Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

How to have LogonUser not use cached credentials?

i am using LogonUser to validate a user's set of domain credentials.

LogonUser(accountName, domain, password, 
      LOGON32_LOGON_NETWORK, LOGON32_PROVIDER_WINNT50, ref token);

With disturbing results:

 LogonType    Current Password                Old password
 ===========  ==============================  ========================
 Network      Succeeds                        Succeeds
 Batch        Fails (0x00000569)              Fails (invalid password)
 Interactive  Succeeds                        Fails (invalid password)

Failure codes:

  • 0x00000569: Logon failure: the user has not been granted the requested logon type at this computer
  • 0x0000052E: Logon failure: Unknown username or password

Details:

  • if the user enters valid credentials the function returns true. (good)
  • if the user enters invalid credentials the function returns false. (good)

  • if the user changes their password, and enters their new valid credentials the function returns true. (good)

  • if the user enters invalid credentials the function returns false. (good)

  • if the user enters their old credentials the function returns true. (bad)

Note: if the user moves to a different machine (one that they've never logged onto before), and enter old credentials, LogonUser continues to return true. This means that the caching is not happening on the local machine - but somehow "on the network".

  • if the user changes their password again, and enters their new new credentials, the function returns true. (good)
  • if the user enters their old credentials the function returns true. (bad)
  • if the user enters their old old credentials the function returns false. (good)

How, when calling LogonUser can i instruct it to instruct the domain to not use cached credentials.

Note: If the user tries to logon to Windows with their old (or old old) password, they get invalid password error.


From MSDN:

LOGON32_LOGON_NETWORK
This logon type is intended for high performance servers to authenticate plaintext passwords. The LogonUser function does not cache credentials for this logon type.

LOGON32_LOGON_INTERACTIVE
This logon type is intended for users who will be interactively using the computer, such as a user being logged on by a terminal server, remote shell, or similar process. This logon type has the additional expense of caching logon information for disconnected operations; therefore, it is inappropriate for some client/server applications, such as a mail server.

LOGON32_LOGON_BATCH This logon type is intended for batch servers, where processes may be executing on behalf of a user without their direct intervention. This type is also for higher performance servers that process many plaintext authentication attempts at a time, such as mail or web servers.

i am authenticating plain-text passwords, and so using LOGON32_LOGON_NETWORK. Interactive logon caches credentials, which is not permitted here. Batch, while undocumented about when it should be used, simply fails.


Update: The domain only allows:

  • the previous password (not any further back)
  • only for 60 minutes

It's plain to me that it's a "feature" of Active Directory that's giving a 1 hour grace period.

Except i don't want the grace period, and i don't want to change any settings on the domain (since i don't know any setting on the domain that would allow a one hour grace period of use of your old password).

like image 205
Ian Boyd Avatar asked Apr 30 '12 14:04

Ian Boyd


1 Answers

It's a feature of NTLM. You can change the default 60 min. by adding an OldPasswordAllowedPeriod DWORD value in minutes to HKLM\SYSTEM\CurrentControlSet\Control\Lsa key on the domain controller, or you can disable 'Enforce Password History' policy. You might also try using another logon provider like LOGON32_PROVIDER_WINNT50.

BTW if you're already providing a GUI, I see no disadvantage using LOGON32_LOGON_INTERACTIVE.

like image 135
Sertac Akyuz Avatar answered Sep 17 '22 15:09

Sertac Akyuz