Well, that’s just @#*!
One more suggestion. You have a custom directory and want Windows
users to be able to login using those credentials. The next
suggestion is to use a directory synchronizer. There are a few
products that replicate non-Windows accounts/passwords to Windows and
vice-versa. Microsoft bought one a few years ago and has renamed it
twice. It was called Forefront and I forget what its called now.
This is a “hot” server that keeps both sides up to date continuously,
but it can be run in batch mode if you prefer. You’d probably need to
write a provider for your server/app/os/whatever it is. I’d think it
would be much easier to do that than write a vlan driver. Now, it
*would* be much more fun to write the vlan driver…
On 12/11/10, David Mott wrote:
> Hi David, thanks for the reply. I experimented with LSA several months ago
> but it doesn’t really provide what the documents infer. I opened a support
> ticket with Microsoft and they indicated as much, said it was misleading and
> would be removed in future platform SDKs. It seems it only allows an
> application to enlist in the login process and get some information about
> logins but doesn’t really allow Windows to authenticate logins to 3rd party
> sources like we need. It also allows a vendor to create different types of
> logins such as retinal scanners, finger print scanners, etc but the users
> must still reside in the SAM or AD.
>
> Another challenge we have is nothing can be installed on the client machine
> and we can’t modify the RPC client app. The OS implements the various login
> and authentication protocols natively and has these ports already reserved.
> It expects them to work so we cannot just hijack the ports without screwing
> up the OS. Thats why I think a virtual lan is the way to go and piggy back
> on the existing NIC or require a dedicated NIC on the server. This way we
> can implement the (massive) domain trust and authentication protocols
> without interfering with the OS and the OS will assume it’s communicating
> with a separate NT domain. My difficulty is the lack of DDK expertise and
> finding out what exactly is needed to create a virtual LAN and getting IP
> fragments off the wire, etc. Virtual machine apps do something similar to
> provide NICs to VMs.
>
> Any direction is greatly appreciated,
> –
> David Mott
> –
>
>
> -----Original Message-----
> From: David Luxford
> To: “Windows System Software Devs Interest List”
> Date: Sat, 11 Dec 2010 05:55:06 -0500
> Subject: Re: [ntdev] Beginner Guidance
>
> In that case, it sounds like what you really want is for a user to be
> able to login to Windows using credentials from your proprietary
> server. In other words, you want Windows to be able to authenticate
> to you. That way you don’t have to rewrite Rpc or LDAP. What you
> want to write is called an LSA, a Local Security Authority.
>
> I had a similar issue at my previous company. They wanted SSO for
> users of a Tomcat webapp using CAS and a Windows client/server app.
> Writing an LSA certainly sounded interesting to me, but it turned out
> that in all cases they would have an AD server and did not really have
> two separate directories, so it was much easier, although less
> interesting, to add NTLM support to CAS and proxy credentials from the
> Windows client to CAS for Windows->Tomcat. Tomcat->Windows was easy
> because the Windows app authenticated to its own server anyway,
> maintaining a separate SID from that of the current Windows user. So
> all we had to do was have webapp get a ticket, provide it to our
> ActiveX control, then verify the ticket and lookup the username, and
> finally resolve that to a SID. Otherwise, I would have needed to
> proxy NTLM the other direction too.
>
> As a brief aside, you may ask, why NTLM and not Kerberos? Because
> NTLM doesn’t require policy changes, works out of the box everywhere,
> and needs no setup. It turns out to be used in many places because of
> that. Just be sure to use NTLM2 as it is more secure.
>
> An LSA is a user-mode DLL, so if you go this route you’ll want to post
> further questions elsewhere. Writing an LSA is a non-trivial
> undertaking: they are not real well documented and debugging will
> likely have some difficulties. I recommend disabling UAC to start, or
> better yet writing it on XP and then adding Vista+ support. LSA’s do
> more than just handling login/logout. I seem to recall that Windows
> 2000+ supports an LSA “light”, one that is intended for just such a
> thing as you’re doing since that is what most developers needed, but
> it has been a while and my mind could be inventing wishful fantasies.
>
> I hope this provides useful direction, or at least food for thought.
