Using LSA from a Logon Application

The Local Security Authority (LSA) provides several functions that logon processes, such as custom GINAs, can call to authenticate users. They are described in detail in the LSA Logon Functions reference section. To call these functions, your process must have the SeTcbPrivilege (trusted computing base) privilege.

Before requesting authentication services, your logon process must establish a connection to the LSA by calling LsaRegisterLogonProcess. This function connects to the LSA and returns a handle that you pass in subsequent calls to the LSA. When the connection to the LSA is no longer needed, call LsaDeregisterLogonProcess.

After you have obtained a handle, you can call LsaLogonUser to attempt to log a user on to a system. During this call, you will need to specify the identifier of an authentication package to handle the logon request. If you know the name of the authentication package, you can look up its identifier by calling the LsaLookupAuthenticationPackage function.

If the user successfully logs on, the LSA returns a token containing the user's security information to your logon process. Your logon process can use this token to check access permissions, to create processes as the user, and for other operations requiring a token. For more information, see Access Control and the CreateProcessAsUser and AccessCheck functions documented in the Platform Software Development Kit (SDK).

In addition to the standard authentication functions, authentication packages can provide services that are package-specific. Your application can communicate with an authentication package to request a service by calling the LsaCallAuthenticationPackage function. The content and format of the input and output buffers used during a call to LsaCallAuthenticationPackage are specific to the authentication package; the LSA does not interpret the data but simply forwards it to the authentication package. For more information, see the LsaCallAuthenticationPackage reference page.
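The register, look-up, logon and release sequence described above, as an added C example that is not part of this documentation. It assumes the MSV1_0 package and its MSV1_0_INTERACTIVE_LOGON buffer as the package-specific input (the process name, token source name and credentials are placeholders); outside Windows, stand-in typedefs let the buffer-packing routine compile so its layout can be checked.

```c
#include <stdlib.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#include <ntsecapi.h>
#else /* stand-ins with the Windows field layout (assumption) so the packing code compiles and can be checked elsewhere */
typedef unsigned short USHORT, WCHAR, *PWSTR; typedef unsigned long ULONG; typedef unsigned char BYTE;
typedef struct { USHORT Length, MaximumLength; PWSTR Buffer; } UNICODE_STRING;
typedef struct { int MessageType; UNICODE_STRING LogonDomainName, UserName, Password; } MSV1_0_INTERACTIVE_LOGON;
enum { MsV1_0InteractiveLogon = 2 };
#endif
/* Byte length of a NUL-terminated 16-bit string (wcslen is not 16-bit on every platform). */
static USHORT WByteLen(const WCHAR *s) { USHORT n = 0; while (s[n]) n++; return (USHORT)(n * sizeof(WCHAR)); }
/* Copy one string into the tail of the buffer and point the UNICODE_STRING at that copy. */
static BYTE *PutString(UNICODE_STRING *dst, const WCHAR *src, BYTE *cursor)
{
    dst->Length = dst->MaximumLength = WByteLen(src); dst->Buffer = (PWSTR)cursor;
    memcpy(cursor, src, dst->Length); return cursor + dst->Length;
}
/* Build the single contiguous buffer LsaLogonUser expects for MSV1_0: each UNICODE_STRING Buffer
   pointer must lie inside this one allocation so the LSA can relocate it when it copies the data. */
MSV1_0_INTERACTIVE_LOGON *PackInteractiveLogon(const WCHAR *domain, const WCHAR *user, const WCHAR *password, ULONG *size)
{
    *size = (ULONG)sizeof(MSV1_0_INTERACTIVE_LOGON) + WByteLen(domain) + WByteLen(user) + WByteLen(password);
    MSV1_0_INTERACTIVE_LOGON *p = calloc(1, *size); if (!p) return NULL;
    BYTE *cursor = (BYTE *)(p + 1);               /* strings start right after the fixed header */
    p->MessageType = MsV1_0InteractiveLogon;
    cursor = PutString(&p->LogonDomainName, domain, cursor);
    cursor = PutString(&p->UserName, user, cursor);
    PutString(&p->Password, password, cursor);
    return p;
}
#ifdef _WIN32
int main(void) { /* register -> look up the package -> log on -> release, as described in the text */
    char app[] = "SampleLogonApp", pkgName[] = MSV1_0_PACKAGE_NAME;   /* hypothetical logon process name */
    LSA_STRING name = { (USHORT)strlen(app), (USHORT)sizeof(app), app }, pkgStr = { (USHORT)strlen(pkgName), (USHORT)sizeof(pkgName), pkgName };
    HANDLE lsa, token = NULL; LSA_OPERATIONAL_MODE mode; ULONG pkg, len, profLen = 0;
    PVOID profile = NULL; LUID logonId; QUOTA_LIMITS quotas; NTSTATUS st, sub;
    TOKEN_SOURCE src = { "Sample" }; AllocateLocallyUniqueId(&src.SourceIdentifier);
    if (LsaRegisterLogonProcess(&name, &lsa, &mode) != 0) return 1;    /* fails without SeTcbPrivilege */
    if (LsaLookupAuthenticationPackage(lsa, &pkgStr, &pkg) != 0) { LsaDeregisterLogonProcess(lsa); return 1; }
    MSV1_0_INTERACTIVE_LOGON *logon = PackInteractiveLogon(L"DOMAIN", L"user", L"password", &len); /* placeholders */
    st = LsaLogonUser(lsa, &name, Interactive, pkg, logon, len, NULL, &src, &profile, &profLen, &logonId, &token, &quotas, &sub);
    SecureZeroMemory(logon, len); free(logon);   /* scrub the plaintext password as soon as it has been submitted */
    if (st == 0) { LsaFreeReturnBuffer(profile); CloseHandle(token); }  /* token is what CreateProcessAsUser / AccessCheck would take */
    LsaDeregisterLogonProcess(lsa);
    return st == 0 ? 0 : 1;
}
#endif
```

On Windows, link with secur32.lib and advapi32.lib; the program exits non-zero if any LSA call fails, including when the process lacks SeTcbPrivilege.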

Note: Typically, if you have written a custom GINA to handle non-standard logon data, you must also write a custom authentication package that can interpret that data. For more information, see Creating Custom Authentication Packages. To learn how to write a custom GINA, see Winlogon and GINA.

Build date: 4/6/2010