using System;
using System.Collections.Generic;
using System.Runtime.InteropServices;
using Vanara.Extensions;
using Vanara.InteropServices;
using static Vanara.PInvoke.AdvApi32;
using FILETIME = System.Runtime.InteropServices.ComTypes.FILETIME;
namespace Vanara.PInvoke
{
/// Functions, enumerations and structures found in Secur32.dll.
public static partial class Secur32
{
/// Microsoft CredSSP Security Provider.
[PInvokeData("credssp.h")]
public const string CREDSSP_NAME = "CREDSSP";
/// The Kerberos authentication package name.
[PInvokeData("Ntsecapi.h")]
public const string MICROSOFT_KERBEROS_NAME = "Kerberos";
/// The MSV1_0 authentication package name.
[PInvokeData("Ntsecapi.h")]
public const string MSV1_0_PACKAGE_NAME = "MICROSOFT_AUTHENTICATION_PACKAGE_V1_0";
/// The Negotiate authentication package name.
[PInvokeData("Security.h")]
public const string NEGOSSP_NAME = "Negotiate";
/// The NTLM authentication package name.
[PInvokeData("Security.h")]
public const string NTLMSP_NAME = "NTLM";
/// TS Service Security Package
[PInvokeData("Ntsecapi.h")]
public const string PKU2U_PACKAGE_NAME = "pku2u";
/// TS Service Security Package
[PInvokeData("credssp.h")]
public const string TS_SSP_NAME = "TSSSP";
/// Digest Authentication for Windows.
[PInvokeData("wdigest.h")]
public const string WDIGEST_SP_NAME = "WDigest";
/// Kerberos encryption types.
[PInvokeData("Ntsecapi.h", MSDNShortId = "3b088c94-810b-44c7-887a-58e8dbd13603")]
public enum KERB_ETYPE
{
///
KERB_ETYPE_NULL = 0,
///
KERB_ETYPE_DES_CBC_CRC = 1,
///
KERB_ETYPE_DES_CBC_MD4 = 2,
///
KERB_ETYPE_DES_CBC_MD5 = 3,
///
KERB_ETYPE_AES128_CTS_HMAC_SHA1_96 = 17,
///
KERB_ETYPE_AES256_CTS_HMAC_SHA1_96 = 18,
///
KERB_ETYPE_RC4_MD4 = -128,
///
KERB_ETYPE_RC4_PLAIN2 = -129,
///
KERB_ETYPE_RC4_LM = -130,
///
KERB_ETYPE_RC4_SHA = -131,
///
KERB_ETYPE_DES_PLAIN = -132,
///
KERB_ETYPE_RC4_HMAC_OLD = -133,
///
KERB_ETYPE_RC4_PLAIN_OLD = -134,
///
KERB_ETYPE_RC4_HMAC_OLD_EXP = -135,
///
KERB_ETYPE_RC4_PLAIN_OLD_EXP = -136,
///
KERB_ETYPE_RC4_PLAIN = -140,
///
KERB_ETYPE_RC4_PLAIN_EXP = -141,
///
KERB_ETYPE_AES128_CTS_HMAC_SHA1_96_PLAIN = -148,
///
KERB_ETYPE_AES256_CTS_HMAC_SHA1_96_PLAIN = -149,
///
KERB_ETYPE_NTLM_HASH = -150,
///
KERB_ETYPE_DSA_SHA1_CMS = 9,
///
KERB_ETYPE_RSA_MD5_CMS = 10,
///
KERB_ETYPE_RSA_SHA1_CMS = 11,
///
KERB_ETYPE_RC2_CBC_ENV = 12,
///
KERB_ETYPE_RSA_ENV = 13,
///
KERB_ETYPE_RSA_ES_OEAP_ENV = 14,
///
KERB_ETYPE_DES_EDE3_CBC_ENV = 15,
///
KERB_ETYPE_DSA_SIGN = 8,
///
KERB_ETYPE_RSA_PRIV = 9,
///
KERB_ETYPE_RSA_PUB = 10,
///
KERB_ETYPE_RSA_PUB_MD5 = 11,
///
KERB_ETYPE_RSA_PUB_SHA1 = 12,
///
KERB_ETYPE_PKCS7_PUB = 13,
///
KERB_ETYPE_DES3_CBC_MD5 = 5,
///
KERB_ETYPE_DES3_CBC_SHA1 = 7,
///
KERB_ETYPE_DES3_CBC_SHA1_KD = 16,
///
KERB_ETYPE_DES_CBC_MD5_NT = 20,
///
KERB_ETYPE_RC4_HMAC_NT = 23,
///
KERB_ETYPE_RC4_HMAC_NT_EXP = 24
}
/// The KERB_LOGON_SUBMIT_TYPE enumeration identifies the type of logon being requested.
// https://docs.microsoft.com/en-us/windows/desktop/api/ntsecapi/ne-ntsecapi-kerb_logon_submit_type
// typedef enum _KERB_LOGON_SUBMIT_TYPE { KerbInteractiveLogon, KerbSmartCardLogon, KerbWorkstationUnlockLogon, KerbSmartCardUnlockLogon, KerbProxyLogon, KerbTicketLogon, KerbTicketUnlockLogon, KerbS4ULogon, KerbCertificateLogon, KerbCertificateS4ULogon, KerbCertificateUnlockLogon, KerbNoElevationLogon, KerbLuidLogon } KERB_LOGON_SUBMIT_TYPE, *PKERB_LOGON_SUBMIT_TYPE;
[PInvokeData("ntsecapi.h", MSDNShortId = "500bee53-638b-4782-b42d-1df158396fb6")]
public enum KERB_LOGON_SUBMIT_TYPE
{
/// Perform an interactive logon.
KerbInteractiveLogon = 2,
/// Logon using a smart card.
KerbSmartCardLogon = 6,
/// Unlock a workstation.
KerbWorkstationUnlockLogon,
/// Unlock a workstation using a smart card.
KerbSmartCardUnlockLogon,
/// Logon using a proxy server.
KerbProxyLogon,
/// Logon using a valid Kerberos ticket as a credential.
KerbTicketLogon,
/// Unlock a workstation by using a Kerberos ticket.
KerbTicketUnlockLogon,
/// Perform a service for user logon.
KerbS4ULogon,
/// Logon interactively using a certificate stored on a smart card.
KerbCertificateLogon,
/// Perform a service for user logon using a certificate stored on a smart card.
KerbCertificateS4ULogon,
/// Unlock a workstation using a certificate stored on a smart card.
KerbCertificateUnlockLogon,
///
KerbNoElevationLogon = 83,
///
KerbLuidLogon,
}
///
///
/// The KERB_PROTOCOL_MESSAGE_TYPE enumeration lists the types of messages that can be sent to the Kerberos authentication
/// package by calling the LsaCallAuthenticationPackage function.
///
/// Each message corresponds to a dispatch routine and causes the Kerberos authentication package to perform a different task.
///
// https://docs.microsoft.com/en-us/windows/desktop/api/ntsecapi/ne-ntsecapi-_kerb_protocol_message_type typedef enum
// _KERB_PROTOCOL_MESSAGE_TYPE { KerbDebugRequestMessage, KerbQueryTicketCacheMessage, KerbChangeMachinePasswordMessage,
// KerbVerifyPacMessage, KerbRetrieveTicketMessage, KerbUpdateAddressesMessage, KerbPurgeTicketCacheMessage,
// KerbChangePasswordMessage, KerbRetrieveEncodedTicketMessage, KerbDecryptDataMessage, KerbAddBindingCacheEntryMessage,
// KerbSetPasswordMessage, KerbSetPasswordExMessage, KerbAddExtraCredentialsMessage, KerbQueryTicketCacheExMessage,
// KerbPurgeTicketCacheExMessage, KerbRefreshSmartcardCredentialsMessage, KerbQuerySupplementalCredentialsMessage,
// KerbTransferCredentialsMessage, KerbQueryTicketCacheEx2Message, KerbSubmitTicketMessage, KerbAddExtraCredentialsExMessage,
// KerbQueryKdcProxyCacheMessage, KerbPurgeKdcProxyCacheMessage, KerbQueryTicketCacheEx3Message,
// KerbCleanupMachinePkinitCredsMessage, KerbAddBindingCacheEntryExMessage, KerbQueryBindingCacheMessage,
// KerbPurgeBindingCacheMessage, KerbPinKdcMessage, KerbUnpinAllKdcsMessage, KerbQueryDomainExtendedPoliciesMessage,
// KerbQueryS4U2ProxyCacheMessage } KERB_PROTOCOL_MESSAGE_TYPE, *PKERB_PROTOCOL_MESSAGE_TYPE;
[PInvokeData("ntsecapi.h", MSDNShortId = "8ad183d2-3fe8-4f52-bfa4-16f2a711f0c3")]
public enum KERB_PROTOCOL_MESSAGE_TYPE
{
/// Reserved.
KerbDebugRequestMessage,
/// This dispatch routine returns information about all of the cached tickets for the specified user logon session.
KerbQueryTicketCacheMessage,
/// This constant is reserved.
KerbChangeMachinePasswordMessage,
/// This constant is reserved.
KerbVerifyPacMessage,
///
/// This dispatch routine retrieves the ticket-granting ticket from the ticket cache of the specified user logon session.
///
KerbRetrieveTicketMessage,
/// This constant is reserved.
KerbUpdateAddressesMessage,
///
/// This dispatch routine allows selected tickets to be removed from the user logon session's ticket cache. It can also remove
/// all cached tickets.
///
KerbPurgeTicketCacheMessage,
///
/// This message causes the use of Kerberos Password Change Protocol to change the user's password in a Windows domain or
/// configured non-Windows Kerberos realm that supports this service. The caller must know the current password to change the
/// password for an account. When changing the password of an account in a non-Windows Kerberos realm, the local computer's
/// registry is consulted to locate the Kerberos password service for the requested domain name.
///
KerbChangePasswordMessage,
///
/// This message retrieves the specified ticket, either from the cache, if it is already there, or by requesting it from the
/// Kerberos key distribution center (KDC).
///
KerbRetrieveEncodedTicketMessage,
/// This constant is reserved.
KerbDecryptDataMessage,
/// This constant is reserved.
KerbAddBindingCacheEntryMessage,
///
/// This message uses a modified Kerberos Password Change Protocol to change the user's password in the domain or configured
/// non-Windows Kerberos realm that supports this service. The caller must have permission to set the password for the target
/// account. The caller does not need to know the current password for the account. When changing the password for an account in
/// a non-Windows Kerberos realm, the local computer registry is used to locate the Kerberos password service for the requested
/// domain name.
///
KerbSetPasswordMessage,
/// This message extends KerbSetPasswordMessage by specifying the client name and realm.
KerbSetPasswordExMessage,
///
/// This message is to add, remove, or replace an extra credential. The SeTcbPrivilege is required to alter another logon
/// account's credentials.
///
KerbVerifyCredentialsMessage,
/// This message extends KerbQueryTicketCacheMessage by specifying the client name and realm.
KerbQueryTicketCacheExMessage,
/// This message extends KerbPurgeTicketCacheMessage by specifying the client name and realm.
KerbPurgeTicketCacheExMessage,
/// This message is a request to refresh the smart card credentials.
KerbRefreshSmartcardCredentialsMessage,
///
KerbAddExtraCredentialsMessage,
/// This constant is reserved.
KerbQuerySupplementalCredentialsMessage,
///
/// The dispatch routine transfers credentials from one LUID to another LUID. The SeTcbPrivilege is required. Windows Server 2003
/// and Windows XP: This constant is not supported.
///
KerbTransferCredentialsMessage,
///
KerbQueryTicketCacheEx2Message,
///
/// The dispatch routine gets the tickets from the KDC and updates the ticket cache. The SeTcbPrivilege is required to access
/// another logon account's ticket cache. Windows Server 2003 and Windows XP: This constant is not supported.
///
KerbSubmitTicketMessage,
///
KerbAddExtraCredentialsExMessage,
///
/// This message returned information about the KDC proxy cached tickets. Windows Server 2008, Windows Vista, Windows Server 2003
/// and Windows XP: This constant is not supported.
///
KerbQueryKdcProxyCacheMessage,
///
KerbPurgeKdcProxyCacheMessage,
///
/// The dispatch routine queries the Kerberos ticket cache for the specified logon session. The number of tickets information is
/// returned in addition to the other information returned when using the KerbQueryTicketCacheEx2Message message type. The
/// SeTcbPrivilege is required. Windows Server 2008, Windows Vista, Windows Server 2003 and Windows XP: This constant is not supported.
///
KerbQueryTicketCacheEx3Message,
///
KerbCleanupMachinePkinitCredsMessage,
///
/// This message is for adding a binding cache entry. The SeTcbPrivilege is required. Windows Server 2008, Windows Vista, Windows
/// Server 2003 and Windows XP: This constant is not supported.
///
KerbAddBindingCacheEntryExMessage,
///
KerbQueryBindingCacheMessage,
///
/// This message is to clean up entries in the binding cache. Windows Server 2008, Windows Vista, Windows Server 2003 and Windows
/// XP: This constant is not supported.
///
KerbPurgeBindingCacheMessage,
///
KerbPinKdcMessage,
///
KerbUnpinAllKdcsMessage,
///
KerbQueryDomainExtendedPoliciesMessage,
///
/// This message queries the proxy cache for the information about a service for user (S4U) logon. Windows Server 2008, Windows
/// Vista, Windows Server 2003 and Windows XP: This constant is not supported.
///
KerbQueryS4U2ProxyCacheMessage,
}
/// Ticket flags, as defined in Internet RFC 4120. This parameter can be one or more of the following values.
[PInvokeData("ntsecapi.h", MSDNShortId = "742e2795-ec74-4856-a680-7a1c233a2934")]
[Flags]
public enum KERB_TICKET_FLAGS : uint
{
///
/// The ticket-granting server can issue a new ticket-granting ticket with a different network address, based on the presented ticket.
///
KERB_TICKET_FLAGS_forwardable = 0x40000000,
///
/// The ticket has either been forwarded or was issued based on authentication that involved a forwarded ticket-granting ticket.
