Solved

Retrieving User information

Posted on 1998-04-30
8
254 Views
Last Modified: 2008-02-01
Hello,

I am trying to implement a Smart Card reader for security reasons into the NT logon sequence.

Question is: How do I retrieve the user information (user, domain, password etc) from C++?

When this is done I will verify the current user against his/hers smart card.

How can I make this verification happen directly after the user logon sequence in the NT4.0 environment?

Appreciate help with this issue!

Best regards, Anders Karlsson
0
Comment
Question by:Kalle 2
8 Comments
 
LVL 32

Expert Comment

by:jhance
Comment Utility
0
 

Author Comment

by:Kalle 2
Comment Utility
Yes I have looked at it.
The Drive I am using at the moment does not support the
standards so I figured using the API supplied with the
Drive (ASEDrive v1.4) and make my own calls to NT Security (SSPI)
to verify the Card.

So what I am looking for is some kind of directions telling me which
function calls to use and what I need to establish to retrieve the current
users name, domain and password.

And my second question, how to make this verification happen
directly after the logon sequence so that I can choose to logoff
the user directly if the Userid - Smartcard doesn't match.

// Anders Karlsson
0
 
LVL 2

Expert Comment

by:lortega
Comment Utility
there are one api, but not necesary compatible betwen NT and 95,

BOOL LogonUser(
    LPTSTR lpszUsername,// string that specifies the user name
    LPTSTR lpszDomain,//str that specifies the domain or server
    LPTSTR lpszPassword,// string that specifies the password
    DWORD dwLogonType,// specifies the type of logon operation
    DWORD dwLogonProvider,// specifies the logon provider
    PHANDLE phToken// pointer to variable to receive token handle
   );      


a. you can store some of the login information on smartcard
b. try to logon with that information
c. if logon succed then ok else do your message to inform that
d. the last parameter is good for other calls tha you can use, calls like CreateProcessAsUser or ImpersonateLoggedOnUser.

i hope this will help you,
lortega
0
 

Author Comment

by:Kalle 2
Comment Utility
Yes, this would do. The problem I am having is that the
existing NT logon is still there and I don't believe I can override
this in any way.
So what I want is not to logon to the system, it is retrieveing the
already given user+password to verify if the user logged on
matches the one given on the Smart card supplied by the user.

This is not the best solution, that would be incorporating the
Smart card control into the current NT login sequence itself
but I think (?) that would be to hard to accomplish, am I right?

// Anders Karlsson
0
IT, Stop Being Called Into Every Meeting

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

 
LVL 2

Expert Comment

by:gantriis
Comment Utility
Hej Anders.

What you need is to replace the GINA (Graphical Identification and Authentication DLL) on the Windows NT systems that will use the SmartCard reader.

Microsoft Visual C++ contains a sample project (\samples\sdk\winnt\security\gina) that shows you all the functions that such a GINA replacement needs to handle (all the ways it is expected to interact with WinLogon).

Building your own GINA is not an easy task, but to accomplish the task you are describing you would probably like to:

1. Start by installing and compiling the VC++ sample project.
2. Insert the routines that will verity the user on some external device of your choise (Smartcard reader, camera, microphone or whatever you can think of).

You might also find the below general information about the functions that your GINA is expected to take care of useful:

http://premium.microsoft.com/msdn/library/devprods/vc++/vcsamples/f14/f20/d4f/s1cf6f.htm

http://premium.microsoft.com/msdn/library/specs/winntsec/f1/d2/s119e9.htm

http://premium.microsoft.com/msdn/library/specs/winntsec/f1/d2/s119f4.htm

Med venlig hälsning
Gantriis
0
 
LVL 1

Expert Comment

by:dreamPeace
Comment Utility
Perhaps you should look into the system/windows.ini and try to change the shell to be the login procedure? U can use the registry to check the current username, and the WinLogon will take care of password. Shell will simply fail if the authentication fails...
0
 

Accepted Solution

by:
naveedi earned 100 total points
Comment Utility
The identification and authentication aspects of the logon are implemented in the GINA DLL. By default the standard GINA is MSGINA.DLL. This can be replaced so you can do your own authentication. The WinLogon process can also load additional network provider DLLs. Secondary authentication can occur here. It sounds to me like you want WinLogon GINA to validate the user's NT domain login. You then want your card reader, implemented as a network provider DLL, to do a seconary authentication. If both these tests are good allow the logon to proceed. You will probally have to implement your own GINA because by default the WINAPIWlxLoggedOutSas will not return password information to secondary network provider DLLs. Your GINA implementation will have to insure that the parameter [OUT] PWLX_MPR_NOTIFY_INFO pMprNotifyInfo for WINAPIWlxLoggedOutSas function points to valid password info. This parameter can than be used by your secondary network provider DLL to do your SmartCard validation.



How to get the domain name?
How to get the user name?
How to get the password?

All this information is part of the WLX_MPR_NOTIFY_INFO  structure that your GINA implementation will pass back to your secondary network login DLL.


From WINWLX.H
-------------
typedef struct _WLX_MPR_NOTIFY_INFO
{
    PWSTR           pszUserName;      
    PWSTR           pszDomain
    PWSTR           pszPassword;  
    PWSTR           pszOldPassword;  
} WLX_MPR_NOTIFY_INFO, * PWLX_MPR_NOTIFY_INFO;


These DLLs are not easy to implement. A bad GINA will prevent NT from booting.

0
 

Author Comment

by:Kalle 2
Comment Utility
Thanks for your help.
I realize that this will be a hard one to accomplish.
Except for the sample code provided by MS, do you know
any other information sources with sample code on this
subject?

Best regards, Anders
0

Featured Post

Better Security Awareness With Threat Intelligence

See how one of the leading financial services organizations uses Recorded Future as part of a holistic threat intelligence program to promote security awareness and proactively and efficiently identify threats.

Join & Write a Comment

When writing generic code, using template meta-programming techniques, it is sometimes useful to know if a type is convertible to another type. A good example of when this might be is if you are writing diagnostic instrumentation for code to generat…
Container Orchestration platforms empower organizations to scale their apps at an exceptional rate. This is the reason numerous innovation-driven companies are moving apps to an appropriated datacenter wide platform that empowers them to scale at a …
The goal of the video will be to teach the user the concept of local variables and scope. An example of a locally defined variable will be given as well as an explanation of what scope is in C++. The local variable and concept of scope will be relat…
The viewer will learn additional member functions of the vector class. Specifically, the capacity and swap member functions will be introduced.

772 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

10 Experts available now in Live!

Get 1:1 Help Now