Source code of Windows XP (NT5)
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
 
 
 
 
 
 

3555 lines
98 KiB

//+---------------------------------------------------------------------------
//
// Microsoft Windows
// Copyright (C) Microsoft Corporation, 1992 - 1993.
//
// File: getas.cxx
//
// Contents: GetASTicket and support functions
//
// Classes:
//
// Functions:
//
// History: 04-Mar-94 wader Created
//
//----------------------------------------------------------------------------
#include "kdcsvr.hxx"
#include "kdctrace.h"
#include "krb5p.h"
#include <userall.h>
#include "fileno.h"
#define FILENO FILENO_GETAS
LARGE_INTEGER tsInfinity = {0xffffffff,0x7fffffff};
LONG lInfinity = 0x7fffffff;
enum {
SubAuthUnknown,
SubAuthNoFilter,
SubAuthYesFilter
} KdcSubAuthFilterPresent = SubAuthUnknown;
extern "C"
NTSTATUS NTAPI
Msv1_0ExportSubAuthenticationRoutine(
IN NETLOGON_LOGON_INFO_CLASS LogonLevel,
IN PVOID LogonInformation,
IN ULONG Flags,
IN ULONG DllNumber,
IN PUSER_ALL_INFORMATION UserAll,
OUT PULONG WhichFields,
OUT PULONG UserFlags,
OUT PBOOLEAN Authoritative,
OUT PLARGE_INTEGER LogoffTime,
OUT PLARGE_INTEGER KickoffTime
);
extern "C"
BOOLEAN NTAPI
Msv1_0SubAuthenticationPresent(
IN ULONG DllNumber
);
ULONG
NetpDcElapsedTime(
IN ULONG StartTime
)
/*++
Routine Description:
Returns the time (in milliseconds) that has elapsed is StartTime.
Arguments:
StartTime - A time stamp from GetTickCount()
Return Value:
Returns the time (in milliseconds) that has elapsed is StartTime.
--*/
{
ULONG CurrentTime;
//
// If time has has wrapped,
// account for it.
//
CurrentTime = GetTickCount();
if ( CurrentTime >= StartTime ) {
return CurrentTime - StartTime;
} else {
return (0xFFFFFFFF-StartTime) + CurrentTime;
}
}
//+-------------------------------------------------------------------------
//
// Function: KdcForwardLogonToPDC
//
// Synopsis: Forwards a failed-password logon to the PDC.
//
// Effects:
//
// Arguments:
//
// Requires:
//
// Returns:
//
// Notes:
//
//
//--------------------------------------------------------------------------
KERBERR
KdcForwardLogonToPDC(
IN PKERB_MESSAGE_BUFFER InputMessage,
IN PKERB_MESSAGE_BUFFER OutputMessage
)
{
KERBERR KerbErr = KDC_ERR_NONE;
NTSTATUS Status;
BOOLEAN CalledPDC;
KERB_MESSAGE_BUFFER Reply = {0};
DOMAIN_SERVER_ROLE ServerRole;
Status = SamIQueryServerRole(
GlobalAccountDomainHandle,
&ServerRole
);
if (!KdcGlobalAvoidPdcOnWan &&
NT_SUCCESS(Status) &&
(ServerRole == DomainServerRoleBackup))
{
Status = KerbMakeKdcCall(
SecData.KdcDnsRealmName(),
NULL, // no account name
TRUE, // call the PDC
TRUE, // use TCP/IP, not UDP
InputMessage,
&Reply,
0, // no additional flags
&CalledPDC
);
if (!NT_SUCCESS(Status))
{
KerbErr = KRB_ERR_GENERIC;
}
else
{
OutputMessage->Buffer = (PBYTE) MIDL_user_allocate(Reply.BufferSize);
if (OutputMessage->Buffer != NULL)
{
OutputMessage->BufferSize = Reply.BufferSize;
RtlCopyMemory(
OutputMessage->Buffer,
Reply.Buffer,
OutputMessage->BufferSize
);
}
else
{
KerbErr = KRB_ERR_GENERIC;
}
KerbFree(Reply.Buffer);
}
}
else
{
KerbErr = KRB_ERR_GENERIC;
}
return(KerbErr);
}
//+---------------------------------------------------------------------------
//
// Function: KdcVerifyKdcAsRep
//
// Synopsis: Verifies that our AS_REP came from a KDC, as opposed to a malicious
// attacker by evaluating the TGT embedded in response
//
// Arguments: Reply PKERB_KDC_REPLY
//
// Returns: Boolean to client.
//
// History: 12-June-2000 Todds Created
//
//----------------------------------------------------------------------------
BOOLEAN
KdcVerifyKdcAsRep(
PKERB_KDC_REPLY Reply,
PKERB_PRINCIPAL_NAME RequestBodyClientName
)
{
BOOLEAN fRet = FALSE;
KERBERR KerbErr;
KERB_EXT_ERROR ExtendedError;
KDC_TICKET_INFO KrbtgtTicketInfo = {0};
UNICODE_STRING ServerNames[3];
UNICODE_STRING ClientName;
ULONG NameType;
PKERB_ENCRYPTION_KEY EncryptionKey = NULL;
PKERB_ENCRYPTED_TICKET DecryptedTicket = NULL;
KERB_REALM LocalRealm;
PKERB_INTERNAL_NAME ReplyClientName = NULL;
PKERB_INTERNAL_NAME TicketClientName = NULL;
// Get the server key for krbtgt
KerbErr = SecData.GetKrbtgtTicketInfo(&KrbtgtTicketInfo);
if (!KERB_SUCCESS(KerbErr))
{
D_DebugLog((DEB_WARN, "SecData.Getkrbtgtticketinfo failed!\n"));
goto Cleanup;
}
ServerNames[0] = *SecData.KdcFullServiceKdcName();
ServerNames[1] = *SecData.KdcFullServiceDnsName();
ServerNames[2] = *SecData.KdcFullServiceName();
LocalRealm = SecData.KdcKerbDnsRealmName();
//
// Verify the realm of the ticket
//
if (!KerbCompareRealmNames(
&LocalRealm,
&Reply->ticket.realm
))
{
D_DebugLog((DEB_ERROR,"KLIN(%x) Tgt reply is not for our realm: %s instead of %s\n",
KLIN(FILENO, __LINE__), Reply->ticket.realm, LocalRealm));
KerbErr = KRB_AP_ERR_NOT_US;
goto Cleanup;
}
EncryptionKey = KerbGetKeyFromList(
KrbtgtTicketInfo.Passwords,
Reply->ticket.encrypted_part.encryption_type
);
if (EncryptionKey == NULL)
{
D_DebugLog((DEB_ERROR, "Couldn't get key for decrypting krbtgt\n"));
KerbErr = KRB_AP_ERR_NOKEY;
goto Cleanup;
}
KerbErr = KerbVerifyTicket(
&Reply->ticket,
3, // 3 names
ServerNames,
SecData.KdcDnsRealmName(),
EncryptionKey,
&SkewTime,
&DecryptedTicket
);
if (!KERB_SUCCESS(KerbErr))
{
D_DebugLog((DEB_ERROR, "KLIN(%x) Failed to verify ticket - %x\n",
KLIN(FILENO, __LINE__),KerbErr));
goto Cleanup;
}
//
// Verify the realm of the client is the same as our realm
//
if (!KerbCompareRealmNames(
&LocalRealm,
&DecryptedTicket->client_realm
))
{
D_DebugLog((DEB_ERROR,"KLIN(%x) Verified ticket client realm is wrong: %s instead of %s\n",
KLIN(FILENO, __LINE__),DecryptedTicket->client_realm, LocalRealm));
KerbErr = KRB_AP_ERR_NOT_US;
goto Cleanup;
}
//
// Verify the client name in the ticket matches the request body, and
// reply body.
//
if (!KerbComparePrincipalNames(
&DecryptedTicket->client_name,
RequestBodyClientName
) ||
!KerbComparePrincipalNames(
&Reply->client_name,
RequestBodyClientName
))
{
D_DebugLog((DEB_ERROR, "KLIN(%x) Client name AS_REP from PDC doesn't match request\n",
KLIN(FILENO,__LINE__)));
KerbErr = KRB_AP_ERR_MODIFIED;
goto Cleanup;
}
fRet = TRUE;
Cleanup:
if (DecryptedTicket != NULL)
{
KerbFreeTicket(DecryptedTicket);
}
if (!fRet)
{
ClientName.Buffer = NULL;
KerbConvertPrincipalNameToString(
&ClientName,
&NameType,
RequestBodyClientName
);
ReportServiceEvent(
EVENTLOG_ERROR_TYPE,
KDCEVENT_INVALID_FORWARDED_AS_REQ,
sizeof(ULONG),
&KerbErr,
1, // number of strings
ClientName.Buffer
);
if (ClientName.Buffer != NULL)
{
MIDL_user_free(ClientName.Buffer);
}
}
return fRet;
}
//+---------------------------------------------------------------------------
//
// Function: FailedLogon
//
// Synopsis: Processes a failed logon.
//
// Effects: May raise an exception, audit, event, lockout, etc.
//
// Arguments: [UserHandle] -- [in] Client who didn't log on.
// [ClientAddress] -- Address of client making request
// [Client] -- [in optional] Sid of the client requesting logon
// [ClientSize] -- [in] Length of the sid
// [Reason] -- [in] the reason this logon failed.
//
// Requires:
//
// Returns: HRESULT to return to client.
//
// Algorithm:
//
// History: 03-May-94 wader Created
//
// Notes: This usually returns hrReason, but it may map it to
// something else.
//
//----------------------------------------------------------------------------
KERBERR
FailedLogon( IN SAMPR_HANDLE UserHandle,
IN OPTIONAL PSOCKADDR ClientAddress,
IN PKERB_PRINCIPAL_NAME RequestBodyClientName,
IN OPTIONAL UCHAR *Client,
IN ULONG ClientSize,
IN PKERB_MESSAGE_BUFFER InputMessage,
IN PKERB_MESSAGE_BUFFER OutputMessage,
IN PUNICODE_STRING ClientNetbiosAddress,
IN KERBERR Reason )
{
NTSTATUS Status;
SAM_LOGON_STATISTICS LogonStats;
LARGE_INTEGER CurrentTime;
PKERB_ERROR ErrorMessage = NULL;
PKERB_KDC_REPLY Reply = NULL;
TRACE(KDC, FailedLogon, DEB_FUNCTION);
GetSystemTimeAsFileTime((PFILETIME)&CurrentTime);
//
// It's important to know why the logon can fail. For each possible
// reason, decide if that is a reason to lock out the account.
//
//
// Check to see if we've seen this request before recently
//
if (KDC_ERR_NONE == FailedRequests->Check(
InputMessage->Buffer,
InputMessage->BufferSize,
NULL,
0,
&CurrentTime,
TRUE))
{
KERBERR KerbErr;
KERBERR ForwardKerbErr;
//
// If the password was bad then we want to update the sam information
//
if (Reason == KDC_ERR_PREAUTH_FAILED)
{
RtlZeroMemory(&LogonStats, sizeof(LogonStats));
LogonStats.StatisticsToApply =
USER_LOGON_BAD_PASSWORD | USER_LOGON_BAD_PASSWORD_WKSTA | USER_LOGON_TYPE_KERBEROS;
LogonStats.Workstation = *ClientNetbiosAddress;
if ( (ClientAddress == NULL)
|| (ClientAddress->sa_family == AF_INET) ) {
// Set to local address (known to be 4 bytes) or IP address
LogonStats.ClientInfo.Type = SamClientIpAddr;
LogonStats.ClientInfo.Data.IpAddr = *((ULONG*)GET_CLIENT_ADDRESS(ClientAddress));
}
Status = SamIUpdateLogonStatistics(
UserHandle,
&LogonStats
);
if ((NULL == Client) || (0 == ClientSize) ||
(KDC_ERR_NONE == FailedRequests->Check(
Client,
ClientSize,
ClientNetbiosAddress->Buffer,
ClientNetbiosAddress->Length,
&CurrentTime,
FALSE)))
{
//
// Pass this request to the KDC
//
KerbErr = KdcForwardLogonToPDC(
InputMessage,
OutputMessage
);
//
// Return an better error if it wasn't generic.