///
KERB_TICKET_FLAGS_forwarded = 0x20000000,
///
/// The protocol employed for initial authentication required the use of hardware expected to be possessed solely by the named
/// client. The hardware authentication method is selected by the KDC, and the strength of the method is not indicated.
///
KERB_TICKET_FLAGS_hw_authent = 0x00100000,
///
/// The ticket was issued by using the Authentication Service protocol instead of being based on a ticket-granting ticket.
///
KERB_TICKET_FLAGS_initial = 0x00400000,
/// The ticket is not valid.
KERB_TICKET_FLAGS_invalid = 0x01000000,
///
/// Indicates to the ticket-granting server that a postdated ticket can be issued based on this ticket-granting ticket.
///
KERB_TICKET_FLAGS_may_postdate = 0x04000000,
///
/// The target of the ticket is trusted by the directory service for delegation. Thus, the clients may delegate their
/// credentials to the server, which lets the server act as the client when talking to other services.
///
KERB_TICKET_FLAGS_ok_as_delegate = 0x00040000,
///
/// The ticket has been postdated. The end service can check the ticket's authtime member to determine when the original
/// authentication occurred.
///
KERB_TICKET_FLAGS_postdated = 0x02000000,
///
/// During initial authentication, the client was authenticated by the KDC before a ticket was issued. The strength of the
/// preauthentication method is not indicated but is acceptable to the KDC.
///
KERB_TICKET_FLAGS_pre_authent = 0x00200000,
///
/// Indicates to the ticket-granting server that only nonticket-granting tickets can be issued with different network addresses.
///
KERB_TICKET_FLAGS_proxiable = 0x10000000,
/// The ticket is a proxy.
KERB_TICKET_FLAGS_proxy = 0x08000000,
///
/// The ticket is renewable. If this flag is set, the time limit for renewing the ticket is set in the RenewTime member of a
/// KERB_TICKET_CACHE_INFO structure. A renewable ticket can be used to obtain a replacement ticket that expires at a later date.
///
KERB_TICKET_FLAGS_renewable = 0x00800000,
/// Reserved for future use. Do not set this flag.
KERB_TICKET_FLAGS_reserved = 0x80000000,
/// Reserved.
KERB_TICKET_FLAGS_reserved1 = 0x00000001,
}
/// Kerberos name type.
[PInvokeData("ntsecapi.h", MSDNShortId = "8ed37546-6443-4010-a078-4359dd1c2861")]
public enum KRB_NT : short
{
/// Unknown name type.
KRB_NT_UNKNOWN = 0,
/// Name of the user or a Kerberos name type principal in the case of a DCE.
KRB_NT_PRINCIPAL = 1,
/// Name of the principal and its SID.
KRB_NT_PRINCIPAL_AND_ID = -131,
/// Service name and other unique name as instance (krbtgt).
KRB_NT_SRV_INST = 2,
/// SPN and SID
KRB_NT_SRV_INST_AND_ID = -132,
/// Service name with host name as instance (telnet, rcommands).
KRB_NT_SRV_HST = 3,
/// Service name with host as instance other than krbtgt, telnet, or rcommands.
KRB_NT_SRV_XHST = 4,
/// Unique ID.
KRB_NT_UID = 5,
/// User principal name (UPN) or service principal name (SPN).
KRB_NT_ENTERPRISE_PRINCIPAL = 10,
/// Well-known principal names
KRB_NT_WELLKNOWN = 11,
/// UPN and security identifier (SID).
KRB_NT_ENT_PRINCIPAL_AND_ID = -130,
/// Windows NT 4.0–style name.
KRB_NT_MS_PRINCIPAL = -128,
/// Windows NT 4.0–style name with SID.
KRB_NT_MS_PRINCIPAL_AND_ID = -129,
/// Branch ID
KRB_NT_MS_BRANCH_ID = -133,
}
/// The user flags for the logon session.
[PInvokeData("ntsecapi.h", MSDNShortId = "284ddb9a-fd08-4f38-b1d0-242596c114a8")]
[Flags]
public enum LogonUserFlags : uint
{
/// The logon is an optimized logon session.
LOGON_OPTIMIZED = 0x4000,
/// The logon was created for Winlogon.
LOGON_WINLOGON = 0x8000,
/// The Kerberos PKINIT extension was used to authenticate the user in this logon session.
LOGON_PKINIT = 0x10000,
/// Optimized logon has been disabled for this account.
LOGON_NOT_OPTIMIZED = 0x20000,
}
///
/// The MSV1_0_LOGON_SUBMIT_TYPE enumeration indicates the kind of logon being requested.
///
// https://docs.microsoft.com/en-us/windows/desktop/api/ntsecapi/ne-ntsecapi-_msv1_0_logon_submit_type typedef enum
// _MSV1_0_LOGON_SUBMIT_TYPE { MsV1_0InteractiveLogon, MsV1_0Lm20Logon, MsV1_0NetworkLogon, MsV1_0SubAuthLogon,
// MsV1_0WorkstationUnlockLogon, MsV1_0S4ULogon, MsV1_0VirtualLogon, MsV1_0NoElevationLogon, MsV1_0LuidLogon }
// MSV1_0_LOGON_SUBMIT_TYPE, *PMSV1_0_LOGON_SUBMIT_TYPE;
[PInvokeData("ntsecapi.h", MSDNShortId = "03bf43f0-44f4-40c6-8d5d-381f36ebdd0e")]
public enum MSV1_0_LOGON_SUBMIT_TYPE
{
///
/// Requests an interactive user logon. This dispatch routine handles NTLM interactive logons initiated by LsaLogonUser or LogonUser.
///
MsV1_0InteractiveLogon = 2,
///
/// Requests the second half of an NTLM 2.0 protocol logon. The first half of this type of logon is performed by calling
/// LsaCallAuthenticationPackage with the MsV1_0Lm20ChallengeRequest message. For more information see, MSV1_0_PROTOCOL_MESSAGE_TYPE.
///
MsV1_0Lm20Logon,
///
/// Requests a network logon. The only difference between this dispatch routine and MsV1_0Lm20Logon is that MsV1_0NetworkLogon
/// uses a ParameterControl member.
///
MsV1_0NetworkLogon,
///
/// Requests the second half of an NTLM 2.0 protocol logon using a subauthentication package. When MSV1_0 initializes itself, it
/// checks a registry key to determine whether it should load a subauthentication package. For more information about
/// subauthentication packages used with MSV1_0, see the subauthentication sample included in the Platform SDK.
///
MsV1_0SubAuthLogon,
/// Requests a logon unlock of a workstation. Note Windows Server 2003Windows XPThis constant is not supported.
MsV1_0WorkstationUnlockLogon,
///
/// Requests a service for user (S4U) logon. Note Windows Server 2003 with SP2Windows VistaWindows Server 2003Windows XPThis
/// constant is not supported.
///
MsV1_0S4ULogon = 12,
///
/// Requests a logon from a remote session. Note Windows Server 2003 with SP2Windows VistaWindows Server 2003Windows XPThis
/// constant is not supported.
///
MsV1_0VirtualLogon = 82,
///
MsV1_0NoElevationLogon = 83,
///
MsV1_0LuidLogon = 84,
}
///
/// The POLICY_AUDIT_EVENT_TYPE enumeration defines values that indicate the types of events the system can audit. The
/// LsaQueryInformationPolicy and LsaSetInformationPolicy functions use this enumeration when their InformationClass parameters are
/// set to PolicyAuditEventsInformation.
///
///
/// The POLICY_AUDIT_EVENT_TYPE enumeration may expand in future versions of Windows. Because of this, you should not compute
/// the number of values in this enumeration directly. Instead, you should obtain the count of values by calling
/// LsaQueryInformationPolicy with the InformationClass parameter set to PolicyAuditEventsInformation and extract the count from the
/// MaximumAuditEventCount member of the returned POLICY_AUDIT_EVENTS_INFO structure.
///
// https://docs.microsoft.com/en-us/windows/desktop/api/ntsecapi/ne-ntsecapi-policy_audit_event_type typedef enum
// _POLICY_AUDIT_EVENT_TYPE { AuditCategorySystem, AuditCategoryLogon, AuditCategoryObjectAccess, AuditCategoryPrivilegeUse,
// AuditCategoryDetailedTracking, AuditCategoryPolicyChange, AuditCategoryAccountManagement, AuditCategoryDirectoryServiceAccess,
// AuditCategoryAccountLogon } POLICY_AUDIT_EVENT_TYPE, *PPOLICY_AUDIT_EVENT_TYPE;
[PInvokeData("ntsecapi.h", MSDNShortId = "e8dbd1d5-37d5-4a97-9d1c-c645871dc7a5")]
public enum POLICY_AUDIT_EVENT_TYPE
{
/// Determines whether the operating system must audit any of the following attempts:
AuditCategorySystem = 0,
///
/// Determines whether the operating system must audit each time this computer validates the credentials of an account. Account
/// logon events are generated whenever a computer validates the credentials of one of its local accounts. The credential
/// validation can be in support of a local logon or, in the case of an Active Directory domain account on a domain controller,
/// can be in support of a logon to another computer. Audited events for local accounts must be logged on the local security log
/// of the computer. Account logoff does not generate an event that can be audited.
///
AuditCategoryLogon,
///
/// Determines whether the operating system must audit each instance of user attempts to access a non-Active Directory object,
/// such as a file, that has its own system access control list (SACL) specified. The type of access request, such as Write,
/// Read, or Modify, and the account that is making the request must match the settings in the SACL.
///
AuditCategoryObjectAccess,
/// Determines whether the operating system must audit each instance of user attempts to use privileges.
AuditCategoryPrivilegeUse,
///
/// Determines whether the operating system must audit specific events, such as program activation, some forms of handle
/// duplication, indirect access to an object, and process exit.
///
AuditCategoryDetailedTracking,
///
/// Determines whether the operating system must audit attempts to change Policy object rules, such as user rights assignment
/// policy, audit policy, account policy, or trust policy.
///
AuditCategoryPolicyChange,
///
/// Determines whether the operating system must audit attempts to create, delete, or change user or group accounts. Also, audit
/// password changes.
///
AuditCategoryAccountManagement,
///
/// Determines whether the operating system must audit attempts to access the directory service. The Active Directory object has
/// its own SACL specified. The type of access request, such as Write, Read, or Modify, and the account that is making the
/// request must match the settings in the SACL.
///
AuditCategoryDirectoryServiceAccess,
///
/// Determines whether the operating system must audit each instance of a user attempt to log on or log off this computer. Also
/// audits logon attempts by privileged accounts that log on to the domain controller. These audit events are generated when the
/// Kerberos Key Distribution Center (KDC) logs on to the domain controller. Logoff attempts are generated whenever the logon
/// session of a logged-on user account is terminated.
///
AuditCategoryAccountLogon,
}
///
/// The POLICY_NOTIFICATION_INFORMATION_CLASS enumeration defines the types of policy information and policy domain
/// information for which your application can request notification of changes.
///
// https://docs.microsoft.com/en-us/windows/desktop/api/ntsecapi/ne-ntsecapi-policy_notification_information_class typedef enum
// _POLICY_NOTIFICATION_INFORMATION_CLASS { PolicyNotifyAuditEventsInformation, PolicyNotifyAccountDomainInformation,
// PolicyNotifyServerRoleInformation, PolicyNotifyDnsDomainInformation, PolicyNotifyDomainEfsInformation,
// PolicyNotifyDomainKerberosTicketInformation, PolicyNotifyMachineAccountPasswordInformation, PolicyNotifyGlobalSaclInformation,
// PolicyNotifyMax } POLICY_NOTIFICATION_INFORMATION_CLASS, *PPOLICY_NOTIFICATION_INFORMATION_CLASS;
[PInvokeData("ntsecapi.h", MSDNShortId = "cf8eea7a-d3b0-4c3a-b05b-3027024ab025")]
public enum POLICY_NOTIFICATION_INFORMATION_CLASS
{
/// Notify when any of the audited categories are changed.
PolicyNotifyAuditEventsInformation = 1,
/// Notify when the account domain information changes.
PolicyNotifyAccountDomainInformation,
/// Notify when the LSA server changes its role from primary to backup, or vice versa.
PolicyNotifyServerRoleInformation,
/// Notify when the DNS domain information changes or if the primary domain information changes.
PolicyNotifyDnsDomainInformation,
/// Notify when the Encrypting File System (EFS) domain information changes.
PolicyNotifyDomainEfsInformation,
/// Notify when the Kerberos ticket for the domain changes.
PolicyNotifyDomainKerberosTicketInformation,
/// Notify when the machine account password changes.
PolicyNotifyMachineAccountPasswordInformation,
///
PolicyNotifyGlobalSaclInformation,
}
/// The SECURITY_LOGON_TYPE enumeration indicates the type of logon requested by a logon process.
// https://docs.microsoft.com/en-us/windows/desktop/api/ntsecapi/ne-ntsecapi-_security_logon_type typedef enum _SECURITY_LOGON_TYPE {
// UndefinedLogonType, Interactive, Network, Batch, Service, Proxy, Unlock, NetworkCleartext, NewCredentials, RemoteInteractive,
// CachedInteractive, CachedRemoteInteractive, CachedUnlock } SECURITY_LOGON_TYPE, *PSECURITY_LOGON_TYPE;
[PInvokeData("ntsecapi.h", MSDNShortId = "d775d782-9403-47b2-bb43-8f677db49eb9")]
public enum SECURITY_LOGON_TYPE
{
/// The undefined logon type
UndefinedLogonType = 0,
/// The security principal is logging on interactively.
Interactive = 2,
/// The security principal is logging using a network.
Network,
/// The logon is for a batch process.
Batch,
/// The logon is for a service account.
Service,
/// Not supported.
Proxy,
/// The logon is an attempt to unlock a workstation.
Unlock,
/// The logon is a network logon with plaintext credentials.
NetworkCleartext,
///
/// Allows the caller to clone its current token and specify new credentials for outbound connections. The new logon session has
/// the same local identity but uses different credentials for other network connections.