> Personally I would probably do this by making your app able to
> authenticate to Windows instead and then adding a tool for initial
> directory population. Things just work easier that way. But then I
> know only like 100 characters about your system. Have fun!
>
> David L-
>
> On 12/10/10, David Mott wrote:
>> Maxim, thanks for the reply, a few comments.
>>
>>> The best way of solving this is to go the way SQL Server went around 17
>> years ago, and introduce the “Integrated Windows Security” mode to your
>> product.
>>
>> This is what we presently have and it is the problem. Our users are not
>> Windows users and never will be homed as Windows users. As a work around
> we
>> must create a Windows user so RPC will authenticate them which is
>> undesirable. We’ve got it working with impersonation and so forth, our
>> solution for discovering the authenticated user is a little more simple,
>> using the authentication callback in RpcServerRegisterIfEx passes a
> unicode
>> string of the authenticated user in the Context parameter in the form of:
>> domain\login so we only need the text domain\login mapping.
>>
>>>Reimplementing LDAP and Kerberos just to solve such a task is a massive
>> overkill…
>>
>> Understood, fortunately I have an open ended commitment to get it done and
>>
> a
>> proper implementation opens a huge potential for our servers and market.
>> Getting the RPC to authenticate is the edge case, there’s a great deal
> more
>> we intend to accomplish with a functional solution. We already have LDAP,
>> Kerberos and CA servers in our main product which will need some tweaking
> to
>> support Microsoft’s extensions so it won’t be built entirely from the
> ground
>> up. We have several design constraints and must work within them. One is
>> the users cannot be AD users. From my understanding the way around this
> is
>> to create a system that acts as a trusted domain which Windows trusts to
>> authenticate against instead of AD. The protocols are well defined, I
> just
>> cannot begin implementing them without interfering with the OS which
> already
>> has the ports reserved for internal use. I believe a vlan is the way to
> go,
>> just don’t have the expertise or know what portions of the DDK to
> research.
>> It will no doubt be a massive project and take a good number of man years
> to
>> achieve and probably create a few jobs, but I’ve got the approval to do
> it,
>> just don’t know where to begin research on working with TCP/IP at it’s
> lower
>> levels without interfering with the OS.
>>
>> Any help is appreciated, thanks in advance.
>> –
>>
>> David Mott
>> –
>>
>>
>>
>>
>> Disclaimer: This transmission (including any attachments) may contain
>> confidential information, privileged material (including material
> protected
>> by the solicitor-client or other applicable privileges), or constitute
>> non-public information. Any use of this information by anyone other than
>> the intended recipient is prohibited. If you have received this
>> transmission in error, please immediately reply to the sender and delete
>> this information from your system. Use, dissemination, distribution, or
>> reproduction of this transmission by unintended recipients is not
> authorized
>> and may be unlawful.
>> —
>> NTDEV is sponsored by OSR
>>
>> For our schedule of WDF, WDM, debugging and other seminars visit:
>> http://www.osr.com/seminars
>>
>> To unsubscribe, visit the List Server section of OSR Online at
>> http://www.osronline.com/page.cfm?name=ListServer
>
> –
> Sent from my mobile device
>
> —
> NTDEV is sponsored by OSR
>
> For our schedule of WDF, WDM, debugging and other seminars visit:
> http://www.osr.com/seminars
>
> To unsubscribe, visit the List Server section of OSR Online at
> http://www.osronline.com/page.cfm?name=ListServer
>
>
> Disclaimer: This transmission (including any attachments) may contain
> confidential information, privileged material (including material protected
> by the solicitor-client or other applicable privileges), or constitute
> non-public information. Any use of this information by anyone other than
> the intended recipient is prohibited. If you have received this
> transmission in error, please immediately reply to the sender and delete
> this information from your system. Use, dissemination, distribution, or
> reproduction of this transmission by unintended recipients is not authorized
> and may be unlawful.
> —
> NTDEV is sponsored by OSR
>
> For our schedule of WDF, WDM, debugging and other seminars visit:
> http://www.osr.com/seminars
>
> To unsubscribe, visit the List Server section of OSR Online at
> http://www.osronline.com/page.cfm?name=ListServer
–
Sent from my mobile device
Buying some COTS product isn’t cool.