handling of kerberos error in win2k

Lara Adianto m1r4cle_26 at yahoo.com
Mon Jun 21 07:50:59 EDT 2004


I found a little light in my search, but haven't found
a complete answer yet:

When a user invoke the SAS sequence, winlogon will
call GINA function: WlxWkstatLockedSAS, which in turn
will call LsaLogonUser.
LsaLogonUser does the authentication. If the
authentication fails, it may return for example
STATUS_LOGON_FAILURE (if username or password are
wrong), STATUS_ACCOUNT_RESTRICTION (for example if the
username and password are correct but the password has
expired). In the later case, the LsaLogonUser will set
SubStatus to STATUS_PASSWORD_EXPIRED. (I simplify the
whole process to my own needs by the way, it should be
more complicated than this)

So I conclude (correct me if I'm wrong) that when the
will simply return STATUS_LOGON_FAILURE to GINA or

In case of KDC_ERR_PREAUTH_REQUIRED, is there any way
for GINA to know that the exact error code, and not


--- Lara Adianto <m1r4cle_26 at yahoo.com> wrote:
> Hi,
> I'm experimenting with MIT KDC and windows 2000 as
> the
> client that authenticates to MIT KDC, and I might
> need
> to replace the GINA in the windows client in order
> to
> achieve what I want. 
> Does anybody know, in windows 2000, who (LSA, GINA,
> SSP) handles the following issue and how it is
> handled
> ?
> 1. If the authentication is failed because MIT KDC
> KDC_ERR_KEY_EXPIRED, how does the SSP (I believe
> it's
> SSP who captured this error from KDC) tell the GINA
> about the failed login ? Will SSP tell GINA the
> exact
> error message (KDC_ERR_PREAUTH_REQUIRED or
> KDC_ERR_KEY_EXPIRED) or will SSP return another type
> of error code or even a general error code (in this
> case GINA is not aware of what caused the error) ?
> 2. who (GINA, LSA,...) logs the error to event
> viewer
> ?
> This might not be the right forum to discuss it, but
> I'm not sure to which mailing list I can address
> this
> issue 
> thank you,
> lara
> =====
> La vie, voyez-vous, ca n'est jamais si bon ni si
> mauvais qu'on croit
>                    - Guy de Maupassant -
> __________________________________
> Do you Yahoo!?
> Yahoo! Mail Address AutoComplete - You start. We
> finish.
> http://promotions.yahoo.com/new_mail 

La vie, voyez-vous, ca n'est jamais si bon ni si mauvais qu'on croit
                                                                        - Guy de Maupassant -

Do you Yahoo!?
New and Improved Yahoo! Mail - 100MB free storage!

More information about the Kerberos mailing list