///
NewCredentials,
/// A terminal server session that is both remote and interactive.
RemoteInteractive,
/// Attempt to use the cached credentials without going out across the network.
CachedInteractive,
/// Same as RemoteInteractive, except used internally for auditing purposes.
CachedRemoteInteractive,
/// The logon is an attempt to unlock a workstation.
CachedUnlock,
}
///
///
/// The LsaCallAuthenticationPackage function is used by a logon application to communicate with an authentication package.
///
/// This function is typically used to access services provided by the authentication package.
///
/// A handle obtained from a previous call to LsaRegisterLogonProcess or LsaConnectUntrusted.
///
/// Supplies the identifier of the authentication package. This value is obtained by calling LsaLookupAuthenticationPackage.
///
///
/// An authentication package–specific message buffer passed to the authentication package.
/// For information about the format and content of this buffer, see the documentation for the individual authentication package.
///
/// Indicates the length, in bytes, of the ProtocolSubmitBuffer buffer.
///
/// A pointer that receives the address of the buffer returned by the authentication package.
/// For information about the format and content of this buffer, see the documentation for the individual authentication package.
///
/// This buffer is allocated by this function. When you have finished using this buffer, free the memory by calling the
/// LsaFreeReturnBuffer function.
///
///
/// A pointer to a ULONG that receives the length of the returned buffer, in bytes.
///
/// If the function succeeds, this parameter receives a pointer to an NTSTATUS code that indicates the completion status of
/// the authentication package.
///
///
///
/// If the function succeeds, the return value is STATUS_SUCCESS. Check the ProtocolStatus parameter to obtain the status returned by
/// the authentication package.
///
/// If the function fails, the return value is an NTSTATUS code. The following are possible error codes.
///
///
/// Return code
/// Description
///
/// -
/// STATUS_QUOTA_EXCEEDED
/// The call could not be completed because the client's memory quota is not sufficient to allocate the return buffer.
///
/// -
/// STATUS_NO_SUCH_PACKAGE
/// The specified authentication package is not recognized by the LSA.
///
/// -
/// STATUS_PKINIT_FAILURE
///
/// The Kerberos client received a KDC certificate that is not valid. For device logon, strict KDC validation is required, so the KDC
/// must have certificates that use the "Kerberos Authentication" template or equivalent. Also the KDC certificate could be expired,
/// revoked, or the client is under active attack of sending requests to the wrong server.
///
///
/// -
/// STATUS_PKINIT_CLIENT_FAILURE
///
/// The Kerberos client is using a system certificate that is not valid. For device logon, there must be a DNS name. Also, the system
/// certificate could be expired or the wrong one could be selected.
///
///
///
/// For more information, see LSA Policy Function Return Values.
/// The LsaNtStatusToWinError function converts an NTSTATUS code to a Windows error code.
///
///
///
/// Logon applications can call LsaCallAuthenticationPackage to communicate with an authentication package. There are several
/// reasons why an application may do this:
///
///
/// -
/// To implement multiple-message authentication protocols, such as the NTLM Challenge-Response protocol.
///
/// -
///
/// To pass state change information to the authentication package. For example, the NTLM might notify the MSV1_0 package that a
/// previously unreachable domain controller is now reachable. The authentication package would then re-logon any users logged on to
/// that domain controller.
///
///
///
///
/// Typically, this function is used to exchange information with a custom authentication package. This function is not needed by an
/// application that is using one of the authentication packages supplied with Windows, such as MSV1_0 or Kerberos.
///
///
/// You must call LsaCallAuthenticationPackage to clean up PKINIT device credentials for LOCAL_SYSTEM and NETWORK_SERVICE.
/// When there is no PKINIT device credential, a successful call does no operation. When there is a PKINIT device credential, a
/// successful call cleans up the PKINIT device credential so that only the password credential remains.
///
///
// https://docs.microsoft.com/en-us/windows/desktop/api/ntsecapi/nf-ntsecapi-lsacallauthenticationpackage NTSTATUS
// LsaCallAuthenticationPackage( HANDLE LsaHandle, ULONG AuthenticationPackage, PVOID ProtocolSubmitBuffer, ULONG SubmitBufferLength,
// PVOID *ProtocolReturnBuffer, PULONG ReturnBufferLength, PNTSTATUS ProtocolStatus );
[DllImport(Lib.Secur32, SetLastError = false, ExactSpelling = true)]
[PInvokeData("ntsecapi.h", MSDNShortId = "b891fa60-28b3-4819-9a92-e4524677fa4f")]
public static extern NTStatus LsaCallAuthenticationPackage(LsaConnectionHandle LsaHandle, uint AuthenticationPackage, [In] IntPtr ProtocolSubmitBuffer, uint SubmitBufferLength, out SafeLsaReturnBufferHandle ProtocolReturnBuffer,
out uint ReturnBufferLength, out NTStatus ProtocolStatus);
///
/// The LsaConnectUntrusted function establishes an untrusted connection to the LSA server.
///
///
/// Pointer to a handle that receives the connection handle, which must be provided in future authentication services.
///
///
/// If the function succeeds, the return value is STATUS_SUCCESS.
/// If the function fails, the return value is an NTSTATUS code. For more information, see LSA Policy Function Return Values.
/// The LsaNtStatusToWinError function converts an NTSTATUS code to a Windows error code.
///
///
///
/// LsaConnectUntrusted returns a handle to an untrusted connection; it does not verify any information about the caller. The
/// handle should be closed using the LsaDeregisterLogonProcess function.
///
///
/// If your application simply needs to query information from authentication packages, you can use the handle returned by this
/// function in calls to LsaCallAuthenticationPackage and LsaLookupAuthenticationPackage.
///
/// Applications with the SeTcbPrivilege privilege may create a trusted connection by calling LsaRegisterLogonProcess.
///
// https://docs.microsoft.com/en-us/windows/desktop/api/ntsecapi/nf-ntsecapi-lsaconnectuntrusted NTSTATUS LsaConnectUntrusted(
// PHANDLE LsaHandle );
[DllImport(Lib.Secur32, SetLastError = false, ExactSpelling = true)]
[PInvokeData("ntsecapi.h", MSDNShortId = "b54917c8-51cd-4891-9613-f37a4a46448b")]
public static extern NTStatus LsaConnectUntrusted(out SafeLsaConnectionHandle LsaHandle);
///
/// The LsaDeregisterLogonProcess function deletes the caller's logon application context and closes the connection to the LSA server.
///
/// Handle obtained from a LsaRegisterLogonProcess or LsaConnectUntrusted call.
///
/// If the function succeeds, the return value is STATUS_SUCCESS.
/// If the function fails, the return value is an NTSTATUS code. For more information, see LSA Policy Function Return Values.
/// The LsaNtStatusToWinError function converts an NTSTATUS code to a Windows error code.
///
[DllImport(Lib.Secur32, ExactSpelling = true)]
[PInvokeData("Ntsecapi.h", MSDNShortId = "aa378269")]
public static extern NTStatus LsaDeregisterLogonProcess(LsaConnectionHandle LsaHandle);
///
/// The LsaEnumerateLogonSessions function retrieves the set of existing logon session identifiers (LUIDs) and the number of sessions.
///
///
/// Pointer to a long integer that receives the number of elements returned in the array returned in LogonSessionList parameter.
///
///
/// Address of a pointer to a LUID. The pointer receives the first element of an array of logon session identifiers. The memory used
/// by the array is allocated by the LSA. When the array is no longer needed, call the LSAFreeReturnBuffer function to free it.
///
///
/// If the function succeeds, the return value is STATUS_SUCCESS.
/// If the function fails, the return value is an NTSTATUS code indicating the reason.
///
///
/// To retrieve information about the logon sessions returned by LsaEnumerateLogonSessions, call the LsaGetLogonSessionData function.
///
// https://docs.microsoft.com/en-us/windows/desktop/api/ntsecapi/nf-ntsecapi-lsaenumeratelogonsessions NTSTATUS
// LsaEnumerateLogonSessions( PULONG LogonSessionCount, PLUID *LogonSessionList );
[DllImport(Lib.Secur32, SetLastError = false, ExactSpelling = true)]
[PInvokeData("ntsecapi.h", MSDNShortId = "ddf3b9ec-dea7-4333-9ffe-142811048c83")]
public static extern NTStatus LsaEnumerateLogonSessions(out uint LogonSessionCount, out SafeLsaReturnBufferHandle LogonSessionList);
///
/// The LsaFreeReturnBuffer function frees the memory used by a buffer previously allocated by the LSA.
///
///
/// Pointer to the buffer to be freed.
///
///
/// If the function succeeds, the return value is STATUS_SUCCESS.
/// If the function fails, the return value is an NTSTATUS code. For more information, see LSA Policy Function Return Values.
/// The LsaNtStatusToWinError function converts an NTSTATUS code to a Windows error code.
///
///
///
/// Some of the LSA authentication functions allocate memory buffers to hold returned information, for example, LsaLogonUser and
/// LsaCallAuthenticationPackage. Your application should call LsaFreeReturnBuffer to free these buffers when they are no
/// longer needed.
///
///
// https://docs.microsoft.com/en-us/windows/desktop/api/ntsecapi/nf-ntsecapi-lsafreereturnbuffer _IRQL_requires_same_ NTSTATUS
// LsaFreeReturnBuffer( PVOID Buffer );
[DllImport(Lib.Secur32, SetLastError = false, ExactSpelling = true)]
[PInvokeData("ntsecapi.h", MSDNShortId = "e814ed68-07e7-4936-ba96-5411086f43f6")]
public static extern uint LsaFreeReturnBuffer(IntPtr Buffer);
///
/// The LsaGetLogonSessionData function retrieves information about a specified logon session.
/// To retrieve information about a logon session, the caller must be the owner of the session or a local system administrator.
///
///
/// Specifies a pointer to a LUID that identifies the logon session whose information will be retrieved. For information about
/// valid values for this parameter, see Remarks.
///
///
/// Address of a pointer to a SECURITY_LOGON_SESSION_DATA structure containing information on the logon session specified by LogonId.
/// This structure is allocated by the LSA. When the information is no longer needed, call the LSAFreeReturnBuffer function to free
/// the memory used by this structure.
///
///
/// If the function succeeds, the return value is STATUS_SUCCESS.
/// If the function fails, the return value is an NTSTATUS code indicating the reason.
///
///
///
/// To obtain valid logon session identifiers that may be passed to this function's LogonId parameter, call the
/// LsaEnumerateLogonSessions function.
///
///
/// If LogonID specifies the LocalSystem account (0x0:0x3e7), then this function returns zero for the logon session data retrieved in
/// ppLogonSessionData. The reason is that the LocalSystem account does not get logged on in the typical logon manner. Rather, the
/// LocalSystem account is active after the system starts.
///
///
// https://docs.microsoft.com/en-us/windows/desktop/api/ntsecapi/nf-ntsecapi-lsagetlogonsessiondata NTSTATUS LsaGetLogonSessionData(
// PLUID LogonId, PSECURITY_LOGON_SESSION_DATA *ppLogonSessionData );
[DllImport(Lib.Secur32, SetLastError = false, ExactSpelling = true)]
[PInvokeData("ntsecapi.h", MSDNShortId = "b1478a7a-f508-4b98-8c7b-adeb2f07bb86")]
public static extern NTStatus LsaGetLogonSessionData(in LUID LogonId, out SafeLsaReturnBufferHandle ppLogonSessionData);
///
/// The LsaLogonUser function authenticates a security principal's logon data by using stored credentials information.
/// If the authentication is successful, this function creates a new logon session and returns a user token.
///
/// When a new ticket granting ticket (TGT) is obtained by using new certificate credentials, then all of the system's TGTs and
/// service tickets are purged. Any user service tickets that are of a compound identity are also purged.
///
///
///
/// A handle obtained from a previous call to LsaRegisterLogonProcess.
/// The caller is required to have SeTcbPrivilege only if one or more of the following is true:
///
/// -
/// A Subauthentication package is used.
///
/// -
/// KERB_S4U_LOGON is used, and the caller requests an impersonation token.
///
/// -
/// The LocalGroups parameter is not NULL.
///
///
/// If
/// SeTcbPrivilege
/// is not required, call
/// LsaConnectUntrusted
/// to obtain the handle.
///
///
/// A string that identifies the origin of the logon attempt. For more information, see Remarks.
///
///
///
/// A value of the SECURITY_LOGON_TYPE enumeration that specifies the type of logon requested. If LogonType is Interactive or Batch,
/// a primary token is generated to represent the new user. If LogonType is Network, an impersonation token is generated.
///
///
///
/// An identifier of the authentication package to use for the authentication. You can obtain this value by calling LsaLookupAuthenticationPackage.
///
///
///
/// A pointer to an input buffer that contains authentication information, such as user name and password. The format and content of
/// this buffer are determined by the authentication package.
///
/// This parameter can be one of the following input buffer structures for the MSV1_0 and Kerberos authentication packages.
///
///
/// Value
/// Meaning
///
/// -
/// MSV1_0_INTERACTIVE_LOGON MSV1_0
///
/// Authenticating an interactive user logon. The LogonDomainName, UserName, and Password members of the MSV1_0_INTERACTIVE_LOGON
/// structure must point to buffers in memory that are contiguous to the structure itself. The value of the
/// AuthenticationInformationLength parameter must take into account the length of these buffers.
///
///
/// -
/// KERB_INTERACTIVE_LOGON Kerberos
/// Authenticating an interactive user logon.
///
/// -
/// KERB_TICKET_LOGON Kerberos
/// Authenticating a user on initial network logon or disconnect.
///
/// -
/// KERB_TICKET_UNLOCK_LOGON Kerberos
/// Authenticating a user on ticket refresh, a variation of the normal workstation unlock logon.
///
/// -
/// KERB_CERTIFICATE_LOGON Kerberos
/// Authenticating a user using an interactive smart card logon.
///
/// -
/// KERB_CERTIFICATE_S4U_LOGON Kerberos
/// Authenticating a user using a service for user (S4U) logon.
