You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
886 lines
26 KiB
886 lines
26 KiB
/*++
|
|
|
|
Copyright (c) 1996 Microsoft Corporation
|
|
|
|
Module Name:
|
|
|
|
kerberos.cpp
|
|
|
|
Abstract:
|
|
|
|
Routines to read/write/configure kerberos policy settings
|
|
|
|
The following modules have links to kerberos policy
|
|
scejet.c <SceJetAddSection>
|
|
inftojet.c <SceConvertpInfKeyValue>
|
|
pfget.c <ScepGetKerberosPolicy>
|
|
config.c <ScepConfigureKerberosPolicy>
|
|
analyze.c <ScepAnalyzeKerberosPolicy>
|
|
|
|
Author:
|
|
|
|
Jin Huang (jinhuang) 17-Dec-1997
|
|
|
|
Revision History:
|
|
|
|
jinhuang 28-Jan-1998 splitted to client-server
|
|
|
|
--*/
|
|
|
|
#include "headers.h"
|
|
#include "serverp.h"
|
|
#include "kerberos.h"
|
|
#include "kerbcon.h"
|
|
#include "pfp.h"
|
|
|
|
#define MAXDWORD 0xffffffff
|
|
|
|
static PWSTR KerbItems[] = {
|
|
{(PWSTR)TEXT("MaxTicketAge")},
|
|
{(PWSTR)TEXT("MaxRenewAge")},
|
|
{(PWSTR)TEXT("MaxServiceAge")},
|
|
{(PWSTR)TEXT("MaxClockSkew")},
|
|
{(PWSTR)TEXT("TicketValidateClient")}
|
|
};
|
|
|
|
#define MAX_KERB_ITEMS 5
|
|
|
|
#define IDX_KERB_MAX 0
|
|
#define IDX_KERB_RENEW 1
|
|
#define IDX_KERB_SERVICE 2
|
|
#define IDX_KERB_CLOCK 3
|
|
#define IDX_KERB_VALIDATE 4
|
|
|
|
|
|
SCESTATUS
|
|
ScepGetKerberosPolicy(
|
|
IN PSCECONTEXT hProfile,
|
|
IN SCETYPE ProfileType,
|
|
OUT PSCE_KERBEROS_TICKET_INFO * ppKerberosInfo,
|
|
OUT PSCE_ERROR_LOG_INFO *Errlog OPTIONAL
|
|
)
|
|
/*++
|
|
Routine Description:
|
|
|
|
This routine retrieves kerberos policy information from the Jet database
|
|
and stores in the output buffer ppKerberosInfo.
|
|
|
|
Arguments:
|
|
|
|
hProfile - The profile handle context
|
|
|
|
ppKerberosInfo - the output buffer to hold kerberos settings.
|
|
|
|
Errlog - A buffer to hold all error codes/text encountered when
|
|
parsing the INF file. If Errlog is NULL, no further error
|
|
information is returned except the return DWORD
|
|
|
|
Return value:
|
|
|
|
SCESTATUS - SCESTATUS_SUCCESS
|
|
SCESTATUS_NOT_ENOUGH_RESOURCE
|
|
SCESTATUS_INVALID_PARAMETER
|
|
SCESTATUS_BAD_FORMAT
|
|
SCESTATUS_INVALID_DATA
|
|
|
|
--*/
|
|
|
|
{
|
|
SCESTATUS rc;
|
|
PSCESECTION hSection=NULL;
|
|
|
|
SCE_KEY_LOOKUP AccessKeys[] = {
|
|
{(PWSTR)TEXT("MaxTicketAge"), offsetof(struct _SCE_KERBEROS_TICKET_INFO_, MaxTicketAge), 'D'},
|
|
{(PWSTR)TEXT("MaxRenewAge"), offsetof(struct _SCE_KERBEROS_TICKET_INFO_, MaxRenewAge), 'D'},
|
|
{(PWSTR)TEXT("MaxServiceAge"), offsetof(struct _SCE_KERBEROS_TICKET_INFO_, MaxServiceAge), 'D'},
|
|
{(PWSTR)TEXT("MaxClockSkew"), offsetof(struct _SCE_KERBEROS_TICKET_INFO_, MaxClockSkew), 'D'},
|
|
{(PWSTR)TEXT("TicketValidateClient"), offsetof(struct _SCE_KERBEROS_TICKET_INFO_, TicketValidateClient), 'D'}
|
|
};
|
|
|
|
DWORD cKeys = sizeof(AccessKeys) / sizeof(SCE_KEY_LOOKUP);
|
|
SCE_KERBEROS_TICKET_INFO TicketInfo;
|
|
|
|
if ( ppKerberosInfo == NULL ) {
|
|
