LsaApLogonUser Function (Windows)

MSDN Library
Win32 and COM Development
Security
Authentication
Authentication Reference
Authentication Functions

AcceptSecurityContext (General)
AcquireCredentialsHandle (General)
AddConnectNotify
AddSecurityPackage
AddCredential
AllocateClientBuffer
AllocateHeap
AllocateLsaHeap
AllocateSharedMemory
ApplyControlToken
AuditAccountLogon
AuditLogon
CallPackage
CallPackageEx
CallPackagePassthrough
CancelConnectNotify
CancelNotification
ChangeAccountPassword
ClientCallback
ClientCallback Function Prototype
CloseSamUser
CompleteAuthToken
ConvertAuthDataToToken
CopyFromClientBuffer
CopyToClientBuffer
CrackSingleName
CreateLogonSession
CreateSharedMemory
CreateThread
CreateToken
CredDelete
CredEnumerate
CredFindBestCredential
CredFree
CredGetSessionTypes
CredGetTargetInfo
CredIsMarshaledCredential
CredIsProtected
CredMarshalCredential
CredMarshalTargetInfo
CredPackAuthenticationBuffer
CredProtect
CredRead
CredReadDomainCredentials
CredRename
CredUICmdLinePromptForCredentials
CredUIConfirmCredentials
CredUIParseUserName
CredUIPromptForCredentials
CredUIPromptForWindowsCredentials
CredUIReadSSOCredW
CredUIStoreSSOCredW
CredUnmarshalCredential
CredUnPackAuthenticationBuffer
CredUnprotect
CredWrite
CredWriteDomainCredentials
DecryptMessage (General)
DeleteCredential
DeleteLogonSession
DeleteSecurityContext
DeleteSecurityPackage
DeleteSharedMemory
DuplicateHandle
EncryptMessage (General)
EnumerateSecurityPackages
ExportSecurityContext
FreeClientBuffer
FreeContextBuffer
FreeCredentialsHandle
FreeHeap
FreeLsaHeap
FreeReturnBuffer
FreeSharedMemory
GetAuthDataForUser
GetCallInfo
GetClientInfo
GetCredentials
GetOpenCardName
GetUserAuthData
ImpersonateClient
ImpersonateSecurityContext
ImportSecurityContext
InitializeSecurityContext (General)
InitSecurityInterface
LogonUser
LogonUserEx
LogonUserExExW
LsaApCallPackage
LsaApCallPackagePassthrough
LsaApCallPackageUntrusted
LsaApInitializePackage
LsaApLogonTerminated