///
/// -
/// KERB_CERTIFICATE_UNLOCK_LOGON Kerberos
/// Authenticating a user to unlock a workstation that has been locked during an interactive smart card logon session.
///
/// -
/// KERB_SMARTCARD_LOGON Kerberos
/// Authenticating a user smart card logon using LOGON32_PROVIDER_WINNT50 or LOGON32_PROVIDER_DEFAULT.
///
/// -
/// KERB_SMARTCARD_UNLOCK_LOGON Kerberos
/// Authenticating a user to unlock a workstation that has been locked during a smart card logon session.
///
/// -
/// KERB_S4U_LOGON Kerberos
///
/// Authenticating a user using S4U client requests. For constrained delegation, a call to LsaLogonUser is not necessary if the
/// client logged on using an LSA-mode authentication package. On Windows operating systems, these include Kerberos, NTLM, Secure
/// Channel, and Digest. For this call to succeed, the following must be true: The ClientUpn and ClientRealm members of the
/// KERB_S4U_LOGON structure must point to buffers in memory that are contiguous to the structure itself. The value of the
/// AuthenticationInformationLength parameter must take into account the length of these buffers.
///
///
/// -
/// MSV1_0_LM20_LOGON MSV1_0
///
/// Processing the second half of an NTLM 2.0 protocol logon. The first half of this type of logon is performed by calling
/// LsaCallAuthenticationPackage with the MsV1_0Lm20ChallengeRequest message. For more information, see the description of
/// MsV1_0Lm20ChallengeRequest in MSV1_0_PROTOCOL_MESSAGE_TYPE. This type of logon can use a subauthentication package.
///
///
/// -
/// MSV1_0_SUBAUTH_LOGON MSV1_0
/// Authenticating a user with subauthentication.
///
///
///
/// For more information about the buffer used by other authentication packages, see the documentation for those authentication packages.
///
///
///
/// The length, in bytes, of the AuthenticationInformation buffer.
///
///
///
/// A list of additional group identifiers to add to the token of the authenticated user. These group identifiers will be added,
/// along with the default group WORLD and the logon type group (Interactive, Batch, or Network), which are automatically included in
/// every user token.
///
///
///
///
/// A TOKEN_SOURCE structure that identifies the source module—for example, the session manager—and the context that may be useful to
/// that module. This information is included in the user token and can be retrieved by calling GetTokenInformation.
///
///
///
///
/// A pointer to a void pointer that receives the address of an output buffer that contains authentication information, such as the
/// logon shell and home directory.
///
/// This parameter can be one of the following output buffer structures for the MSV1_0 and Kerberos authentication packages.
///
///
/// Value
/// Meaning
///
/// -
/// MSV1_0_INTERACTIVE_PROFILE MSV1_0
/// An interactive user's logon profile.
///
/// -
/// KERB_TICKET_PROFILE Kerberos
/// Logon, disconnect, and ticket refresh authentication output.
///
/// -
/// MSV1_0_LM20_LOGON MSV1_0
/// Output when processing the second half of a NTLM 2.0 protocol logon.
///
/// -
/// MSV1_0_LM20_LOGON_PROFILE MSV1_0
/// Output when using authentication with subauthentication.
///
///
///
/// For more information about the buffer used by other authentication packages, see the documentation for that authentication package.
///
///
/// When this buffer is no longer needed, the calling application must free this buffer by calling the LsaFreeReturnBuffer function.
///
///
///
/// A pointer to a ULONG that receives the length, in bytes, of the returned profile buffer.
///
///
///
/// A pointer to a buffer that receives an LUID that uniquely identifies the logon session. This LUID is assigned by the
/// domain controller that authenticated the logon information.
///
///
///
///
/// A pointer to a handle that receives the new user token created for this session. When you have finished using the token, release
/// it by calling the CloseHandle function.
///
///
///
///
/// When a primary token is returned, this parameter receives a QUOTA_LIMITS structure that contains the process quota limits
/// assigned to the newly logged on user's initial process.
///
///
///
///
/// If the logon failed due to account restrictions, this parameter receives information about why the logon failed. This value is
/// set only if the account information of the user is valid and the logon is rejected.
///
/// This parameter can be one of the following SubStatus values for the MSV1_0 authentication package.
///
///
/// Value
/// Meaning
///
/// -
/// STATUS_INVALID_LOGON_HOURS
/// The user account has time restrictions and cannot be used to log on at this time.
///
/// -
/// STATUS_INVALID_WORKSTATION
/// The user account has workstation restrictions and cannot be used to log on from the current workstation.
///
/// -
/// STATUS_PASSWORD_EXPIRED
/// The user-account password has expired.
///
/// -
/// STATUS_ACCOUNT_DISABLED
/// The user account is currently disabled and cannot be used to log on.
///
///
///
///
/// If the function succeeds, the function returns STATUS_SUCCESS.
/// If the function fails, it returns an NTSTATUS code, which can be one of the following values.
///
///
/// Value
/// Description
///
/// -
/// STATUS_QUOTA_EXCEEDED
/// The caller's memory quota is insufficient to allocate the output buffer returned by the authentication package.
///
/// -
/// STATUS_ACCOUNT_RESTRICTION
///
/// The user account and password are legitimate, but the user account has a restriction that prevents logon at this time. For more
/// information, see the value stored in the SubStatus parameter.
///
///
/// -
/// STATUS_BAD_VALIDATION_CLASS
/// The authentication information provided is not recognized by the authentication package.
///
/// -
/// STATUS_LOGON_FAILURE
///
/// The logon attempt failed. The reason for the failure is not specified, but typical reasons include misspelled user names and
/// misspelled passwords.
///
///
/// -
/// STATUS_NO_LOGON_SERVERS
/// No domain controllers are available to service the authentication request.
///
/// -
/// STATUS_NO_SUCH_PACKAGE
/// The specified authentication package is not recognized by the LSA.
///
/// -
/// STATUS_PKINIT_FAILURE
///
/// The Kerberos client received a KDC certificate that is not valid. For device logon, strict KDC validation is required, so the KDC
/// must have certificates that use the "Kerberos Authentication" template or equivalent. Also, the KDC certificate could be expired,
/// revoked, or the client is under active attack of sending requests to the wrong server.
///
///
/// -
/// STATUS_PKINIT_CLIENT_FAILURE
///
/// The Kerberos client is using a system certificate that is not valid. For device logon, there must be a DNS name. Also, the system
/// certificate could be expired or the wrong one could be selected.
///
///
///
/// For more information, see LSA Policy Function Return Values.
/// The LsaNtStatusToWinError function converts an NTSTATUS code to a Windows error code.
///
///
///
/// The OriginName parameter should specify meaningful information. For example, it might contain "TTY1" to indicate terminal one or
/// "NTLM - remote node JAZZ" to indicate a network logon that uses NTLM through a remote node called "JAZZ".
///
///
/// You must call LsaLogonUser separately to update PKINIT device credentials for LOCAL_SYSTEM and NETWORK_SERVICE. When there
/// is no PKINIT device credential, a successful call does no operation. When there is a PKINIT device credential, a successful call
/// cleans up the PKINIT device credential so that only the password credential remains.
///
///
// https://docs.microsoft.com/en-us/windows/desktop/api/ntsecapi/nf-ntsecapi-lsalogonuser NTSTATUS LsaLogonUser( HANDLE LsaHandle,
// PLSA_STRING OriginName, SECURITY_LOGON_TYPE LogonType, ULONG AuthenticationPackage, PVOID AuthenticationInformation, ULONG
// AuthenticationInformationLength, PTOKEN_GROUPS LocalGroups, PTOKEN_SOURCE SourceContext, PVOID *ProfileBuffer, PULONG
// ProfileBufferLength, PLUID LogonId, PHANDLE Token, PQUOTA_LIMITS Quotas, PNTSTATUS SubStatus );
[DllImport(Lib.Secur32, SetLastError = false, ExactSpelling = true)]
[PInvokeData("ntsecapi.h", MSDNShortId = "75968d53-5af2-4d77-9486-26403b73c954")]
public static extern NTStatus LsaLogonUser(LsaConnectionHandle LsaHandle, [In, MarshalAs(UnmanagedType.CustomMarshaler, MarshalTypeRef = typeof(LsaStringMarshaler))] string OriginName, SECURITY_LOGON_TYPE LogonType,
uint AuthenticationPackage, [In] IntPtr AuthenticationInformation, uint AuthenticationInformationLength, in TOKEN_GROUPS LocalGroups, in TOKEN_SOURCE SourceContext, out SafeLsaReturnBufferHandle ProfileBuffer,
out uint ProfileBufferLength, out LUID LogonId, out SafeHTOKEN Token, out QUOTA_LIMITS Quotas, out NTStatus SubStatus);
///
/// The LsaLogonUser function authenticates a security principal's logon data by using stored credentials information.
/// If the authentication is successful, this function creates a new logon session and returns a user token.
///
/// When a new ticket granting ticket (TGT) is obtained by using new certificate credentials, then all of the system's TGTs and
/// service tickets are purged. Any user service tickets that are of a compound identity are also purged.
///
///
///
/// A handle obtained from a previous call to LsaRegisterLogonProcess.
/// The caller is required to have SeTcbPrivilege only if one or more of the following is true:
///
/// -
/// A Subauthentication package is used.
///
/// -
/// KERB_S4U_LOGON is used, and the caller requests an impersonation token.
///
/// -
/// The LocalGroups parameter is not NULL.
///
///
/// If
/// SeTcbPrivilege
/// is not required, call
/// LsaConnectUntrusted
/// to obtain the handle.
///
///
/// A string that identifies the origin of the logon attempt. For more information, see Remarks.
///
///
///
/// A value of the SECURITY_LOGON_TYPE enumeration that specifies the type of logon requested. If LogonType is Interactive or Batch,
/// a primary token is generated to represent the new user. If LogonType is Network, an impersonation token is generated.
///
///
///
/// An identifier of the authentication package to use for the authentication. You can obtain this value by calling LsaLookupAuthenticationPackage.
///
///
///
/// A pointer to an input buffer that contains authentication information, such as user name and password. The format and content of
/// this buffer are determined by the authentication package.
///
/// This parameter can be one of the following input buffer structures for the MSV1_0 and Kerberos authentication packages.
///
///
/// Value
/// Meaning
///
/// -
/// MSV1_0_INTERACTIVE_LOGON MSV1_0
///
/// Authenticating an interactive user logon. The LogonDomainName, UserName, and Password members of the MSV1_0_INTERACTIVE_LOGON
/// structure must point to buffers in memory that are contiguous to the structure itself. The value of the
/// AuthenticationInformationLength parameter must take into account the length of these buffers.
///
///
/// -
/// KERB_INTERACTIVE_LOGON Kerberos
/// Authenticating an interactive user logon.
///
/// -
/// KERB_TICKET_LOGON Kerberos
/// Authenticating a user on initial network logon or disconnect.
///
/// -
/// KERB_TICKET_UNLOCK_LOGON Kerberos
/// Authenticating a user on ticket refresh, a variation of the normal workstation unlock logon.
///
/// -
/// KERB_CERTIFICATE_LOGON Kerberos
/// Authenticating a user using an interactive smart card logon.
///
/// -
/// KERB_CERTIFICATE_S4U_LOGON Kerberos
/// Authenticating a user using a service for user (S4U) logon.
///
/// -
/// KERB_CERTIFICATE_UNLOCK_LOGON Kerberos
/// Authenticating a user to unlock a workstation that has been locked during an interactive smart card logon session.
///
/// -
/// KERB_SMARTCARD_LOGON Kerberos
/// Authenticating a user smart card logon using LOGON32_PROVIDER_WINNT50 or LOGON32_PROVIDER_DEFAULT.
///
/// -
/// KERB_SMARTCARD_UNLOCK_LOGON Kerberos
/// Authenticating a user to unlock a workstation that has been locked during a smart card logon session.
///
/// -
/// KERB_S4U_LOGON Kerberos
///
/// Authenticating a user using S4U client requests. For constrained delegation, a call to LsaLogonUser is not necessary if the
/// client logged on using an LSA-mode authentication package. On Windows operating systems, these include Kerberos, NTLM, Secure
/// Channel, and Digest. For this call to succeed, the following must be true: The ClientUpn and ClientRealm members of the
/// KERB_S4U_LOGON structure must point to buffers in memory that are contiguous to the structure itself. The value of the
/// AuthenticationInformationLength parameter must take into account the length of these buffers.
///
///
/// -
/// MSV1_0_LM20_LOGON MSV1_0
///
/// Processing the second half of an NTLM 2.0 protocol logon. The first half of this type of logon is performed by calling
/// LsaCallAuthenticationPackage with the MsV1_0Lm20ChallengeRequest message. For more information, see the description of
/// MsV1_0Lm20ChallengeRequest in MSV1_0_PROTOCOL_MESSAGE_TYPE. This type of logon can use a subauthentication package.
///
///
/// -
/// MSV1_0_SUBAUTH_LOGON MSV1_0
/// Authenticating a user with subauthentication.
///
///
///
/// For more information about the buffer used by other authentication packages, see the documentation for those authentication packages.
///
///
///
/// The length, in bytes, of the AuthenticationInformation buffer.
///
///
///
/// A list of additional group identifiers to add to the token of the authenticated user. These group identifiers will be added,
/// along with the default group WORLD and the logon type group (Interactive, Batch, or Network), which are automatically included in
/// every user token.
///
///
///
///
/// A TOKEN_SOURCE structure that identifies the source module—for example, the session manager—and the context that may be useful to
/// that module. This information is included in the user token and can be retrieved by calling GetTokenInformation.
///
///
///
///
/// A pointer to a void pointer that receives the address of an output buffer that contains authentication information, such as the
/// logon shell and home directory.
///
/// This parameter can be one of the following output buffer structures for the MSV1_0 and Kerberos authentication packages.
///
///
/// Value
/// Meaning
///
/// -
/// MSV1_0_INTERACTIVE_PROFILE MSV1_0
/// An interactive user's logon profile.
///
/// -
/// KERB_TICKET_PROFILE Kerberos
/// Logon, disconnect, and ticket refresh authentication output.
