sspi for NTLM or Kerberos-CFANZ编程社区

sspi for NTLM or Kerberos_ide sspi for NTLM or Kerberos_#include_02 代码

1 /*

2 You can get a locally valid logon session (a network logon session) by using SSPI.

3 Simply specify alternate credentials when you call AcquireCredentialsHandle,

4 and then after you follow the normal InitializeSecurityContext/AcceptSecurityContext

5 handshake, you'll end up with a logon session for the user,

6 without having to have the TCB privilege.

8 See the attached example...

10 Keith

11 */

13 // this version requires Windows 2000

14 #define _WIN32_WINNT 0x500

15 #define UNICODE

16 #include <windows.h>

17 #include <stdio.h>

18 #define SECURITY_WIN32

19 #include <security.h>

20 #pragma comment(lib, "secur32.lib")

22 // brain-dead error routine that dumps the last error and exits

23 void _err(const wchar_t* pszFcn, DWORD nErr = GetLastError())

24 {

26 wchar_t szErr[256];

27 if (FormatMessage(FORMAT_MESSAGE_FROM_SYSTEM, 0, nErr, 0,

28 szErr, sizeof szErr / sizeof *szErr, 0))

29 wprintf(L"%s failed: %s", pszFcn, szErr);

30 else wprintf(L"%s failed: 0x%08X", nErr);

31 exit(1);

32 }

34 // Upon success, returns a handle to a NETWORK logon session

35 // for the specified principal (it will *not* have network

36 // credentials). Call CloseHandle to dispose of it when

37 // you are finished.

38 HANDLE _logonUserWithSSPI(wchar_t* pszSSP,

39 DWORD grfDesiredAccessToToken,

40 wchar_t* pszAuthority,

41 wchar_t* pszPrincipal,

42 wchar_t* pszPassword) {

44 // the following code loads the SSPI interface DLL

45 // and initializes it, getting a table of function ptrs

46 HINSTANCE hdll = LoadLibrary(L"security.dll");

47 if (!hdll)

48 _err(L"LoadLibrary");

49 INIT_SECURITY_INTERFACE_W initSecurityInterface =

50 (INIT_SECURITY_INTERFACE_W)GetProcAddress(hdll,

51 SECURITY_ENTRYPOINT_ANSIW);

52 if (!initSecurityInterface)

53 _err(L"GetProcAddress");

54 PSecurityFunctionTable pSSPI = initSecurityInterface();

56 // here's where we specify the credentials to verify

57 SEC_WINNT_AUTH_IDENTITY_EX authIdent = {

58 SEC_WINNT_AUTH_IDENTITY_VERSION,

59 sizeof authIdent,

60 pszPrincipal, lstrlenW(pszPrincipal),

61 pszAuthority, lstrlenW(pszAuthority),

62 pszPassword, lstrlenW(pszPassword),

63 SEC_WINNT_AUTH_IDENTITY_UNICODE,

64 0, 0

65 };

67 // get an SSPI handle for these credentials

68 CredHandle hcredClient;

69 TimeStamp expiryClient;

70 SECURITY_STATUS err =

71 pSSPI->AcquireCredentialsHandle(0, pszSSP,

72 SECPKG_CRED_OUTBOUND,

73 0, &authIdent,

74 0, 0,

75 &hcredClient,

76 &expiryClient);

77 if (err)

78 _err(L"AcquireCredentialsHandle for client", err);

80 // use the caller's credentials for the server

81 CredHandle hcredServer;

82 TimeStamp expiryServer;

83 err = pSSPI->AcquireCredentialsHandle(0, pszSSP,

84 SECPKG_CRED_INBOUND,

85 0, 0, 0, 0,

86 &hcredServer,

87 &expiryServer);

88 if (err)

89 _err(L"AcquireCredentialsHandle for server", err);

91 CtxtHandle hctxClient;

92 CtxtHandle hctxServer;

94 // create two buffers:

95 // one for the client sending tokens to the server,

96 // one for the server sending tokens to the client

97 // (buffer size chosen based on current Kerb SSP setting

98 // for cbMaxToken - you may need to adjust this)