LsaApLogonUser

LsaApLogonUserEx
LsaApLogonUserEx2
LsaCallAuthenticationPackage
LsaConnectUntrusted
LsaDeregisterLogonProcess
LsaEnumerateLogonSessions
LsaFreeReturnBuffer
LsaGetLogonSessionData
LsaLogonUser
LsaLookupAuthenticationPackage
LsaOpenPolicy
LsaQueryDomainInformationPolicy
LsaQueryForestTrustInformation
LsaQueryInformationPolicy
LsaRegisterLogonProcess
LsaSetDomainInformationPolicy
LsaSetForestTrustInformation
LsaSetInformationPolicy
MakeSignature
MapBuffer
Msv1_0SubAuthenticationFilter
Msv1_0SubAuthenticationRoutine
NPAddConnection
NPAddConnection3
NPCancelConnection
NPCloseEnum
NPDeviceMode
NPDirectoryNotify
NPEnumResource
NPFMXEditPerm
NPFMXGetPermCaps
NPFMXGetPermHelp
NPFormatNetworkName
NPGetCaps
NPGetConnection
NPGetConnection3
NPGetConnectionPerformance
NPGetDirectoryType
NPGetPropertyText
NPGetResourceInformation
NPGetResourceParent
NPGetUniversalName
NPGetUser
NPLogonNotify
NPOpenEnum
NPPasswordChangeNotify
NPPropertyDialog
NPSearchDialog
OpenSamUser
PstAcquirePrivateKey
PstGetCertificates
PstGetTrustAnchors
PstGetUserNameForCertificate
PstMapCertificate
PstValidate
QueryContextAttributes (General)
QueryCredentialsAttributes
QuerySecurityContextToken
QuerySecurityPackageInfo
RegisterCallback
RegisterNotification
RevertSecurityContext
SaslAcceptSecurityContext
SaslEnumerateProfiles
SaslGetContextOption
SaslGetProfilePackage
SaslIdentifyPackage
SaslInitializeSecurityContext
SaslSetContextOption
SCardAccessStartedEvent
SCardAddReaderToGroup
SCardBeginTransaction
SCardCancel
SCardConnect
SCardControl
SCardDisconnect
SCardEndTransaction
SCardEstablishContext
SCardForgetCardType
SCardForgetReader
SCardForgetReaderGroup
SCardFreeMemory
SCardGetAttrib
SCardGetCardTypeProviderName
SCardGetProviderId
SCardGetStatusChange
SCardGetTransmitCount
SCardIntroduceCardType
SCardIntroduceReader
SCardIntroduceReaderGroup
SCardIsValidContext
SCardListCards
SCardListInterfaces
SCardListReaderGroups
SCardListReaders
SCardLocateCards
SCardLocateCardsByATR
SCardReadCache
SCardReconnect
SCardReleaseContext
SCardReleaseStartedEvent
SCardRemoveReaderFromGroup
SCardSetAttrib
SCardSetCardTypeProviderName
SCardStatus
SCardTransmit
SCardWriteCache
SCardUIDlgSelectCard
SendSAS
SetContextAttributes
SpAcceptCredentials
SpAcceptLsaModeContext
SpAcquireCredentialsHandle
SpAddCredentials
SpApplyControlToken
SpCompleteAuthToken
SpDeleteContext
SpDeleteCredentials
SpExchangeMetaDataFn
SpExportSecurityContext
SpFormatCredentials
SpFreeCredentialsHandle
SpGetContextToken
SpGetCredentials
SpGetCredUIContextFn
SpGetExtendedInformation
SpGetInfo
SpGetUserInfo
SpImportSecurityContext
SpInitialize
SpInitLsaModeContext
SpInitUserModeContext
SpInstanceInit
SpLsaModeInitialize
SpMakeSignature
SpMarshallSupplementalCreds
SpQueryContextAttributes
SpQueryCredentialsAttributes
SpQueryMetaDataFn
SpSaveCredentials
SpSealMessage
SpSetExtendedInformation
SpShutDown
SpUnsealMessage
SpUpdateCredentialsFn
SpUserModeInitialize
SpVerifySignature
SslCrackCertificate
SslEmptyCache
SslFreeCertificate
SspiCompareAuthIdentities
SspiCopyAuthIdentity
SspiDecryptAuthIdentity
SspiEncodeAuthIdentityAsStrings
SspiEncodeStringsAsAuthIdentity
SspiEncryptAuthIdentity
SspiExcludePackage
SspiFreeAuthIdentity
SspiGetCredUIContext
SspiGetTargetHostName
SspiIsAuthIdentityEncrypted
SspiIsPromptingNeeded
SspiLocalFree
SspiMarshalAuthIdentity
SspiPrepareForCredRead
SspiPrepareForCredWrite
SspiPromptForCredentials
SspiUnmarshalAuthIdentity
SspiUnmarshalCredUIContext
SspiUpdateCredentials
SspiValidateAuthIdentity
SspiZeroAuthIdentity
UnloadPackage
UpdateCredentials
VerifySignature
WlxActivateUserShell
WlxAssignShellProtection
WlxChangePasswordNotify
WlxChangePasswordNotifyEx
WlxCloseUserDesktop
WlxCreateUserDesktop
WlxDialogBox
WlxDialogBoxIndirect
WlxDialogBoxIndirectParam
WlxDialogBoxParam
WlxDisconnect
WlxDisplayLockedNotice
WlxDisplaySASNotice
WlxDisplayStatusMessage
WlxGetConsoleSwitchCredentials
WlxGetOption
WlxGetSourceDesktop
WlxGetStatusMessage
WlxInitialize
WlxIsLockOk
WlxIsLogoffOk
WlxLoggedOnSAS
WlxLoggedOutSAS
WlxLogoff
WlxMessageBox
WlxNegotiate
WlxNetworkProviderLoad
WlxQueryClientCredentials
WlxQueryConsoleSwitchCredentials
WlxQueryInetConnectorCredentials
WlxQueryTerminalServicesData
WlxQueryTsLogonCredentials
WlxRemoveStatusMessage
WlxSasNotify
WlxScreenSaverNotify
WlxSetContextPointer
WlxSetOption
WlxSetReturnDesktop
WlxSetTimeout
WlxShutdown
WlxStartApplication
WlxSwitchDesktopToUser
WlxSwitchDesktopToWinlogon
WlxUseCtrlAltDel
WlxWin31Migrate
WlxWkstaLockedSAS
WNetSetLastError

Syntax

C++

Copy to Clipboard Print

NTSTATUS LsaApLogonUser(
  __in   PLSA_CLIENT_REQUEST ClientRequest,
  __in   SECURITY_LOGON_TYPE LogonType,
  __in   PVOID AuthenticationInformation,
  __in   PVOID ClientAuthenticationBase,
  __in   ULONG AuthenticationInformationLength,
  __out  PVOID *ProfileBuffer,
  __out  PULONG ProfileBufferLength,
  __out  PLUID LogonId,
  __out  PNTSTATUS SubStatus,
  __out  PLSA_TOKEN_INFORMATION_TYPE TokenInformationType,
  __out  PVOID *TokenInformation,
  __out  PLSA_UNICODE_STRING *AccountName,
  __out  PLSA_UNICODE_STRING *AuthenticatingAuthority
);

Parameters

ClientRequest [in]

Pointer to an opaque LSA_CLIENT_REQUEST buffer that represents the LSA client's request. Your authentication package can pass this value into AllocateClientBuffer and FreeClientBuffer in order to identify the client process in which memory should be allocated or freed.