///
/// -
/// MSV1_0_LM20_LOGON MSV1_0
/// Output when processing the second half of a NTLM 2.0 protocol logon.
///
/// -
/// MSV1_0_LM20_LOGON_PROFILE MSV1_0
/// Output when using authentication with subauthentication.
///
///
///
/// For more information about the buffer used by other authentication packages, see the documentation for that authentication package.
///
///
/// When this buffer is no longer needed, the calling application must free this buffer by calling the LsaFreeReturnBuffer function.
///
///
///
/// A pointer to a ULONG that receives the length, in bytes, of the returned profile buffer.
///
///
///
/// A pointer to a buffer that receives an LUID that uniquely identifies the logon session. This LUID is assigned by the
/// domain controller that authenticated the logon information.
///
///
///
///
/// A pointer to a handle that receives the new user token created for this session. When you have finished using the token, release
/// it by calling the CloseHandle function.
///
///
///
///
/// When a primary token is returned, this parameter receives a QUOTA_LIMITS structure that contains the process quota limits
/// assigned to the newly logged on user's initial process.
///
///
///
///
/// If the logon failed due to account restrictions, this parameter receives information about why the logon failed. This value is
/// set only if the account information of the user is valid and the logon is rejected.
///
/// This parameter can be one of the following SubStatus values for the MSV1_0 authentication package.
///
///
/// Value
/// Meaning
///
/// -
/// STATUS_INVALID_LOGON_HOURS
/// The user account has time restrictions and cannot be used to log on at this time.
///
/// -
/// STATUS_INVALID_WORKSTATION
/// The user account has workstation restrictions and cannot be used to log on from the current workstation.
///
/// -
/// STATUS_PASSWORD_EXPIRED
/// The user-account password has expired.
///
/// -
/// STATUS_ACCOUNT_DISABLED
/// The user account is currently disabled and cannot be used to log on.
///
///
///
///
/// If the function succeeds, the function returns STATUS_SUCCESS.
/// If the function fails, it returns an NTSTATUS code, which can be one of the following values.
///
///
/// Value
/// Description
///
/// -
/// STATUS_QUOTA_EXCEEDED
/// The caller's memory quota is insufficient to allocate the output buffer returned by the authentication package.
///
/// -
/// STATUS_ACCOUNT_RESTRICTION
///
/// The user account and password are legitimate, but the user account has a restriction that prevents logon at this time. For more
/// information, see the value stored in the SubStatus parameter.
///
///
/// -
/// STATUS_BAD_VALIDATION_CLASS
/// The authentication information provided is not recognized by the authentication package.
///
/// -
/// STATUS_LOGON_FAILURE
///
/// The logon attempt failed. The reason for the failure is not specified, but typical reasons include misspelled user names and
/// misspelled passwords.
///
///
/// -
/// STATUS_NO_LOGON_SERVERS
/// No domain controllers are available to service the authentication request.
///
/// -
/// STATUS_NO_SUCH_PACKAGE
/// The specified authentication package is not recognized by the LSA.
///
/// -
/// STATUS_PKINIT_FAILURE
///
/// The Kerberos client received a KDC certificate that is not valid. For device logon, strict KDC validation is required, so the KDC
/// must have certificates that use the "Kerberos Authentication" template or equivalent. Also, the KDC certificate could be expired,
/// revoked, or the client is under active attack of sending requests to the wrong server.
///
///
/// -
/// STATUS_PKINIT_CLIENT_FAILURE
///
/// The Kerberos client is using a system certificate that is not valid. For device logon, there must be a DNS name. Also, the system
/// certificate could be expired or the wrong one could be selected.
///
///
///
/// For more information, see LSA Policy Function Return Values.
/// The LsaNtStatusToWinError function converts an NTSTATUS code to a Windows error code.
///
///
///
/// The OriginName parameter should specify meaningful information. For example, it might contain "TTY1" to indicate terminal one or
/// "NTLM - remote node JAZZ" to indicate a network logon that uses NTLM through a remote node called "JAZZ".
///
///
/// You must call LsaLogonUser separately to update PKINIT device credentials for LOCAL_SYSTEM and NETWORK_SERVICE. When there
/// is no PKINIT device credential, a successful call does no operation. When there is a PKINIT device credential, a successful call
/// cleans up the PKINIT device credential so that only the password credential remains.
///
///
// https://docs.microsoft.com/en-us/windows/desktop/api/ntsecapi/nf-ntsecapi-lsalogonuser NTSTATUS LsaLogonUser( HANDLE LsaHandle,
// PLSA_STRING OriginName, SECURITY_LOGON_TYPE LogonType, ULONG AuthenticationPackage, PVOID AuthenticationInformation, ULONG
// AuthenticationInformationLength, PTOKEN_GROUPS LocalGroups, PTOKEN_SOURCE SourceContext, PVOID *ProfileBuffer, PULONG
// ProfileBufferLength, PLUID LogonId, PHANDLE Token, PQUOTA_LIMITS Quotas, PNTSTATUS SubStatus );
[DllImport(Lib.Secur32, SetLastError = false, ExactSpelling = true)]
[PInvokeData("ntsecapi.h", MSDNShortId = "75968d53-5af2-4d77-9486-26403b73c954")]
public static extern NTStatus LsaLogonUser(LsaConnectionHandle LsaHandle, [In, MarshalAs(UnmanagedType.CustomMarshaler, MarshalTypeRef = typeof(LsaStringMarshaler))] string OriginName, SECURITY_LOGON_TYPE LogonType,
uint AuthenticationPackage, [In] IntPtr AuthenticationInformation, uint AuthenticationInformationLength, [Optional] IntPtr LocalGroups, in TOKEN_SOURCE SourceContext, out SafeLsaReturnBufferHandle ProfileBuffer,
out uint ProfileBufferLength, out LUID LogonId, out SafeHTOKEN Token, out QUOTA_LIMITS Quotas, out NTStatus SubStatus);
/// The LsaLookupAuthenticationPackage function obtains the unique identifier of an authentication package.
/// Handle obtained from a previous call to LsaRegisterLogonProcess or LsaConnectUntrusted.
/// A string that specifies the name of the authentication package. The package name must not exceed 127 bytes in length. The following table lists the names of the Microsoft-provided authentication packages.
///
/// ValueMeaning
/// - MSV1_0_PACKAGE_NAMEThe MSV1_0 authentication package name.
/// - MICROSOFT_KERBEROS_NAMEThe Kerberos authentication package name.
/// - NEGOSSP_NAMEThe Negotiate authentication package name.
///
///
/// Pointer to a ULONG that receives the authentication package identifier.
/// If the function succeeds, the return value is STATUS_SUCCESS.
/// If the function fails, the return value is an NTSTATUS code. The following are possible error codes.
///
/// Return codeDescription
/// - STATUS_NO_SUCH_PACKAGEThe specified authentication package is unknown to the LSA.
/// - STATUS_NAME_TOO_LONGThe authentication package name exceeds 127 bytes.
///
[DllImport(Lib.Secur32, ExactSpelling = true)]
[PInvokeData("Ntsecapi.h", MSDNShortId = "aa378297")]
public static extern NTStatus LsaLookupAuthenticationPackage(LsaConnectionHandle LsaHandle, [In, MarshalAs(UnmanagedType.CustomMarshaler, MarshalTypeRef = typeof(LsaStringMarshaler))] string PackageName, out uint AuthenticationPackage);
///
/// The LsaRegisterLogonProcess function establishes a connection to the LSA server and verifies that the caller is a logon application.
///
///
/// String identifying the logon application. This should be a printable name suitable for display to administrators. For example,
/// the Windows logon application might use the name "User32LogonProcess". This name is used by the LSA during auditing.
/// LsaRegisterLogonProcess does not check whether the name is already in use. This string must not exceed 127 bytes.
///
/// Pointer that receives a handle used in future authentication function calls.
/// The value returned is not meaningful and should be ignored.
///
/// If the function succeeds, the return value is STATUS_SUCCESS.
/// If the function fails, the return value is an NTSTATUS code. For more information, see LSA Policy Function Return Values.
/// The LsaNtStatusToWinError function converts an NTSTATUS code to a Windows error code.
///
[DllImport(Lib.Secur32, ExactSpelling = true)]
[PInvokeData("Ntsecapi.h", MSDNShortId = "aa378318")]
public static extern NTStatus LsaRegisterLogonProcess([In, MarshalAs(UnmanagedType.CustomMarshaler, MarshalTypeRef = typeof(LsaStringMarshaler))] string LogonProcessName, out SafeLsaConnectionHandle LsaHandle, out uint SecurityMode);
///
/// The LsaRegisterPolicyChangeNotification function registers an event handle with the local security authority (LSA). This
/// event handle is signaled whenever the indicated LSA policy is modified.
///
///
///
/// A POLICY_NOTIFICATION_INFORMATION_CLASS value that specifies the type of policy changes about which your application will be
/// notified. Specify one of the following values.
///
///
///
/// Value
/// Meaning
///
/// -
/// PolicyNotifyAuditEventsInformation
/// Auditing policy changes.
///
/// -
/// PolicyNotifyAccountDomainInformation
/// Account domain information changes.
///
/// -
/// PolicyNotifyServerRoleInformation
/// Server role changes.
///
/// -
/// PolicyNotifyDomainEfsInformation
/// EFS policy information changes.
///
/// -
/// PolicyNotifyDomainKerberosTicketInformation
/// Kerberos ticket policy information changes.
///
/// -
/// PolicyNotifyDnsDomainInformation
/// Domain Name System (DNS) information, name, or SID of the system's primary domain changes.
///
///
///
///
/// A handle to an event obtained by calling the CreateEvent function. The event can be either named or unnamed.
///
///
/// If the function succeeds, the return value is STATUS_SUCCESS.
/// If the function fails, the return value is an NTSTATUS code. For more information, see LSA Policy Function Return Values.
/// You can use the LsaNtStatusToWinError function to convert the NTSTATUS code to a Windows error code.
///
///
///
/// When you have finished using a notification event that has been registered by the LsaRegisterPolicyChangeNotification
/// function, unregister it by calling the LsaUnregisterPolicyChangeNotification function.
///
/// For an example that demonstrates calling this function, see Receiving Policy Change Events.
///
// https://docs.microsoft.com/en-us/windows/desktop/api/ntsecapi/nf-ntsecapi-lsaregisterpolicychangenotification NTSTATUS
// LsaRegisterPolicyChangeNotification( POLICY_NOTIFICATION_INFORMATION_CLASS InformationClass, HANDLE NotificationEventHandle );
[DllImport(Lib.Secur32, SetLastError = false, ExactSpelling = true)]
[PInvokeData("ntsecapi.h", MSDNShortId = "0c713d2b-e13a-44e0-8b48-68b233d1c562")]
public static extern NTStatus LsaRegisterPolicyChangeNotification(POLICY_NOTIFICATION_INFORMATION_CLASS InformationClass, Kernel32.SafeEventHandle NotificationEventHandle);
/// The LsaUnregisterPolicyChangeNotification function disables a previously registered notification event.
///
///
/// A POLICY_NOTIFICATION_INFORMATION_CLASS value that specifies the policy changes that your application will stop receiving
/// notifications for. Specify one of the following values.
///
///
///
/// Value
/// Meaning
///
/// -
/// PolicyNotifyAuditEventsInformation
/// Auditing policy changes.
///
/// -
/// PolicyNotifyAccountDomainInformation
/// Account domain information changes.
///
/// -
/// PolicyNotifyServerRoleInformation
/// Server role changes.
///
/// -
/// PolicyNotifyDomainEfsInformation
/// EFS policy information changes.
///
/// -
/// PolicyNotifyDomainKerberosTicketInformation
/// Kerberos ticket policy information changes.
///
/// -
/// PolicyNotifyDnsDomainInformation
/// Domain Name System (DNS) information, name, or SID of the system's primary domain changes.
///
///
///
/// A handle to the notification event to unregister.
///
/// If the function succeeds, the return value is STATUS_SUCCESS.
/// If the function fails, the return value is an NTSTATUS code. For more information, see LSA Policy Function Return Values.
/// You can use the LsaNtStatusToWinError function to convert the NTSTATUS code to a Windows error code.
///
/// For an example that demonstrates calling this function see Receiving Policy Change Events.
// https://docs.microsoft.com/en-us/windows/desktop/api/ntsecapi/nf-ntsecapi-lsaunregisterpolicychangenotification NTSTATUS
// LsaUnregisterPolicyChangeNotification( POLICY_NOTIFICATION_INFORMATION_CLASS InformationClass, HANDLE NotificationEventHandle );
[DllImport(Lib.Secur32, SetLastError = false, ExactSpelling = true)]
[PInvokeData("ntsecapi.h", MSDNShortId = "c1000904-20a6-40db-9b59-2cbb79e00a67")]
public static extern NTStatus LsaUnregisterPolicyChangeNotification(POLICY_NOTIFICATION_INFORMATION_CLASS InformationClass, Kernel32.SafeEventHandle NotificationEventHandle);
/// The KERB_CRYPTO_KEY structure contains information about a Kerberos cryptographic session key.
// https://docs.microsoft.com/en-us/windows/desktop/api/ntsecapi/ns-ntsecapi-kerb_crypto_key typedef struct KERB_CRYPTO_KEY { LONG
// KeyType; ULONG Length; PUCHAR Value; } KERB_CRYPTO_KEY, *PKERB_CRYPTO_KEY;
[PInvokeData("ntsecapi.h", MSDNShortId = "ac7ea61c-b1e0-4dc0-931e-81bb6fd74888")]
[StructLayout(LayoutKind.Sequential)]
public struct KERB_CRYPTO_KEY
{
///
/// Indicates the type of session key stored in the structure. It can be one of the following values.
///
///
/// Value
/// Meaning
///
/// -
/// KERB_ETYPE_DES_CBC_CRC
/// Use DES encryption in cipher-block-chaining mode with a CRC-32 checksum.
///
/// -
/// KERB_ETYPE_DES_CBC_MD4
/// Use DES encryption in cipher-block-chaining mode with a MD4 checksum.