//
if (KERB_SUCCESS(KerbErr))
{
ForwardKerbErr = KerbUnpackKerbError(
OutputMessage->Buffer,
OutputMessage->BufferSize,
&ErrorMessage
);
if (KERB_SUCCESS(ForwardKerbErr))
{
if (ErrorMessage->error_code == KDC_ERR_PREAUTH_FAILED)
{
FailedRequests->Check(
Client,
ClientSize,
ClientNetbiosAddress->Buffer,
ClientNetbiosAddress->Length,
&CurrentTime,
TRUE
);
}
} else {
//
// This may have been a successful, forwarded AS_REQ. If so,
// reset bad password count on this BDC...
//
ForwardKerbErr = KerbUnpackAsReply(
OutputMessage->Buffer,
OutputMessage->BufferSize,
&Reply
);
if (KERB_SUCCESS(ForwardKerbErr) && KdcVerifyKdcAsRep(
Reply,
RequestBodyClientName
))
{
RtlZeroMemory(&LogonStats, sizeof(LogonStats));
LogonStats.StatisticsToApply =
USER_LOGON_INTER_SUCCESS_LOGON | USER_LOGON_TYPE_KERBEROS;
if ( (ClientAddress == NULL)
|| (ClientAddress->sa_family == AF_INET) ) {
// Set to local address (known to be 4 bytes) or IP address
LogonStats.ClientInfo.Type = SamClientIpAddr;
LogonStats.ClientInfo.Data.IpAddr = *((ULONG*)GET_CLIENT_ADDRESS(ClientAddress));
}
Status = SamIUpdateLogonStatistics(
UserHandle,
&LogonStats
);
if (!NT_SUCCESS(Status))
{
D_DebugLog((DEB_ERROR,"Could not reset user bad pwd count - %x\n", Status));
}
} else {
DebugLog((DEB_ERROR, "Got reply from fwd'd request to PDC, but wasn't valid!\n"));
}
}
}
else
{
if (KerbErr != KRB_ERR_GENERIC)
{
Reason = KerbErr;
goto Cleanup;
}
}
}
}
}
Cleanup:
if (NULL != ErrorMessage)
{
KerbFreeKerbError(ErrorMessage);
}
if (NULL != Reply)
{
KerbFreeAsReply(Reply);
}
return(Reason);
}
//+---------------------------------------------------------------------------
//
// Function: KdcHandleNoLogonServers
//
// Synopsis: If a password has verified, and we've got no GCs against which
// to validate logon restrictions, then go ahead and set the
// sam info level to include the new USER_LOGON_NO_LOGON_SERVERS
// flag
//
// Effects:
//
// Arguments: [UserHandle] -- Client who logged on.
// [ClientAddress] -- Address of client making request
//
//
// Algorithm:
//
// History: 24-Aug-2000 Todds Created
//
// Notes: On successful logon w/ no GC, update SAM user flag
//
//----------------------------------------------------------------------------
KERBERR
KdcHandleNoLogonServers(
SAMPR_HANDLE UserHandle,
PSOCKADDR ClientAddress OPTIONAL
)
{
SAM_LOGON_STATISTICS LogonStats;
TRACE(KDC, KdcHandleNoLogonServers, DEB_FUNCTION);
RtlZeroMemory(&LogonStats, sizeof(LogonStats));
LogonStats.StatisticsToApply =
USER_LOGON_NO_LOGON_SERVERS | USER_LOGON_TYPE_KERBEROS;
if ( (ClientAddress == NULL)
|| (ClientAddress->sa_family == AF_INET) ) {
// Set to local address (known to be 4 bytes) or IP address
LogonStats.ClientInfo.Type = SamClientIpAddr;
LogonStats.ClientInfo.Data.IpAddr = *((ULONG*)GET_CLIENT_ADDRESS(ClientAddress));
}
(VOID) SamIUpdateLogonStatistics(
UserHandle,
&LogonStats
);
return(KDC_ERR_NONE);
}
//+---------------------------------------------------------------------------
//
// Function: SuccessfulLogon
//
// Synopsis: Processes a successful logon.
//
// Effects: May raise an event, create an audit, throw a party.
//
// Arguments: [UserHandle] -- Client who logged on.
// [ClientAddress] -- Address of client making request
//
//
// Algorithm:
//
// History: 03-May-94 wader Created
//
// Notes: On successful logon, we discard the history of failed logons
// (as far as lockout is concerned).
//
//----------------------------------------------------------------------------
KERBERR
SuccessfulLogon(
IN SAMPR_HANDLE UserHandle,
PSOCKADDR OPTIONAL ClientAddress,
IN PKERB_MESSAGE_BUFFER Request,
IN PUSER_INTERNAL6_INFORMATION UserInfo
)
{
SAM_LOGON_STATISTICS LogonStats;
KERB_MESSAGE_BUFFER Reply = {0};
NTSTATUS Status = STATUS_UNKNOWN_REVISION;
TRACE(KDC, SuccessfulLogon, DEB_FUNCTION);
RtlZeroMemory(&LogonStats, sizeof(LogonStats));
LogonStats.StatisticsToApply =
USER_LOGON_INTER_SUCCESS_LOGON | USER_LOGON_TYPE_KERBEROS;
if ( (ClientAddress == NULL)
|| (ClientAddress->sa_family == AF_INET) ) {
// Set to local address (known to be 4 bytes) or IP address
LogonStats.ClientInfo.Type = SamClientIpAddr;
LogonStats.ClientInfo.Data.IpAddr = *((ULONG*)GET_CLIENT_ADDRESS(ClientAddress));
}
(VOID) SamIUpdateLogonStatistics(
UserHandle,
&LogonStats
);
//
// if this logon reset the bad password count, notify the PDC
//
if (UserInfo->I1.BadPasswordCount != 0)
{
Status = SamIResetBadPwdCountOnPdc(UserHandle);
if (!NT_SUCCESS(Status))
{
if (Status == STATUS_UNKNOWN_REVISION)
{
D_DebugLog((DEB_ERROR, "SamIResetBadPwdCount not implemented on pdc.\n"));
// W2k behavior, in case we have an old PDC
(VOID) KdcForwardLogonToPDC(
Request,
&Reply
);
if (Reply.Buffer != NULL)
{
MIDL_user_free(Reply.Buffer);
}
}
else
{
D_DebugLog((DEB_ERROR, "SamIResetBadPwdCount failed - %x.\n", Status));
}
}
}
return(KDC_ERR_NONE);
}
//+-------------------------------------------------------------------------
//
// Function: IsSubAuthFilterPresent
//
// Synopsis: Figures out whether the MSV1_0 subauthentication filter is present
//
// Effects:
//
// Arguments:
//
// Requires:
//
// Returns: TRUE or FALSE
//
// Notes:
//
//
//--------------------------------------------------------------------------
BOOLEAN
IsSubAuthFilterPresent()
{
if ( KdcSubAuthFilterPresent == SubAuthUnknown ) {
if ( Msv1_0SubAuthenticationPresent( KERB_SUBAUTHENTICATION_FLAG )) {
KdcSubAuthFilterPresent = SubAuthYesFilter;
} else {
KdcSubAuthFilterPresent = SubAuthNoFilter;
}
}
if ( KdcSubAuthFilterPresent == SubAuthNoFilter ) {
return FALSE;
}
return TRUE;
}
//+-------------------------------------------------------------------------
//
// Function: KdcCallSubAuthRoutine
//
// Synopsis: Calls the MSV1_0 subauthentication filter, if it is present
//
// Effects: If the filter returns an error, returns that error
//
// Arguments:
//
// Requires:
//
// Returns:
//
// Notes:
//
//
//--------------------------------------------------------------------------
KERBERR
KdcCallSubAuthRoutine(
IN PKDC_TICKET_INFO TicketInfo,
IN PUSER_INTERNAL6_INFORMATION UserInfo,
IN PUNICODE_STRING ClientNetbiosAddress,
OUT PLARGE_INTEGER LogoffTime,
OUT PKERB_EXT_ERROR pExtendedError
)
{
NTSTATUS Status = STATUS_SUCCESS;
KERBERR KerbErr = KDC_ERR_NONE;
NETLOGON_INTERACTIVE_INFO LogonInfo = {0};
//
// Subauth parameters
//
ULONG WhichFields = 0;
ULONG UserFlags = 0;
BOOLEAN Authoritative = TRUE;
LARGE_INTEGER KickoffTime;
PUSER_ALL_INFORMATION UserAll = &UserInfo->I1;
//
// Check if Msv1_0 has a subauth filter loaded
//
if ( !IsSubAuthFilterPresent()) {
return KDC_ERR_NONE;
}
LogonInfo.Identity.LogonDomainName = *SecData.KdcRealmName();
LogonInfo.Identity.ParameterControl = 0; // this can be set to use a particular package
LogonInfo.Identity.UserName = TicketInfo->AccountName;
LogonInfo.Identity.Workstation = *ClientNetbiosAddress;
//
// Leave logon id field blank
//
if (UserAll->NtPassword.Length == NT_OWF_PASSWORD_LENGTH)
{
RtlCopyMemory(
&LogonInfo.NtOwfPassword,
UserAll->NtPassword.Buffer,
NT_OWF_PASSWORD_LENGTH
);
}
if (UserAll->LmPassword.Length == LM_OWF_PASSWORD_LENGTH)
{
RtlCopyMemory(
&LogonInfo.LmOwfPassword,
UserAll->LmPassword.Buffer,
NT_OWF_PASSWORD_LENGTH
);
}
//
// Make sure logoff time is intialized to something interesting
//
*LogoffTime = KickoffTime = UserAll->AccountExpires;
//
// Make the call
//
Status = Msv1_0ExportSubAuthenticationRoutine(
NetlogonInteractiveInformation,
&LogonInfo,
MSV1_0_PASSTHRU,
KERB_SUBAUTHENTICATION_FLAG,
UserAll,
&WhichFields,
&UserFlags,
&Authoritative,
LogoffTime,
&KickoffTime
);
//
// If the kickoff time is more restrictive, use it.
//
if (KickoffTime.QuadPart < LogoffTime->QuadPart)
{
LogoffTime->QuadPart = KickoffTime.QuadPart;
}
//
// Map the error code
//
if (!NT_SUCCESS(Status))
{
DebugLog((DEB_WARN,
"(KLIN:%x) Subauth failed the logon: 0x%x\n",
KLIN(FILENO, __LINE__),
Status));
FILL_EXT_ERROR(pExtendedError, Status, FILENO, __LINE__);
KerbErr = KDC_ERR_POLICY;
}
return(KerbErr);
}
//+-------------------------------------------------------------------------
//
// Function: KdcBuildEtypeInfo
//
// Synopsis: Builds a list of supported etypes & salts
//
// Effects:
//
// Arguments: TicketInfo - client's ticket info
// OutputPreAuth - receives any preauth data to return to client
//
// Requires:
//
// Returns: kerberr
//
// Notes:
//
//
//--------------------------------------------------------------------------
KERBERR
KdcBuildEtypeInfo(
IN PKDC_TICKET_INFO TicketInfo,
IN PKERB_KDC_REQUEST_BODY RequestBody,
OUT PKERB_PA_DATA_LIST * OutputPreAuth
)
{
KERBERR KerbErr = KDC_ERR_NONE;
BOOLEAN FoundEtype = FALSE;
ULONG Index;
PKERB_ETYPE_INFO NextEntry = NULL;
PKERB_ETYPE_INFO EtypeInfo = NULL;
PKERB_PA_DATA_LIST OutputList = NULL;
UNICODE_STRING TempSalt = {0};
STRING TempString = {0};
*OutputPreAuth = NULL;
//
// Build the array of etypes, in reverse order because we are adding
// to the front of the list
//
for ( Index = TicketInfo->Passwords->CredentialCount; Index > 0; Index-- )
{
//
// Only return types that the client supports.
//
if (!KdcCheckForEtype(
RequestBody->encryption_type,
TicketInfo->Passwords->Credentials[Index-1].Key.keytype
))
{
continue;
}
FoundEtype = TRUE;
NextEntry = (PKERB_ETYPE_INFO) MIDL_user_allocate(sizeof(KERB_ETYPE_INFO));
if (NextEntry == NULL)
{
KerbErr = KRB_ERR_GENERIC;
goto Cleanup;
}
RtlZeroMemory(
NextEntry,
sizeof(KERB_ETYPE_INFO)
);
//
// Copy in the etype
//
NextEntry->value.encryption_type =
TicketInfo->Passwords->Credentials[Index-1].Key.keytype;
//
// add the salt - check the per-key salt and then the default salt.