return(SCESTATUS_INVALID_PARAMETER);
|
|
}
|
|
|
|
rc = ScepGetFixValueSection(
|
|
hProfile,
|
|
szKerberosPolicy,
|
|
AccessKeys,
|
|
cKeys,
|
|
ProfileType,
|
|
(PVOID)&TicketInfo,
|
|
&hSection,
|
|
Errlog
|
|
);
|
|
if ( rc != SCESTATUS_SUCCESS ) {
|
|
return(rc);
|
|
}
|
|
//
|
|
// copy the value in TicketInfo to ppKerberosInfo
|
|
//
|
|
if ( NULL == *ppKerberosInfo ) {
|
|
*ppKerberosInfo = (PSCE_KERBEROS_TICKET_INFO)ScepAlloc(0, sizeof(SCE_KERBEROS_TICKET_INFO));
|
|
}
|
|
|
|
if ( *ppKerberosInfo ) {
|
|
|
|
memcpy(*ppKerberosInfo, &TicketInfo, sizeof(SCE_KERBEROS_TICKET_INFO));
|
|
|
|
} else {
|
|
|
|
rc = SCESTATUS_NOT_ENOUGH_RESOURCE;
|
|
}
|
|
|
|
SceJetCloseSection(&hSection, TRUE);
|
|
|
|
return(rc);
|
|
}
|
|
|
|
#if _WIN32_WINNT>=0x0500
|
|
|
|
SCESTATUS
|
|
ScepConfigureKerberosPolicy(
|
|
IN PSCECONTEXT hProfile,
|
|
IN PSCE_KERBEROS_TICKET_INFO pKerberosInfo,
|
|
IN DWORD ConfigOptions
|
|
)
|
|
/* ++
|
|
|
|
Routine Description:
|
|
|
|
This routine configure the kerberos policy settings in the area of security
|
|
policy.
|
|
|
|
Arguments:
|
|
|
|
pKerberosInfo - The buffer which contains kerberos policy settings
|
|
|
|
Return value:
|
|
|
|
SCESTATUS_SUCCESS
|
|
SCESTATUS_NOT_ENOUGH_RESOURCE
|
|
SCESTATUS_INVALID_PARAMETER
|
|
SCESTATUS_OTHER_ERROR
|
|
|
|
-- */
|
|
{
|
|
if ( !pKerberosInfo ) {
|
|
//
|
|
// if no info to configure
|
|
//
|
|
return SCESTATUS_SUCCESS;
|
|
}
|
|
|
|
NTSTATUS NtStatus;
|
|
LSA_HANDLE lsaHandle=NULL;
|
|
DWORD rc = NO_ERROR;
|
|
BOOL bDefaultUsed=FALSE;
|
|
BOOL bDefined=FALSE;
|
|
|
|
//
|
|
// open LSA policy to configure kerberos policy
|
|
//
|
|
NtStatus = ScepOpenLsaPolicy(
|
|
MAXIMUM_ALLOWED,
|
|
&lsaHandle,
|
|
TRUE
|
|
);
|
|
|
|
if (!NT_SUCCESS(NtStatus)) {
|
|
|
|
lsaHandle = NULL;
|
|
rc = RtlNtStatusToDosError( NtStatus );
|
|
ScepLogOutput3( 1, rc, SCEDLL_LSA_POLICY);
|
|
|
|
if ( ConfigOptions & SCE_RSOP_CALLBACK )
|
|
|
|
ScepRsopLog(SCE_RSOP_KERBEROS_INFO, rc, NULL, 0, 0);
|
|
|
|
return(ScepDosErrorToSceStatus(rc));
|
|
}
|
|
//
|
|
// query current kerberos policy settings into pBuffer
|
|
//
|
|
PPOLICY_DOMAIN_KERBEROS_TICKET_INFO pBuffer=NULL;
|
|
POLICY_DOMAIN_KERBEROS_TICKET_INFO TicketInfo;
|
|
|
|
NtStatus = LsaQueryDomainInformationPolicy(
|
|
lsaHandle,
|
|
PolicyDomainKerberosTicketInformation,
|
|
(PVOID *)&pBuffer
|
|
);
|
|
|
|
if ( NT_SUCCESS(NtStatus) && pBuffer ) {
|
|
//
|
|
// transfer ticket info to TicketInfo buffer
|
|
//
|
|
TicketInfo.AuthenticationOptions = pBuffer->AuthenticationOptions;
|
|
TicketInfo.MaxTicketAge = pBuffer->MaxTicketAge;
|
|
TicketInfo.MaxRenewAge = pBuffer->MaxRenewAge;
|
|
TicketInfo.MaxServiceTicketAge = pBuffer->MaxServiceTicketAge;
|
|
TicketInfo.MaxClockSkew = pBuffer->MaxClockSkew;
|
|
|
|
//
|
|
// free the buffer
|
|
//
|
|
LsaFreeMemory((PVOID)pBuffer);
|
|
|
|
} else {
|
|
//
|
|
// no kerberos policy is configured yet because by default it's not created.
