{******************************************************************************} { } { LSA API interface Unit for Object Pascal } { } { Portions created by Microsoft are Copyright (C) 1995-2001 Microsoft } { Corporation. All Rights Reserved. } { } { The original file is: ntsecapi.h, released June 2000. The original Pascal } { code is: NtSecApi.pas, released December 2000. The initial developer of the } { Pascal code is Marcel van Brakel (brakelm att chello dott nl). } { } { Portions created by Marcel van Brakel are Copyright (C) 1999-2001 } { Marcel van Brakel. All Rights Reserved. } { } { Obtained through: Joint Endeavour of Delphi Innovators (Project JEDI) } { } { You may retrieve the latest version of this file at the Project JEDI } { APILIB home page, located at http://jedi-apilib.sourceforge.net } { } { The contents of this file are used with permission, subject to the Mozilla } { Public License Version 1.1 (the "License"); you may not use this file except } { in compliance with the License. You may obtain a copy of the License at } { http://www.mozilla.org/MPL/MPL-1.1.html } { } { Software distributed under the License is distributed on an "AS IS" basis, } { WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License for } { the specific language governing rights and limitations under the License. } { } { Alternatively, the contents of this file may be used under the terms of the } { GNU Lesser General Public License (the "LGPL License"), in which case the } { provisions of the LGPL License are applicable instead of those above. } { If you wish to allow use of your version of this file only under the terms } { of the LGPL License and not to allow others to use your version of this file } { under the MPL, indicate your decision by deleting the provisions above and } { replace them with the notice and other provisions required by the LGPL } { License. If you do not delete the provisions above, a recipient may use } { your version of this file under either the MPL or the LGPL License. } { } { For more information about the LGPL: http://www.gnu.org/copyleft/lesser.html } { } {******************************************************************************} // $Id: JwaNtSecApi.pas,v 1.15 2007/09/05 11:58:51 dezipaitor Exp $ {$IFNDEF JWA_OMIT_SECTIONS} unit JwaNtSecApi; {$WEAKPACKAGEUNIT} {$ENDIF JWA_OMIT_SECTIONS} {$HPPEMIT ''} {$HPPEMIT '#include "ntsecapi.h"'} {$HPPEMIT ''} {$IFNDEF JWA_OMIT_SECTIONS} {$I jediapilib.inc} interface uses JwaWinType, JwaNtStatus, JwaWinNT; {$ENDIF JWA_OMIT_SECTIONS} {$IFNDEF JWA_IMPLEMENTATIONSECTION} // // Security operation mode of the system is held in a control // longword. // type LSA_OPERATIONAL_MODE = ULONG; {$EXTERNALSYM LSA_OPERATIONAL_MODE} PLSA_OPERATIONAL_MODE = ^LSA_OPERATIONAL_MODE; {$EXTERNALSYM PLSA_OPERATIONAL_MODE} // // The flags in the security operational mode are defined // as: // // PasswordProtected - Some level of authentication (such as // a password) must be provided by users before they are // allowed to use the system. Once set, this value will // not be cleared without re-booting the system. // // IndividualAccounts - Each user must identify an account to // logon to. This flag is only meaningful if the // PasswordProtected flag is also set. If this flag is // not set and the PasswordProtected flag is set, then all // users may logon to the same account. Once set, this value // will not be cleared without re-booting the system. // // MandatoryAccess - Indicates the system is running in a mandatory // access control mode (e.g., B-level as defined by the U.S.A's // Department of Defense's "Orange Book"). This is not utilized // in the current release of NT. This flag is only meaningful // if both the PasswordProtected and IndividualAccounts flags are // set. Once set, this value will not be cleared without // re-booting the system. // // LogFull - Indicates the system has been brought up in a mode in // which if must perform security auditing, but its audit log // is full. This may (should) restrict the operations that // can occur until the audit log is made not-full again. THIS // VALUE MAY BE CLEARED WHILE THE SYSTEM IS RUNNING (I.E., WITHOUT // REBOOTING). // // If the PasswordProtected flag is not set, then the system is running // without security, and user interface should be adjusted appropriately. // const LSA_MODE_PASSWORD_PROTECTED = $00000001; {$EXTERNALSYM LSA_MODE_PASSWORD_PROTECTED} LSA_MODE_INDIVIDUAL_ACCOUNTS = $00000002; {$EXTERNALSYM LSA_MODE_INDIVIDUAL_ACCOUNTS} LSA_MODE_MANDATORY_ACCESS = $00000004; {$EXTERNALSYM LSA_MODE_MANDATORY_ACCESS} LSA_MODE_LOG_FULL = $00000008; {$EXTERNALSYM LSA_MODE_LOG_FULL} // // Used by a logon process to indicate what type of logon is being // requested. // type _SECURITY_LOGON_TYPE = ( seltFiller0, seltFiller1, Interactive, // Interactively logged on (locally or remotely) Network, // Accessing system via network Batch, // Started via a batch queue Service, // Service started by service controller Proxy, // Proxy logon Unlock, // Unlock workstation NetworkCleartext, // Network logon with cleartext credentials NewCredentials, // Clone caller, new default credentials RemoteInteractive, // Remote, yet interactive. Terminal server CachedInteractive, // Try cached credentials without hitting the net. CachedRemoteInteractive, // Same as RemoteInteractive, this is used internally for auditing purpose CachedUnlock); // Cached Unlock workstation {$EXTERNALSYM _SECURITY_LOGON_TYPE} SECURITY_LOGON_TYPE = _SECURITY_LOGON_TYPE; {$EXTERNALSYM SECURITY_LOGON_TYPE} PSECURITY_LOGON_TYPE = ^SECURITY_LOGON_TYPE; {$EXTERNALSYM PSECURITY_LOGON_TYPE} TSecurityLogonType = SECURITY_LOGON_TYPE; PSecurityLogonType = PSECURITY_LOGON_TYPE; // // Audit Event Categories // // The following are the built-in types or Categories of audit event. // WARNING! This structure is subject to expansion. The user should not // compute the number of elements of this type directly, but instead // should obtain the count of elements by calling LsaQueryInformationPolicy() // for the PolicyAuditEventsInformation class and extracting the count from // the MaximumAuditEventCount field of the returned structure. // _POLICY_AUDIT_EVENT_TYPE = ( AuditCategorySystem, AuditCategoryLogon, AuditCategoryObjectAccess, AuditCategoryPrivilegeUse, AuditCategoryDetailedTracking, AuditCategoryPolicyChange, AuditCategoryAccountManagement, AuditCategoryDirectoryServiceAccess, AuditCategoryAccountLogon); {$EXTERNALSYM _POLICY_AUDIT_EVENT_TYPE} POLICY_AUDIT_EVENT_TYPE = _POLICY_AUDIT_EVENT_TYPE; {$EXTERNALSYM POLICY_AUDIT_EVENT_TYPE} PPOLICY_AUDIT_EVENT_TYPE = ^POLICY_AUDIT_EVENT_TYPE; {$EXTERNALSYM