//
if (TicketInfo->Passwords->Credentials[Index-1].Salt.Buffer != NULL)
{
TempSalt = TicketInfo->Passwords->Credentials[Index-1].Salt;
}
else if (TicketInfo->Passwords->DefaultSalt.Buffer != NULL)
{
TempSalt = TicketInfo->Passwords->DefaultSalt;
}
else
{
TempSalt.Buffer = NULL ;
TempSalt.Length = 0 ;
TempSalt.MaximumLength = 0 ;
}
//
// If we have a salt, convert it to ansi & return it.
//
if (TempSalt.Buffer != NULL)
{
TempString.Buffer = NULL;
TempString.Length = 0;
TempString.MaximumLength = 0;
KerbErr = KerbUnicodeStringToKerbString(
&TempString,
&TempSalt
);
if (!KERB_SUCCESS(KerbErr))
{
goto Cleanup;
}
NextEntry->value.bit_mask |= salt_present;
NextEntry->value.salt.length = TempString.Length;
NextEntry->value.salt.value = (PUCHAR) TempString.Buffer;
}
NextEntry->next = EtypeInfo;
EtypeInfo = NextEntry;
}
//
// If we can't find a matching etype, then we've got to return an error
// to the client...
if (FoundEtype)
{
OutputList = (PKERB_PA_DATA_LIST) MIDL_user_allocate(sizeof(KERB_PA_DATA_LIST));
if (OutputList == NULL)
{
KerbErr = KRB_ERR_GENERIC;
goto Cleanup;
}
RtlZeroMemory(
OutputList,
sizeof(KERB_PA_DATA_LIST)
);
OutputList->value.preauth_data_type = KRB5_PADATA_ETYPE_INFO;
OutputList->next = NULL;
KerbErr = KerbPackData(
&EtypeInfo,
PKERB_ETYPE_INFO_PDU,
(PULONG) &OutputList->value.preauth_data.length,
&OutputList->value.preauth_data.value
);
if (!KERB_SUCCESS(KerbErr))
{
goto Cleanup;
}
*OutputPreAuth = OutputList;
OutputList = NULL;
}
else // did not find etype from request that we support, warn the admin
{
KerbErr = KDC_ERR_ETYPE_NOTSUPP;
DebugLog((DEB_ERROR,"There is no union between client and server Etypes!\n"));
KdcReportKeyError(
&(TicketInfo->AccountName),
NULL,
KDCEVENT_NO_KEY_UNION_AS,
RequestBody->encryption_type,
TicketInfo->Passwords
);
}
Cleanup:
//
// Cleanup the etype list, as it is returned in marshalled form.
//
while (EtypeInfo != NULL)
{
NextEntry = EtypeInfo->next;
if (EtypeInfo->value.salt.value != NULL)
{
TempString.Buffer = (PCHAR) EtypeInfo->value.salt.value;
TempString.Length = (USHORT) EtypeInfo->value.salt.length;
KerbFreeString((PUNICODE_STRING) &TempString);
}
MIDL_user_free(EtypeInfo);
EtypeInfo = NextEntry;
}
if (OutputList != NULL)
{
KerbFreePreAuthData( OutputList);
}
return KerbErr;
}
//+-------------------------------------------------------------------------
//
// Function: KdcBuildPreauthTypeList
//
// Synopsis: For returning with a PREAUTH-REQUIRED message
//
// Effects:
//
// Arguments:
//
// Requires:
//
// Returns:
//
// Notes:
//
//
//--------------------------------------------------------------------------
KERBERR
KdcBuildPreauthTypeList(
OUT PKERB_PA_DATA_LIST * PreauthTypeList
)
{
PKERB_PA_DATA_LIST DataList = NULL;
KERBERR KerbErr = KDC_ERR_NONE;
//
// Allocate and fill in the first item
//
DataList = (PKERB_PA_DATA_LIST) MIDL_user_allocate(sizeof(KERB_PA_DATA_LIST));
if (DataList == NULL)
{
KerbErr = KRB_ERR_GENERIC;
goto Cleanup;
}
RtlZeroMemory(
DataList,
sizeof(KERB_PA_DATA_LIST)
);
DataList->value.preauth_data_type = KRB5_PADATA_ENC_TIMESTAMP;
//
// Even if we fail the allocation, we can still return this value.
//
*PreauthTypeList = DataList;
DataList->next = (PKERB_PA_DATA_LIST) MIDL_user_allocate(sizeof(KERB_PA_DATA_LIST));
if (DataList->next == NULL)
{
KerbErr = KRB_ERR_GENERIC;
goto Cleanup;
}
RtlZeroMemory(
DataList->next,
sizeof(KERB_PA_DATA_LIST)
);
DataList = DataList->next;
DataList->value.preauth_data_type = KRB5_PADATA_PK_AS_REP;
Cleanup:
return(KerbErr);
}
//+-------------------------------------------------------------------------
//
// Function: KdcBuildPwSalt
//
// Synopsis: builds the pw-salt pa data type
//
// Effects:
//
// Arguments:
//
// Requires:
//
// Returns:
//
// Notes:
//
//
//--------------------------------------------------------------------------
KERBERR
KdcBuildPwSalt(
IN PKERB_STORED_CREDENTIAL Passwords,
IN PKERB_ENCRYPTION_KEY ReplyKey,
IN OUT PKERB_PA_DATA_LIST * OutputPreAuthData
)
{
KERBERR KerbErr = KDC_ERR_NONE;
PKERB_PA_DATA_LIST DataList = NULL;
PKERB_KEY_DATA KeyData = NULL;
STRING Salt = {0};
UNICODE_STRING SaltUsed = {0};
ULONG Index;
//
// Find the key use for encryption.
//
for (Index = 0; Index < Passwords->CredentialCount ; Index++ )
{
if (Passwords->Credentials[Index].Key.keytype == (int) ReplyKey->keytype)
{
KeyData = &Passwords->Credentials[Index];
break;
}
}
if (KeyData == NULL)
{
goto Cleanup;
}
//
// Locate the salt used
//
if (KeyData->Salt.Buffer != NULL)
{
SaltUsed = KeyData->Salt;
}
else if (Passwords->DefaultSalt.Buffer != NULL)
{
SaltUsed = Passwords->DefaultSalt;
}
//
// Convert the salt to a kerb string
//
KerbErr = KerbUnicodeStringToKerbString(
&Salt,
&SaltUsed
);
if (!KERB_SUCCESS(KerbErr))
{
goto Cleanup;
}
//
// Allocate and fill in the first item
//
DataList = (PKERB_PA_DATA_LIST) MIDL_user_allocate(sizeof(KERB_PA_DATA_LIST));
if (DataList == NULL)
{
KerbErr = KRB_ERR_GENERIC;
goto Cleanup;
}
RtlZeroMemory(
DataList,
sizeof(KERB_PA_DATA_LIST)
);
DataList->value.preauth_data_type = KRB5_PADATA_PW_SALT;
DataList->value.preauth_data.length = Salt.Length;
DataList->value.preauth_data.value = (PUCHAR) Salt.Buffer;
Salt.Buffer = NULL;
DataList->next = *OutputPreAuthData;
*OutputPreAuthData = DataList;
DataList = NULL;
Cleanup:
if (DataList != NULL)
{
KerbFreePreAuthData((PKERB_PA_DATA_LIST)DataList);
}
if (Salt.Buffer != NULL)
{
MIDL_user_free(Salt.Buffer);
}
return(KerbErr);
}
//+-------------------------------------------------------------------------
//
// Function: KdcVerifyEncryptedTimeStamp
//
// Synopsis: Verifies an encrypted time stamp pre-auth data
//
// Effects:
//
// Arguments: PreAuthData - preauth data from client
// TicketInfo - client's ticket info
// UserHandle - handle to client's account
// OutputPreAuth - receives any preauth data to return to client
//
// Requires:
//
// Returns: KDC_ERR_PREAUTH_FAILED - the password was bad
// Other errors - preauth failed but shouldn't trigger lockout
//
// Notes:
//
//
//--------------------------------------------------------------------------
KERBERR
KdcVerifyEncryptedTimeStamp(
IN PKERB_PA_DATA_LIST PreAuthData,
IN PKDC_TICKET_INFO TicketInfo,
IN PKERB_KDC_REQUEST_BODY RequestBody,
IN SAMPR_HANDLE UserHandle,
OUT PKERB_PA_DATA_LIST * OutputPreAuth
)
{
KERBERR KerbErr;
PKERB_ENCRYPTED_DATA EncryptedData = NULL;
PKERB_ENCRYPTED_TIMESTAMP EncryptedTime = NULL;
PKERB_ENCRYPTION_KEY UserKey = NULL;
LARGE_INTEGER CurrentTime;
LARGE_INTEGER ClientTime;
if ((TicketInfo->UserAccountControl & USER_ACCOUNT_DISABLED))
{
KerbErr = KDC_ERR_CLIENT_REVOKED;
goto Cleanup;
}
//
// Unpack the pre-auth data into an encrypted data first.
//
KerbErr = KerbUnpackEncryptedData(
PreAuthData->value.preauth_data.value,
PreAuthData->value.preauth_data.length,
&EncryptedData
);
if (!KERB_SUCCESS(KerbErr))
{
goto Cleanup;
}
//
// Now decrypt the encrypted data (in place)
//
UserKey = KerbGetKeyFromList(
TicketInfo->Passwords,
EncryptedData->encryption_type
);
if (UserKey == NULL)
{
// fakeit
KERB_CRYPT_LIST FakeList;
FakeList.next = NULL;
FakeList.value = EncryptedData->encryption_type ;
KdcReportKeyError(
&(TicketInfo->AccountName),
NULL,
KDCEVENT_NO_KEY_UNION_AS,
&FakeList,
TicketInfo->Passwords
);
KerbErr = KDC_ERR_ETYPE_NOTSUPP;
goto Cleanup;
}
KerbErr = KerbDecryptDataEx(
EncryptedData,
UserKey,
KERB_ENC_TIMESTAMP_SALT,
(PULONG) &EncryptedData->cipher_text.length,
EncryptedData->cipher_text.value
);
if (!KERB_SUCCESS(KerbErr))
{
D_DebugLog((DEB_WARN,
"KLIN(%x) Failed to decrypt timestamp pre-auth data: 0x%x\n",
KLIN(FILENO,__LINE__),
KerbErr));
KerbErr = KDC_ERR_PREAUTH_FAILED;
goto Cleanup;
}
//
// unpack the decrypted data into a KERB_ENCRYPTED_TIMESTAMP
//
KerbErr = KerbUnpackData(
EncryptedData->cipher_text.value,
EncryptedData->cipher_text.length,
KERB_ENCRYPTED_TIMESTAMP_PDU,
(PVOID *) &EncryptedTime
);
if (!KERB_SUCCESS(KerbErr))
{
D_DebugLog((DEB_WARN,"KLIN(%x) Failed to unpack preauth data to encrpyted_time\n",
KLIN(FILENO,__LINE__)));
goto Cleanup;
}
//
// Now verify the time.
//
KerbConvertGeneralizedTimeToLargeInt(
&ClientTime,
&EncryptedTime->timestamp,
((EncryptedTime->bit_mask & KERB_ENCRYPTED_TIMESTAMP_usec_present) != 0) ?
EncryptedTime->KERB_ENCRYPTED_TIMESTAMP_usec : 0
);
GetSystemTimeAsFileTime(
(PFILETIME) &CurrentTime
);
//
// We don't want to check too closely, so allow for skew
//
if ((CurrentTime.QuadPart + SkewTime.QuadPart < ClientTime.QuadPart) ||
(CurrentTime.QuadPart - SkewTime.QuadPart > ClientTime.QuadPart))
{
D_DebugLog((DEB_ERROR, "KLIN(%x) Client %wZ time is incorrect:\n",
KLIN(FILENO,__LINE__),
&TicketInfo->AccountName));
PrintTime(DEB_ERROR, "Client Time is", &ClientTime );
PrintTime(DEB_ERROR, "KDC Time is", &CurrentTime );
//
// We don't want to lockout the account if the time is off
//
KerbErr = KRB_AP_ERR_SKEW;
goto Cleanup;
}
KerbErr = KDC_ERR_NONE;
Cleanup:
//
// Build an ETYPE_INFO structure to return
//
if ((KerbErr == KDC_ERR_PREAUTH_FAILED) || (KerbErr == KDC_ERR_ETYPE_NOTSUPP))
{
KERBERR TmpErr;
TmpErr = KdcBuildEtypeInfo(
TicketInfo,
RequestBody,
OutputPreAuth
);
//
// In this case, we can't find any ETypes that both the client and
// server support, so we've got to bail w/ proper error
// message...