|
|
// let's create it now. set a default ticket info
|
|
//
|
|
TicketInfo.AuthenticationOptions = POLICY_KERBEROS_VALIDATE_CLIENT;
|
|
|
|
TicketInfo.MaxTicketAge.QuadPart = (LONGLONG) KERBDEF_MAX_TICKET*60*60 * 10000000L;
|
|
TicketInfo.MaxRenewAge.QuadPart = (LONGLONG) KERBDEF_MAX_RENEW*24*60*60 * 10000000L;
|
|
TicketInfo.MaxServiceTicketAge.QuadPart = (LONGLONG) KERBDEF_MAX_SERVICE*60 * 10000000L;
|
|
TicketInfo.MaxClockSkew.QuadPart = (LONGLONG) KERBDEF_MAX_CLOCK*60 * 10000000L;
|
|
|
|
bDefaultUsed = TRUE;
|
|
}
|
|
pBuffer = &TicketInfo;
|
|
|
|
//
|
|
// process each field in pKerberosInfo
|
|
//
|
|
BOOL bFlagSet=FALSE;
|
|
ULONG lOptions=0;
|
|
ULONG lValue=0;
|
|
|
|
SCE_TATTOO_KEYS *pTattooKeys=NULL;
|
|
DWORD cTattooKeys=0;
|
|
|
|
PSCESECTION hSectionDomain=NULL;
|
|
PSCESECTION hSectionTattoo=NULL;
|
|
|
|
#define MAX_KERB_KEYS 5
|
|
|
|
|
|
//
|
|
// if in policy propagation, open the policy sections
|
|
// since kerberos policy is only available on DCs and kerberos policy (account policy)
|
|
// can't be reset to local settings on each DC, there is no point to query/save
|
|
// the tattoo values
|
|
//
|
|
/* do not take tattoo value for kerberos
|
|
if ( (ConfigOptions & SCE_POLICY_TEMPLATE) &&
|
|
hProfile ) {
|
|
|
|
pTattooKeys = (SCE_TATTOO_KEYS *)ScepAlloc(LPTR,MAX_KERB_KEYS*sizeof(SCE_TATTOO_KEYS));
|
|
|
|
if ( !pTattooKeys ) {
|
|
ScepLogOutput3(1, ERROR_NOT_ENOUGH_MEMORY, SCESRV_POLICY_TATTOO_ERROR_CREATE);
|
|
}
|
|
}
|
|
*/
|
|
if ( pKerberosInfo->MaxRenewAge != SCE_NO_VALUE ) {
|
|
ScepTattooCheckAndUpdateArray(pTattooKeys, &cTattooKeys,
|
|
(PWSTR)L"MaxRenewAge", ConfigOptions,
|
|
KERBDEF_MAX_RENEW);
|
|
}
|
|
|
|
if ( pKerberosInfo->MaxRenewAge == SCE_FOREVER_VALUE ) {
|
|
|
|
if ( pBuffer->MaxRenewAge.HighPart != MINLONG ||
|
|
pBuffer->MaxRenewAge.LowPart != 0 ) {
|
|
//
|
|
// Maximum LARGE_INTEGER .ie. never
|
|
//
|
|
|
|
pBuffer->MaxRenewAge.HighPart = MINLONG;
|
|
pBuffer->MaxRenewAge.LowPart = 0;
|
|
bFlagSet = TRUE;
|
|
|
|
}
|
|
bDefined = TRUE;
|
|
|
|
} else if ( SCE_NO_VALUE != pKerberosInfo->MaxRenewAge ) {
|
|
|
|
//
|
|
// ticket is renewable, the max age is stored in MaxRenewAge
|
|
// using days
|
|
//
|
|
|
|
lValue = (DWORD) (pBuffer->MaxRenewAge.QuadPart /
|
|
(LONGLONG)(10000000L) );
|
|
lValue /= 3600;
|
|
lValue /= 24;
|
|
|
|
if ( lValue != pKerberosInfo->MaxRenewAge ) {
|
|
|
|
pBuffer->MaxRenewAge.QuadPart = (LONGLONG)pKerberosInfo->MaxRenewAge*24*3600 * 10000000L;
|
|
bFlagSet = TRUE;
|
|
|
|
}
|
|
|
|
bDefined = TRUE;
|
|
}
|
|
|
|
//
|
|
// validate client ?
