If you are supporting a system that defines a new type of logon procedure, such as retinal scanning or voice recognition, you must create a custom authentication package to analyze the new logon data and determine whether to accept the user's credentials. You can also create new authentication packages that use standard logon data but implement new security protocols.

The LSA calls the Functions Implemented by Authentication Packages when it receives an authentication service request from a logon application. When a user attempts to log on to the system, the authentication package must check the user's logon data against the credentials information on file. The authentication packages provided with Windows store this information either in the security accounts manager (SAM) database or in the Active Directory (depending on the version and configuration of the operating system).

The system does not permit applications that are not part of the operating system to access existing credentials data directly; to do so would create a security risk. Your custom authentication package must call MSV1_0 to access the user's authentication information. Your package calls MSV1_0 to perform the initial authentication and create a logon session. If the initial authentication is successful, your package then performs additional processing to support the new logon protocol or algorithm and sends an authentication result to the LSA. In essence, your custom authentication package wraps MSV1_0, extending its functionality to support the new logon protocol. This following illustration shows this process.

Both the custom authentication package and MSV1_0 support the authentication package interface (see Functions Implemented by Authentication Packages). The LSA calls the authentication package interface functions in the custom package which, in turn, call the functions in MSV1_0. The custom package must be able to pass the incoming logon information using data structures supported by MSV1_0. In addition, the structures passed to MSV1_0 should be allocated in the address space of the logon process, not the LSA address space.

The MSV1_0 package processes the authentication request and returns a result (and if successful, an LUID) to the custom package. The custom package can then perform additional authentication checks, such as deciding whether the scanned-in fingerprint matches the user account, and return an authentication success or failure back to the LSA. If your custom package revokes a logon allowed by MSV1_0, it must delete the logon session created by MSV1_0 by calling the DeleteLogonSession function.

Send comments about this topic to Microsoft

Build date: 9/25/2008