//
if (TmpErr == KDC_ERR_ETYPE_NOTSUPP)
{
KerbErr = KDC_ERR_ETYPE_NOTSUPP;
}
}
if (EncryptedData != NULL)
{
KerbFreeEncryptedData(EncryptedData);
}
if (EncryptedTime != NULL)
{
KerbFreeData(KERB_ENCRYPTED_TIMESTAMP_PDU, EncryptedTime);
}
return(KerbErr);
}
typedef enum _BUILD_PAC_OPTIONS {
IncludePac,
DontIncludePac,
DontCare
} BUILD_PAC_OPTIONS, *PBUILD_PAC_OPTIONS;
//+-------------------------------------------------------------------------
//
// Function: KdcCheckPacRequestPreAuthData
//
// Synopsis: Gets the status of whether the client wants a PAC from the
// pre-auth data
//
// Effects:
//
// Arguments:
//
// Requires:
//
// Returns:
//
// Notes:
//
//
//--------------------------------------------------------------------------
KERBERR
KdcCheckPacRequestPreAuthData(
IN PKERB_PA_DATA_LIST PreAuthData,
IN OUT PBUILD_PAC_OPTIONS BuildPac
)
{
PKERB_PA_PAC_REQUEST PacRequest = NULL;
KERBERR KerbErr = KDC_ERR_NONE;
DsysAssert(PreAuthData->value.preauth_data_type == KRB5_PADATA_PAC_REQUEST);
KerbErr = KerbUnpackData(
PreAuthData->value.preauth_data.value,
PreAuthData->value.preauth_data.length,
KERB_PA_PAC_REQUEST_PDU,
(PVOID *) &PacRequest
);
if (!KERB_SUCCESS(KerbErr))
{
goto Cleanup;
}
if (PacRequest->include_pac)
{
*BuildPac = IncludePac;
}
else
{
*BuildPac = DontIncludePac;
}
D_DebugLog((DEB_T_TICKETS,"Setting BuildPac from pa-data to %d\n",*BuildPac));
Cleanup:
if (PacRequest != NULL)
{
KerbFreeData(
KERB_PA_PAC_REQUEST_PDU,
PacRequest
);
}
return(KerbErr);
}
//+-------------------------------------------------------------------------
//
// Function: KdcCheckPreAuthData
//
// Synopsis: Checks the pre-auth data in an AS request. This routine
// may return pre-auth data to caller on both success and
// failure.
//
// Effects:
//
// Arguments: ClientTicketInfo - client account's ticket info
// UserHandle - Handle to client's user object
// PreAuthData - Pre-auth data supplied by client
// PreAuthType - The type of pre-auth used
// OutputPreAuthData - pre-auth data to return to client
// BuildPac - TRUE if we should build a PAC for this client
//
//
// Requires:
//
// Returns: KDC_ERR_PREAUTH_REQUIRED, KDC_ERR_PREAUTH_FAILED
//
// Notes: This routine should be more extensible - at some point
// it should allow DLLs to be plugged in that implement
// preauth.
//
//
//--------------------------------------------------------------------------
KERBERR
KdcCheckPreAuthData(
IN PKDC_TICKET_INFO ClientTicketInfo,
IN SAMPR_HANDLE UserHandle,
IN PUSER_INTERNAL6_INFORMATION UserInfo,
IN OPTIONAL PKERB_PA_DATA_LIST PreAuthData,
IN PKERB_KDC_REQUEST_BODY RequestBody,
OUT PULONG PreAuthType,
OUT PKERB_PA_DATA_LIST * OutputPreAuthData,
OUT PBOOLEAN BuildPac,
OUT PULONG Nonce,
OUT PKERB_ENCRYPTION_KEY EncryptionKey,
OUT PUNICODE_STRING TransitedRealms,
OUT PKERB_MESSAGE_BUFFER ErrorData,
OUT PKERB_EXT_ERROR pExtendedError
)
{
KERBERR KerbErr = KDC_ERR_NONE;
PKERB_PA_DATA_LIST OutputElement = NULL;
PKERB_PA_DATA_LIST ListElement = NULL;
BOOLEAN ValidPreauthPresent = FALSE;
BUILD_PAC_OPTIONS PacOptions = DontCare;
*OutputPreAuthData = NULL;
*BuildPac = FALSE;
//
// Loop through the supplied pre-auth data elements and handle each one
//
for (ListElement = PreAuthData;
ListElement != NULL ;
ListElement = ListElement->next )
{
switch(ListElement->value.preauth_data_type) {
case KRB5_PADATA_ENC_TIMESTAMP:
*PreAuthType = ListElement->value.preauth_data_type;
KerbErr = KdcVerifyEncryptedTimeStamp(
ListElement,
ClientTicketInfo,
RequestBody,
UserHandle,
&OutputElement
);
if (KERB_SUCCESS(KerbErr))
{
ValidPreauthPresent = TRUE;
}
break;
case KRB5_PADATA_PK_AS_REP:
*PreAuthType = ListElement->value.preauth_data_type;
KerbErr = KdcCheckPkinitPreAuthData(
ClientTicketInfo,
UserHandle,
ListElement,
RequestBody,
&OutputElement,
Nonce,
EncryptionKey,
TransitedRealms,
pExtendedError
);
if (KERB_SUCCESS(KerbErr))
{
ValidPreauthPresent = TRUE;
}
break;
case KRB5_PADATA_PAC_REQUEST:
KerbErr = KdcCheckPacRequestPreAuthData(
ListElement,
&PacOptions
);
break;
default:
break;
} // switch
if (OutputElement != NULL)
{
OutputElement->next = *OutputPreAuthData;
*OutputPreAuthData = OutputElement;
OutputElement = NULL;
}
if (!KERB_SUCCESS(KerbErr))
{
goto Cleanup;
}
} // for
// We need to check preauth data by default, unless, the account tells
// us not to.
//
if (!(UserInfo->I1.UserAccountControl & USER_DONT_REQUIRE_PREAUTH) &&
!ValidPreauthPresent &&
KERB_SUCCESS(KerbErr))
{
KerbErr = KDC_ERR_PREAUTH_REQUIRED;
//
// Return the list of supported types, if we don't have other
// data to return.
//
if (*OutputPreAuthData == NULL)
{
(VOID) KdcBuildPreauthTypeList(OutputPreAuthData);
if (*OutputPreAuthData != NULL)
{
PKERB_PA_DATA_LIST EtypeInfo = NULL;
KERBERR TmpErr;
TmpErr = KdcBuildEtypeInfo(
ClientTicketInfo,
RequestBody,
&EtypeInfo
);
//
// In this case, we can't find any ETypes that both the client and
// server support, so we've got to bail w/ proper error
// message...
//
if (TmpErr == KDC_ERR_ETYPE_NOTSUPP)
{
KerbErr = KDC_ERR_ETYPE_NOTSUPP;
}
if (EtypeInfo != NULL)
{
EtypeInfo->next = *OutputPreAuthData;
*OutputPreAuthData = EtypeInfo;
EtypeInfo = NULL;
}
}
}
}
//
// Set the final option for including the pac- if the pac_request was
// included, honor it. Otherwise build the pac if valid preauth
// was supplied.
//
switch(PacOptions) {
case DontCare:
*BuildPac = ValidPreauthPresent;
break;
case IncludePac:
*BuildPac = TRUE;
break;
case DontIncludePac:
*BuildPac = FALSE;
break;
}
Cleanup:
return(KerbErr);
}
//+---------------------------------------------------------------------------
//
// Function: BuildTicketAS
//
// Synopsis: Builds an AS ticket, including filling inthe name fields
// and flag fields.
//
// Arguments: [ClientTicketInfo] -- client asking for the ticket
// [ClientName] -- name of client
// [ServiceTicketInfo] -- service ticket is for
// [ServerName] -- name of service
// [RequestBody] -- ticket request
// [NewTicket] -- (out) ticket
//
// History: 24-May-93 WadeR Created
//
// Notes: See 3.1.3, A.2 of the Kerberos V5 R5.2 spec
//
//----------------------------------------------------------------------------
KERBERR
BuildTicketAS(
IN PKDC_TICKET_INFO ClientTicketInfo,
IN PKERB_PRINCIPAL_NAME ClientName,
IN PKDC_TICKET_INFO ServiceTicketInfo,
IN PKERB_PRINCIPAL_NAME ServerName,
IN OPTIONAL PKERB_HOST_ADDRESSES HostAddresses,
IN PLARGE_INTEGER LogoffTime,
IN PLARGE_INTEGER AccountExpiry,
IN PKERB_KDC_REQUEST_BODY RequestBody,
IN ULONG CommonEType,
IN ULONG PreAuthType,
IN PUNICODE_STRING TransitedRealm,
OUT PKERB_TICKET NewTicket,
OUT PKERB_EXT_ERROR pExtendedError
)
{
KERBERR Status = KDC_ERR_NONE;
PKERB_ENCRYPTED_TICKET EncryptedTicket = NULL;
LARGE_INTEGER TicketLifespan;
LARGE_INTEGER TicketRenewspan;
ULONG KdcOptions = 0;
TRACE(KDC, BuildTicketAS, DEB_FUNCTION);
EncryptedTicket = (PKERB_ENCRYPTED_TICKET) NewTicket->encrypted_part.cipher_text.value;
KdcOptions = KerbConvertFlagsToUlong(&RequestBody->kdc_options);
NewTicket->ticket_version = KERBEROS_VERSION;
D_DebugLog(( DEB_T_TICKETS, "Building an AS ticket to %wZ for %wZ\n",
&ClientTicketInfo->AccountName, &ServiceTicketInfo->AccountName ));
// Since this is the AS ticket, we fake the TGTFlags parameter to be the
// maximum the client is allowed to have.
TicketLifespan = SecData.KdcTgtTicketLifespan();
TicketRenewspan = SecData.KdcTicketRenewSpan();
Status = KdcBuildTicketTimesAndFlags(
ClientTicketInfo->fTicketOpts,
ServiceTicketInfo->fTicketOpts,
&TicketLifespan,
&TicketRenewspan,
LogoffTime,
AccountExpiry,
RequestBody,
NULL, // no source ticket
EncryptedTicket,
pExtendedError
);
if (!KERB_SUCCESS(Status))
{
D_DebugLog((DEB_TRACE,"KLIN(%x) Failed to build ticket times and flags: 0x%x\n",
KLIN(FILENO,__LINE__), Status));
FILL_EXT_ERROR(pExtendedError, Status, FILENO, __LINE__);
goto Cleanup;
}
*((PULONG)EncryptedTicket->flags.value) |= KerbConvertUlongToFlagUlong(KERB_TICKET_FLAGS_initial);
//
// Turn on preauth flag if necessary
//
if (PreAuthType != 0)
{
*((PULONG)EncryptedTicket->flags.value) |= KerbConvertUlongToFlagUlong(KERB_TICKET_FLAGS_pre_authent);
}
Status = KerbMakeKey(
CommonEType,
&EncryptedTicket->key
);
if (!KERB_SUCCESS(Status))
{
FILL_EXT_ERROR(pExtendedError, Status, FILENO, __LINE__);
goto Cleanup;
}
//
// Insert the service names. If the client requested canoncalization,
// return our realm name & sam account name. Otherwise copy what the
// client requested
//
if (((KdcOptions & KERB_KDC_OPTIONS_name_canonicalize) != 0) &&
((ServiceTicketInfo->UserAccountControl & USER_USE_DES_KEY_ONLY) == 0))
{
PKERB_INTERNAL_NAME TempServiceName = NULL;
//
// Build the service name for the ticket. For interdomain trust
// accounts, this is "krbtgt / domain name"
//
if (ServiceTicketInfo->UserId == DOMAIN_USER_RID_KRBTGT)
{
Status = KerbBuildFullServiceKdcName(
SecData.KdcDnsRealmName(),
SecData.KdcServiceName(),
KRB_NT_SRV_INST,
&TempServiceName
);
if (!KERB_SUCCESS(Status))
{
FILL_EXT_ERROR(pExtendedError, Status, FILENO, __LINE__);
goto Cleanup;
}
Status = KerbConvertKdcNameToPrincipalName(
&NewTicket->server_name,
TempServiceName
);
KerbFreeKdcName(&TempServiceName);
if (!KERB_SUCCESS(Status))
{
goto Cleanup;
}
}
else if ((ServiceTicketInfo->UserAccountControl & USER_INTERDOMAIN_TRUST_ACCOUNT) != 0)
{
Status = KerbBuildFullServiceKdcName(
&ServiceTicketInfo->AccountName,
SecData.KdcServiceName(),
KRB_NT_SRV_INST,
&TempServiceName
);
if (!KERB_SUCCESS(Status))
{
FILL_EXT_ERROR(pExtendedError, Status, FILENO, __LINE__);
goto Cleanup;
}
Status = KerbConvertKdcNameToPrincipalName(
&NewTicket->server_name,
TempServiceName
);
KerbFreeKdcName(&TempServiceName);
if (!KERB_SUCCESS(Status))
{
FILL_EXT_ERROR(pExtendedError, Status, FILENO, __LINE__);
goto Cleanup;
}
}
else
{
Status = KerbConvertStringToPrincipalName(
&NewTicket->server_name,
&ServiceTicketInfo->AccountName,
KRB_NT_PRINCIPAL
);
if (!KERB_SUCCESS(Status))
{
FILL_EXT_ERROR(pExtendedError, Status, FILENO, __LINE__);
goto Cleanup;
}
}
}
else
{
//
// No canonicalzation, so copy in all the names as the client
// requested them.