|
|
//
|
|
|
|
if ( pKerberosInfo->TicketValidateClient != SCE_NO_VALUE ) {
|
|
|
|
if ( pKerberosInfo->TicketValidateClient ) {
|
|
lOptions |= POLICY_KERBEROS_VALIDATE_CLIENT;
|
|
}
|
|
|
|
ScepTattooCheckAndUpdateArray(pTattooKeys, &cTattooKeys,
|
|
(PWSTR)L"TicketValidateClient", ConfigOptions,
|
|
KERBDEF_VALIDATE);
|
|
|
|
if ( ( pBuffer->AuthenticationOptions & POLICY_KERBEROS_VALIDATE_CLIENT ) !=
|
|
( lOptions & POLICY_KERBEROS_VALIDATE_CLIENT ) ) {
|
|
|
|
|
|
pBuffer->AuthenticationOptions = lOptions;
|
|
bFlagSet = TRUE;
|
|
}
|
|
bDefined = TRUE;
|
|
}
|
|
|
|
//
|
|
// max ticket age
|
|
//
|
|
if ( pKerberosInfo->MaxTicketAge != SCE_NO_VALUE ) {
|
|
ScepTattooCheckAndUpdateArray(pTattooKeys, &cTattooKeys,
|
|
(PWSTR)L"MaxTicketAge", ConfigOptions,
|
|
KERBDEF_MAX_TICKET);
|
|
bDefined = TRUE;
|
|
}
|
|
|
|
if ( pKerberosInfo->MaxTicketAge == SCE_FOREVER_VALUE ) {
|
|
|
|
if ( pBuffer->MaxTicketAge.HighPart != MINLONG ||
|
|
pBuffer->MaxTicketAge.LowPart != 0 ) {
|
|
//
|
|
// Maximum LARGE_INTEGER .ie. never
|
|
//
|
|
|
|
pBuffer->MaxTicketAge.HighPart = MINLONG;
|
|
pBuffer->MaxTicketAge.LowPart = 0;
|
|
bFlagSet = TRUE;
|
|
}
|
|
|
|
bDefined = TRUE;
|
|
|
|
} else if ( pKerberosInfo->MaxTicketAge != SCE_NO_VALUE ) {
|
|
// in hours
|
|
|
|
|
|
lValue = (DWORD) (pBuffer->MaxTicketAge.QuadPart /
|
|
(LONGLONG)(10000000L) );
|
|
lValue /= 3600;
|
|
|
|
if ( lValue != pKerberosInfo->MaxTicketAge ) {
|
|
|
|
pBuffer->MaxTicketAge.QuadPart = (LONGLONG)pKerberosInfo->MaxTicketAge*60*60 * 10000000L;
|
|
bFlagSet = TRUE;
|
|
}
|
|
|
|
bDefined = TRUE;
|
|
}
|
|
|
|
//
|
|
// max service ticket age
|
|
//
|
|
if ( pKerberosInfo->MaxServiceAge != SCE_NO_VALUE ) {
|
|
ScepTattooCheckAndUpdateArray(pTattooKeys, &cTattooKeys,
|
|
(PWSTR)L"MaxServiceAge", ConfigOptions,
|
|
KERBDEF_MAX_SERVICE);
|
|
bDefined = TRUE;
|
|
}
|
|
|
|
if ( pKerberosInfo->MaxServiceAge == SCE_FOREVER_VALUE ) {
|
|
|
|
if ( pBuffer->MaxServiceTicketAge.HighPart != MINLONG ||
|
|
pBuffer->MaxServiceTicketAge.LowPart != 0 ) {
|
|
//
|
|
// Maximum LARGE_INTEGER .ie. never
|
|
//
|
|
|
|
pBuffer->MaxServiceTicketAge.HighPart = MINLONG;
|
|
pBuffer->MaxServiceTicketAge.LowPart = 0;
|
|
bFlagSet = TRUE;
|
|
}
|
|
|
|
bDefined = TRUE;
|
|
|
|
} else if ( pKerberosInfo->MaxServiceAge != SCE_NO_VALUE ) {
|
|
// in minutes
|
|
|
|
|
|
lValue = (DWORD) (pBuffer->MaxServiceTicketAge.QuadPart /
|
|
(LONGLONG)(10000000L) );
|
|
lValue /= 60;
|
|
|
|
if ( lValue != pKerberosInfo->MaxServiceAge ) {
|
|
|
|
pBuffer->MaxServiceTicketAge.QuadPart = (LONGLONG)pKerberosInfo->MaxServiceAge*60 * 10000000L;
|
|
bFlagSet = TRUE;
|
|
}
|
|
|
|
bDefined = TRUE;
|
|
}
|
|
|
|
//
|
|
// max clock
|
|
//
|
|
