Dear,
I am developing a custom credential provider (CP for short) for my business. I plan to use that CP to replace the built-in credential provider. My service works with Terminal Services to run remote applications via RDWeb, but uses my custom CP instead of the built-in CP. When testing with the RDWeb default page, I'm always prompted for credentials twice: the first is the built-in CP and the second is my custom CP. A custom Provider Filter doesn't help here. From my point of view, the first prompt is useless because I don't need to provide valid information to pass that prompt (just type anything for username/password). My configuration of the RDP connection is: TCP transport and RDP Security Layer without Network Level Authentication. After that, I get to the second prompt of my custom CP. My question is:
- Is there any way to get rid of the first prompt (which is useless)?
Besides the custom CP, I also developed another custom Authentication Package (call it AP for short) which is not based on username/password authentication. I learnt that the built-in AP MSV1_0 works as follows:
- Every time WinLogon wants to log a user on to the system, it calls LsaLogonUser, specifying its own LSA logon process handle, the package ID of Msv1_0, and the user's username and password in the call. This ends up in LsaApLogonUserEx implemented in MSV1_0.DLL; here the user's username and password are authenticated against the SAM database (local or remote), and if the authentication was successful, a logon session is created by calling LsaCreateLogonSession, assigning to it a LogonId (LUID) generated by the package. After this, MSV1_0 adds supplementary credentials to the logon session by calling LsaAddCredential; these credentials happen to be the user's username, domain name and the LM/NT hashes of his/her password. This information is then used by the LAN Manager and other services when the user attempts to access remote nodes.
My question is: what is the input for LsaAddCredential? I developed a sample AP and it works with a local user account, but for a domain account I got the error "No mapping between account names and security IDs was done". In my opinion, my call to LsaAddCredential is not correct. Could you please enlighten me on this?
Regards,
Quan