///
/// -
/// KERB_ETYPE_DES_CBC_MD5
/// Use DES encryption in cipher-block-chaining mode with a MD5 checksum.
///
/// -
/// KERB_ETYPE_NULL
/// Use no encryption.
///
/// -
/// KERB_ETYPE_RC4_HMAC_NT
/// Use the RC4 stream cipher with a hash-based Message Authentication Code (MAC).
///
/// -
/// KERB_ETYPE_RC4_MD4
/// Use the RC4 stream cipher with the MD4 hash function.
///
///
/// Values greater than 127 are reserved for local values and may change without notice.
///
public int KeyType;
/// Specifies the length, in bytes, of the cryptographic session key.
public uint Length;
/// Contains the cryptographic session key.
public IntPtr Value;
}
///
/// The KERB_EXTERNAL_NAME structure contains information about an external name.
/// An external name is one used by external users. This structure is used by the KERB_EXTERNAL_TICKET structure.
///
// https://docs.microsoft.com/en-us/windows/desktop/api/ntsecapi/ns-ntsecapi-_kerb_external_name typedef struct _KERB_EXTERNAL_NAME {
// SHORT NameType; USHORT NameCount; UNICODE_STRING Names[ANYSIZE_ARRAY]; } KERB_EXTERNAL_NAME, *PKERB_EXTERNAL_NAME;
[PInvokeData("ntsecapi.h", MSDNShortId = "8ed37546-6443-4010-a078-4359dd1c2861")]
[StructLayout(LayoutKind.Explicit, Size = 24)]
public struct KERB_EXTERNAL_NAME
{
///
/// Indicates the type of the names stored in this structure.
///
///
/// Value
/// Meaning
///
/// -
/// KRB_NT_UNKNOWN
/// Unknown name type.
///
/// -
/// KRB_NT_PRINCIPAL
/// Name of the user or a Kerberos name type principal in the case of a DCE.
///
/// -
/// KRB_NT_SRV_INST
/// Service name and other unique name as instance (krbtgt).
///
/// -
/// KRB_NT_SRV_HST
/// Service name with host name as instance (telnet, rcommands).
///
/// -
/// KRB_NT_SRV_XHST
/// Service name with host as instance other than krbtgt, telnet, or rcommands.
///
/// -
/// KRB_NT_UID
/// Unique ID.
///
/// -
/// KRB_NT_ENTERPRISE_PRINCIPAL
/// User principal name (UPN) or service principal name (SPN).
///
/// -
/// KRB_NT_ENT_PRINCIPAL_AND_ID
/// UPN and security identifier (SID).
///
/// -
/// KRB_NT_MS_PRINICPAL
/// Windows NT 4.0–style name.
///
/// -
/// KRB_NT_MS_PRINCIPAL_AND_ID
/// Windows NT 4.0–style name with SID.
///
///
///
[FieldOffset(0)]
public KRB_NT NameType;
/// Indicates the number of names stored in Names.
[FieldOffset(2)]
public ushort NameCount;
/// Array of UNICODE_STRINGS containing the names.
[FieldOffset(8)]
public IntPtr Names;
/// Extracts the names from .
/// A sequence of names.
public IEnumerable GetNames()
{
if (NameCount == 0)
yield break;
using var pin = new PinnedObject(this);
foreach (var us in ((IntPtr)pin).ToIEnum(NameCount, 8))
yield return us.ToString();
}
}
///
/// The KERB_EXTERNAL_TICKET structure contains information about an external ticket.
///
/// An external ticket is a Kerberos ticket exported to external users. The Kerberos ticket is defined in Internet RFC 4120. For more
/// information, see http://www.ietf.org. This structure is used by the KERB_RETRIEVE_TKT_RESPONSE structure.
///
///
// https://docs.microsoft.com/en-us/windows/desktop/api/ntsecapi/ns-ntsecapi-_kerb_external_ticket typedef struct
// _KERB_EXTERNAL_TICKET { PKERB_EXTERNAL_NAME ServiceName; PKERB_EXTERNAL_NAME TargetName; PKERB_EXTERNAL_NAME ClientName;
// UNICODE_STRING DomainName; UNICODE_STRING TargetDomainName; UNICODE_STRING AltTargetDomainName; KERB_CRYPTO_KEY SessionKey; ULONG
// TicketFlags; ULONG Flags; LARGE_INTEGER KeyExpirationTime; LARGE_INTEGER StartTime; LARGE_INTEGER EndTime; LARGE_INTEGER
// RenewUntil; LARGE_INTEGER TimeSkew; ULONG EncodedTicketSize; PUCHAR EncodedTicket; } KERB_EXTERNAL_TICKET, *PKERB_EXTERNAL_TICKET;
[PInvokeData("ntsecapi.h", MSDNShortId = "742e2795-ec74-4856-a680-7a1c233a2934")]
[StructLayout(LayoutKind.Sequential)]
public struct KERB_EXTERNAL_TICKET
{
/// A KERB_EXTERNAL_NAME structure that contains a multiple part, canonical, returned service name.
public IntPtr ServiceName;
/// A KERB_EXTERNAL_NAME structure that contains the multiple part service principal name (SPN).
public IntPtr TargetName;
///
/// A KERB_EXTERNAL_NAME structure that contains the client name in the ticket. This name is relative to the current domain.
///
public IntPtr ClientName;
///
/// A UNICODE_STRING that contains the name of the domain that corresponds to the ServiceName member. This is the domain
/// that issued the ticket.
///
public LSA_UNICODE_STRING DomainName;
///
/// A UNICODE_STRING that contains the name of the domain in which the ticket is valid. For an interdomain ticket, this is the
/// destination domain.
///
public LSA_UNICODE_STRING TargetDomainName;
///
/// A UNICODE_STRING that contains a synonym for the destination domain. Every domain has two names: a DNS name and a NetBIOS
/// name. If the name returned in the ticket is different from the name used to request the ticket (the Kerberos Key Distribution
/// Center (KDC) may do name mapping), this string contains the original name.
///
public LSA_UNICODE_STRING AltTargetDomainName;
/// A KERB_CRYPTO_KEY structure that contains the session key for the ticket.
public KERB_CRYPTO_KEY SessionKey;
///
/// Ticket flags, as defined in Internet RFC 4120. This parameter can be one or more of the following values.
///
///
/// Value
/// Meaning
///
/// -
/// KERB_TICKET_FLAGS_forwardable (0x40000000)
///
/// The ticket-granting server can issue a new ticket-granting ticket with a different network address, based on the presented ticket.
///
///
/// -
/// KERB_TICKET_FLAGS_forwarded (0x20000000)
///
/// The ticket has either been forwarded or was issued based on authentication that involved a forwarded ticket-granting ticket.
///
///
/// -
/// KERB_TICKET_FLAGS_hw_authent (0x00100000)
///
/// The protocol employed for initial authentication required the use of hardware expected to be possessed solely by the named
/// client. The hardware authentication method is selected by the KDC, and the strength of the method is not indicated.
///
///
/// -
/// KERB_TICKET_FLAGS_initial (0x00400000)
/// The ticket was issued by using the Authentication Service protocol instead of being based on a ticket-granting ticket.
///
/// -
/// KERB_TICKET_FLAGS_invalid (0x01000000)
/// The ticket is not valid.
///
/// -
/// KERB_TICKET_FLAGS_may_postdate (0x04000000)
/// Indicates to the ticket-granting server that a postdated ticket can be issued based on this ticket-granting ticket.
///
/// -
/// KERB_TICKET_FLAGS_ok_as_delegate (0x00040000)
///
/// The target of the ticket is trusted by the directory service for delegation. Thus, the clients may delegate their credentials
/// to the server, which lets the server act as the client when talking to other services.
///
///
/// -
/// KERB_TICKET_FLAGS_postdated (0x02000000)
///
/// The ticket has been postdated. The end service can check the ticket's authtime member to determine when the original
/// authentication occurred.
///
///
/// -
/// KERB_TICKET_FLAGS_pre_authent (0x00200000)
///
/// During initial authentication, the client was authenticated by the KDC before a ticket was issued. The strength of the
/// preauthentication method is not indicated but is acceptable to the KDC.
///
///
/// -
/// KERB_TICKET_FLAGS_proxiable (0x10000000)
///
/// Indicates to the ticket-granting server that only nonticket-granting tickets can be issued with different network addresses.
///
///
/// -
/// KERB_TICKET_FLAGS_proxy (0x08000000)
/// The ticket is a proxy.
///
/// -
/// KERB_TICKET_FLAGS_renewable (0x00800000)
///
/// The ticket is renewable. If this flag is set, the time limit for renewing the ticket is set in the RenewTime member of a
/// KERB_TICKET_CACHE_INFO structure. A renewable ticket can be used to obtain a replacement ticket that expires at a later date.
///
///
/// -
/// KERB_TICKET_FLAGS_reserved (0x80000000)
/// Reserved for future use. Do not set this flag.
///
/// -
/// KERB_TICKET_FLAGS_reserved1 (0x00000001)
/// Reserved.
///
///
///
public KERB_TICKET_FLAGS TicketFlags;
/// Reserved for future use. Set this member to zero.
public uint Flags;
/// A FILETIME structure that contains the time at which the key expires.
public FILETIME KeyExpirationTime;
/// A FILETIME structure that contains the time at which the ticket becomes valid.
public FILETIME StartTime;
/// A FILETIME structure that contains the time at which the ticket expires.
public FILETIME EndTime;
///
/// A FILETIME structure that contains the latest time a ticket can be renewed. Renewal requests sent after this time will be rejected.
///
public FILETIME RenewUntil;
///
/// A FILETIME structure that contains the measured time difference between the current time on the computer issuing the ticket
/// and the computer where the ticket will be used.
///
public FILETIME TimeSkew;
/// The size, in bytes, of the encoded ticket.
public uint EncodedTicketSize;
/// A buffer that contains the Abstract Syntax Notation One (ASN.1)-encoded ticket.
public IntPtr EncodedTicket;
// /// ServiceName value. public string ServiceNameValue => ServiceName == default ? null :
// ServiceName.ToStructure().ToString(); /// TargetName value. public string
// TargetNameValue => TargetName == default ? null : TargetName.ToStructure().ToString(); ///
// ClientName value. public string ClientNameValue => ClientName == default ? null : ClientName.ToStructure().ToString();
}
///
/// The KERB_INTERACTIVE_LOGON structure contains information about an interactive logon session.
/// It is used by LsaLogonUser with the Kerberos security package using LOGON32_PROVIDER_WINNT50 or LOGON32_PROVIDER_DEFAULT.
///
// https://docs.microsoft.com/en-us/windows/desktop/api/ntsecapi/ns-ntsecapi-_kerb_interactive_logon typedef struct
// _KERB_INTERACTIVE_LOGON { KERB_LOGON_SUBMIT_TYPE MessageType; UNICODE_STRING LogonDomainName; UNICODE_STRING UserName;
// UNICODE_STRING Password; } KERB_INTERACTIVE_LOGON, *PKERB_INTERACTIVE_LOGON;
[PInvokeData("ntsecapi.h", MSDNShortId = "96aec0cc-b3e1-4b4b-aa0e-ecf05b9fabbe")]
[StructLayout(LayoutKind.Sequential)]
public struct KERB_INTERACTIVE_LOGON
{
/// KERB_LOGON_SUBMIT_TYPE value identifying the type of logon request being made. This member must be set to KerbInteractiveLogon.
public KERB_LOGON_SUBMIT_TYPE MessageType;
/// UNICODE_STRING specifying the name of the target logon domain.
public LSA_UNICODE_STRING LogonDomainName;
/// UNICODE_STRING specifying the user name.
public LSA_UNICODE_STRING UserName;
///
/// UNICODE_STRING specifying the user password. When you have finished using the password, remove the sensitive information from
/// memory by calling SecureZeroMemory. For more information on protecting the password, see Handling Passwords.
///
public LSA_UNICODE_STRING Password;
}
///
/// The KERB_PURGE_TKT_CACHE_REQUEST structure contains information used to delete entries from the ticket cache.
/// It is used by LsaCallAuthenticationPackage.
///
///
///
/// If both ServerName and RealmName are of zero length, LsaCallAuthenticationPackage will delete all tickets for the
/// logon session identified by LogonId. Otherwise, LsaCallAuthenticationPackage will search the cache tickets for
/// ServerName@ RealmName, and will delete all such tickets.
///
///
/// LsaCallAuthenticationPackage does not return this buffer. It returns STATUS_SUCCESS if one or more tickets are deleted. If no
/// tickets are found, the function returns SEC_E_NO_CREDENTIALS.
///
///
// https://docs.microsoft.com/en-us/windows/win32/api/ntsecapi/ns-ntsecapi-kerb_purge_tkt_cache_request typedef struct
// _KERB_PURGE_TKT_CACHE_REQUEST { KERB_PROTOCOL_MESSAGE_TYPE MessageType; LUID LogonId; UNICODE_STRING ServerName; UNICODE_STRING
// RealmName; } KERB_PURGE_TKT_CACHE_REQUEST, *PKERB_PURGE_TKT_CACHE_REQUEST;
[PInvokeData("ntsecapi.h", MSDNShortId = "4e5e944a-8163-42de-b534-3b0478d9f334")]
[StructLayout(LayoutKind.Sequential)]
public struct KERB_PURGE_TKT_CACHE_REQUEST
{
/// KERB_PROTOCOL_MESSAGE_TYPE value identifying the type of request being made. This member must be set to KerbPurgeTicketCacheMessage.
public KERB_PROTOCOL_MESSAGE_TYPE MessageType;
///
/// LUID structure containing the logon session identifier. This can be zero for the current user's logon session. If not zero,
/// the caller must have the SeTcbPrivilege privilege set. If this fails, the Kerberos authentication package sets the
/// ProtocolStatus parameter of LsaCallAuthenticationPackage to STATUS_ACCESS_DENIED.