if ( pKerberosInfo->MaxClockSkew != SCE_NO_VALUE ) {
|
|
ScepTattooCheckAndUpdateArray(pTattooKeys, &cTattooKeys,
|
|
(PWSTR)L"MaxClockSkew", ConfigOptions,
|
|
KERBDEF_MAX_CLOCK);
|
|
bDefined = TRUE;
|
|
}
|
|
|
|
if ( pKerberosInfo->MaxClockSkew == SCE_FOREVER_VALUE ) {
|
|
|
|
if ( pBuffer->MaxClockSkew.HighPart != MINLONG ||
|
|
pBuffer->MaxClockSkew.LowPart != 0 ) {
|
|
|
|
//
|
|
// Maximum LARGE_INTEGER .ie. never
|
|
//
|
|
|
|
pBuffer->MaxClockSkew.HighPart = MINLONG;
|
|
pBuffer->MaxClockSkew.LowPart = 0;
|
|
bFlagSet = TRUE;
|
|
}
|
|
bDefined = TRUE;
|
|
|
|
} else if ( pKerberosInfo->MaxClockSkew != SCE_NO_VALUE ) {
|
|
// in minutes
|
|
|
|
lValue = (DWORD) (pBuffer->MaxClockSkew.QuadPart /
|
|
(LONGLONG)(10000000L) );
|
|
lValue /= 60;
|
|
|
|
if ( lValue != pKerberosInfo->MaxClockSkew ) {
|
|
|
|
pBuffer->MaxClockSkew.QuadPart = (LONGLONG)pKerberosInfo->MaxClockSkew*60 * 10000000L;
|
|
bFlagSet = TRUE;
|
|
}
|
|
bDefined = TRUE;
|
|
}
|
|
|
|
if ( bFlagSet || (bDefaultUsed && bDefined) ) {
|
|
//
|
|
// if anything for kerberos to configure
|
|
//
|
|
NtStatus = LsaSetDomainInformationPolicy(
|
|
lsaHandle,
|
|
PolicyDomainKerberosTicketInformation,
|
|
(PVOID)pBuffer
|
|
);
|
|
rc = RtlNtStatusToDosError( NtStatus );
|
|
|
|
if ( rc != NO_ERROR ) {
|
|
ScepLogOutput3(1, rc, SCEDLL_SCP_ERROR_KERBEROS);
|
|
} else {
|
|
ScepLogOutput3(1, 0, SCEDLL_SCP_KERBEROS);
|
|
}
|
|
}
|
|
|
|
if ( (ConfigOptions & SCE_POLICY_TEMPLATE) &&
|
|
hProfile && pTattooKeys && cTattooKeys ) {
|
|
|
|
ScepTattooOpenPolicySections(
|
|
hProfile,
|
|
szKerberosPolicy,
|
|
&hSectionDomain,
|
|
&hSectionTattoo
|
|
);
|
|
ScepLogOutput3(3,0,SCESRV_POLICY_TATTOO_ARRAY,cTattooKeys);
|
|
//
|
|
// some policy is different than the system setting
|
|
// check if we should save the existing setting as the tattoo value
|
|
// also remove reset'ed tattoo policy
|
|
//
|
|
ScepTattooManageValues(hSectionDomain, hSectionTattoo, pTattooKeys, cTattooKeys, rc);
|
|
|
|
if ( hSectionDomain ) SceJetCloseSection(&hSectionDomain,TRUE);
|
|
if ( hSectionTattoo ) SceJetCloseSection(&hSectionTattoo,TRUE);
|
|
}
|
|
|
|
if ( pTattooKeys ) ScepFree(pTattooKeys);
|
|
|
|
if ( ConfigOptions & SCE_RSOP_CALLBACK )
|
|
|
|
ScepRsopLog(SCE_RSOP_KERBEROS_INFO, rc, NULL, 0, 0);
|
|
|
|
//
|
|
// close LSA policy
|
|
//
|
|
LsaClose( lsaHandle );
|
|
|
|
return(ScepDosErrorToSceStatus(rc));
|
|
}
|
|
|
|
|
|
SCESTATUS
|
|
ScepAnalyzeKerberosPolicy(
|
|
IN PSCECONTEXT hProfile OPTIONAL,
|
|
IN PSCE_KERBEROS_TICKET_INFO pKerInfo,
|
|
IN DWORD Options
|
|
)
|
|
/* ++
|
|
|
|
Routine Description:
|
|
|
|
This routine queries the system kerberos policy settings and compare them
|
|
with the template settings.
