Trapping Ctrl-Alt-Del

What you really want is an authentication provider SSP. Security Account
Manager (SAM) is one; Active Directory (AD) is another - both provided by
Microsoft - but they are not the exhaustive list. Of course this will be a
big project and it may seem easier to simply use what you have already.

wrote in message news:xxxxx@ntdev…

Alex, I can give you one reason why fast switching will not work. Customers
do not use Active Directory and integrated Windows authentication to manage
their users. They use LDAP or a database server against which we authenticate.
Probably there are other reasons that I am not aware of.

Anyway, I see trapping SAS seems to be a religious topic and I see no point in
continuing the discussion.

Have you researched the credential provider extensions that replace
GINA functionality in Vista and later releases and determined that
they cannot meet your requirements?

Mark Roddy

On Mon, Sep 19, 2011 at 4:33 AM, wrote:
> Hi.
>
> I am developing an application for kiosk-like computers. When the user presses the Ctrl-Alt-Del combination we want to trap this event and show our custom application dialog that will block the desktop and allow another user to enter the system without logging out of the Windows session. Previously it was done using GINA, but since Vista this does not work, so we need to do this via a keyboard filter driver. I am completely new to driver development, please help me :)
>
> 1) The first problem: I do not have much information about how Windows itself detects the Ctrl-Alt-Del combination. In KbFilter_ServiceCallback of kbfiltr I have key scan codes. But it looks like Windows uses virtual keys instead, so if I try to filter based on scan codes this may work incorrectly if there is some sort of remapping (for instance RAlt -> AltGr). Am I correct in this assumption? If yes, then is it possible to translate a scan code to a virtual key in a filter driver?
>
> Also I don’t know whether Windows maintains some sort of state machine driven by keyboard events to detect the Ctrl and Alt status when the Del key make comes in, or whether it asks the keyboard driver to read the status from the keyboard?
>
> 2) I need to send commands to the driver from a service to turn the trapping on/off. The kbfiltr sample creates a raw PDO for each device, so if there are two keyboards connected there will be two PDOs. I can send a command to any of them to change the driver’s global state (a global variable that stores the on/off state). But probably it is better to create just one control object as the toaster filter sample does. What do you think?
>
> 3) How can I get a handle to the process that sends the DeviceIoControl so that if the controlling user application crashes I could automatically disable the trapping?
>
> —
> NTDEV is sponsored by OSR
>
> For our schedule of WDF, WDM, debugging and other seminars visit:
> http://www.osr.com/seminars
>
> To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer
>
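The detection the original poster asks about in (1), as an added example that is not code from this thread or from the WDK kbfiltr sample: a small state machine that a filter's service callback could run over the KEYBOARD_INPUT_DATA records it receives. The struct and the KEY_* flag values are redefined here to mirror ntddkbd.h so the example builds as ordinary user-mode C; the scan codes are set 1 values (0x1D Ctrl, 0x38 Alt, 0x53 Del, with the KEY_E0 prefix distinguishing right Ctrl, right Alt/AltGr and the navigation-cluster Del). The sample input is constructed. The caveat the poster raises stands: this works purely on raw make/break codes and never sees keyboard-layout remapping; to my knowledge Windows evaluates the combination in win32k after the scan code has gone through the layout, which a filter driver below the class driver cannot replicate.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Layout of KEYBOARD_INPUT_DATA and the KEY_* flags as declared in ntddkbd.h,
 * redefined here (assumption) so the example builds without the WDK. */
typedef struct {
    uint16_t UnitId;
    uint16_t MakeCode;          /* scan code set 1 make code */
    uint16_t Flags;             /* KEY_MAKE/KEY_BREAK plus KEY_E0/KEY_E1 prefix bits */
    uint16_t Reserved;
    uint32_t ExtraInformation;
} KEYBOARD_INPUT_DATA;

#define KEY_MAKE  0
#define KEY_BREAK 1
#define KEY_E0    2
#define KEY_E1    4

#define SC_CTRL 0x1D            /* LCtrl; with KEY_E0 it is RCtrl */
#define SC_ALT  0x38            /* LAlt; with KEY_E0 it is RAlt (AltGr on many layouts) */
#define SC_DEL  0x53            /* keypad Del; with KEY_E0 it is the nav-cluster Del */

typedef struct {
    bool enabled;               /* the on/off state the poster's service would toggle */
    bool ctrl[2], alt[2];       /* [0] left, [1] right (E0-prefixed) */
    bool del_down;              /* lets us tell a typematic repeat from a new press */
    bool swallow_del_break;     /* drop the break that matches a swallowed make */
    unsigned sas_count;
} SAS_STATE;

void SasInit(SAS_STATE *s, bool enabled)
{
    *s = (SAS_STATE){ .enabled = enabled };
}

/* Feed one record. Returns true when the record must be swallowed (not forwarded
 * to the class driver) because it completes, repeats or releases a trapped SAS. */
bool SasProcess(SAS_STATE *s, const KEYBOARD_INPUT_DATA *kd)
{
    const bool down = (kd->Flags & KEY_BREAK) == 0;
    const int side = (kd->Flags & KEY_E0) ? 1 : 0;

    if (kd->Flags & KEY_E1)     /* E1 prefix is only used by Pause; never part of SAS */
        return false;

    switch (kd->MakeCode) {
    case SC_CTRL:
        s->ctrl[side] = down;
        return false;
    case SC_ALT:
        s->alt[side] = down;
        return false;
    case SC_DEL: {
        const bool modifiers = (s->ctrl[0] || s->ctrl[1]) && (s->alt[0] || s->alt[1]);
        if (down) {
            const bool repeat = s->del_down;
            s->del_down = true;
            if (repeat)                         /* key held: keep swallowing if we trapped it */
                return s->swallow_del_break;
            if (s->enabled && modifiers) {
                s->sas_count++;
                s->swallow_del_break = true;
                return true;
            }
            return false;
        }
        s->del_down = false;
        if (s->swallow_del_break) {
            s->swallow_del_break = false;
            return true;
        }
        return false;
    }
    default:
        return false;
    }
}

/* What the service callback would do with a batch: compact the array in place,
 * dropping swallowed records, and return the count to hand to the class driver. */
size_t SasFilterBatch(SAS_STATE *s, KEYBOARD_INPUT_DATA *data, size_t count)
{
    size_t kept = 0;
    for (size_t i = 0; i < count; i++)
        if (!SasProcess(s, &data[i]))
            data[kept++] = data[i];
    return kept;
}

/* Constructed input: LCtrl, RAlt, nav Del pressed and released, then a bare Del. */
static const KEYBOARD_INPUT_DATA kSample[] = {
    { 0, SC_CTRL, KEY_MAKE,           0, 0 },
    { 0, SC_ALT,  KEY_MAKE | KEY_E0,  0, 0 },
    { 0, SC_DEL,  KEY_MAKE | KEY_E0,  0, 0 },   /* completes SAS: swallowed */
    { 0, SC_DEL,  KEY_BREAK | KEY_E0, 0, 0 },   /* matching break: swallowed */
    { 0, SC_ALT,  KEY_BREAK | KEY_E0, 0, 0 },
    { 0, SC_CTRL, KEY_BREAK,          0, 0 },
    { 0, SC_DEL,  KEY_MAKE | KEY_E0,  0, 0 },   /* no modifiers: forwarded */
    { 0, SC_DEL,  KEY_BREAK | KEY_E0, 0, 0 },
};
#define SAMPLE_COUNT (sizeof kSample / sizeof kSample[0])

typedef struct { unsigned sas; size_t forwarded; } SAS_DEMO_RESULT;

/* Runs the constructed sample through the filter with trapping on or off. */
SAS_DEMO_RESULT SasDemo(bool enabled)
{
    KEYBOARD_INPUT_DATA buf[SAMPLE_COUNT];
    SAS_STATE st;
    for (size_t i = 0; i < SAMPLE_COUNT; i++) buf[i] = kSample[i];
    SasInit(&st, enabled);
    SAS_DEMO_RESULT r;
    r.forwarded = SasFilterBatch(&st, buf, SAMPLE_COUNT);
    r.sas = st.sas_count;
    return r;
}

int main(void)
{
    SAS_DEMO_RESULT on = SasDemo(true), off = SasDemo(false);
    printf("trap on:  %u SAS, %zu of %zu records forwarded\n", on.sas, on.forwarded, (size_t)SAMPLE_COUNT);
    printf("trap off: %u SAS, %zu of %zu records forwarded\n", off.sas, off.forwarded, (size_t)SAMPLE_COUNT);
    return 0;
}
```

In the real kbfiltr callback the same compaction would be applied to the InputDataStart..InputDataEnd range before calling the upper class driver's service callback, with the consumed count adjusted to match. Swallowing the matching Del break and the typematic repeats keeps the class driver from seeing an unbalanced break or a burst of SAS events while the key is held; the Ctrl and Alt records themselves are forwarded, so the rest of the system's modifier state stays consistent.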

> What you really want is an authentication provider SSP.

Sorry, do you mean LSA auth packages?


Maxim S. Shatskih
Windows DDK MVP
xxxxx@storagecraft.com
http://www.storagecraft.com

Yeah, I had an idea of implementing a Credential Provider that would authenticate against LDAP etc. but log the user into the same session. But this idea was dropped by others in the team because the Credential Provider model is too restrictive and would require significant rewriting of existing code. So I personally would prefer a CP to a kernel driver.

Well I think you are going to find that the GINA/CP split is
fundamental and you are going to have to implement a credential
provider for vista and later platforms.

Mark Roddy

On Fri, Sep 23, 2011 at 3:09 AM, wrote:
> Yeah, I had an idea of implementing a Credential Provider that would authenticate against LDAP etc. but log the user into the same session. But this idea was dropped by others in the team because the Credential Provider model is too restrictive and would require significant rewriting of existing code. So I personally would prefer a CP to a kernel driver.

> Yeah, I had an idea of implementing a Credential Provider that will authenticate against LDAP etc.

This provider is already here, called Kerberos, and is included in w2k+.

You need LDAP. Then why not run MS’s implementation of LDAP, called Active Directory? You want free software? Then surely there are AD DC (LDAP + MS’s proprietarized Kerberos) implementations for Linux, just look at the Samba project.


Maxim S. Shatskih
Windows DDK MVP
xxxxx@storagecraft.com
http://www.storagecraft.com

Maxim, LDAP etc. means LDAP, database, … - whatever the customer uses to manage their users. :) And note we are not a consulting firm that comes to a client and says: why do you use this, say, Oracle Directory Services when there is such a nice Active Directory integrated into Windows, you just need to buy a couple of Windows Server licenses. We just have to integrate with what customers already have. :)

> is such a nice Active Directory integrated into Windows, you just need to buy a couple of Windows Server licenses.

Let’s discuss this task in more detail, since obviously your real task is much more complex than trapping the SAS sequence using kbfiltr :)

Do you know LSA authentication packages? these ones, supported from NT3 up: http://msdn.microsoft.com/en-us/library/Aa374733.

What these DLLs do:

on input - the credentials in some form; there can be a variety of forms, but the simplest one (and the one used by the auth UI) is the cleartext password.
on output - the SID of the user, and the collection of SIDs of the global groups the user belongs to.
also some IOCTL-style interface to control the DLL.
also the DLL has access to LSA’s credentials cache.

So, probably you need at least such a DLL. Do you already have one?

Then, after you have such a DLL, you can go on with keyboard filter driver.

Then you have the task of transferring the Ctrl-Alt-Del caught by your filter to some process with access to the UI. Since in Vista+ services cannot have such access, you will need code running in the current logon session - any shell extension will suit.

Then this code catches the SAS event, switches to some newly created desktop, shows the dialog box (DP API can be used) and gets the password. Then it uses LsaLogonUser with explicit specification of your auth package. Then it calls CreateProcessAsUser on the old desktop.

Task done.


Maxim S. Shatskih
Windows DDK MVP
xxxxx@storagecraft.com
http://www.storagecraft.com

> Maxim, LDAP etc. means LDAP , database,… - whatever customer use to manage there users. :slight_smile:

BTW - you can deregister the Windows Kerberos package (used for AD domain logons) and use your own under the name of Kerberos.

Then you will not need the UI stuff - the standard Switch User UI will log on against some Oracle stuff or such.

You will use the standard Windows sessions, just replacing the documented auth package DLL with your own - Kerberos/AD one with your database one.

The good point is that you control these kiosk systems (you just have the requirement of some UI apps to be always running), this is not a commodity product which should work on any PC.

Also, if Oracle provides some user database solution, then probably they provide the auth package DLL for it too? Am I wrong?


Maxim S. Shatskih
Windows DDK MVP
xxxxx@storagecraft.com
http://www.storagecraft.com

> We want to implement something like lightweight sessions on top of single windows session

Can the combination of DPAPI for password UI+LogonUser+CreateProcessAsUser help?

This will be the same as the “Run As” Windows feature, just coded by you and thus customizable (using Oracle stuff for auth or such).

Please define: either

a) you can hide these must-be background apps from the new user’s view
or
b) you cannot.

You have only told us that you cannot terminate them and you cannot customize them. But what about hiding them temporarily from the screen?

If a), use Switch User (with probably a custom auth package DLL)
If b), re-implement “Run As” (again with probable use of custom auth package).


Maxim S. Shatskih
Windows DDK MVP
xxxxx@storagecraft.com
http://www.storagecraft.com