Added Logon Provider enum.

tyranid · tyranid · commit 92a733e283c5 · 2020-05-24T10:31:29.000+01:00
diff --git a/NtApiDotNet/Win32/LogonUtils.cs b/NtApiDotNet/Win32/LogonUtils.cs
@@ -118,7 +118,21 @@ public static class LogonUtils
         /// <returns>The logged on token.</returns>
         public static NtToken Logon(string user, string domain, string password, SecurityLogonType type)
         {
-            if (!SecurityNativeMethods.LogonUser(user, domain, password, type, 0, out SafeKernelObjectHandle handle))
+            return Logon(user, domain, password, type, Logon32Provider.Default);
+        }
+
+        /// <summary>
+        /// Logon a user with a username and password.
+        /// </summary>
+        /// <param name="user">The username.</param>
+        /// <param name="domain">The user's domain.</param>
+        /// <param name="password">The user's password.</param>
+        /// <param name="type">The type of logon token.</param>
+        /// <param name="provider">The Logon provider.</param>
+        /// <returns>The logged on token.</returns>
+        public static NtToken Logon(string user, string domain, string password, SecurityLogonType type, Logon32Provider provider)
+        {
+            if (!SecurityNativeMethods.LogonUser(user, domain, password, type, provider, out SafeKernelObjectHandle handle))
             {
                 throw new SafeWin32Exception();
             }
@@ -132,9 +146,10 @@ public static NtToken Logon(string user, string domain, string password, Securit
         /// <param name="domain">The user's domain.</param>
         /// <param name="password">The user's password.</param>
         /// <param name="type">The type of logon token.</param>
+        /// <param name="provider">The Logon provider.</param>
         /// <param name="groups">Additional groups to add. Needs SeTcbPrivilege.</param>
         /// <returns>The logged on token.</returns>
-        public static NtToken Logon(string user, string domain, string password, SecurityLogonType type, IEnumerable<UserGroup> groups)
+        public static NtToken Logon(string user, string domain, string password, SecurityLogonType type, Logon32Provider provider, IEnumerable<UserGroup> groups)
         {
             TokenGroupsBuilder builder = new TokenGroupsBuilder();
             foreach (var group in groups)
@@ -144,7 +159,7 @@ public static NtToken Logon(string user, string domain, string password, Securit
 
             using (var group_buffer = builder.ToBuffer())
             {
-                if (!SecurityNativeMethods.LogonUserExExW(user, domain, password, type, 0, group_buffer, 
+                if (!SecurityNativeMethods.LogonUserExExW(user, domain, password, type, provider, group_buffer,
                     out SafeKernelObjectHandle token, null, null, null, null))
                 {
                     throw new SafeWin32Exception();
@@ -153,6 +168,20 @@ public static NtToken Logon(string user, string domain, string password, Securit
             }
         }
 
+        /// <summary>
+        /// Logon a user with a username and password.
+        /// </summary>
+        /// <param name="user">The username.</param>
+        /// <param name="domain">The user's domain.</param>
+        /// <param name="password">The user's password.</param>
+        /// <param name="type">The type of logon token.</param>
+        /// <param name="groups">Additional groups to add. Needs SeTcbPrivilege.</param>
+        /// <returns>The logged on token.</returns>
+        public static NtToken Logon(string user, string domain, string password, SecurityLogonType type, IEnumerable<UserGroup> groups)
+        {
+            return Logon(user, domain, password, type, Logon32Provider.Default, groups);
+        }
+
         /// <summary>
         /// Logon user using Kerberos Ticket.
         /// </summary>
diff --git a/NtApiDotNet/Win32/Security/Native/SecurityNativeMethods.cs b/NtApiDotNet/Win32/Security/Native/SecurityNativeMethods.cs
@@ -36,6 +36,33 @@ internal delegate bool AuthzAccessCheckCallback(
         IntPtr pArgs,
         [MarshalAs(UnmanagedType.Bool)] out bool pbAceApplicable);
 
+    /// <summary>
+    /// Logon32 provider
+    /// </summary>
+    public enum Logon32Provider
+    {
+        /// <summary>
+        /// Default.
+        /// </summary>
+        Default = 0,
+        /// <summary>
+        /// Windows NT 3.5.
+        /// </summary>
+        WinNT35 = 1,
+        /// <summary>
+        /// Windows NT 4.0.
+        /// </summary>
+        WinNT40 = 2,
+        /// <summary>
+        /// Windows NT 5.0.
+        /// </summary>
+        WinNT50 = 3,
+        /// <summary>
+        /// Virtual provider.
+        /// </summary>
+        Virtual = 4
+    }
+
     internal static class SecurityNativeMethods
     {
         [DllImport("Secur32.dll", CharSet = CharSet.Unicode)]
@@ -522,15 +549,15 @@ out NtStatus SubStatus
 