|
|
|
|
Arguments:
|
|
|
|
hProfile - the profile context
|
|
|
|
pKerInfo - The buffer which contains kerberos settings to compare with or
|
|
the buffer to query system settings into
|
|
|
|
Options - the option(s) for the analysis, e.g., SCE_SYSTEM_SETTINGS
|
|
|
|
Return value:
|
|
|
|
|
|
-- */
|
|
{
|
|
NTSTATUS NtStatus;
|
|
LSA_HANDLE lsaHandle=NULL;
|
|
DWORD rc32 = NO_ERROR;
|
|
SCESTATUS rc=SCESTATUS_SUCCESS;
|
|
PPOLICY_DOMAIN_KERBEROS_TICKET_INFO pBuffer=NULL;
|
|
DWORD dValue;
|
|
PSCESECTION hSection=NULL;
|
|
POLICY_DOMAIN_KERBEROS_TICKET_INFO KerbTicketInfo;
|
|
|
|
if ( !pKerInfo ) {
|
|
//
|
|
// if no template info, do not analyze
|
|
//
|
|
if ( Options & SCE_SYSTEM_SETTINGS ) {
|
|
return SCESTATUS_INVALID_PARAMETER;
|
|
} else {
|
|
return SCESTATUS_SUCCESS;
|
|
}
|
|
}
|
|
|
|
|
|
//
|
|
// open LSA policy to configure kerberos policy
|
|
//
|
|
NtStatus = ScepOpenLsaPolicy(
|
|
MAXIMUM_ALLOWED,
|
|
&lsaHandle,
|
|
TRUE
|
|
);
|
|
|
|
if (!NT_SUCCESS(NtStatus)) {
|
|
|
|
lsaHandle = NULL;
|
|
rc32 = RtlNtStatusToDosError( NtStatus );
|
|
ScepLogOutput3( 1, rc32, SCEDLL_LSA_POLICY);
|
|
|
|
return(ScepDosErrorToSceStatus(rc32));
|
|
}
|
|
|
|
if ( !(Options & SCE_SYSTEM_SETTINGS) ) {
|
|
|
|
//
|
|
// Prepare kerberos section
|
|
//
|
|
rc = ScepStartANewSection(
|
|
hProfile,
|
|
&hSection,
|
|
(Options & SCE_GENERATE_ROLLBACK) ? SCEJET_TABLE_SMP : SCEJET_TABLE_SAP,
|
|
szKerberosPolicy
|
|
);
|
|
}
|
|
|
|
if ( rc != SCESTATUS_SUCCESS ) {
|
|
ScepLogOutput3(1, ScepSceStatusToDosError(rc),
|
|
SCEDLL_SAP_START_SECTION, (PWSTR)szKerberosPolicy);
|
|
|
|
} else {
|
|
|
|
DWORD KerbValues[MAX_KERB_ITEMS];
|
|
|
|
for ( dValue=0; dValue<MAX_KERB_ITEMS; dValue++ ) {
|
|
KerbValues[dValue] = SCE_ERROR_VALUE;
|
|
}
|
|
|
|
//
|
|
// query current kerberos policy settings into pBuffer
|
|
//
|
|
NtStatus = LsaQueryDomainInformationPolicy(
|
|
lsaHandle,
|
|
PolicyDomainKerberosTicketInformation,
|
|
(PVOID *)&pBuffer
|
|
);
|
|
|
|
if ( STATUS_NOT_FOUND == NtStatus ) {
|
|
|
|
//
|
|
// there is no Kerberos policy
|
|
//
|
|
KerbTicketInfo.AuthenticationOptions = POLICY_KERBEROS_VALIDATE_CLIENT;
|
|
|
|
KerbTicketInfo.MaxTicketAge.QuadPart = (LONGLONG) KERBDEF_MAX_TICKET*60*60 * 10000000L;
|
|
KerbTicketInfo.MaxRenewAge.QuadPart = (LONGLONG) KERBDEF_MAX_RENEW*24*60*60 * 10000000L;
|
|
KerbTicketInfo.MaxServiceTicketAge.QuadPart = (LONGLONG) KERBDEF_MAX_SERVICE*60 * 10000000L;
|
|