//
Status = KerbDuplicatePrincipalName(
&NewTicket->server_name,
ServerName
);
if (!KERB_SUCCESS(Status))
{
goto Cleanup;
}
}
NewTicket->realm = SecData.KdcKerbDnsRealmName();
//
// Insert the client names. If the client requested canoncalization,
// return our realm name & sam account name. Otherwise copy what the
// client requested
//
if (((KdcOptions & KERB_KDC_OPTIONS_name_canonicalize) != 0) &&
((ClientTicketInfo->UserAccountControl & USER_USE_DES_KEY_ONLY) == 0))
{
Status = KerbConvertStringToPrincipalName(
&EncryptedTicket->client_name,
&ClientTicketInfo->AccountName,
KRB_NT_PRINCIPAL
);
if (!KERB_SUCCESS(Status))
{
FILL_EXT_ERROR(pExtendedError, Status, FILENO, __LINE__);
goto Cleanup;
}
}
else
{
Status = KerbDuplicatePrincipalName(
&EncryptedTicket->client_name,
ClientName
);
if (!KERB_SUCCESS(Status))
{
FILL_EXT_ERROR(pExtendedError, Status, FILENO, __LINE__);
goto Cleanup;
}
}
EncryptedTicket->client_realm = SecData.KdcKerbDnsRealmName();
if (HostAddresses != NULL)
{
EncryptedTicket->bit_mask |= KERB_ENCRYPTED_TICKET_client_addresses_present;
EncryptedTicket->KERB_ENCRYPTED_TICKET_client_addresses = HostAddresses;
}
else
{
EncryptedTicket->bit_mask &= ~KERB_ENCRYPTED_TICKET_client_addresses_present;
EncryptedTicket->KERB_ENCRYPTED_TICKET_client_addresses = NULL;
}
if (TransitedRealm->Length > 0)
{
STRING TempString;
Status = KerbUnicodeStringToKerbString(
&TempString,
TransitedRealm
);
if (!KERB_SUCCESS(Status))
{
FILL_EXT_ERROR(pExtendedError, Status, FILENO, __LINE__);
goto Cleanup;
}
EncryptedTicket->transited.transited_type = DOMAIN_X500_COMPRESS;
EncryptedTicket->transited.contents.value = (PUCHAR) TempString.Buffer;
EncryptedTicket->transited.contents.length = (int) TempString.Length;
}
else
{
RtlZeroMemory(
&EncryptedTicket->transited,
sizeof(KERB_TRANSITED_ENCODING)
);
}
EncryptedTicket->KERB_ENCRYPTED_TICKET_authorization_data = NULL;
#if DBG
PrintTicket( DEB_T_TICKETS, "BuildTicketAS: Final ticket", NewTicket );
#endif
Cleanup:
if (!KERB_SUCCESS(Status))
{
KdcFreeInternalTicket(NewTicket);
}
return(Status);
}
//
// String defines of the service names for the change PW SPNs
// for use with the KerbCheckIfSPNIsChangePW function
//
#define KERB_KADMIN_CHG_PW L"kadmin/changepw"
//+-------------------------------------------------------------------------
//
// Function: KerbCheckIfSPNIsChangePW
//
// Synopsis: Check if the service name is kadmin/changepw.
//
// Arguments: pServerName - Contains the service name
// pLogonRestrictionsFlags - Output flags value.
//
// Requires:
//
// Returns:
//
// Notes:
//
//
//--------------------------------------------------------------------------
VOID
KerbCheckIfSPNIsChangePW(
IN PUNICODE_STRING pServerName,
IN ULONG *pLogonRestrictionsFlags)
{
if ((pServerName->Length == (sizeof(KERB_KADMIN_CHG_PW) - sizeof(WCHAR))) &&
RtlCompareMemory(pServerName->Buffer,
KERB_KADMIN_CHG_PW,
sizeof(KERB_KADMIN_CHG_PW) - sizeof(WCHAR)))
{
*pLogonRestrictionsFlags |= KDC_RESTRICT_IGNORE_PW_EXPIRATION;
}
return;
}
//+-------------------------------------------------------------------------
//
// Function: I_GetASTicket
//
// Synopsis: Gets an authentication service ticket to the requested
// service.
//
// Effects: Allocates and encrypts a KDC reply
//
// Arguments: RequestMessage - Contains the AS request message
// Pdu - PDU to pack the reply body with.
// InputMessage - buffer client sent, used for replay detection
// OutputMessage - Contains the AS reply message
// ErrorData - contains any error data for an error message
//
// Requires:
//
// Returns: KDC_ERR_ or KRB_AP_ERR errors only
//
// Notes:
//
//
//--------------------------------------------------------------------------
KERBERR
I_GetASTicket(
IN OPTIONAL PSOCKADDR ClientAddress,
IN PKERB_AS_REQUEST RequestMessage,
IN PUNICODE_STRING RequestRealm,
IN ULONG Pdu,
IN ULONG ReplyPdu,
IN PKERB_MESSAGE_BUFFER InputMessage,
OUT PKERB_MESSAGE_BUFFER OutputMessage,
OUT PKERB_MESSAGE_BUFFER ErrorData,
OUT PKERB_EXT_ERROR pExtendedError,
OUT PUNICODE_STRING ClientRealm
)
{
KERBERR KerbErr = KDC_ERR_NONE;
NTSTATUS LogonStatus = STATUS_SUCCESS;
KDC_TICKET_INFO ClientTicketInfo = {0};
KDC_TICKET_INFO ServiceTicketInfo = {0};
SAMPR_HANDLE UserHandle = NULL;
PUSER_INTERNAL6_INFORMATION UserInfo = NULL;
SID_AND_ATTRIBUTES_LIST GroupMembership = {0};
KERB_ENCRYPTION_KEY EncryptionKey = {0};
PKERB_ENCRYPTION_KEY ServerKey = NULL;
PKERB_ENCRYPTION_KEY ClientKey = NULL ;
KERB_TICKET Ticket = {0};
KERB_ENCRYPTED_TICKET EncryptedTicket = {0};
KERB_ENCRYPTED_KDC_REPLY ReplyBody = {0};
KERB_KDC_REPLY Reply = {0};
PKERB_KDC_REQUEST_BODY RequestBody = NULL;
PKERB_AUTHORIZATION_DATA PacAuthData = NULL;
PKERB_PA_DATA_LIST OutputPreAuthData = NULL;
PKERB_INTERNAL_NAME ClientName = NULL;
PKERB_INTERNAL_NAME ServerName = NULL;
UNICODE_STRING ClientNetbiosAddress = {0};
UNICODE_STRING ServerStringName = {0};
UNICODE_STRING ClientStringName = {0};
UNICODE_STRING ServerRealm = {0};
UNICODE_STRING MappedClientName = {0};
UNICODE_STRING TransitedRealm = {0};
LARGE_INTEGER LogoffTime;
LARGE_INTEGER AccountExpiry;
ULONG NameFlags = 0;
ULONG PreAuthType = 0;
ULONG KdcOptions = 0;
ULONG TicketFlags = 0;
ULONG ReplyTicketFlags = 0;
ULONG CommonEType;
ULONG ClientEType;
ULONG Nonce = 0;
ULONG LogonRestrictionsFlags = 0;
ULONG WhichFields = 0;
BOOLEAN AuditedFailure = FALSE;
BOOLEAN BuildPac = FALSE;
BOOLEAN ClientReferral = FALSE;
BOOLEAN ServerReferral = FALSE;
BOOLEAN LoggedFailure = FALSE;
BOOLEAN PasswordCorrect = FALSE;
KDC_AS_EVENT_INFO ASEventTraceInfo = {0};
TRACE(KDC, I_GetASTicket, DEB_FUNCTION);
//
// Initialize local variables
//
EncryptedTicket.flags.value = (PUCHAR) &TicketFlags;
EncryptedTicket.flags.length = sizeof(ULONG) * 8;
ReplyBody.flags.value = (PUCHAR) &ReplyTicketFlags;
ReplyBody.flags.length = sizeof(ULONG) * 8;
RtlInitUnicodeString( ClientRealm, NULL );
Ticket.encrypted_part.cipher_text.value = (PUCHAR) &EncryptedTicket;
//
// Assume that this isn't a logon request. If we manage to fail before
// we've determined it's a logon attempt, we won't mark it as a failed
// logon.
//
RequestBody = &RequestMessage->request_body;
//
// There are many options that are invalid for an AS ticket.
//
KdcOptions = KerbConvertFlagsToUlong(&RequestBody->kdc_options);
//
// Start event tracing (capture error cases too)
//
if (KdcEventTraceFlag){
ASEventTraceInfo.EventTrace.Guid = KdcGetASTicketGuid;
ASEventTraceInfo.EventTrace.Class.Type = EVENT_TRACE_TYPE_START;
ASEventTraceInfo.EventTrace.Flags = WNODE_FLAG_TRACED_GUID;
ASEventTraceInfo.EventTrace.Size = sizeof (EVENT_TRACE_HEADER) + sizeof (ULONG);
ASEventTraceInfo.KdcOptions = KdcOptions;
TraceEvent(
KdcTraceLoggerHandle,
(PEVENT_TRACE_HEADER)&ASEventTraceInfo
);
}
if (KdcOptions &
(KERB_KDC_OPTIONS_forwarded |
KERB_KDC_OPTIONS_proxy |
KERB_KDC_OPTIONS_unused7 |
KERB_KDC_OPTIONS_unused9 |
KERB_KDC_OPTIONS_renew |
KERB_KDC_OPTIONS_validate |
KERB_KDC_OPTIONS_reserved |
KERB_KDC_OPTIONS_enc_tkt_in_skey ) )
{
KerbErr = KDC_ERR_BADOPTION;
goto Cleanup;
}
if (( RequestBody->bit_mask & addresses_present ) &&
( RequestBody->addresses == NULL ))
{
KerbErr = KDC_ERR_BADOPTION;
goto Cleanup;
}
//
// Make sure a client name was supplied
//
if ((RequestBody->bit_mask & KERB_KDC_REQUEST_BODY_client_name_present) != 0)
{
KerbErr = KerbConvertPrincipalNameToKdcName(
&ClientName,
&RequestBody->KERB_KDC_REQUEST_BODY_client_name
);
if (!KERB_SUCCESS(KerbErr))
{
goto Cleanup;
}
KerbErr = KerbConvertKdcNameToString(
&ClientStringName,
ClientName,
NULL
);
if (!KERB_SUCCESS(KerbErr))
{
goto Cleanup;
}
}
else
{
D_DebugLog((DEB_ERROR,"KLIN(%x) No principal name supplied to AS request - not allowed\n",
KLIN(FILENO,__LINE__)));
KerbErr = KDC_ERR_C_PRINCIPAL_UNKNOWN;
goto Cleanup;
}
//
// Copy out the service name. This is not an optional field.
