADDRESSES; // // Types for the information about a ticket // typedef struct _KERB_EXTERNAL_NAME { SHORT NameType; USHORT NameCount; UNICODE_STRING Names[ANYSIZE_ARRAY]; } KERB_EXTERNAL_NAME, *PKERB_EXTERNAL_NAME; typedef struct _KERB_EXTERNAL_TICKET { PKERB_EXTERNAL_NAME ServiceName; PKERB_EXTERNAL_NAME TargetName; PKERB_EXTERNAL_NAME ClientName; UNICODE_STRING DomainName; UNICODE_STRING TargetDomainName; UNICODE_STRING AltTargetDomainName; // contains ClientDomainName KERB_CRYPTO_KEY SessionKey; ULONG TicketFlags; ULONG Flags; LARGE_INTEGER KeyExpirationTime; LARGE_INTEGER StartTime; LARGE_INTEGER EndTime; LARGE_INTEGER RenewUntil; LARGE_INTEGER TimeSkew; ULONG EncodedTicketSize; PUCHAR EncodedTicket; } KERB_EXTERNAL_TICKET, *PKERB_EXTERNAL_TICKET; typedef struct _KERB_RETRIEVE_TKT_REQUEST { KERB_PROTOCOL_MESSAGE_TYPE MessageType; LUID LogonId; UNICODE_STRING TargetName; ULONG TicketFlags; ULONG CacheOptions; LONG EncryptionType; SecHandle CredentialsHandle; } KERB_RETRIEVE_TKT_REQUEST, *PKERB_RETRIEVE_TKT_REQUEST; typedef struct _KERB_RETRIEVE_TKT_RESPONSE { KERB_EXTERNAL_TICKET Ticket; } KERB_RETRIEVE_TKT_RESPONSE, *PKERB_RETRIEVE_TKT_RESPONSE; // // Used to purge entries from the ticket cache // typedef struct _KERB_PURGE_TKT_CACHE_REQUEST { KERB_PROTOCOL_MESSAGE_TYPE MessageType; LUID LogonId; UNICODE_STRING ServerName; UNICODE_STRING RealmName; } KERB_PURGE_TKT_CACHE_REQUEST, *PKERB_PURGE_TKT_CACHE_REQUEST; // // Flags for purge requests // #define KERB_PURGE_ALL_TICKETS 1 typedef struct _KERB_PURGE_TKT_CACHE_EX_REQUEST { KERB_PROTOCOL_MESSAGE_TYPE MessageType; LUID LogonId; ULONG Flags; KERB_TICKET_CACHE_INFO_EX TicketTemplate; } KERB_PURGE_TKT_CACHE_EX_REQUEST, *PKERB_PURGE_TKT_CACHE_EX_REQUEST; // // KerbChangePassword // // KerbChangePassword changes the password on the KDC account plus // the password cache and logon credentials if applicable. // // typedef struct _KERB_CHANGEPASSWORD_REQUEST { KERB_PROTOCOL_MESSAGE_TYPE MessageType; UNICODE_STRING DomainName; UNICODE_STRING AccountName; UNICODE_STRING OldPassword; UNICODE_STRING NewPassword; BOOLEAN Impersonating; } KERB_CHANGEPASSWORD_REQUEST, *PKERB_CHANGEPASSWORD_REQUEST; // // KerbSetPassword // // KerbSetPassword changes the password on the KDC account plus // the password cache and logon credentials if applicable. // // typedef struct _KERB_SETPASSWORD_REQUEST { KERB_PROTOCOL_MESSAGE_TYPE MessageType; LUID LogonId; SecHandle CredentialsHandle; ULONG Flags; UNICODE_STRING DomainName; UNICODE_STRING AccountName; UNICODE_STRING Password; } KERB_SETPASSWORD_REQUEST, *PKERB_SETPASSWORD_REQUEST; typedef struct _KERB_SETPASSWORD_EX_REQUEST { KERB_PROTOCOL_MESSAGE_TYPE MessageType; LUID LogonId; SecHandle CredentialsHandle; ULONG