KerbTicketInfo.MaxClockSkew.QuadPart = (LONGLONG) KERBDEF_MAX_CLOCK*60 * 10000000L;
|
|
|
|
pBuffer = &KerbTicketInfo;
|
|
NtStatus = STATUS_SUCCESS;
|
|
}
|
|
|
|
rc = ScepDosErrorToSceStatus(
|
|
RtlNtStatusToDosError( NtStatus ));
|
|
|
|
if ( NT_SUCCESS(NtStatus) && pBuffer ) {
|
|
|
|
//
|
|
// analyze kerberos values
|
|
// max ticket age
|
|
//
|
|
if ( pBuffer->MaxTicketAge.HighPart == MINLONG &&
|
|
pBuffer->MaxTicketAge.LowPart == 0 ) {
|
|
//
|
|
// Maximum password age value is MINLONG,0
|
|
//
|
|
dValue = SCE_FOREVER_VALUE;
|
|
|
|
} else {
|
|
|
|
dValue = (DWORD) ( pBuffer->MaxTicketAge.QuadPart /
|
|
(LONGLONG)(10000000L) );
|
|
//
|
|
// using hours
|
|
//
|
|
// dValue /= 24;
|
|
|
|
dValue /= 3600;
|
|
|
|
}
|
|
|
|
rc = SCESTATUS_SUCCESS;
|
|
|
|
if ( Options & SCE_SYSTEM_SETTINGS ) {
|
|
|
|
pKerInfo->MaxTicketAge = dValue;
|
|
|
|
} else {
|
|
|
|
rc = ScepCompareAndSaveIntValue(
|
|
hSection,
|
|
L"MaxTicketAge",
|
|
(Options & SCE_GENERATE_ROLLBACK),
|
|
pKerInfo->MaxTicketAge,
|
|
dValue);
|
|
}
|
|
|
|
if ( SCESTATUS_SUCCESS == rc ) {
|
|
|
|
KerbValues[IDX_KERB_MAX] = 1;
|
|
|
|
|
|
if ( pBuffer->MaxRenewAge.HighPart == MINLONG &&
|
|
pBuffer->MaxRenewAge.LowPart == 0 ) {
|
|
//
|
|
// Maximum age value is MINLONG,0
|
|
//
|
|
dValue = SCE_FOREVER_VALUE;
|
|
|
|
} else {
|
|
|
|
dValue = (DWORD) ( pBuffer->MaxRenewAge.QuadPart /
|
|
(LONGLONG)(10000000L) );
|
|
//
|
|
// using days
|
|
//
|
|
dValue /= 3600;
|
|
dValue /= 24;
|
|
|
|
}
|
|
|
|
if ( Options & SCE_SYSTEM_SETTINGS ) {
|
|
|
|
pKerInfo->MaxRenewAge = dValue;
|
|
|
|
} else {
|
|
|
|
rc = ScepCompareAndSaveIntValue(
|
|
hSection,
|
|
L"MaxRenewAge",
|
|
(Options & SCE_GENERATE_ROLLBACK),
|
|
pKerInfo->MaxRenewAge,
|
|
dValue);
|
|
}
|
|
|
|
if ( SCESTATUS_SUCCESS == rc ) {
|
|
|
|
KerbValues[IDX_KERB_RENEW] = 1;
|
|
|
|
if ( pBuffer->MaxServiceTicketAge.HighPart == MINLONG &&
|
|
pBuffer->MaxServiceTicketAge.LowPart == 0 ) {
|
|
//
|
|
// Maximum age value is MINLONG,0
|
|
//
|
|
dValue = SCE_FOREVER_VALUE;
|
|
|
|
} else {
|
|
|
|
dValue = (DWORD) ( pBuffer->MaxServiceTicketAge.QuadPart /
|
|
(LONGLONG)(10000000L) );
|
|
//
|
|
// using minutes
|
|
//
|
|
dValue /= 60;
|
|
|
|
}
|
|
|
|
if ( Options & SCE_SYSTEM_SETTINGS ) {
|
|
|
|
pKerInfo->MaxServiceAge = dValue;
|
|
|
|
} else {
|
|
|
|
rc = ScepCompareAndSaveIntValue(
|
|
hSection,
|
|
L"MaxServiceAge",
|
|
(Options & SCE_GENERATE_ROLLBACK),
|
|