//
if ((RequestBody->bit_mask & KERB_KDC_REQUEST_BODY_server_name_present) == 0)
{
D_DebugLog((DEB_ERROR,"KLIN(%x) Client %wZ sent AS request with no server name\n",
KLIN(FILENO,__LINE__),
&ClientStringName));
FILL_EXT_ERROR(pExtendedError, STATUS_KDC_INVALID_REQUEST, FILENO, __LINE__);
KerbErr = KDC_ERR_BADOPTION;
goto Cleanup;
}
KerbErr = KerbConvertPrincipalNameToKdcName(
&ServerName,
&RequestBody->KERB_KDC_REQUEST_BODY_server_name
);
if (!KERB_SUCCESS(KerbErr))
{
goto Cleanup;
}
KerbErr = KerbConvertKdcNameToString(
&ServerStringName,
ServerName,
NULL
);
if (!KERB_SUCCESS(KerbErr))
{
goto Cleanup;
}
//
// Check if the client said to canonicalize the name
//
if ((KdcOptions & KERB_KDC_OPTIONS_name_canonicalize) != 0)
{
NameFlags |= KDC_NAME_CHECK_GC;
}
else
{
//
// canonicalize bit is not set so we want to check if the service
// name is kadmin/changepw, if it is we set the flag to indicate
// that we will ignore password expiration checking
//
KerbCheckIfSPNIsChangePW(
&ServerStringName,
&LogonRestrictionsFlags);
}
D_DebugLog((DEB_TRACE, "Getting an AS ticket to "));
D_KerbPrintKdcName( DEB_TRACE, ServerName );
D_DebugLog((DEB_TRACE, "\tfor " ));
D_KerbPrintKdcName( DEB_TRACE, ClientName );
//
// Get the client's NETBIOS address.
//
if ((RequestBody->bit_mask & addresses_present) != 0)
{
KerbErr = KerbGetClientNetbiosAddress(
&ClientNetbiosAddress,
RequestBody->addresses
);
if (!KERB_SUCCESS(KerbErr))
{
goto Cleanup;
}
}
//
// Normalize the client name.
//
if ( !IsSubAuthFilterPresent()) {
WhichFields = USER_ALL_KERB_CHECK_LOGON_RESTRICTIONS |
USER_ALL_KDC_CHECK_PREAUTH_DATA |
USER_ALL_ACCOUNTEXPIRES |
USER_ALL_KDC_GET_PAC_AUTH_DATA |
USER_ALL_SUCCESSFUL_LOGON;
} else {
//
// We do not know what the subauth routine needs, so get everything
//
WhichFields = 0xFFFFFFFF & ~USER_ALL_UNDEFINED_MASK;
}
KerbErr = KdcNormalize(
ClientName,
NULL,
RequestRealm,
NameFlags | KDC_NAME_CLIENT | KDC_NAME_FOLLOW_REFERRALS,
&ClientReferral,
ClientRealm,
&ClientTicketInfo,
pExtendedError,
&UserHandle,
WhichFields,
0L,
&UserInfo,
&GroupMembership
);
if (!KERB_SUCCESS(KerbErr))
{
DebugLog((DEB_ERROR,"KLIN(%x) Failed to normalize name ",KLIN(FILENO,__LINE__)));
KerbPrintKdcName(DEB_ERROR,ClientName);
goto Cleanup;
}
// If Credential count is zero and there was no error, we do not have
// NT_OWF info so return Error since Kerb can not auth
if (ClientTicketInfo.Passwords->CredentialCount <= CRED_ONLY_LM_OWF)
{
KerbErr = KDC_ERR_ETYPE_NOTSUPP;
DebugLog((DEB_ERROR,"KLIN(%x) Failed to normalize name - no creds ", KLIN(FILENO,__LINE__)));
KerbPrintKdcName(DEB_ERROR,ClientName);
goto Cleanup;
}
// If the UserHandle was NULL and there was no error, this must be
// a cross realm trust account logon. Fail it, we have no account
// to work with.
if (!UserHandle || !UserInfo)
{
KerbErr = KDC_ERR_C_PRINCIPAL_UNKNOWN;
D_DebugLog((DEB_ERROR,"KLIN(%x) Failed to normalize name", KLIN(FILENO,__LINE__)));
KerbPrintKdcName(DEB_ERROR,ClientName);
goto Cleanup;
}
//
// If this is a referral, return an error and the true realm name
// of the client
//
if (ClientReferral)
{
KerbErr = KDC_ERR_WRONG_REALM;
D_DebugLog((DEB_WARN,
"KLIN(%x) Client tried to logon to account in another realm\n",
KLIN(FILENO,__LINE__)));
goto Cleanup;
}
if (!KERB_SUCCESS(KerbErr))
{
DebugLog((DEB_ERROR, "KLIN(%x) Error getting client ticket info for %wZ: 0x%x \n",
KLIN(FILENO,__LINE__), &MappedClientName, KerbErr));
goto Cleanup;
}
//
// The below function will return true for pkinit
//
if (KerbFindPreAuthDataEntry(
KRB5_PADATA_PK_AS_REP,
RequestMessage->KERB_KDC_REQUEST_preauth_data) != NULL)
{
LogonRestrictionsFlags = KDC_RESTRICT_PKINIT_USED | KDC_RESTRICT_IGNORE_PW_EXPIRATION;
}
//
// Check logon restrictions before preauth data, so we don't accidentally
// leak information about the password.
//
KerbErr = KerbCheckLogonRestrictions(
UserHandle,
&ClientNetbiosAddress,
&UserInfo->I1,
LogonRestrictionsFlags,
&LogoffTime,
&LogonStatus
);
if (!KERB_SUCCESS(KerbErr))
{
if (KDC_ERR_KEY_EXPIRED == KerbErr || LogonStatus == STATUS_NO_LOGON_SERVERS)
{
KERBERR TmpKerbErr;
//
// Unpack the pre-auth data.
//
TmpKerbErr = KdcCheckPreAuthData(
&ClientTicketInfo,
UserHandle,
UserInfo,
RequestMessage->KERB_KDC_REQUEST_preauth_data,
RequestBody,
&PreAuthType,
&OutputPreAuthData,
&BuildPac,
&Nonce,
&EncryptionKey,
&TransitedRealm,
ErrorData,
pExtendedError
);
if (!KERB_SUCCESS(TmpKerbErr))
{
BYTE ClientSid[MAX_SID_LEN];
KerbErr = TmpKerbErr;
RtlZeroMemory(ClientSid, MAX_SID_LEN);
KdcMakeAccountSid(ClientSid, ClientTicketInfo.UserId);
if (SecData.AuditKdcEvent(KDC_AUDIT_AS_FAILURE))
{
KdcLsaIAuditKdcEvent(
SE_AUDITID_PREAUTH_FAILURE,
&ClientTicketInfo.AccountName,
NULL, // no domain name
ClientSid,
&ServerStringName,
NULL, // no server sid
&PreAuthType,
(PULONG) &KerbErr,
NULL,
NULL,
GET_CLIENT_ADDRESS(ClientAddress),
NULL // no logon guid
);
AuditedFailure = TRUE;
}
//
// Only handle failed logon if pre-auth fails. Otherwise the error
// was something the client couldn't control, such as memory
// allocation or clock skew.
//
if (KerbErr == KDC_ERR_PREAUTH_FAILED)
{
FailedLogon(
UserHandle,
ClientAddress,
&RequestBody->KERB_KDC_REQUEST_BODY_client_name,
ClientSid,
MAX_SID_LEN,
InputMessage,
OutputMessage,
&ClientNetbiosAddress,
KerbErr
);
}
LoggedFailure = TRUE;
DebugLog((DEB_ERROR,"KLIN(%x) Failed to check pre-auth data: 0x%x\n",
KLIN(FILENO,__LINE__), KerbErr));
goto Cleanup;
}
else if (LogonStatus == STATUS_NO_LOGON_SERVERS)
{
D_DebugLog((DEB_WARN, "KLIN(%x) Logon Restriction check failed due to no logon servers\n",
KLIN(FILENO,__LINE__)));
KdcHandleNoLogonServers(UserHandle,
ClientAddress);
goto Cleanup;
}
else
{
DebugLog((DEB_WARN,"KLIN(%x) Logon restriction check failed: NTSTATUS: 0x%x KRB: 0x%x\n",
KLIN(FILENO,__LINE__),LogonStatus, KerbErr));
// Here's one case where we want to return errors to the client, so use EX
FILL_EXT_ERROR_EX(pExtendedError, LogonStatus, FILENO, __LINE__);
goto Cleanup;
}
}
else
{
DebugLog((DEB_WARN,"KLIN(%x) Logon restriction check failed: NTSTATUS: 0x%x KRB: 0x%x\n",
KLIN(FILENO,__LINE__),LogonStatus, KerbErr));
// Here' s one case where we want to return errors to the client, so use EX
FILL_EXT_ERROR_EX(pExtendedError, LogonStatus, FILENO, __LINE__);
}
goto Cleanup;
}
//
// Unpack the pre-auth data.
//
KerbErr = KdcCheckPreAuthData(
&ClientTicketInfo,
UserHandle,
UserInfo,
RequestMessage->KERB_KDC_REQUEST_preauth_data,
RequestBody,
&PreAuthType,
&OutputPreAuthData,
&BuildPac,
&Nonce,
&EncryptionKey,
&TransitedRealm,
ErrorData,
pExtendedError
);
if (!KERB_SUCCESS(KerbErr))
{
BYTE ClientSid[MAX_SID_LEN];
RtlZeroMemory(ClientSid, MAX_SID_LEN);
KdcMakeAccountSid(ClientSid, ClientTicketInfo.UserId);
if (SecData.AuditKdcEvent(KDC_AUDIT_AS_FAILURE))
{
KdcLsaIAuditKdcEvent(
SE_AUDITID_PREAUTH_FAILURE,
&ClientTicketInfo.AccountName,
NULL, // no domain name
ClientSid,
&ServerStringName,
NULL, // no server sid
&PreAuthType,
(PULONG) &KerbErr,
NULL,
NULL,
GET_CLIENT_ADDRESS(ClientAddress),
NULL // no logon guid
);
AuditedFailure = TRUE;
}
//
// Only handle failed logon if pre-auth fails. Otherwise the error
// was something the client couldn't control, such as memory
// allocation or clock skew.
//
if (KerbErr == KDC_ERR_PREAUTH_FAILED)
{
FailedLogon(
UserHandle,
ClientAddress,
&RequestBody->KERB_KDC_REQUEST_BODY_client_name,
ClientSid,
MAX_SID_LEN,
InputMessage,
OutputMessage,
&ClientNetbiosAddress,
KerbErr
);
}
LoggedFailure = TRUE;
DebugLog((DEB_ERROR,"KLIN(%x) Failed to check pre-auth data: 0x%x\n",
KLIN(FILENO,__LINE__), KerbErr));
goto Cleanup;
}
//
// Check for subauthentication
//
KerbErr = KdcCallSubAuthRoutine(
&ClientTicketInfo,
UserInfo,
&ClientNetbiosAddress,
&LogoffTime,
pExtendedError
);
if (!KERB_SUCCESS(KerbErr))
{
DebugLog((DEB_WARN,"KLIN(%x) Subuath restriction check failed: 0x%x\n",
KLIN(FILENO,__LINE__), KerbErr));
goto Cleanup;
}
//
// Figure out who the ticket is for. First break the name into
// a local name and a referral realm
//
//
// Note: We don't allow referrals here, because we should only get AS
// requests for our realm, and the krbtgt\server should always be
// in our realm.