         [DllImport("Advapi32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
         internal static extern bool LogonUser(string lpszUsername, string lpszDomain, string lpszPassword, SecurityLogonType dwLogonType,
-            int dwLogonProvider, out SafeKernelObjectHandle phToken);
+            Logon32Provider dwLogonProvider, out SafeKernelObjectHandle phToken);
 
         [DllImport("Advapi32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
         internal static extern bool LogonUserExExW(
               string lpszUsername,
               string lpszDomain,
               string lpszPassword,
               SecurityLogonType dwLogonType,
-              int dwLogonProvider,
+              Logon32Provider dwLogonProvider,
               SafeTokenGroupsBuffer pTokenGroups,
               out SafeKernelObjectHandle phToken,
               [Out] OptionalPointer ppLogonSid,
diff --git a/NtApiDotNet/Win32/TokenUtils.cs b/NtApiDotNet/Win32/TokenUtils.cs
@@ -12,6 +12,7 @@
 //  See the License for the specific language governing permissions and
 //  limitations under the License.
 
+using NtApiDotNet.Win32.Security.Native;
 using System;
 using System.Collections.Generic;
 using System.Runtime.InteropServices;
@@ -100,6 +101,22 @@ public static NtToken GetAnonymousToken()
         /// <param name="groups">Optional list of additonal groups to add.</param>
         /// <returns>The logged on token.</returns>
         public static NtToken GetLogonUserToken(string username, string domain, string password, SecurityLogonType logon_type, IEnumerable<UserGroup> groups)
+        {
+            return GetLogonUserToken(username, domain, password, logon_type, Logon32Provider.Default, groups);
+        }
+
+        /// <summary>
+        /// Logon a user.
+        /// </summary>
+        /// <param name="username">The username.</param>
+        /// <param name="domain">The user's domain.</param>
+        /// <param name="password">The user's password.</param>
+        /// <param name="logon_type">The logon token's type.</param>
+        /// <param name="groups">Optional list of additonal groups to add.</param>
+        /// <param name="provider">The Logon provider.</param>
+        /// <returns>The logged on token.</returns>
+        public static NtToken GetLogonUserToken(string username, string domain, string password, SecurityLogonType logon_type, 
+            Logon32Provider provider, IEnumerable<UserGroup> groups)
         {
             switch (logon_type)
             {
@@ -116,11 +133,11 @@ public static NtToken GetLogonUserToken(string username, string domain, string p
 
             if (groups != null)
             {
-                return LogonUtils.Logon(username, domain, password, logon_type, groups);
+                return LogonUtils.Logon(username, domain, password, logon_type, provider, groups);
             }
             else
             {
-                return LogonUtils.Logon(username, domain, password, logon_type);
+                return LogonUtils.Logon(username, domain, password, logon_type, provider);
             }
         }
 
diff --git a/NtObjectManager/Cmdlets/Object/GetNtTokenCmdlet.cs b/NtObjectManager/Cmdlets/Object/GetNtTokenCmdlet.cs
@@ -22,6 +22,7 @@
 using System.Runtime.InteropServices;
 using NtApiDotNet.Win32.Security.Authentication;
 using NtApiDotNet.Win32.Security.Authentication.Kerberos;
+using NtApiDotNet.Win32.Security.Native;
 
 namespace NtObjectManager.Cmdlets.Object
 {
@@ -267,6 +268,12 @@ public sealed class GetNtTokenCmdlet : PSCmdlet
         [Parameter(Mandatory = true, ParameterSetName = "Logon")]
         public SwitchParameter Logon { get; set; }
 
+        /// <summary>
+        /// <para type="description">Specify logon provider.</para>
+        /// </summary>
+        [Parameter(ParameterSetName = "Logon")]
+        public Logon32Provider LogonProvider { get; set; }
+
         /// <summary>
         /// <para type="description">Get an Services for User (S4U) logon token.</para>
         /// </summary>
@@ -579,7 +586,7 @@ private NtToken GetLogonToken(TokenAccessRights desired_access, string user,
                 groups = AdditionalGroups.Select(s => new UserGroup(s,
                     GetAttributes(s)));
             }
-            using (NtToken token = TokenUtils.GetLogonUserToken(user, domain, password, logon_type, groups))
+            using (NtToken token = TokenUtils.GetLogonUserToken(user, domain, password, logon_type, LogonProvider, groups))
             {
                 if (desired_access == TokenAccessRights.MaximumAllowed)
                 {
