I have the following question concerning smart card logon on a Windows station.
We are trying to implement logon to a Windows domain using a certificate which
we query from a smart card (or any other certificate store). The possible
client machines are Win2000, WinXP, WinVista.
As far as we understand now, we have to use a function named “LsaLogonUser()”
with the appropriate parameters. We have tried to use this function with the
following structures, which are defined in “ntsecapi.h”, and have had zero
success.
1. KERB_SMART_CARD_LOGON
2. KERB_CERTIFICATE_LOGON
3. KERB_SMARTCARD_CSP_INFO
The error code returned has always been “(0xC000000D) Invalid parameter was
passed to a service or function”.
So our questions are as follows:
1. Can this type of certificate logon be done at all?
2. How can we implement certificate logon programmatically using the LsaLogonUser
function? Is it possible that we are trying to use an absolutely incorrect
function?
3. Can we have a small sample or at least a clear set of instructions of how
to pack the KERB_CERTIFICATE_LOGON and KERB_SMARTCARD_CSP_INFO structures into an
LSA authentication message so LsaLogonUser would not throw the “Invalid
parameter” error code? The documentation provided with MSDN is incomplete and
we have failed to understand from it how to use those structures to pack an
authentication message to LsaLogonUser().
4. What is the exact format of the data in the “CspData” field in the
KERB_SMART_CARD_LOGON structure? What should be put where?
Thanks in advance for any help, which would be greatly appreciated.