///
public LUID LogonId;
/// UNICODE_STRING containing the name of the service whose tickets should be deleted from the cache.
public LSA_UNICODE_STRING ServerName;
/// UNICODE_STRING containing the name of the realm whose tickets should be deleted from the cache.
public LSA_UNICODE_STRING RealmName;
}
///
/// The KERB_QUERY_TKT_CACHE_REQUEST structure contains information used to query the ticket cache.
/// It is used by LsaCallAuthenticationPackage.
///
// https://docs.microsoft.com/en-us/windows/win32/api/ntsecapi/ns-ntsecapi-kerb_query_tkt_cache_request typedef struct
// _KERB_QUERY_TKT_CACHE_REQUEST { KERB_PROTOCOL_MESSAGE_TYPE MessageType; LUID LogonId; } KERB_QUERY_TKT_CACHE_REQUEST, *PKERB_QUERY_TKT_CACHE_REQUEST;
[PInvokeData("ntsecapi.h", MSDNShortId = "3c8e63b3-9ac4-4228-87e1-6802c3d12d6c")]
[StructLayout(LayoutKind.Sequential)]
public struct KERB_QUERY_TKT_CACHE_REQUEST
{
///
///
/// KERB_PROTOCOL_MESSAGE_TYPE value identifying the type of request being made. This member must be set to
/// KerbQueryTicketCacheMessage or KerbRetrieveTicketMessage.
///
///
/// If this member is set to KerbQueryTicketCacheMessage, the request is for information about all of the cached tickets
/// for the specified user logon session. If it is set to KerbRetrieveTicketMessage, the request is for the ticket
/// granting ticket from the ticket cache of the specified user logon session.
///
///
public KERB_PROTOCOL_MESSAGE_TYPE MessageType;
///
/// LUID structure containing the logon session identifier. This can be zero for the current user's logon session. If not zero,
/// the caller must have the SeTcbPrivilege privilege set. If this fails, the Kerberos authentication package sets the
/// ProtocolStatus parameter of LsaCallAuthenticationPackage to STATUS_ACCESS_DENIED.
///
public LUID LogonId;
}
///
/// The KERB_QUERY_TKT_CACHE_RESPONSE structure contains the results of querying the ticket cache.
/// It is used by LsaCallAuthenticationPackage.
///
///
/// This buffer is allocated by the Kerberos authentication package and should be deleted by the application that called
/// LsaCallAuthenticationPackage, using LsaFreeReturnBuffer.
///
// https://docs.microsoft.com/en-us/windows/win32/api/ntsecapi/ns-ntsecapi-kerb_query_tkt_cache_response typedef struct
// _KERB_QUERY_TKT_CACHE_RESPONSE { KERB_PROTOCOL_MESSAGE_TYPE MessageType; ULONG CountOfTickets; KERB_TICKET_CACHE_INFO
// Tickets[ANYSIZE_ARRAY]; } KERB_QUERY_TKT_CACHE_RESPONSE, *PKERB_QUERY_TKT_CACHE_RESPONSE;
[PInvokeData("ntsecapi.h", MSDNShortId = "2101c1de-f304-4d44-899f-f9f03cd50934")]
[StructLayout(LayoutKind.Sequential)]
[VanaraMarshaler(typeof(SafeAnysizeStructMarshaler), nameof(CountOfTickets))]
public struct KERB_QUERY_TKT_CACHE_RESPONSE
{
/// KERB_PROTOCOL_MESSAGE_TYPE value identifying the type of request being made. This member must be set to KerbQueryTicketCacheMessage.
public KERB_PROTOCOL_MESSAGE_TYPE MessageType;
///
/// Number of tickets in Tickets array. This can be zero if no tickets are available for the specified logon session.
///
public uint CountOfTickets;
/// Array of length CountOfTickets of KERB_TICKET_CACHE_INFO structures.
[MarshalAs(UnmanagedType.ByValArray, SizeConst = 1)]
public KERB_TICKET_CACHE_INFO[] Tickets;
}
///
/// The KERB_RETRIEVE_TKT_REQUEST structure contains information used to retrieve a ticket.
///
/// It is used by LsaCallAuthenticationPackage.The Kerberos ticket is defined in Internet RFC 4120. For more information, see http://www.ietf.org.
///
///
// https://docs.microsoft.com/en-us/windows/desktop/api/ntsecapi/ns-ntsecapi-_kerb_retrieve_tkt_request typedef struct
// _KERB_RETRIEVE_TKT_REQUEST { KERB_PROTOCOL_MESSAGE_TYPE MessageType; LUID LogonId; UNICODE_STRING TargetName; ULONG TicketFlags;
// ULONG CacheOptions; LONG EncryptionType; SecHandle CredentialsHandle; } KERB_RETRIEVE_TKT_REQUEST, *PKERB_RETRIEVE_TKT_REQUEST;
[PInvokeData("ntsecapi.h", MSDNShortId = "3b088c94-810b-44c7-887a-58e8dbd13603")]
[StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
public struct KERB_RETRIEVE_TKT_REQUEST
{
/// KERB_PROTOCOL_MESSAGE_TYPE value indicating the type of request being made. This member must be set to KerbRetrieveEncodedTicketMessage.
public KERB_PROTOCOL_MESSAGE_TYPE MessageType;
///
/// LUID structure containing the logon session identifier. This can be zero for the current user's logon session. If not zero,
/// the caller must have the SeTcbPrivilege privilege set. If this fails, the Kerberos authentication package sets the
/// ProtocolStatus parameter of LsaCallAuthenticationPackage to STATUS_ACCESS_DENIED.
///
public LUID LogonId;
/// UNICODE_STRING containing the name of the target service.
public LSA_UNICODE_STRING TargetName;
///
///
/// Contains flags specifying uses for the retrieved ticket. If TicketFlags is set to zero and if there is a matching
/// ticket found in the cache, then that ticket will be returned, regardless of its flag values. If there is no match in the
/// cache, a new ticket with the default flag values will be requested.
///
/// If this member is not set to zero, the returned ticket will not be cached.
///
public uint TicketFlags;
///
///
/// Indicates options for searching the cache. Set this member to zero to indicate that the cache should be searched and if no
/// ticket if found, a new ticket should be requested.
///
/// If this member is not set to zero, the returned ticket will not be cached.
/// CacheOptions can contain the following values.
///
///
/// Value
/// Meaning
///
/// -
/// KERB_RETRIEVE_TICKET_DONT_USE_CACHE 1
///
/// Always request a new ticket; do not search the cache. If a ticket is obtained, the Kerberos authentication package returns
/// STATUS_SUCCESS in the ProtocolStatus parameter of the LsaCallAuthenticationPackage function.
///
///
/// -
/// KERB_RETRIEVE_TICKET_USE_CREDHANDLE 4
///
/// Use the CredentialsHandle member instead of LogonId to identify the logon session. The credential handle is used as the
/// client credential for which the ticket is retrieved Note This option is not available for 32-bit Windows-based applications
/// running on 64-bit Windows.
///
///
/// -
/// KERB_RETRIEVE_TICKET_USE_CACHE_ONLY 2
///
/// Return only a previously cached ticket. If such a ticket is not found, the Kerberos authentication package returns
/// STATUS_OBJECT_NAME_NOT_FOUND in the ProtocolStatus parameter of the LsaCallAuthenticationPackage function.
///
///
/// -
/// KERB_RETRIEVE_TICKET_AS_KERB_CRED 8
///
/// Return the ticket as a Kerberos credential. The Kerberos ticket is defined in Internet RFC 4120 as KRB_CRED. For more
/// information, see http://www.ietf.org.
///
///
/// -
/// KERB_RETRIEVE_TICKET_WITH_SEC_CRED 10
/// Not implemented.
///
/// -
/// KERB_RETRIEVE_TICKET_CACHE_TICKET 20
///
/// Return the ticket that is currently in the cache. If the ticket is not in the cache, it is requested and then cached. This
/// flag should not be used with the KERB_RETRIEVE_TICKET_DONT_USE_CACHE flag. Windows XP with SP1 and earlier and Windows Server
/// 2003: This option is not available.
///
///
/// -
/// KERB_RETRIEVE_TICKET_MAX_LIFETIME 40
///
/// Return a fresh ticket with maximum allowed time by the policy. The ticker is cached afterwards. Use of this flag implies that
/// KERB_RETRIEVE_TICKET_USE_CACHE_ONLY is not set and KERB_RETRIEVE_TICKET_CACHE_TICKET is set. Windows Vista, Windows Server
/// 2008, Windows XP with SP1 and earlier and Windows Server 2003: This option is not available.
///
///
///
///
public uint CacheOptions;
///
///
/// Specifies the type of encryption to use for the requested ticket. If this member is not set to zero, the returned ticket will
/// not be cached.
///
/// This member can have one of the following values.
///
///
/// Value
/// Meaning
///
/// -
/// KERB_ETYPE_DES_CBC_CRC
/// Use DES encryption in cipher-block-chaining mode with a CRC-32 checksum.
///
/// -
/// KERB_ETYPE_DES_CBC_MD4
/// Use DES encryption in cipher-block-chaining mode with a MD4 checksum.
///
/// -
/// KERB_ETYPE_DES_CBC_MD5
/// Use DES encryption in cipher-block-chaining mode with a MD5 checksum.
///
/// -
/// KERB_ETYPE_NULL
/// Use no encryption.
///
/// -
/// KERB_ETYPE_RC4_HMAC_NT
/// Use the RC4 stream cipher with a hash-based Message Authentication Code (MAC), as used by Windows.
///
/// -
/// KERB_ETYPE_RC4_MD4
/// Use the RC4 stream cipher with the MD4 hash function.
///
/// -
/// >127
/// Values greater than 127 are reserved for local values and may change without notice.
///
///
///
public KERB_ETYPE EncryptionType;
/// An SSPI credentials handle used in place of a logon session identifier.
public CredHandle CredentialsHandle;
}
///
/// The KERB_RETRIEVE_TKT_RESPONSE structure contains the response from retrieving a ticket.
/// It is used by LsaCallAuthenticationPackage.
///
// https://docs.microsoft.com/en-us/windows/desktop/api/ntsecapi/ns-ntsecapi-_kerb_retrieve_tkt_response typedef struct
// _KERB_RETRIEVE_TKT_RESPONSE { KERB_EXTERNAL_TICKET Ticket; } KERB_RETRIEVE_TKT_RESPONSE, *PKERB_RETRIEVE_TKT_RESPONSE;
[PInvokeData("ntsecapi.h", MSDNShortId = "682d4076-dc65-4291-8a82-981f207ae432")]
[StructLayout(LayoutKind.Sequential)]
public struct KERB_RETRIEVE_TKT_RESPONSE
{
/// KERB_EXTERNAL_TICKET structure containing the requested ticket.
public KERB_EXTERNAL_TICKET Ticket;
}
///
///
/// The KERB_TICKET_CACHE_INFO structure contains information about a cached Kerberos ticket. The Kerberos ticket is defined
/// in Internet RFC 4120. For more information, see http://www.ietf.org.
///
///
/// It can be used both for retrieving tickets and querying the ticket cache. The KERB_QUERY_TKT_CACHE_RESPONSE structure uses this structure.
///
///
// https://docs.microsoft.com/en-us/windows/win32/api/ntsecapi/ns-ntsecapi-kerb_ticket_cache_info typedef struct
// _KERB_TICKET_CACHE_INFO { UNICODE_STRING ServerName; UNICODE_STRING RealmName; LARGE_INTEGER StartTime; LARGE_INTEGER EndTime;
// LARGE_INTEGER RenewTime; LONG EncryptionType; ULONG TicketFlags; } KERB_TICKET_CACHE_INFO, *PKERB_TICKET_CACHE_INFO;
[PInvokeData("ntsecapi.h", MSDNShortId = "e9ac70f0-65dc-4c5a-b41f-7c4659680333")]
[StructLayout(LayoutKind.Sequential)]
public struct KERB_TICKET_CACHE_INFO
{
///
/// A UNICODE_STRING that contains the name of the server the ticket applies to. This name is combined with the RealmName
/// value to create the full name ServerName@ RealmName.
///
public LSA_UNICODE_STRING ServerName;
/// A UNICODE_STRING that contains the name of the realm the ticket applies to.
public LSA_UNICODE_STRING RealmName;
///
/// A FILETIME structure that contains the time at which the ticket becomes valid. If the starttime member of the ticket
/// is not set, this value defaults to the time when the ticket was initially authenticated, authtime. The
/// starttime member of a ticket is optional.
///
public FILETIME StartTime;
/// A FILETIME structure that contains the time when the ticket expires.
public FILETIME EndTime;
///
/// If KERB_TICKET_FLAGS_renewable is set in TicketFlags, this member is a FILETIME structure that contains the time
/// beyond which the ticket cannot be renewed.
///
public FILETIME RenewTime;
/// The type of encryption used in the ticket.
public KERB_ETYPE EncryptionType;
///
/// The ticket flags, as defined in Internet RFC 4120. These flags can be one or more of the following values.
///
///
/// Value
/// Meaning
///
/// -
/// KERB_TICKET_FLAGS_forwardable 0x40000000
///
/// The ticket-granting server can issue a new ticket-granting ticket with a different network address based on the presented ticket.
///
///
/// -
/// KERB_TICKET_FLAGS_forwarded 0x20000000
///
/// The ticket has either been forwarded or was issued based on authentication that involved a forwarded ticket-granting ticket.
///
///
/// -
/// KERB_TICKET_FLAGS_hw_authent 0x00100000
///
/// The protocol employed for initial authentication required the use of hardware expected to be possessed solely by the named
/// client. The hardware authentication method is selected by the KDC and the strength of the method is not indicated.
///
///
/// -
/// KERB_TICKET_FLAGS_initial 0x00400000
/// The ticket was issued by using the Authentication Service protocol instead of being based on a ticket-granting ticket.
///
/// -
/// KERB_TICKET_FLAGS_invalid 0x01000000
/// The ticket is not valid.
///
/// -
/// KERB_TICKET_FLAGS_may_postdate 0x04000000
/// Indicates to the ticket-granting server that a postdated ticket can be issued based on this ticket-granting ticket.