99 BYTE bufC2S[8000];

100 BYTE bufS2C[8000];

101 SecBuffer sbufC2S = { sizeof bufC2S, SECBUFFER_TOKEN, bufC2S };

102 SecBuffer sbufS2C = { sizeof bufS2C, SECBUFFER_TOKEN, bufS2C };

103 SecBufferDesc bdC2S = { SECBUFFER_VERSION, 1, &sbufC2S };

104 SecBufferDesc bdS2C = { SECBUFFER_VERSION, 1, &sbufS2C };

105

106 // don't really need any special context attributes

107 DWORD grfRequiredCtxAttrsClient = ISC_REQ_DATAGRAM;//ISC_REQ_DELEGATE

108 DWORD grfRequiredCtxAttrsServer = ASC_REQ_DATAGRAM;

109

110 // set up some aliases to make it obvious what's happening

111 PCtxtHandle pClientCtxHandleIn = 0;

112 PCtxtHandle pClientCtxHandleOut = &hctxClient;

113 PCtxtHandle pServerCtxHandleIn = 0;

114 PCtxtHandle pServerCtxHandleOut = &hctxServer;

115 SecBufferDesc* pClientInput = 0;

116 SecBufferDesc* pClientOutput = &bdC2S;

117 SecBufferDesc* pServerInput = &bdC2S;

118 SecBufferDesc* pServerOutput = &bdS2C;

119 DWORD grfCtxAttrsClient = 0;

120 DWORD grfCtxAttrsServer = 0;

121 TimeStamp expiryClientCtx;

122 TimeStamp expiryServerCtx;

123

124 // since the caller is acting as the server, we need

125 // a server principal name so that the client will

126 // be able to get a Kerb ticket (if Kerb is used)

127 wchar_t szSPN[256]={0};

128 ULONG cchSPN = sizeof szSPN / sizeof *szSPN;

129 GetUserNameEx(NameSamCompatible, szSPN, &cchSPN);

130

131 //sevice class / host: port / service instance

132

133 // wcscpy (szSPN, TEXT("192.168.1.11"));

134 // wcscpy (szSPN, TEXT("testwork-AD11.testwork.com"));

135 // wcscpy (szSPN, TEXT("192.168.1.11"));

136 // wcscpy (szSPN, TEXT("TESTWORK\\administrator"));

137 // wcscpy (szSPN, TEXT("..."));

138 printf("%ws\n",szSPN);

139 // perform the authentication handshake, playing the

140 // role of both client *and* server.

141 bool bClientContinue = true;

142 bool bServerContinue = true;

143 int count=1;

144 while (bClientContinue || bServerContinue) {

145

146 if (bClientContinue) {

147

148 sbufC2S.cbBuffer = sizeof bufC2S;

149 err = pSSPI->InitializeSecurityContext(

150 &hcredClient, pClientCtxHandleIn,

151 szSPN,

152 grfRequiredCtxAttrsClient,

153 0, SECURITY_NETWORK_DREP,

154 pClientInput, 0,

155 pClientCtxHandleOut,

156 pClientOutput,

157 &grfCtxAttrsClient,

158 &expiryClientCtx);

159 switch (err) {

160 case 0:

161 bClientContinue = false;

162 break;

163 case SEC_I_CONTINUE_NEEDED:

164 pClientCtxHandleIn = pClientCtxHandleOut;

165 pClientInput = pServerOutput;

166 break;

167 default:

168 printf("err=%x\n",err);

169 _err(L"InitializeSecurityContext", err);

170 }

171 }

172

173 if (bServerContinue) {

174 sbufS2C.cbBuffer = sizeof bufS2C;

175 err = pSSPI->AcceptSecurityContext(

176 &hcredServer, pServerCtxHandleIn,

177 pServerInput,

178 grfRequiredCtxAttrsServer,

179 SECURITY_NETWORK_DREP,

180 pServerCtxHandleOut,

181 pServerOutput,

182 &grfCtxAttrsServer,

183 &expiryServerCtx);

184 switch (err) {

185 case 0:

186 bServerContinue = false;

187 break;

188 case SEC_I_CONTINUE_NEEDED:

189 pServerCtxHandleIn = pServerCtxHandleOut;

190 break;

191 default:

192 _err(L"AcceptSecurityContext", err);

193 }

194 }

195 printf("%d bClientContinue %d bServerContinue %d\n",count++,bClientContinue,bServerContinue);

196 }

197 // if everything has gone smoothly, we've now got a logon

198 // session for the client - let's grab the token now

199 pSSPI->ImpersonateSecurityContext(pServerCtxHandleOut);

200 HANDLE htok;

201 if (!OpenThreadToken(GetCurrentThread(),

202 grfDesiredAccessToToken,

203 TRUE, &htok))

204 _err(L"OpenThreadToken");

205 pSSPI->RevertSecurityContext(pServerCtxHandleOut);

206

207 // clean up

208 pSSPI->FreeCredentialsHandle(&hcredClient);

209 pSSPI->FreeCredentialsHandle(&hcredServer);

210 pSSPI->DeleteSecurityContext(pServerCtxHandleOut);

211 pSSPI->DeleteSecurityContext(pClientCtxHandleOut);

212

213 return htok;

214 }

215

216 // here's an example of usage

217 void main() {

218 // use "NTLM" or "Kerberos"

219

220 //Kerbero需要在加入域或者有域环境下才能正确运行

221 HANDLE htok = _logonUserWithSSPI(L"Kerberos",

222 TOKEN_QUERY,

223 NULL,

224 L"administrator",

225 L"!QAZsx");

226 if (htok) {

227 // password is valid!

228 CloseHandle(htok);

229 }

230 }

231

232 sspi for NTLM or Kerberos_#include_03

sspi for NTLM or Kerberos_#define_04 sspi for NTLM or Kerberos_ide_05