Solved

Retrieving User information

Posted on 1998-04-30
Last Modified: 2008-02-01
Hello,

I am trying to implement a Smart Card reader for security reasons into the NT logon sequence.

Question is: How do I retrieve the user information (user, domain, password etc) from C++?

When this is done I will verify the current user against his/her smart card.

How can I make this verification happen directly after the user logon sequence in the NT4.0 environment?

Appreciate help with this issue!

Best regards, Anders Karlsson
Question by:Kalle 2
LVL 32

Expert Comment

by:jhance
ID: 1168297
0
 

Author Comment

by:Kalle 2
ID: 1168298
Yes I have looked at it.
The Drive I am using at the moment does not support the
standards so I figured using the API supplied with the
Drive (ASEDrive v1.4) and make my own calls to NT Security (SSPI)
to verify the Card.

So what I am looking for is some kind of directions telling me which
function calls to use and what I need to establish to retrieve the current
users name, domain and password.

And my second question, how to make this verification happen
directly after the logon sequence so that I can choose to logoff
the user directly if the Userid - Smartcard doesn't match.

// Anders Karlsson
0
 
LVL 2

Expert Comment

by:lortega
ID: 1168299
There is one API, but not necessarily compatible between NT and 95:

BOOL LogonUser(
    LPTSTR  lpszUsername,     // string that specifies the user name
    LPTSTR  lpszDomain,       // string that specifies the domain or server
    LPTSTR  lpszPassword,     // string that specifies the password
    DWORD   dwLogonType,      // specifies the type of logon operation
    DWORD   dwLogonProvider,  // specifies the logon provider
    PHANDLE phToken           // pointer to variable to receive token handle
);

a. You can store some of the login information on the smartcard.
b. Try to log on with that information.
c. If the logon succeeds then OK, else do your message to inform that.
d. The last parameter is good for other calls that you can use, calls like CreateProcessAsUser or ImpersonateLoggedOnUser.

I hope this will help you,
lortega
0
 

Author Comment

by:Kalle 2
ID: 1168300
Yes, this would do. The problem I am having is that the
existing NT logon is still there and I don't believe I can override
this in any way.
So what I want is not to log on to the system, it is retrieving the
already given user+password to verify if the user logged on
matches the one given on the Smart card supplied by the user.

This is not the best solution, that would be incorporating the
Smart card control into the current NT login sequence itself
but I think (?) that would be too hard to accomplish, am I right?

// Anders Karlsson
0
 
LVL 2

Expert Comment

by:gantriis
ID: 1168301
Hi Anders.

What you need is to replace the GINA (Graphical Identification and Authentication DLL) on the Windows NT systems that will use the SmartCard reader.

Microsoft Visual C++ contains a sample project (\samples\sdk\winnt\security\gina) that shows you all the functions that such a GINA replacement needs to handle (all the ways it is expected to interact with WinLogon).

Building your own GINA is not an easy task, but to accomplish the task you are describing you would probably like to:

1. Start by installing and compiling the VC++ sample project.
2. Insert the routines that will verify the user on some external device of your choice (Smartcard reader, camera, microphone or whatever you can think of).

You might also find the below general information about the functions that your GINA is expected to take care of useful:

http://premium.microsoft.com/msdn/library/devprods/vc++/vcsamples/f14/f20/d4f/s1cf6f.htm

http://premium.microsoft.com/msdn/library/specs/winntsec/f1/d2/s119e9.htm

http://premium.microsoft.com/msdn/library/specs/winntsec/f1/d2/s119f4.htm

Kind regards
Gantriis
0
 
LVL 1

Expert Comment

by:dreamPeace
ID: 1168302
Perhaps you should look into the system/windows.ini and try to change the shell to be the login procedure? You can use the registry to check the current username, and the WinLogon will take care of the password. Shell will simply fail if the authentication fails...
0
 

Accepted Solution

by:
naveedi earned 100 total points
ID: 1168303
The identification and authentication aspects of the logon are implemented in the GINA DLL. By default the standard GINA is MSGINA.DLL. This can be replaced so you can do your own authentication. The WinLogon process can also load additional network provider DLLs. Secondary authentication can occur here. It sounds to me like you want WinLogon GINA to validate the user's NT domain login. You then want your card reader, implemented as a network provider DLL, to do a secondary authentication. If both these tests are good, allow the logon to proceed. You will probably have to implement your own GINA because by default the WINAPI WlxLoggedOutSas will not return password information to secondary network provider DLLs. Your GINA implementation will have to ensure that the parameter [OUT] PWLX_MPR_NOTIFY_INFO pMprNotifyInfo for the WINAPI WlxLoggedOutSas function points to valid password info. This parameter can then be used by your secondary network provider DLL to do your SmartCard validation.



How to get the domain name?
How to get the user name?
How to get the password?

All this information is part of the WLX_MPR_NOTIFY_INFO  structure that your GINA implementation will pass back to your secondary network login DLL.


From WINWLX.H
-------------
typedef struct _WLX_MPR_NOTIFY_INFO
{
    PWSTR           pszUserName;      
    PWSTR           pszDomain;
    PWSTR           pszPassword;  
    PWSTR           pszOldPassword;  
} WLX_MPR_NOTIFY_INFO, * PWLX_MPR_NOTIFY_INFO;


These DLLs are not easy to implement. A bad GINA will prevent NT from booting.

0
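Because the GINA and the network provider DLLs described in the accepted answer both receive logon credentials from WinLogon, a host audit should list what is registered at those two extension points. The PowerShell below is an added example, not part of the original thread; the function names are hypothetical, the registry locations are the standard Winlogon and network-provider keys, and it assumes a host where PowerShell is available (the GinaDLL value is only honoured on NT 4.0 through Windows XP/2003).

```powershell
# Added audit example (not from the thread): list the DLLs registered at the
# two WinLogon extension points discussed above.
$WinlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$OrderKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order'

function Get-GinaOverride {
    # No GinaDLL value means WinLogon loads the default MSGINA.DLL.
    $v = Get-ItemProperty -Path $WinlogonKey -Name GinaDLL -ErrorAction SilentlyContinue
    if ($v) { $v.GinaDLL } else { $null }
}

function Get-LogonNetworkProvider {
    # Each name in ProviderOrder maps to a service key that holds the DLL path.
    $order = (Get-ItemProperty -Path $OrderKey -Name ProviderOrder).ProviderOrder
    foreach ($name in ($order -split ',' | Where-Object { $_.Trim() })) {
        $name = $name.Trim()
        $svc  = "HKLM:\SYSTEM\CurrentControlSet\Services\$name\NetworkProvider"
        $np   = Get-ItemProperty -Path $svc -ErrorAction SilentlyContinue
        $dll  = if ($np) { $np.ProviderPath } else { $null }
        # Signature status is a triage hint, not a verdict.
        $sig  = if ($dll -and (Test-Path -LiteralPath $dll)) {
                    (Get-AuthenticodeSignature -FilePath $dll).Status
                } else { 'FileNotFound' }
        [pscustomobject]@{
            Provider  = $name
            DllPath   = $dll
            Signature = $sig
        }
    }
}

$gina = Get-GinaOverride
if ($gina) { Write-Warning "Non-default GINA configured: $gina" }
else       { Write-Output  'GinaDLL not set: default MSGINA.DLL is in use.' }

# Review every provider that is unsigned, missing, or not expected on this host.
Get-LogonNetworkProvider | Format-Table -AutoSize
```

Run it from an elevated prompt and compare the output against a known-good baseline for the same OS build.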
 

Author Comment

by:Kalle 2
ID: 1168304
Thanks for your help.
I realize that this will be a hard one to accomplish.
Except for the sample code provided by MS, do you know
any other information sources with sample code on this
subject?

Best regards, Anders
0