///
/// -
/// KERB_TICKET_FLAGS_ok_as_delegate 0x00040000
///
/// The target of the ticket is trusted by the directory service for delegation. Thus, clients may delegate their credentials to
/// the server, which lets the server act as the client when talking to other services.
///
///
/// -
/// KERB_TICKET_FLAGS_postdated 0x02000000
///
/// The ticket has been postdated. The end-service can check the ticket's authtime member to see when the original
/// authentication occurred.
///
///
/// -
/// KERB_TICKET_FLAGS_pre_authent 0x00200000
///
/// During initial authentication, the client was authenticated by the Key Distribution Center (KDC) before a ticket was issued.
/// The strength of the preauthentication method is not indicated, but is acceptable to the KDC.
///
///
/// -
/// KERB_TICKET_FLAGS_proxiable 0x10000000
///
/// Indicates to the ticket-granting server that only nonticket-granting tickets can be issued based on this ticket but with a
/// different network addresses.
///
///
/// -
/// KERB_TICKET_FLAGS_proxy 0x08000000
/// The ticket is a proxy.
///
/// -
/// KERB_TICKET_FLAGS_renewable 0x00800000
///
/// The ticket is renewable. If this flag is set, the time limit for renewing the ticket is set in RenewTime. A renewable ticket
/// can be used to obtain a replacement ticket that expires at a later date.
///
///
/// -
/// KERB_TICKET_FLAGS_reserved 0x80000000
/// Reserved for future use. Do not set this flag.
///
/// -
/// KERB_TICKET_FLAGS_reserved1 0x00000001
/// Reserved.
///
///
///
public KERB_TICKET_FLAGS TicketFlags;
}
/// The LSA_LAST_INTER_LOGON_INFO structure contains information about a logon session.
// https://docs.microsoft.com/en-us/windows/desktop/api/ntsecapi/ns-ntsecapi-_lsa_last_inter_logon_info typedef struct
// _LSA_LAST_INTER_LOGON_INFO { LARGE_INTEGER LastSuccessfulLogon; LARGE_INTEGER LastFailedLogon; ULONG
// FailedAttemptCountSinceLastSuccessfulLogon; } LSA_LAST_INTER_LOGON_INFO, *PLSA_LAST_INTER_LOGON_INFO;
[PInvokeData("ntsecapi.h", MSDNShortId = "FB935FED-571F-4298-8F83-0F805408179D")]
[StructLayout(LayoutKind.Sequential)]
public struct LSA_LAST_INTER_LOGON_INFO
{
/// The time that the session owner most recently logged on successfully.
public long LastSuccessfulLogon;
/// The time of the most recent failed attempt to log on.
public long LastFailedLogon;
/// The number of failed attempts to log on since the last successful log on.
public uint FailedAttemptCountSinceLastSuccessfulLogon;
}
/// Provides a handle to an LSA connection.
[StructLayout(LayoutKind.Sequential)]
public struct LsaConnectionHandle : IHandle
{
private IntPtr handle;
/// Initializes a new instance of the struct.
/// An object that represents the pre-existing handle to use.
public LsaConnectionHandle(IntPtr preexistingHandle) => handle = preexistingHandle;
/// Returns an invalid handle by instantiating a object with .
public static LsaConnectionHandle NULL => new LsaConnectionHandle(IntPtr.Zero);
/// Gets a value indicating whether this instance is a null handle.
public bool IsNull => handle == IntPtr.Zero;
/// Performs an explicit conversion from to .
/// The handle.
/// The result of the conversion.
public static explicit operator IntPtr(LsaConnectionHandle h) => h.handle;
/// Performs an implicit conversion from to .
/// The pointer to a handle.
/// The result of the conversion.
public static implicit operator LsaConnectionHandle(IntPtr h) => new LsaConnectionHandle(h);
/// Implements the operator !=.
/// The first handle.
/// The second handle.
/// The result of the operator.
public static bool operator !=(LsaConnectionHandle h1, LsaConnectionHandle h2) => !(h1 == h2);
/// Implements the operator ==.
/// The first handle.
/// The second handle.
/// The result of the operator.
public static bool operator ==(LsaConnectionHandle h1, LsaConnectionHandle h2) => h1.Equals(h2);
///
public override bool Equals(object obj) => obj is LsaConnectionHandle h ? handle == h.handle : false;
///
public override int GetHashCode() => handle.GetHashCode();
///
public IntPtr DangerousGetHandle() => handle;
}
///
/// The MSV1_0_INTERACTIVE_LOGON structure contains information about an interactive logon.
/// It is used by the LsaLogonUser function.
///
// https://docs.microsoft.com/en-us/windows/desktop/api/ntsecapi/ns-ntsecapi-msv1_0_interactive_logon typedef struct
// _MSV1_0_INTERACTIVE_LOGON { MSV1_0_LOGON_SUBMIT_TYPE MessageType; UNICODE_STRING LogonDomainName; UNICODE_STRING UserName;
// UNICODE_STRING Password; } MSV1_0_INTERACTIVE_LOGON, *PMSV1_0_INTERACTIVE_LOGON;
[PInvokeData("ntsecapi.h", MSDNShortId = "f9b9a966-54b9-4f89-98cc-d92e3f74571d")]
[StructLayout(LayoutKind.Sequential)]
public struct MSV1_0_INTERACTIVE_LOGON
{
///
/// MSV1_0_LOGON_SUBMIT_TYPE value that specifies the type of logon being requested. This member must be set to MsV1_0InteractiveLogon.
///
public MSV1_0_LOGON_SUBMIT_TYPE MessageType;
///
///
/// UNICODE_STRING that contains the name of the logon domain. The specified domain name must be a Windows domain or mixed domain
/// that is trusted by this machine.
///
///
/// The Buffer member of the UNICODE_STRING structure must point to memory that is contiguous to the
/// MSV1_0_INTERACTIVE_LOGON structure.
///
///
public LSA_UNICODE_STRING LogonDomainName;
///
///
/// UNICODE_STRING that represents the user's account name. The name can be up to 255 bytes long. The name is treated as
/// case-insensitive. The specified UserName must have an account in domain LogonDomainName.
///
///
/// The Buffer member of the UNICODE_STRING structure must point to memory that is contiguous to the
/// MSV1_0_INTERACTIVE_LOGON structure.
///
///
public LSA_UNICODE_STRING UserName;
///
///
/// UNICODE_STRING that contains the user's plaintext password. The password may be up to 255 bytes long and contain any Unicode
/// value. When you have finished using the password, clear it from memory by calling the SecureZeroMemory function. For more
/// information on protecting the password, see Handling Passwords.
///
///
/// The Buffer member of the UNICODE_STRING structure must point to memory that is contiguous to the
/// MSV1_0_INTERACTIVE_LOGON structure.
///
///
public LSA_UNICODE_STRING Password;
}
///
/// The SECURITY_LOGON_SESSION_DATA structure contains information about a logon session.
/// This structure is used by the LsaGetLogonSessionData function.
///
///
/// This structure is allocated by the LSA. When the structure is no longer required, free it by using the LSAFreeReturnBuffer function.
///
// https://docs.microsoft.com/en-us/windows/desktop/api/ntsecapi/ns-ntsecapi-_security_logon_session_data typedef struct
// _SECURITY_LOGON_SESSION_DATA { ULONG Size; LUID LogonId; LSA_UNICODE_STRING UserName; LSA_UNICODE_STRING LogonDomain;
// LSA_UNICODE_STRING AuthenticationPackage; ULONG LogonType; ULONG Session; PSID Sid; LARGE_INTEGER LogonTime; LSA_UNICODE_STRING
// LogonServer; LSA_UNICODE_STRING DnsDomainName; LSA_UNICODE_STRING Upn; ULONG UserFlags; LSA_LAST_INTER_LOGON_INFO LastLogonInfo;
// LSA_UNICODE_STRING LogonScript; LSA_UNICODE_STRING ProfilePath; LSA_UNICODE_STRING HomeDirectory; LSA_UNICODE_STRING
// HomeDirectoryDrive; LARGE_INTEGER LogoffTime; LARGE_INTEGER KickOffTime; LARGE_INTEGER PasswordLastSet; LARGE_INTEGER
// PasswordCanChange; LARGE_INTEGER PasswordMustChange; } SECURITY_LOGON_SESSION_DATA, *PSECURITY_LOGON_SESSION_DATA;
[PInvokeData("ntsecapi.h", MSDNShortId = "284ddb9a-fd08-4f38-b1d0-242596c114a8")]
[StructLayout(LayoutKind.Sequential)]
public struct SECURITY_LOGON_SESSION_DATA
{
/// The size of the structure, in bytes.
public uint Size;
/// A locally unique identifier (LUID) that identifies a logon session.
public LUID LogonId;
///
/// An LSA_UNICODE_STRING structure that contains the account name of the security principal that owns the logon session.
///
public LSA_UNICODE_STRING UserName;
///
/// An LSA_UNICODE_STRING structure that contains the name of the domain used to authenticate the owner of the logon session.
///
public LSA_UNICODE_STRING LogonDomain;
///
/// An LSA_UNICODE_STRING structure that contains the name of the authentication package used to authenticate the owner of the
/// logon session.
///
public LSA_UNICODE_STRING AuthenticationPackage;
/// A SECURITY_LOGON_TYPE value that identifies the logon method.
public SECURITY_LOGON_TYPE LogonType;
/// A Terminal Services session identifier. This member may be zero.
public uint Session;
/// A pointer to the user's security identifier (SID).
public PSID Sid;
/// The time the session owner logged on.
public long LogonTime;
///
/// An LSA_UNICODE_STRING structure that contains the name of the server used to authenticate the owner of the logon session.
///
public LSA_UNICODE_STRING LogonServer;
/// An LSA_UNICODE_STRING structure that contains the DNS name for the owner of the logon session.
public LSA_UNICODE_STRING DnsDomainName;
/// An LSA_UNICODE_STRING structure that contains the user principal name (UPN) for the owner of the logon session.
public LSA_UNICODE_STRING Upn;
///
/// The user flags for the logon session.
///
/// Windows Server 2003 R2, Windows XP with SP1 and earlier, Windows Server 2003 and Windows XP: This member is not supported.
///
///
///
/// Value
/// Meaning
///
/// -
/// LOGON_OPTIMIZED 0x4000
/// The logon is an optimized logon session.
///
/// -
/// LOGON_WINLOGON 0x8000
/// The logon was created for Winlogon.
///
/// -
/// LOGON_PKINIT 0x10000
/// The Kerberos PKINIT extension was used to authenticate the user in this logon session.
///
/// -
/// LOGON_NOT_OPTIMIZED 0x20000
/// Optimized logon has been disabled for this account.
///
///
///
public LogonUserFlags UserFlags;
///
/// An LSA_LAST_INTER_LOGON_INFO structure that contains the information on the last logon session.
///
/// Windows Server 2003 R2, Windows XP with SP1 and earlier, Windows Server 2003 and Windows XP: This member is not supported.
///
///
public LSA_LAST_INTER_LOGON_INFO LastLogonInfo;
///
/// An LSA_UNICODE_STRING structure that contains the script used for logging on.
///
/// Windows Server 2003 R2, Windows XP with SP1 and earlier, Windows Server 2003 and Windows XP: This member is not supported.
///
///
public LSA_UNICODE_STRING LogonScript;
///
/// An LSA_UNICODE_STRING structure that contains the path to the user's profile.
///
/// Windows Server 2003 R2, Windows XP with SP1 and earlier, Windows Server 2003 and Windows XP: This member is not supported.
///
///
public LSA_UNICODE_STRING ProfilePath;
///
/// An LSA_UNICODE_STRING structure that contains the home directory for the logon session.
///
/// Windows Server 2003 R2, Windows XP with SP1 and earlier, Windows Server 2003 and Windows XP: This member is not supported.
///
///
public LSA_UNICODE_STRING HomeDirectory;
///
/// An LSA_UNICODE_STRING structure that contains the drive location of the home directory of the logon session.
///
/// Windows Server 2003 R2, Windows XP with SP1 and earlier, Windows Server 2003 and Windows XP: This member is not supported.
///
///
public LSA_UNICODE_STRING HomeDirectoryDrive;
///
/// The time stamp of when the session user logged off.
///
/// Windows Server 2003 R2, Windows XP with SP1 and earlier, Windows Server 2003 and Windows XP: This member is not supported.
///
///
public long LogoffTime;
///
/// The time that the logon session must end.
///
/// Windows Server 2003 R2, Windows XP with SP1 and earlier, Windows Server 2003 and Windows XP: This member is not supported.
///
///
public long KickOffTime;
///
/// The time when the user last changed the password.
///
/// Windows Server 2003 R2, Windows XP with SP1 and earlier, Windows Server 2003 and Windows XP: This member is not supported.
///
///
public long PasswordLastSet;
///
/// The password can be changed during the logon session.
///
/// Windows Server 2003 R2, Windows XP with SP1 and earlier, Windows Server 2003 and Windows XP: This member is not supported.
///
///
public long PasswordCanChange;
///
/// The password must be changed during the logon session.
///
/// Windows Server 2003 R2, Windows XP with SP1 and earlier, Windows Server 2003 and Windows XP: This member is not supported.
///
///
public long PasswordMustChange;
}
/// Provides a for that is disposed using .
public class SafeLsaConnectionHandle : SafeHANDLE
{
/// Initializes a new instance of the class and assigns an existing handle.
/// An object that represents the pre-existing handle to use.
///
/// to reliably release the handle during the finalization phase; otherwise, (not recommended).
///
public SafeLsaConnectionHandle(IntPtr preexistingHandle, bool ownsHandle = true) : base(preexistingHandle, ownsHandle) { }
/// Initializes a new instance of the class.
private SafeLsaConnectionHandle() : base() { }
/// Performs an implicit conversion from to .
/// The safe handle instance.
/// The result of the conversion.
public static implicit operator LsaConnectionHandle(SafeLsaConnectionHandle h) => h.handle;
///
protected override bool InternalReleaseHandle() => LsaDeregisterLogonProcess(this).Succeeded;
}
}
}