Flags; UNICODE_STRING AccountRealm; UNICODE_STRING AccountName; UNICODE_STRING Password; UNICODE_STRING ClientRealm; UNICODE_STRING ClientName; BOOLEAN Impersonating; UNICODE_STRING KdcAddress; ULONG KdcAddressType; } KERB_SETPASSWORD_EX_REQUEST, *PKERB_SETPASSWORD_EX_REQUEST; #define DS_UNKNOWN_ADDRESS_TYPE 0 // anything *but* IP #define KERB_SETPASS_USE_LOGONID 1 #define KERB_SETPASS_USE_CREDHANDLE 2 typedef struct _KERB_DECRYPT_REQUEST { KERB_PROTOCOL_MESSAGE_TYPE MessageType; LUID LogonId; ULONG Flags; LONG CryptoType; LONG KeyUsage; KERB_CRYPTO_KEY Key; // optional ULONG EncryptedDataSize; ULONG InitialVectorSize; PUCHAR InitialVector; PUCHAR EncryptedData; } KERB_DECRYPT_REQUEST, *PKERB_DECRYPT_REQUEST; // // If set, use the primary key from the current logon session of the one provided in the LogonId field. // Otherwise, use the Key in the KERB_DECRYPT_MESSAGE. #define KERB_DECRYPT_FLAG_DEFAULT_KEY 0x00000001 typedef struct _KERB_DECRYPT_RESPONSE { UCHAR DecryptedData[ANYSIZE_ARRAY]; } KERB_DECRYPT_RESPONSE, *PKERB_DECRYPT_RESPONSE; // // Request structure for adding a binding cache entry. TCB privilege // is required for this operation. // typedef struct _KERB_ADD_BINDING_CACHE_ENTRY_REQUEST { KERB_PROTOCOL_MESSAGE_TYPE MessageType; UNICODE_STRING RealmName; UNICODE_STRING KdcAddress; ULONG AddressType; //dsgetdc.h DS_NETBIOS_ADDRESS||DS_INET_ADDRESS } KERB_ADD_BINDING_CACHE_ENTRY_REQUEST, *PKERB_ADD_BINDING_CACHE_ENTRY_REQUEST; // // Request structure for reacquiring smartcard credentials for a // given LUID. // Requires TCB. // typedef struct _KERB_REFRESH_SCCRED_REQUEST { KERB_PROTOCOL_MESSAGE_TYPE MessageType; UNICODE_STRING CredentialBlob; // optional LUID LogonId; ULONG Flags; } KERB_REFRESH_SCCRED_REQUEST, *PKERB_REFRESH_SCCRED_REQUEST; // // Flags for KERB_REFRESH_SCCRED_REQUEST // // KERB_REFRESH_SCCRED_RELEASE // Release the smartcard handle for LUID // // KERB_REFRESH_SCCRED_GETTGT // Use the certificate hash in the blob to get a TGT for the logon // session. // #define KERB_REFRESH_SCCRED_RELEASE 0x0 #define KERB_REFRESH_SCCRED_GETTGT 0x1 // // Request structure for adding extra Server credentials to a given // logon session. Only applicable during AcceptSecurityContext, and // requires TCB to alter "other" creds // typedef struct _KERB_ADD_CREDENTIALS_REQUEST { KERB_PROTOCOL_MESSAGE_TYPE MessageType; UNICODE_STRING UserName; UNICODE_STRING DomainName; UNICODE_STRING Password; LUID LogonId; // optional ULONG Flags; } KERB_ADD_CREDENTIALS_REQUEST, *PKERB_ADD_CREDENTIALS_REQUEST; #define KERB_REQUEST_ADD_CREDENTIAL 1 #define KERB_REQUEST_REPLACE_CREDENTIAL 2 #define KERB_REQUEST_REMOVE_CREDENTIAL 4 #ifdef __cplusplus } #endif #endif /* _NTSECAPI_ */