LogonType [in]

A SECURITY_LOGON_TYPE value identifying the type of logon requested.

AuthenticationInformation [in]

Supplies the authentication information specific to the authentication package. The LSA will free this buffer. This is the same input buffer passed into LsaLogonUser.

ClientAuthenticationBase [in]

Provides the address of the authentication information within the client process. This may be necessary to remap any pointers within the AuthenticationInformation buffer.

AuthenticationInformationLength [in]

Indicates the length, in bytes, of the AuthenticationInformation buffer.

ProfileBuffer [out]

Pointer that receives the address of the profile buffer in the client process. The authentication package is responsible for allocating the ProfileBuffer buffer within the client process by calling the AllocateClientBuffer function. However, if the LSA subsequently encounters an error that prevents a successful logon, the LSA will free this buffer.

The contents of this buffer are determined by the authentication package. The LSA does not alter this buffer; it simply returns the value to the LsaLogonUser function.

ProfileBufferLength [out]

Pointer to a ULONG that receives the length of the ProfileBuffer buffer, in bytes.

LogonId [out]

Pointer to an LUID that receives the new logon ID that uniquely identifies this logon session. The authentication package is responsible for allocating this LUID, and creating the logon session for this logon.

SubStatus [out]

Pointer to an NTSTATUS that receives the reason for failures due to account restrictions. The values returned in SubStatus are determined by the authentication package.

The following table lists the SubStatus values for the MSV1_0 and Kerberos authentication packages.

Value	Meaning
STATUS_INVALID_LOGON_HOURS	The user account has time restrictions; it cannot be used to log on at this time.
STATUS_INVALID_WORKSTATION	The user account has workstation restrictions; it cannot be used to log on to the current workstation.
STATUS_PASSWORD_EXPIRED	The user account password has expired.
STATUS_ACCOUNT_DISABLED	The user account is currently disabled and cannot be used to log on.

More information about NTSTATUS codes can be found in the Subauth.h header file shipped with the Platform SDK.

The LsaNtStatusToWinError function converts an NTSTATUS code to a Windows error code.

TokenInformationType [out]

Pointer that receives the address of an LSA_TOKEN_INFORMATION_TYPE value that indicates the type of information returned for inclusion in the token to be created. The information is returned in the TokenInformation buffer.

TokenInformation [out]

Pointer that receives information to be included in the token. The format and content of the TokenInformation buffer are indicated by the TokenInformationType parameter. Your authentication package is responsible for allocating the memory used by TokenInformation; however, this memory will be freed by the LSA.

AccountName [out]

Pointer to an LSA_UNICODE_STRING structure that receives the name of the user account. AccountName must always be returned regardless of the success or failure of the call; its string is included in the audit record for an authentication attempt. Your authentication package is responsible for allocating the memory used by AccountName; however, this memory will be freed by the LSA.

AuthenticatingAuthority [out]

Optional. Pointer to an LSA_UNICODE_STRING structure that receives the description of the authenticating authority for the logon. This parameter may be NULL. This string is included in the audit record for an authentication attempt. Your authentication package is responsible for allocating the memory used by AuthenticatingAuthority; however, this memory will be freed by the LSA.

The MSV1_0 authentication package returns the domain name of the domain validating the account. The Kerberos authentication package returns the NetBIOS domain name.

Return Value

If the function succeeds, it should return STATUS_SUCCESS.

If the function fails, it should return an NTSTATUS error code, which can be one of the following values or one of the LSA Policy Function Return Values.

Return code	Description
STATUS_NO_MEMORY	The logon could not be completed because the client's memory quota is insufficient to allocate the return buffer.
STATUS_NO_LOGON_SERVERS	No domain controllers are available to service the authentication request.
STATUS_LOGON_FAILURE	The logon attempt failed. The reason for failure is not specified; typical reasons include misspelled user names and passwords.
STATUS_ACCOUNT_RESTRICTION	The user account and password were legitimate, but user account restrictions prevent logon at this time. For additional information, see the SubStatus parameter.
STATUS_BAD_VALIDATION_CLASS	The authentication information provided is not recognized by the specified authentication package.

Calling applications can use the LsaNtStatusToWinError function to convert the NTSTATUS code to a Windows error code.

Remarks

Authentication packages must implement one of the following functions: LsaApLogonUser, LsaApLogonUserEx, or LsaApLogonUserEx2.

Requirements

Minimum supported client	Windows 2000 Professional
Minimum supported server	Windows 2000 Server
Header	Ntsecpkg.h

Syntax

Parameters

Return Value

Remarks

Requirements

See Also