kerberos login

christiana

Hello,

I'm working on a Kerberos project involving Windows 2000
user login using Kerberos. The Windows 2000 Kerberos
Authentication white paper has been a good resource, but
unfortunately it doesn't answer some of my concerns, as I
might need to replace the GINA in Windows 2000 in order
to achieve what I want.

I need to know: when authentication fails because the KDC
returns KDC_ERR_PREAUTH_REQUIRED or KDC_ERR_KEY_EXPIRED,
upon capturing the error, how does the KDC tell the GINA about
the failure? Will the GINA be able to know the exact cause of
the error from the SSP (KDC_ERR_PREAUTH_REQUIRED or
KDC_ERR_KEY_EXPIRED), or will the SSP hide the actual error code
from the GINA? If it doesn't tell the GINA the actual error code,
how does the GINA know that it's supposed to prompt the user for
a new password in the case of KDC_ERR_KEY_EXPIRED?
Which program is responsible for logging the Kerberos error to
the Event Viewer?

Thank you,
christiana
 
Guest

Hi,

I found a little light in my search, but haven't found a
complete answer yet:

When a user invokes the SAS sequence, winlogon will call the
GINA function WlxWkstaLockedSAS, which in turn will call
LsaLogonUser.
LsaLogonUser does the authentication. If the authentication
fails, it may return, for example, STATUS_LOGON_FAILURE (if
the username or password is wrong) or STATUS_ACCOUNT_RESTRICTION
(for example, if the username and password are correct but
the password has expired). In the latter case,
LsaLogonUser will set SubStatus to STATUS_PASSWORD_EXPIRED.
(By the way, I simplify the whole process to my own needs;
it should be more complicated than this.)

So I conclude (correct me if I'm wrong) that when the KDC
returns KDC_ERR_PREAUTH_REQUIRED, LsaLogonUser will simply
return STATUS_LOGON_FAILURE to the GINA, or
STATUS_ACCOUNT_RESTRICTION when the KDC returns
KDC_ERR_KEY_EXPIRED.

In the case of KDC_ERR_PREAUTH_REQUIRED, is there any way for
the GINA to know the exact error code, and not just
STATUS_LOGON_FAILURE?

In the case of STATUS_ACCOUNT_RESTRICTION because of an expired
password, who invokes the pop-up message telling the
user that the password has expired and that the user needs to
change it, and finally the message box asking the
user to enter a new password?
And which function is used to display the message box?

Thank you,
christiana
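As an added illustration (not code from this thread or from Windows), this C model shows what a GINA can and cannot decide from the Status/SubStatus pair the post describes; the KDC-to-NTSTATUS mapping is the post's own simplification, written out to make visible that the KDC error code is gone before anything reaches the GINA. The function and enum names are invented for the example; the NTSTATUS and KDC error values are the documented ones.

```c
/* Added illustration, not code from the thread: how a GINA can act on the
 * Status/SubStatus pair LsaLogonUser returns, and why the KDC error code is
 * not recoverable from it. NTSTATUS values are the documented Windows
 * constants; kdc_to_ntstatus() is the simplified mapping the post proposes. */
#include <stdint.h>
typedef int32_t NTSTATUS;                 /* LONG on Windows; no windows.h here */
#define NT_SUCCESS(s) ((s) >= 0)
#define STATUS_SUCCESS             ((NTSTATUS)0x00000000)
#define STATUS_LOGON_FAILURE       ((NTSTATUS)0xC000006D)
#define STATUS_ACCOUNT_RESTRICTION ((NTSTATUS)0xC000006E)
#define STATUS_PASSWORD_EXPIRED    ((NTSTATUS)0xC0000071)
#define KDC_ERR_KEY_EXPIRED      23       /* Kerberos codes, RFC 4120 7.5.9 */
#define KDC_ERR_PREAUTH_FAILED   24
#define KDC_ERR_PREAUTH_REQUIRED 25
enum gina_action {
    GINA_LOGON_OK,            /* hand the session on to winlogon */
    GINA_PROMPT_NEW_PASSWORD, /* password expired: collect a new one */
    GINA_SHOW_LOGON_FAILURE,  /* generic "user name or password incorrect" */
    GINA_SHOW_RESTRICTION     /* some other account restriction */
};

/* Decide the GINA's next step. SubStatus carries information only when
 * Status is STATUS_ACCOUNT_RESTRICTION; otherwise it must be ignored. */
enum gina_action gina_action_for(NTSTATUS status, NTSTATUS substatus)
{
    if (NT_SUCCESS(status))
        return GINA_LOGON_OK;
    if (status == STATUS_ACCOUNT_RESTRICTION)
        return substatus == STATUS_PASSWORD_EXPIRED ? GINA_PROMPT_NEW_PASSWORD
                                                    : GINA_SHOW_RESTRICTION;
    return GINA_SHOW_LOGON_FAILURE; /* no further detail reaches the GINA */
}

/* The post's proposed collapse of KDC errors into Status/SubStatus: only an
 * expired key keeps a distinguishing SubStatus, the rest share one status. */
void kdc_to_ntstatus(int kdc_err, NTSTATUS *status, NTSTATUS *substatus)
{
    int expired = (kdc_err == KDC_ERR_KEY_EXPIRED);
    *status    = expired ? STATUS_ACCOUNT_RESTRICTION : STATUS_LOGON_FAILURE;
    *substatus = expired ? STATUS_PASSWORD_EXPIRED    : STATUS_SUCCESS;
}
/* 1 if two KDC errors are indistinguishable by the time they reach the GINA. */
int kdc_errors_collide(int a, int b)
{
    NTSTATUS sa, ssa, sb, ssb;
    kdc_to_ntstatus(a, &sa, &ssa);
    kdc_to_ntstatus(b, &sb, &ssb);
    return sa == sb && ssa == ssb;
}
```

Under this model a GINA can only ever tell "expired password" apart from "everything else", so any message more specific than that has to come from a layer that still holds the Kerberos error.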
 