KerbErr = KdcNormalize(
ServerName,
NULL,
NULL, // don't use requested realm for the server - use our realm
NameFlags | KDC_NAME_SERVER,
&ServerReferral,
&ServerRealm,
&ServiceTicketInfo,
pExtendedError,
NULL, // no user handle
0L, // no additional fields to fetch
0L, // no extended fields
NULL, // no user all
NULL // no membership
);
if (!KERB_SUCCESS(KerbErr))
{
DebugLog((DEB_ERROR,"KLIN(%x) Failed to normalize name 0x%x ",
KLIN(FILENO,__LINE__), KerbErr ));
KerbPrintKdcName(DEB_ERROR, ServerName);
goto Cleanup;
}
//
// Find a common crypto system. Do it now in case we need
// to return the password for a service.
//
if (EncryptionKey.keyvalue.value == NULL)
{
KerbErr = KerbFindCommonCryptSystem(
RequestBody->encryption_type,
ClientTicketInfo.Passwords,
NULL, //ServiceTicketInfo.Passwords,
&ClientEType,
&ClientKey
);
if (!KERB_SUCCESS(KerbErr))
{
KdcReportKeyError(
&ClientTicketInfo.AccountName,
NULL,
KDCEVENT_NO_KEY_UNION_AS,
RequestBody->encryption_type,
ClientTicketInfo.Passwords
);
DebugLog((DEB_ERROR,"KLIN(%x) Failed to find common ETYPE: 0x%x\n",
KLIN(FILENO,__LINE__),KerbErr));
goto Cleanup;
}
}
else
{
//
// BUG 453284: this doesn't take into account the service ticket
// info. If the PKINIT code generated a key that the service
// doesn't suport, this key may not be usable by the client &
// server. However, in the pkinit code it is hard to know what
// types the server supports.
//
ClientEType = EncryptionKey.keytype;
}
//
// Get the etype to use for the ticket itself from the server's
// list of keys
//
KerbErr = KerbFindCommonCryptSystem(
RequestBody->encryption_type,
ServiceTicketInfo.Passwords,
NULL, // no additional passwords
&CommonEType,
&ServerKey
);
if (!KERB_SUCCESS(KerbErr))
{
KdcReportKeyError(
&ServiceTicketInfo.AccountName,
NULL,
KDCEVENT_NO_KEY_UNION_AS,
RequestBody->encryption_type,
ServiceTicketInfo.Passwords
);
DebugLog((DEB_ERROR,"KLIN(%x) Failed to find common ETYPE: 0x%x\n",
KLIN(FILENO,__LINE__), KerbErr));
goto Cleanup;
}
//
// We need to save the full domain name of the service regardless
// of whether it was provided or not. This is so name changes
// can be detected. Instead of creating a mess of trying to figure out
// which deallocator to use, allocate new memory and copy data.
//
AccountExpiry = UserInfo->I1.AccountExpires;
KerbErr = BuildTicketAS(
&ClientTicketInfo,
&RequestBody->KERB_KDC_REQUEST_BODY_client_name,
&ServiceTicketInfo,
&RequestBody->KERB_KDC_REQUEST_BODY_server_name,
((RequestBody->bit_mask & addresses_present) != 0) ? RequestBody->addresses : NULL,
&LogoffTime,
&AccountExpiry,
RequestBody,
CommonEType,
PreAuthType,
&TransitedRealm,
&Ticket,
pExtendedError
);
if (!KERB_SUCCESS(KerbErr))
{
D_DebugLog((DEB_WARN , "KLIN(%x) Failed to build AS ticket: 0x%x\n",
KLIN(FILENO,__LINE__),KerbErr));
goto Cleanup;
}
//
// If the user requested a PAC (via pre-auth data) build one now.
//
if (BuildPac)
{
//
// Now build a PAC to stick in the authorization data
//
KerbErr = KdcGetPacAuthData(
UserInfo,
&GroupMembership,
ServerKey,
&EncryptionKey,
((ServiceTicketInfo.UserAccountControl & USER_INTERDOMAIN_TRUST_ACCOUNT) == 0) &&
(ServiceTicketInfo.UserId != DOMAIN_USER_RID_KRBTGT),
// add resource groups if server is not an interdomain trust account
&EncryptedTicket,
NULL, // no S4U info here...
&PacAuthData,
pExtendedError
);
if (!KERB_SUCCESS(KerbErr))
{
D_DebugLog((DEB_ERROR,"KLIN(%x) Failed to get pac auth data for %wZ : 0x%x\n",
KLIN(FILENO,__LINE__),&ClientTicketInfo.AccountName,KerbErr));
goto Cleanup;
}
//
// Stick the auth data into the AS ticket
//
EncryptedTicket.KERB_ENCRYPTED_TICKET_authorization_data = PacAuthData;
PacAuthData = NULL;
EncryptedTicket.bit_mask |= KERB_ENCRYPTED_TICKET_authorization_data_present;
}
//
// Now build the reply
//
KerbErr = BuildReply(
&ClientTicketInfo,
(Nonce != 0) ? Nonce : RequestBody->nonce,
&Ticket.server_name,
Ticket.realm,
((RequestBody->bit_mask & addresses_present) != 0) ? RequestBody->addresses : NULL,
&Ticket,
&ReplyBody
);
if (!KERB_SUCCESS(KerbErr))
{
goto Cleanup;
}
//
// Now build the real reply and return it.
//
Reply.version = KERBEROS_VERSION;
Reply.message_type = KRB_AS_REP;
Reply.KERB_KDC_REPLY_preauth_data = NULL;
Reply.bit_mask = 0;
Reply.client_realm = EncryptedTicket.client_realm;
//
// Build pw-salt if we used a user's key
//
if (ClientKey != NULL)
{
KerbErr = KdcBuildPwSalt(
ClientTicketInfo.Passwords,
ClientKey,
&OutputPreAuthData
);
if (!KERB_SUCCESS(KerbErr))
{
goto Cleanup;
}
}
if (OutputPreAuthData != NULL)
{
Reply.bit_mask |= KERB_KDC_REPLY_preauth_data_present;
Reply.KERB_KDC_REPLY_preauth_data = (PKERB_REPLY_PA_DATA_LIST) OutputPreAuthData;
//
// Zero this out so we don't free the preauth data twice
//
OutputPreAuthData = NULL;
}
//
// Copy in the ticket
//
KerbErr = KerbPackTicket(
&Ticket,
ServerKey,
CommonEType,
&Reply.ticket
);
if (!KERB_SUCCESS(KerbErr))
{
D_DebugLog((DEB_ERROR,"KLIN(%x) Failed to pack ticket: 0x%x\n",
KLIN(FILENO,__LINE__), KerbErr));
goto Cleanup;
}
//
// Note: these are freed elsewhere, so zero them out after
// using them
//
Reply.client_name = EncryptedTicket.client_name;
//
// Copy in the encrypted part
//
KerbErr = KerbPackKdcReplyBody(
&ReplyBody,
(EncryptionKey.keyvalue.value != NULL) ? &EncryptionKey : ClientKey,
ClientEType,
Pdu,
&Reply.encrypted_part
);
if (!KERB_SUCCESS(KerbErr))
{
D_DebugLog((DEB_ERROR,"KLIN(%x) Failed to pack KDC reply body: 0x%x\n",
KLIN(FILENO,__LINE__), KerbErr));
goto Cleanup;
}
//
// Add in PW-SALT if we used a client key
//
if (SecData.AuditKdcEvent(KDC_AUDIT_AS_SUCCESS))
{
BYTE ClientSid[MAX_SID_LEN];
BYTE ServerSid[MAX_SID_LEN];
KdcMakeAccountSid(ClientSid, ClientTicketInfo.UserId);
KdcMakeAccountSid(ServerSid, ServiceTicketInfo.UserId);
KdcLsaIAuditKdcEvent(
SE_AUDITID_AS_TICKET,
&ClientTicketInfo.AccountName,
RequestRealm,
ClientSid,
&ServiceTicketInfo.AccountName,
ServerSid,
(PULONG) &KdcOptions,
NULL, // success
&CommonEType,
&PreAuthType,
GET_CLIENT_ADDRESS(ClientAddress),
NULL // no logon guid
);
}
//
// Pack the reply
//
KerbErr = KerbPackData(
&Reply,
ReplyPdu,
&OutputMessage->BufferSize,
&OutputMessage->Buffer
);
if (!KERB_SUCCESS(KerbErr))
{
goto Cleanup;
}
Cleanup:
if (!KERB_SUCCESS(KerbErr))
{
DsysAssert(RequestBody != NULL);
if (!AuditedFailure && SecData.AuditKdcEvent(KDC_AUDIT_AS_FAILURE))
{
if (ClientName != NULL)
{
KdcLsaIAuditKdcEvent(
SE_AUDITID_AS_TICKET,
&ClientName->Names[0],
RequestRealm,
NULL,
&ServerStringName,
NULL,
&KdcOptions,
(PULONG) &KerbErr, // failure
NULL, // no common etype
NULL, // no preauth type
GET_CLIENT_ADDRESS(ClientAddress),
NULL // no logon guid
);
}
}
//
// If there was any preath data to return, pack it for return now.
//
if (OutputPreAuthData != NULL)
{
if (ErrorData->Buffer != NULL)
{
D_DebugLog((DEB_ERROR,
"KLIN(%x) Freeing return error data to return preauth data\n",
KLIN(FILENO,__LINE__)));
MIDL_user_free(ErrorData->Buffer);
ErrorData->Buffer = NULL;
ErrorData->BufferSize = 0;
}
(VOID) KerbPackData(
&OutputPreAuthData,
PKERB_PREAUTH_DATA_LIST_PDU,
&ErrorData->BufferSize,
&ErrorData->Buffer
);
}
}
if (UserHandle != NULL)
{
if (!KERB_SUCCESS(KerbErr))
{
if (!LoggedFailure)
{
KerbErr = FailedLogon(
UserHandle,
ClientAddress,
&RequestBody->KERB_KDC_REQUEST_BODY_client_name,
NULL,
0,
InputMessage,
OutputMessage,
&ClientNetbiosAddress,
KerbErr
);
}
}
else
{
SuccessfulLogon(
UserHandle,
ClientAddress,
InputMessage,
UserInfo
);
}
SamrCloseHandle(&UserHandle);
}
//
// Complete the WMI event
//
if (KdcEventTraceFlag){
//These variables point to either a unicode string struct containing
//the corresponding string or a pointer to KdcNullString
PUNICODE_STRING pStringToCopy;
WCHAR UnicodeNullChar = 0;
UNICODE_STRING UnicodeEmptyString = {sizeof(WCHAR),sizeof(WCHAR),&UnicodeNullChar};
ASEventTraceInfo.EventTrace.Class.Type = EVENT_TRACE_TYPE_END;
ASEventTraceInfo.EventTrace.Flags = WNODE_FLAG_USE_MOF_PTR |
WNODE_FLAG_TRACED_GUID;
// Always output error code. KdcOptions was captured on the start event
ASEventTraceInfo.eventInfo[0].DataPtr = (ULONGLONG) &KerbErr;
ASEventTraceInfo.eventInfo[0].Length = sizeof(ULONG);
ASEventTraceInfo.EventTrace.Size =
sizeof (EVENT_TRACE_HEADER) + sizeof(MOF_FIELD);
// Build counted MOF strings from the unicode strings
if (ClientStringName.Buffer != NULL &&
ClientStringName.Length > 0)
{
pStringToCopy = &ClientStringName;
}
else {
pStringToCopy = &UnicodeEmptyString;
}
ASEventTraceInfo.eventInfo[1].DataPtr =
(ULONGLONG) &pStringToCopy->Length;
ASEventTraceInfo.eventInfo[1].Length =
sizeof(pStringToCopy->Length);
ASEventTraceInfo.eventInfo[2].DataPtr =
(ULONGLONG) pStringToCopy->Buffer;
ASEventTraceInfo.eventInfo[2].Length =
pStringToCopy->Length;
ASEventTraceInfo.EventTrace.Size += sizeof(MOF_FIELD)*2;
if (ServerStringName.Buffer != NULL &&
ServerStringName.Length > 0)
{
pStringToCopy = &ServerStringName;
}
else
{
pStringToCopy = &UnicodeEmptyString;
}
ASEventTraceInfo.eventInfo[3].DataPtr =
(ULONGLONG) &pStringToCopy->Length;
ASEventTraceInfo.eventInfo[3].Length =
sizeof(pStringToCopy->Length);
ASEventTraceInfo.eventInfo[4].DataPtr =
(ULONGLONG) pStringToCopy->Buffer;
ASEventTraceInfo.eventInfo[4].Length =
pStringToCopy->Length;
ASEventTraceInfo.EventTrace.Size += sizeof(MOF_FIELD)*2;
if (RequestRealm->Buffer != NULL &&
RequestRealm->Length > 0)
{
pStringToCopy = RequestRealm;
}
else
{
pStringToCopy = &UnicodeEmptyString;
}
ASEventTraceInfo.eventInfo[5].DataPtr =
(ULONGLONG) &(pStringToCopy->Length);
ASEventTraceInfo.eventInfo[5].Length =
sizeof(pStringToCopy->Length);
ASEventTraceInfo.eventInfo[6].DataPtr =
(ULONGLONG) (pStringToCopy->Buffer);
ASEventTraceInfo.eventInfo[6].Length =
(pStringToCopy->Length);
ASEventTraceInfo.EventTrace.Size += sizeof(MOF_FIELD)*2;
TraceEvent(
KdcTraceLoggerHandle,
(PEVENT_TRACE_HEADER)&ASEventTraceInfo
);
}
SamIFree_UserInternal6Information( UserInfo );
SamIFreeSidAndAttributesList( &GroupMembership );
KerbFreeAuthData( PacAuthData );
FreeTicketInfo( &ClientTicketInfo );
FreeTicketInfo( &ServiceTicketInfo );
KdcFreeInternalTicket( &Ticket );
KerbFreeKey( &EncryptionKey );
KerbFreeKdcName( &ClientName );
KerbFreeString( &ClientStringName );
KerbFreeString( &TransitedRealm );
KerbFreeString( &ServerStringName );
KerbFreeString( &ServerRealm );
KerbFreeKdcName( &ServerName );
KerbFreeString( &ClientNetbiosAddress );
KdcFreeKdcReplyBody( &ReplyBody );
KdcFreeKdcReply( &Reply );
KerbFreePreAuthData( OutputPreAuthData );
D_DebugLog(( DEB_TRACE, "I_GetASTicket() returning 0x%x\n", KerbErr ));
return KerbErr;
}
//+-------------------------------------------------------------------------
//
// Function: KdcGetTicket
//
// Synopsis: Generic ticket getting entrypoint to get a ticket from the KDC
//
// Effects:
//
// Arguments: Context - ATQ context - only present for TCP/IP callers
// ClientAddress - Client's IP addresses. Only present for UDP & TPC callers
// ServerAddress - address the client used to contact this KDC.
