Kerberos LsaCallAuthenticationPackage Invalid Parameter | Rust Programming Language Community | Page 1

leaden epoch Nov 13, 2023, 6:58 PM

#

Can you provide code that compiles/repros the issue? (i.e. one that has lsa_handle, auth_package_id, etc. defined)

#

Hm if it's a lot of work to get those populated, then nm will scan through it and see if anything pops out

#

"never mind"

#

Be aware, your sz_target string is not null terminated

let sz_target: Vec<u16> = OsString::from(spn).encode_wide().collect();

#

might be okay in this case since it's getting stuffed into a UNICODE_STRING

#

let me try writing up a minimal sample

leaden epoch Nov 13, 2023, 7:57 PM

#

Here's the beginnings of a self-contained repro. https://gist.github.com/riverar/eaeffb2c5f4f1f7e3fe3d7fde0351f47

Does that help any?

#

I can fill it out a bit more but I have to figure out valid value for the ticket request

leaden epoch Nov 13, 2023, 8:49 PM

#

package_name.Buffer = PWSTR(spn.as_ptr() as _); won't be correct; PWSTR is expecting *u16 while you're passing in *u8

#

if you want a quick fix, you can use let x = HSTRING::from(spn).as_wide()

#

actually think my example is wrong sec lol

#

you can cheat and do something like this

let spn = "HOST/Foo".to_string();
PWSTR::from_raw(HSTRING::from(spn).as_ptr() as _);

#

but we have to be super careful the API doesn't actually try to write to that since we're changing a *const to *mut; this struct seems to make annoying use of PWSTR instead of PCWSTR

#

updated the sample to pass in a real SPN https://gist.github.com/riverar/eaeffb2c5f4f1f7e3fe3d7fde0351f47 but the result is still OK / empty response struct hmm

#

probably need to enable logging to diagnose further https://learn.microsoft.com/en-us/troubleshoot/windows-server/identity/enable-kerberos-event-logging#enable-kerberos-event-logging-on-a-specific-computer

Enable Kerberos event logging - Windows Server

This article provides a solution on how to enable Kerberos event logging on a particular machine.

leaden epoch Nov 13, 2023, 10:09 PM

#

yeah the response is confusing, but it's not clear if that's expected because i'm not trusted/etc., will have to see logs

#

ah ok helps if we provide a protocol status (last param)

#

getting STATUS_INVALID_PARAMETER / ERROR_INVALID_DATA from that as per your original issue 😅

leaden epoch Nov 13, 2023, 10:57 PM

#

seems this is permanently disabled in win10+? https://mskb.pkisolutions.com/kb/308339

#

im not familiar with kerberos/lsa enough to evaluate this but the code looks okay now; just the security package responding with errors

leaden epoch Nov 13, 2023, 11:31 PM

#

im guessing the sample needs to be a logon application, probably via call to LsaRegisterLogonProcess

#

which requires a bunch of extra privileges, etc.

#

implementing minimum needed in the sample to verify we did something right here

leaden epoch Nov 14, 2023, 1:10 AM

#

oh I just realized

#

we probably need to include the string with the struct too

leaden epoch Nov 14, 2023, 6:09 AM

#

rewriting the sample a bit, forgot to account for RPC marshaling here; you're making me rehydrate brain cells that dried up long ago 😂

#Kerberos LsaCallAuthenticationPackage Invalid Parameter