LsaLogonUser and EAP-MSCHAPv2
2010-03-04 00:07:01 UTC
I'm trying to use LsaLogonUser to validate an NtResponse received for a
computer account in an EAP-MSCHAPv2 payload but always receive
STATUS_LOGON_FAILURE. If I manually add a computer to AD via VB script with a
password of my choosing and create my own NtResponse it works. I can only
assume that there is something wrong with how a machine secret is established
when a computer joins a domain or how I am configuring the call to
LsaLogonUser or some policy setting problem. I thought it may be related to
NTLMv2 so I set:

logon->ParameterControl = MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT |

MSV1_0_ALLOW_MSVCHAPV2 was a guess as I could not find any documentation on
this recently added bit.

I'm sending the simple name of the machine followed by a $ as user-name
even though EAP-MSCHAPv2 sends name as host/<fqdn>. I've tried many values
for the workstation name besides leaving null with no success (I thought
NETLOGON may be checking even though I'm calling LsaLogonUser as Network
logon so null should be fine).

But it did not help. I also tried setting registry on my test client (XP
SP3) to not update the secret thinking password defaulted to the name of the
machine initially but no luck as the initial secret appears to be some other
value or random. I guess what the value is as my test client and AD are the
only ones that must know. I was just hoping to run my own NtResponse to see
if I could get same answer as client. I know this is a lot and would
appreciate any thoughts on how to get this working. I'm also curious to know
how to trace client (XP SP3), machine calling LsaLogonUser (Vista), and DC
(Server 2008/DC in 2003 mode) to see if I can get a reason why authentication
is failing.
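
Added example (not part of the original post, and not code from the poster or from Microsoft): the poster wants to compute an NtResponse locally and compare it with what the client sent. The first step of that computation in RFC 2759 is ChallengeHash(), the 8-byte challenge that the NT password hash is later applied to, and it is derived from the peer challenge, the authenticator challenge and the user name string exactly as the peer presented it. The code below implements that step and checks it against the test vector published in RFC 2759 section 9.2; it then shows how the resulting challenge differs when the same machine is named "host/<fqdn>" versus "NAME$", which is why the name hashed into the challenge and the name handed to the verifier must match byte for byte. The machine names "host/pc1.example.test", "PC1$" and "EXAMPLE\PC1$" are constructed for the demonstration. The remaining steps (MD4 of the Unicode password, three DES operations) are deliberately left out; this block only covers the challenge derivation.

```python
import hashlib

# Test vectors copied from RFC 2759, section 9.2 (user "User").
RFC2759_AUTHENTICATOR_CHALLENGE = bytes.fromhex("5B5D7C7D7B3F2F3E3C2C602132262628")
RFC2759_PEER_CHALLENGE = bytes.fromhex("21402324255E262A28295F2B3A337C7E")
RFC2759_USERNAME = "User"
RFC2759_EXPECTED_CHALLENGE = bytes.fromhex("D02E4386BCE91226")


def strip_prepended_domain(username: str) -> str:
    """RFC 2759 8.2: a prepended domain name (DOMAIN\\user) is excluded from
    the hash. Everything else (host/ prefix, $ suffix, @realm) is kept verbatim,
    because the RFC only speaks of a prepended domain."""
    if "\\" in username:
        return username.split("\\", 1)[1]
    return username


def challenge_hash(peer_challenge: bytes, authenticator_challenge: bytes,
                   username: str) -> bytes:
    """ChallengeHash() from RFC 2759 section 8.2.

    Challenge = first 8 bytes of SHA1(PeerChallenge || AuthenticatorChallenge ||
    UserName). The user name bytes are hashed as the peer sent them, so any
    difference in the name string gives a different challenge."""
    if len(peer_challenge) != 16 or len(authenticator_challenge) != 16:
        raise ValueError("peer and authenticator challenges must be 16 bytes each")
    name = strip_prepended_domain(username)
    sha = hashlib.sha1()
    sha.update(peer_challenge)
    sha.update(authenticator_challenge)
    sha.update(name.encode("utf-8"))
    return sha.digest()[:8]


def challenges_for_name_forms(peer_challenge: bytes, authenticator_challenge: bytes,
                              names) -> dict:
    """Map each candidate name form to the hex challenge it produces, so a
    verifier can see which name string the client must have hashed."""
    return {n: challenge_hash(peer_challenge, authenticator_challenge, n).hex().upper()
            for n in names}


if __name__ == "__main__":
    # 1. Check the implementation against the RFC vector.
    got = challenge_hash(RFC2759_PEER_CHALLENGE, RFC2759_AUTHENTICATOR_CHALLENGE,
                         RFC2759_USERNAME)
    print("RFC 2759 vector ok:", got == RFC2759_EXPECTED_CHALLENGE)

    # 2. Constructed machine-account name forms for the same computer.
    forms = ["host/pc1.example.test", "PC1$", "EXAMPLE\\PC1$"]
    for name, hexchal in challenges_for_name_forms(RFC2759_PEER_CHALLENGE,
                                                   RFC2759_AUTHENTICATOR_CHALLENGE,
                                                   forms).items():
        print(f"{name:25s} -> {hexchal}")
```

When comparing a locally computed response with the one in the EAP-MSCHAPv2 payload, feed this function the 16-byte peer challenge and 16-byte authenticator challenge from the exchange and the user name string exactly as it appeared in the EAP Identity/Response, then confirm the 8-byte value matches before moving on to the password-hash and DES steps; a mismatch at this stage means the name form, not the machine secret, is the first thing to look at.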


2014-05-14 07:30:36 UTC
Have you got this done yet? I now meet the same thing as you do.