// Only present for UDP & TPC callers
// InputMessage - the input KDC request message, in ASN.1 format
// OutputMessage - Receives the KDC reply message, allocated by
// the KDC.
//
// Requires:
//
// Returns:
//
// Notes: This routine is exported from the DLL and called from the
// client dll.
//
//
//--------------------------------------------------------------------------
extern "C"
KERBERR
KdcGetTicket(
IN OPTIONAL PVOID Context,
IN OPTIONAL PSOCKADDR ClientAddress,
IN OPTIONAL PSOCKADDR ServerAddress,
IN PKERB_MESSAGE_BUFFER InputMessage,
OUT PKERB_MESSAGE_BUFFER OutputMessage
)
{
KERBERR KerbErr;
KERB_EXT_ERROR ExtendedError = {0,0};
PKERB_EXT_ERROR pExtendedError = &ExtendedError; // needed for macro
PKERB_KDC_REQUEST RequestMessage = NULL;
KERB_KDC_REPLY ReplyMessage = {0};
PKERB_ERROR ErrorMessage = NULL;
PKERB_MESSAGE_BUFFER Response = NULL;
KERB_MESSAGE_BUFFER ErrorData = {0};
ULONG InputPdu = KERB_TGS_REQUEST_PDU;
ULONG OutputPdu = KERB_TGS_REPLY_PDU;
ULONG InnerPdu = KERB_ENCRYPTED_TGS_REPLY_PDU;
UNICODE_STRING RequestRealm = {0};
PKERB_INTERNAL_NAME RequestServer = NULL;
UNICODE_STRING ClientRealm = {0};
PUNICODE_STRING ExtendedErrorServerRealm = SecData.KdcDnsRealmName();
PKERB_INTERNAL_NAME ExtendedErrorServerName = SecData.KdcInternalName();
#if DBG
DWORD StartTime = 0;
#endif
TRACE(KDC, KdcGetTicket, DEB_FUNCTION );
//
// Make sure we are allowed to execute
//
if (!NT_SUCCESS(EnterApiCall()))
{
return(KDC_ERR_NOT_RUNNING);
}
RtlZeroMemory(
&ReplyMessage,
sizeof(KERB_KDC_REPLY)
);
//
// First initialize the return parameters.
//
OutputMessage->Buffer = NULL;
OutputMessage->BufferSize = 0;
//
// Check the first byte of the message to indicate the type of message
//
if ((InputMessage->BufferSize > 0) && (
(InputMessage->Buffer[0] & KERB_BER_APPLICATION_TAG) != 0))
{
if ((InputMessage->Buffer[0] & KERB_BER_APPLICATION_MASK) == KERB_AS_REQ_TAG)
{
InputPdu = KERB_AS_REQUEST_PDU;
OutputPdu = KERB_AS_REPLY_PDU;
InnerPdu = KERB_ENCRYPTED_AS_REPLY_PDU;
}
else if ((InputMessage->Buffer[0] & KERB_BER_APPLICATION_MASK) != KERB_TGS_REQ_TAG)
{
D_DebugLog((DEB_T_SOCK,
"KLIN(%x) Bad message sent to KDC - not AS or TGS request\n",
KLIN(FILENO,__LINE__)));
KerbErr = KRB_ERR_FIELD_TOOLONG;
goto NoMsgCleanup;
}
}
else
{
D_DebugLog((DEB_T_SOCK,"KLIN(%x) Bad message sent to KDC - length to short or bad first byte\n",
KLIN(FILENO,__LINE__)));
KerbErr = KRB_ERR_FIELD_TOOLONG;
goto NoMsgCleanup;
}
//
// First decode the input message
//
KerbErr = (KERBERR) KerbUnpackData(
InputMessage->Buffer,
InputMessage->BufferSize,
InputPdu,
(PVOID *) &RequestMessage
);
if (KerbErr == KDC_ERR_MORE_DATA)
{
//
// Reallocate an retry the read from the socket
//
if (Context != NULL)
{
KerbErr = KdcAtqRetrySocketRead(
(PKDC_ATQ_CONTEXT *) Context,
InputMessage
);
//
// On success, just return so that the read continues. On failure,
// post cleanup and send an error response.
//
if (KERB_SUCCESS(KerbErr))
{
LeaveApiCall();
return(KerbErr);
}
else
{
goto NoMsgCleanup;
}
}
else
{
D_DebugLog((DEB_ERROR, "KLIN(%x) Datagram context with not enough data!\n",
KLIN(FILENO,__LINE__)));
KerbErr = KRB_ERR_FIELD_TOOLONG;
goto Cleanup;
}
}
if (!KERB_SUCCESS(KerbErr))
{
D_DebugLog((DEB_ERROR,"KLIN(%x) Failed to unpack KDC request: 0x%x\n",
KLIN(FILENO,__LINE__),KerbErr));
//
// We don't want to return an error on a badly formed
// packet,as it can be used to set up a flood attack
//
goto NoMsgCleanup;
}
//
// First check the version of the request.
//
if (RequestMessage->version != KERBEROS_VERSION)
{
D_DebugLog((DEB_ERROR,"KLIN(%x) Bad request version: 0x%x\n",
KLIN(FILENO,__LINE__), RequestMessage->version));
KerbErr = KRB_AP_ERR_BADVERSION;
goto Cleanup;
}
//
// now call the internal version to do all the hard work
//
//
// Verify the realm name in the request
//
KerbErr = KerbConvertRealmToUnicodeString(
&RequestRealm,
&RequestMessage->request_body.realm
);
if (!KERB_SUCCESS(KerbErr))
{
goto Cleanup;
}
KerbErr = KerbConvertPrincipalNameToKdcName(
&RequestServer,
&RequestMessage->request_body.server_name
);
if ( !KERB_SUCCESS(KerbErr))
{
goto Cleanup;
}
//
// Now that we have the request realm and request server, any subsequent
// error will result in those values being placed into the extended error
//
ExtendedErrorServerRealm = &RequestRealm;
ExtendedErrorServerName = RequestServer;
if (!SecData.IsOurRealm(
&RequestRealm
))
{
D_DebugLog((DEB_ERROR,"KLIN(%x) Request sent for wrong realm: %wZ\n",
KLIN(FILENO,__LINE__), &RequestRealm));
KerbErr = KDC_ERR_WRONG_REALM;
goto Cleanup;
}
if (RequestMessage->message_type == KRB_AS_REQ)
{
if (InputPdu != KERB_AS_REQUEST_PDU) {
KerbErr = KRB_ERR_FIELD_TOOLONG;
FILL_EXT_ERROR(pExtendedError, STATUS_KDC_INVALID_REQUEST,FILENO,__LINE__);
goto Cleanup;
}
SamIIncrementPerformanceCounter(
KdcAsReqCounter
);
//
// If WMI event tracing is enabled, notify it of the begin and end
// of the ticket request
//
#if DBG
StartTime = GetTickCount();
#endif
KerbErr = I_GetASTicket(
ClientAddress,
RequestMessage,
&RequestRealm,
InnerPdu,
OutputPdu,
InputMessage,
OutputMessage,
&ErrorData,
&ExtendedError,
&ClientRealm
);
#if DBG
D_DebugLog((DEB_T_PERF_STATS, "I_GetASTicket took %d m seconds\n", NetpDcElapsedTime(StartTime)));
#endif
}
else if (RequestMessage->message_type == KRB_TGS_REQ)
{
SamIIncrementPerformanceCounter(
KdcTgsReqCounter
);
#if DBG
StartTime = GetTickCount();
#endif
KerbErr = HandleTGSRequest(
ClientAddress,
RequestMessage,
&RequestRealm,
OutputMessage,
&ExtendedError
);
#if DBG
D_DebugLog((DEB_T_PERF_STATS, "HandleTGSRequest took %d m seconds\n", NetpDcElapsedTime(StartTime)));
#endif
}
else
{
D_DebugLog((DEB_ERROR,"KLIN(%x) Invalid message type: %d\n",
KLIN(FILENO,__LINE__),
RequestMessage->message_type));
FILL_EXT_ERROR(pExtendedError, STATUS_KDC_INVALID_REQUEST,FILENO,__LINE__);
KerbErr = KRB_AP_ERR_MSG_TYPE;
goto Cleanup;
}
//
// If the response is too big and we are using UDP, make the client
// change transports. We can tell the caller is UDP because it doesn't
// have an ATQ context but it does provide the client address.
//
if ((Context == NULL) && (ClientAddress != NULL))
{
if (OutputMessage->BufferSize >= KERB_MAX_KDC_RESPONSE_SIZE)
{
D_DebugLog((DEB_WARN,"KLIN(%x) KDC response too big for UDP: %d bytes\n",
KLIN(FILENO,__LINE__), OutputMessage->BufferSize ));
KerbErr = KRB_ERR_RESPONSE_TOO_BIG;
MIDL_user_free(OutputMessage->Buffer);
OutputMessage->Buffer = NULL;
OutputMessage->BufferSize = 0;
}
}
Cleanup:
// TBD: Put in extended error return goo here for client
if (!KERB_SUCCESS(KerbErr))
{
//
// We may have a message built by someone else - the PDC
//
if (OutputMessage->Buffer == NULL)
{
KerbBuildErrorMessageEx(
KerbErr,
&ExtendedError,
ExtendedErrorServerRealm,
ExtendedErrorServerName,
&ClientRealm,
ErrorData.Buffer,
ErrorData.BufferSize,
&OutputMessage->BufferSize,
&OutputMessage->Buffer
);
}
}
NoMsgCleanup:
KerbFreeString(&RequestRealm);
MIDL_user_free(RequestServer);
if (RequestMessage != NULL)
{
KerbFreeData(InputPdu,RequestMessage);
}
if (ErrorData.Buffer != NULL)
{
MIDL_user_free(ErrorData.Buffer);
}
LeaveApiCall();
return(KerbErr);
}