Portable Systems Group
MSV1_0 SubAuthentication DLL Design Note
Revision 1.3, March 7, 1996

1. INTRODUCTION
2. INTERFACE TO A SUBAUTHENTICATION DLL
3. REGISTERING A SUBAUTHENTICATION DLL
4. REQUESTING A SUBAUTHENTICATION DLL

1. Introduction

This document describes the purpose of and the interface to a SubAuthentication DLL for the MSV1_0 authentication package. The MSV1_0 authentication package is the standard LSA authentication package for Windows NT. It provides or supports:

    Authentication of users in the SAM database.
    Pass-Thru authentication of users in trusted domains.

Windows NT allows SubAuthentication DLLs to be used in conjunction with the MSV1_0 authentication package. A SubAuthentication DLL allows the authentication and validation criteria stored in SAM to be replaced for particular subsystems that use the MSV1_0 authentication package. For instance, a particular server might supply a SubAuthentication DLL that validates a user's password with a different algorithm, uses a different granularity of logon hours, and/or specifies workstation restrictions in a different format. All of this can be accomplished with SubAuthentication DLLs without giving up the SAM database (and its administration tools) or pass-thru authentication.

2. Interface to a SubAuthentication DLL

There are two interfaces that a SubAuthentication DLL may support.

The first is Msv1_0SubAuthenticationRoutine, which is called for SubAuthentication packages other than package zero. These SubAuthentication DLLs are called after the correct Domain Controller has been located and the user to be authenticated has been looked up in the SAM database. No attributes of the user will be validated by the MSV1_0 authentication package; that is the responsibility of the SubAuthentication DLL.
The SubAuthentication DLL must contain a procedure named Msv1_0SubAuthenticationRoutine with the following interface:

    NTSTATUS NTAPI
    Msv1_0SubAuthenticationRoutine(
        IN NETLOGON_LOGON_INFO_CLASS LogonLevel,
        IN PVOID LogonInformation,
        IN ULONG Flags,
        IN PUSER_ALL_INFORMATION UserAll,
        OUT PULONG WhichFields,
        OUT PULONG UserFlags,
        OUT PBOOLEAN Authoritative,
        OUT PLARGE_INTEGER LogoffTime,
        OUT PLARGE_INTEGER KickoffTime
        );

The second SubAuthentication interface is Msv1_0SubAuthenticationFilter, which is only called for SubAuthentication DLL zero. In this case, after the MSV1_0 authentication package has validated a logon (including network, interactive, service, and batch logons) it will call the filter routine to do additional validation. The filter routine may return success, indicating that the logon should proceed, or failure, indicating that the additional validation failed. In addition, the filter routine may modify the UserParameters field in the USER_ALL_INFORMATION structure and set the USER_ALL_PARAMETERS flag in the WhichFields parameter to indicate that the change should be written to the user object.

    NTSTATUS NTAPI
    Msv1_0SubAuthenticationFilter(
        IN NETLOGON_LOGON_INFO_CLASS LogonLevel,
        IN PVOID LogonInformation,
        IN ULONG Flags,
        IN PUSER_ALL_INFORMATION UserAll,
        OUT PULONG WhichFields,
        OUT PULONG UserFlags,
        OUT PBOOLEAN Authoritative,
        OUT PLARGE_INTEGER LogoffTime,
        OUT PLARGE_INTEGER KickoffTime
        );

3. Registering a SubAuthentication DLL

Each SubAuthentication DLL is assigned a DLL number in the range 0 through 255. The DLL number is used to associate the subsystem calling LsaLogonUser with the appropriate SubAuthentication DLL.

DLL number 0 is reserved to indicate that the SubAuthentication Filter is to be used. It allows the package to do additional password or logon validation on top of what MSV1_0 normally provides.

DLL numbers 1 through 127 are reserved for Microsoft. DLL numbers 128 through 255 are available to ISVs.
ISVs can be assigned a DLL number by Microsoft by sending email to subauth@microsoft.com. Registering your subauthentication package with Microsoft prevents collisions of package IDs when multiple subauthentication packages are installed on a system. Microsoft will not assign the value 255 to any subauthentication DLL. If you are developing a subauthentication DLL for use only within your company or facility, you can use the subauthentication ID number 255; in this case it is not necessary to register your subauthentication package with Microsoft.

Once the ISV has picked a DLL number, the DLL can be registered under the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0. If the key doesn't exist, the ISV's installation procedure should create it. Under that key, the ISV should create a value named AuthN, where N is the DLL number (e.g., Auth128). The value should be a REG_SZ and specify the name of the DLL, which must be in the default DLL load path. For instance:

    Auth128=SubAuth

The MSV1_0 authentication package will load the named DLL the first time that SubAuthentication DLL is requested.

4. Requesting a SubAuthentication DLL

A subsystem can request a particular SubAuthentication DLL when calling LsaLogonUser. The subsystem calls the MSV1_0 authentication package (as described in the LSAAUTH.HLP file in the Windows NT DDK), passing in the MSV1_0_LM20_LOGON structure.

    typedef struct _MSV1_0_LM20_LOGON {
        MSV1_0_LOGON_SUBMIT_TYPE MessageType;
        UNICODE_STRING LogonDomainName;
        UNICODE_STRING UserName;
        UNICODE_STRING Workstation;
        UCHAR ChallengeToClient[MSV1_0_CHALLENGE_LENGTH];
        STRING CaseSensitiveChallengeResponse;
        STRING CaseInsensitiveChallengeResponse;
        ULONG ParameterControl;
    } MSV1_0_LM20_LOGON, * PMSV1_0_LM20_LOGON;

The MessageType field must be set to MsV1_0NetworkLogon (interactive logons may not be authenticated by a SubAuthentication DLL).
The LogonDomainName field should be set to the name of the domain containing the SAM database to be used for authentication. The MSV1_0 authentication package and the Netlogon Service will pass thru the authentication request to that domain, and the SubAuthentication DLL will be called on a domain controller in that domain.

The UserName field must specify the name of a user in the SAM database of that domain.

The Workstation, ChallengeToClient, CaseSensitiveChallengeResponse, and CaseInsensitiveChallengeResponse fields may be set to any SubAuthentication DLL specific values. They are ignored by the MSV1_0 authentication package.

The ParameterControl field should be set as follows: set the various control flags as appropriate, and set the most significant byte of ParameterControl to the DLL number of the SubAuthentication DLL to use.

    #define MSV1_0_CLEARTEXT_PASSWORD_ALLOWED    0x02
    #define MSV1_0_UPDATE_LOGON_STATISTICS       0x04
    #define MSV1_0_RETURN_USER_PARAMETERS        0x08
    #define MSV1_0_DONT_TRY_GUEST_ACCOUNT        0x10

    //
    // The high order byte is a value indicating the SubAuthentication DLL.
    // Zero indicates no SubAuthentication DLL.
    //
    #define MSV1_0_SUBAUTHENTICATION_DLL         0xFF000000
    #define MSV1_0_SUBAUTHENTICATION_DLL_SHIFT   24
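As an added example that is not part of the design note, the following C helpers build and decode the ParameterControl value described in section 4 and derive the AuthN registry value name and DLL-number class from the allocation rules in section 3. The function names are the example's own; it uses only the constants quoted above, so it compiles without the Windows NT DDK headers.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Flag values and DLL-number mask as given in the design note (section 4). */
#define MSV1_0_CLEARTEXT_PASSWORD_ALLOWED  0x02
#define MSV1_0_UPDATE_LOGON_STATISTICS     0x04
#define MSV1_0_RETURN_USER_PARAMETERS      0x08
#define MSV1_0_DONT_TRY_GUEST_ACCOUNT      0x10
#define MSV1_0_SUBAUTHENTICATION_DLL       0xFF000000u
#define MSV1_0_SUBAUTHENTICATION_DLL_SHIFT 24

/* Build ParameterControl: low bits carry the control flags, the high byte the
 * DLL number. Returns 0 (and leaves *out untouched) when the DLL number is
 * outside 0..255 or the flags would spill into the DLL byte. */
int subauth_build_parameter_control(unsigned dll_number, uint32_t flags,
                                    uint32_t *out)
{
    if (dll_number > 255 || (flags & MSV1_0_SUBAUTHENTICATION_DLL) != 0)
        return 0;
    *out = flags | ((uint32_t)dll_number << MSV1_0_SUBAUTHENTICATION_DLL_SHIFT);
    return 1;
}

/* Recover the DLL number MSV1_0 will dispatch to from a ParameterControl. */
unsigned subauth_dll_number(uint32_t parameter_control)
{
    return (parameter_control & MSV1_0_SUBAUTHENTICATION_DLL)
           >> MSV1_0_SUBAUTHENTICATION_DLL_SHIFT;
}

/* Classify a DLL number by the rules in section 3: 0 selects the filter,
 * 1..127 are Microsoft's, 128..254 are assigned to ISVs, 255 is for in-house
 * DLLs that are never registered with Microsoft. */
const char *subauth_dll_class(unsigned dll_number)
{
    if (dll_number == 0)   return "filter";
    if (dll_number <= 127) return "microsoft";
    if (dll_number <= 254) return "isv";
    if (dll_number == 255) return "local";
    return "invalid";
}

/* Produce the AuthN value name to create under ...\Control\Lsa\MSV1_0.
 * Returns the name length, or -1 if the number is invalid or out is too small. */
int subauth_registry_value_name(unsigned dll_number, char *out, size_t out_len)
{
    if (dll_number > 255) return -1;
    int n = snprintf(out, out_len, "Auth%u", dll_number);
    return (n < 0 || (size_t)n >= out_len) ? -1 : n;
}
```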