pKerInfo->MaxServiceAge,
|
|
dValue);
|
|
}
|
|
|
|
if ( SCESTATUS_SUCCESS == rc ) {
|
|
|
|
KerbValues[IDX_KERB_SERVICE] = 1;
|
|
|
|
if ( pBuffer->MaxClockSkew.HighPart == MINLONG &&
|
|
pBuffer->MaxClockSkew.LowPart == 0 ) {
|
|
//
|
|
// Maximum age value is MINLONG,0
|
|
//
|
|
dValue = SCE_FOREVER_VALUE;
|
|
|
|
} else {
|
|
|
|
dValue = (DWORD) ( pBuffer->MaxClockSkew.QuadPart /
|
|
(LONGLONG)(10000000L) );
|
|
//
|
|
// using minutes
|
|
//
|
|
dValue /= 60;
|
|
|
|
}
|
|
|
|
if ( Options & SCE_SYSTEM_SETTINGS ) {
|
|
|
|
pKerInfo->MaxClockSkew = dValue;
|
|
|
|
} else {
|
|
|
|
rc = ScepCompareAndSaveIntValue(
|
|
hSection,
|
|
L"MaxClockSkew",
|
|
(Options & SCE_GENERATE_ROLLBACK),
|
|
pKerInfo->MaxClockSkew,
|
|
dValue);
|
|
}
|
|
|
|
if ( SCESTATUS_SUCCESS == rc ) {
|
|
|
|
KerbValues[IDX_KERB_CLOCK] = 1;
|
|
|
|
//
|
|
// validate client
|
|
//
|
|
dValue = ( pBuffer->AuthenticationOptions & POLICY_KERBEROS_VALIDATE_CLIENT ) ? 1 : 0;
|
|
|
|
if ( Options & SCE_SYSTEM_SETTINGS ) {
|
|
|
|
pKerInfo->TicketValidateClient = dValue;
|
|
|
|
} else {
|
|
|
|
rc = ScepCompareAndSaveIntValue(
|
|
hSection,
|
|
L"TicketValidateClient",
|
|
(Options & SCE_GENERATE_ROLLBACK),
|
|
pKerInfo->TicketValidateClient,
|
|
dValue);
|
|
}
|
|
|
|
if ( SCESTATUS_SUCCESS == rc ) {
|
|
|
|
KerbValues[IDX_KERB_VALIDATE] = 1;
|
|
}
|
|
}
|
|
}
|
|
}
|
|
}
|
|
|
|
if ( !(Options & SCE_SYSTEM_SETTINGS) ) {
|
|
|
|
if ( rc == SCESTATUS_SUCCESS ) {
|
|
|
|
ScepLogOutput3( 1, 0, SCEDLL_SAP_KERBEROS);
|
|
} else {
|
|
ScepLogOutput3( 1, ScepSceStatusToDosError(rc),
|
|
SCEDLL_SAP_ERROR_KERBEROS);
|
|
}
|
|
}
|
|
|
|
if ( pBuffer != &KerbTicketInfo ) {
|
|
|
|
//
|
|
// free the buffer
|
|
//
|
|
LsaFreeMemory((PVOID)pBuffer);
|
|
}
|
|
}
|
|
|
|
if ( !(Options & SCE_SYSTEM_SETTINGS) ) {
|
|
|
|
if ( SCESTATUS_SUCCESS != rc &&
|
|
!(Options & SCE_GENERATE_ROLLBACK) ) {
|
|
|
|
for ( dValue=0; dValue<MAX_KERB_ITEMS; dValue++ ) {
|
|
if ( KerbValues[dValue] == SCE_ERROR_VALUE ) {
|
|
|
|
ScepCompareAndSaveIntValue(
|
|
hSection,
|
|
KerbItems[dValue],
|
|
FALSE,
|
|
SCE_NO_VALUE,
|
|
SCE_ERROR_VALUE
|
|
);
|
|
}
|
|
}
|
|
}
|
|
|
|
//
|
|
// close the section
|
|
//
|
|
|
|
SceJetCloseSection(&hSection, TRUE);
|
|
|
|
}
|
|
}
|
|
|
|
LsaClose( lsaHandle );
|
|
|
|
if ( ( rc == SCESTATUS_PROFILE_NOT_FOUND) ||
|
|
( rc == SCESTATUS_RECORD_NOT_FOUND) ) {
|
|
rc = SCESTATUS_SUCCESS;
|
|
}
|
|
|
|
return(rc);
|
|
|
|
}
|
|
|
|
#endif
|