• Status: Solved
  • Priority: Medium
  • Security: Public

Retrieving User information


I am trying to implement a Smart Card reader for security reasons into the NT logon sequence.

Question is: How do I retrieve the user information (user, domain, password etc) from C++?

When this is done I will verify the current user against his/her smart card.

How can I make this verification happen directly after the user logon sequence in the NT4.0 environment?

Appreciate help with this issue!

Best regards, Anders Karlsson
Kalle 2 (Author) commented:
Yes I have looked at it.
The Drive I am using at the moment does not support the
standards so I figured using the API supplied with the
Drive (ASEDrive v1.4) and make my own calls to NT Security (SSPI)
to verify the Card.

So what I am looking for is some kind of directions telling me which
function calls to use and what I need to establish to retrieve the current
user's name, domain and password.

And my second question, how to make this verification happen
directly after the logon sequence so that I can choose to logoff
the user directly if the Userid - Smartcard doesn't match.

// Anders Karlsson
There is one API, but it is not necessarily compatible between NT and 95:

BOOL LogonUser(
    LPTSTR lpszUsername,    // string that specifies the user name
    LPTSTR lpszDomain,      // string that specifies the domain or server
    LPTSTR lpszPassword,    // string that specifies the password
    DWORD dwLogonType,      // specifies the type of logon operation
    DWORD dwLogonProvider,  // specifies the logon provider
    PHANDLE phToken         // pointer to variable to receive token handle
);

a. you can store some of the login information on the smartcard
b. try to log on with that information
c. if the logon succeeds then ok, else do your message to inform that
d. the last parameter is good for other calls that you can use, calls like CreateProcessAsUser or ImpersonateLoggedOnUser.

I hope this will help you,

Kalle 2 (Author) commented:
Yes, this would do. The problem I am having is that the
existing NT logon is still there and I don't believe I can override
this in any way.
So what I want is not to log on to the system, it is retrieving the
already given user+password to verify if the user logged on
matches the one given on the Smart card supplied by the user.

This is not the best solution, that would be incorporating the
Smart card control into the current NT login sequence itself
but I think (?) that would be too hard to accomplish, am I right?

// Anders Karlsson
Hi Anders.

What you need is to replace the GINA (Graphical Identification and Authentication DLL) on the Windows NT systems that will use the SmartCard reader.

Microsoft Visual C++ contains a sample project (\samples\sdk\winnt\security\gina) that shows you all the functions that such a GINA replacement needs to handle (all the ways it is expected to interact with WinLogon).

Building your own GINA is not an easy task, but to accomplish the task you are describing you would probably like to:

1. Start by installing and compiling the VC++ sample project.
2. Insert the routines that will verify the user on some external device of your choice (Smartcard reader, camera, microphone or whatever you can think of).

You might also find the below general information about the functions that your GINA is expected to take care of useful:




Best regards
Perhaps you should look into the system/windows.ini and try to change the shell to be the login procedure? You can use the registry to check the current username, and the WinLogon will take care of the password. Shell will simply fail if the authentication fails...
The identification and authentication aspects of the logon are implemented in the GINA DLL. By default the standard GINA is MSGINA.DLL. This can be replaced so you can do your own authentication. The WinLogon process can also load additional network provider DLLs. Secondary authentication can occur here.

It sounds to me like you want the WinLogon GINA to validate the user's NT domain login. You then want your card reader, implemented as a network provider DLL, to do a secondary authentication. If both these tests are good, allow the logon to proceed.

You will probably have to implement your own GINA because by default the WINAPI WlxLoggedOutSAS will not return password information to secondary network provider DLLs. Your GINA implementation will have to ensure that the parameter [OUT] PWLX_MPR_NOTIFY_INFO pMprNotifyInfo for the WINAPI WlxLoggedOutSAS function points to valid password info. This parameter can then be used by your secondary network provider DLL to do your SmartCard validation.

How to get the domain name?
How to get the user name?
How to get the password?

All this information is part of the WLX_MPR_NOTIFY_INFO  structure that your GINA implementation will pass back to your secondary network login DLL.

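typedef struct _WLX_MPR_NOTIFY_INFO {
    PWSTR           pszUserName;     // account name entered at logon
    PWSTR           pszDomain;       // domain the account belongs to
    PWSTR           pszPassword;     // plaintext password
    PWSTR           pszOldPassword;  // previous password (password change)
} WLX_MPR_NOTIFY_INFO, *PWLX_MPR_NOTIFY_INFO;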

These DLLs are not easy to implement. A bad GINA will prevent NT from booting.
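
One way the secondary check described in this answer could compare the card's identity with the account the GINA reported, as an added example that is not part of the original thread or of Microsoft's GINA sample. The structure is redeclared locally with wchar_t* in place of PWSTR so it builds without the Windows SDK, and card_matches_logon, scrub_passwords and the sample values are hypothetical.

```c
#include <wchar.h>
#include <wctype.h>

/* Local mirror of the structure quoted above; wchar_t* stands in for PWSTR
   so this builds without the Windows SDK (assumption for this example). */
typedef struct {
    wchar_t *pszUserName;
    wchar_t *pszDomain;
    wchar_t *pszPassword;
    wchar_t *pszOldPassword;
} MPR_NOTIFY_INFO;

/* NT account and domain names compare case-insensitively. */
static int same_name(const wchar_t *a, const wchar_t *b)
{
    if (a == NULL || b == NULL)
        return 0;                       /* missing field: fail closed */
    for (; *a && *b; a++, b++)
        if (towlower((wint_t)*a) != towlower((wint_t)*b))
            return 0;
    return *a == *b;                    /* both must end together */
}

/* Hypothetical check: 1 only if the identity read from the card names the
   same account that the GINA reported for this logon. */
int card_matches_logon(const MPR_NOTIFY_INFO *info,
                       const wchar_t *card_user, const wchar_t *card_domain)
{
    return info != NULL &&
           same_name(info->pszUserName, card_user) &&
           same_name(info->pszDomain, card_domain);
}

/* Overwrite a secret in place; the volatile pointer keeps the compiler
   from dropping the stores as dead writes. */
static void wipe(wchar_t *s)
{
    volatile wchar_t *p = s;
    while (p != NULL && *p != L'\0')
        *p++ = L'\0';
}

/* Clear both password fields of a copy that the card-check code owns. */
void scrub_passwords(MPR_NOTIFY_INFO *info)
{
    if (info == NULL) return;
    wipe(info->pszPassword);
    wipe(info->pszOldPassword);
}
```

Call scrub_passwords only on a private copy of the structure, since the buffers handed over by the GINA belong to Winlogon.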

Kalle 2 (Author) commented:
Thanks for your help.
I realize that this will be a hard one to accomplish.
Except for the sample code provided by MS, do you know
any other information sources with sample code on this

Best regards, Anders