PPOLICY_AUDIT_EVENT_TYPE} TPolicyAuditEventType = POLICY_AUDIT_EVENT_TYPE; PPolicyAuditEventType = PPOLICY_AUDIT_EVENT_TYPE; // // The following defines describe the auditing options for each // event type // const // Leave options specified for this event unchanged POLICY_AUDIT_EVENT_UNCHANGED = $00000000; {$EXTERNALSYM POLICY_AUDIT_EVENT_UNCHANGED} // Audit successful occurrences of events of this type POLICY_AUDIT_EVENT_SUCCESS = $00000001; {$EXTERNALSYM POLICY_AUDIT_EVENT_SUCCESS} // Audit failed attempts to cause an event of this type to occur POLICY_AUDIT_EVENT_FAILURE = $00000002; {$EXTERNALSYM POLICY_AUDIT_EVENT_FAILURE} POLICY_AUDIT_EVENT_NONE = $00000004; {$EXTERNALSYM POLICY_AUDIT_EVENT_NONE} // Mask of valid event auditing options POLICY_AUDIT_EVENT_MASK = (POLICY_AUDIT_EVENT_SUCCESS or POLICY_AUDIT_EVENT_FAILURE or POLICY_AUDIT_EVENT_UNCHANGED or POLICY_AUDIT_EVENT_NONE); {$EXTERNALSYM POLICY_AUDIT_EVENT_MASK} TPolicyAuditEventMask = POLICY_AUDIT_EVENT_MASK; type PLSA_UNICODE_STRING = ^LSA_UNICODE_STRING; {$EXTERNALSYM PLSA_UNICODE_STRING} _LSA_UNICODE_STRING = record Length: USHORT; MaximumLength: USHORT; Buffer: PWSTR; end; {$EXTERNALSYM _LSA_UNICODE_STRING} LSA_UNICODE_STRING = _LSA_UNICODE_STRING; {$EXTERNALSYM LSA_UNICODE_STRING} TLsaUnicodeString = LSA_UNICODE_STRING; PLsaUnicodeString = PLSA_UNICODE_STRING; PLSA_STRING = ^LSA_STRING; {$EXTERNALSYM PLSA_STRING} _LSA_STRING = record Length: USHORT; MaximumLength: USHORT; Buffer: PCHAR; end; {$EXTERNALSYM _LSA_STRING} LSA_STRING = _LSA_STRING; {$EXTERNALSYM LSA_STRING} TLsaString = LSA_STRING; PLsaString = PLSA_STRING; PLSA_OBJECT_ATTRIBUTES = ^LSA_OBJECT_ATTRIBUTES; {$EXTERNALSYM PLSA_OBJECT_ATTRIBUTES} _LSA_OBJECT_ATTRIBUTES = record Length: ULONG; RootDirectory: HANDLE; ObjectName: PLSA_UNICODE_STRING; Attributes: ULONG; SecurityDescriptor: PVOID; // Points to type SECURITY_DESCRIPTOR SecurityQualityOfService: PVOID; // Points to type SECURITY_QUALITY_OF_SERVICE end; {$EXTERNALSYM _LSA_OBJECT_ATTRIBUTES} LSA_OBJECT_ATTRIBUTES = _LSA_OBJECT_ATTRIBUTES; {$EXTERNALSYM LSA_OBJECT_ATTRIBUTES} TLsaObjectAttributes = LSA_OBJECT_ATTRIBUTES; PLsaObjectAttributes = PLSA_OBJECT_ATTRIBUTES; // // Macro for determining whether an API succeeded. // function LSA_SUCCESS(Error: NTSTATUS): BOOL; {$EXTERNALSYM LSA_SUCCESS} function LsaRegisterLogonProcess(const LogonProcessName: LSA_STRING; var LsaHandle: HANDLE; SecurityMode: PLSA_OPERATIONAL_MODE): NTSTATUS; stdcall; {$EXTERNALSYM LsaRegisterLogonProcess} function LsaLogonUser(LsaHandle: HANDLE; const OriginName: LSA_STRING; LogonType: SECURITY_LOGON_TYPE; AuthenticationPackage: ULONG; AuthenticationInformation: PVOID; AuthenticationInformationLength: ULONG; LocalGroups: PTOKEN_GROUPS; SourceContext: PTOKEN_SOURCE; var ProfileBuffer: PVOID; var ProfileBufferLength: ULONG; var LogonId: LUID; var Token: HANDLE; var Quotas: QUOTA_LIMITS; var SubStatus: NTSTATUS): NTSTATUS; stdcall; {$EXTERNALSYM LsaLogonUser} function LsaLookupAuthenticationPackage(LsaHandle: HANDLE; const PackageName: LSA_STRING; var AuthenticationPackage: ULONG): NTSTATUS; stdcall; {$EXTERNALSYM LsaLookupAuthenticationPackage} function LsaFreeReturnBuffer(Buffer: PVOID): NTSTATUS; stdcall; {$EXTERNALSYM LsaFreeReturnBuffer} function LsaCallAuthenticationPackage(LsaHandle: HANDLE; AuthenticationPackage: ULONG; ProtocolSubmitBuffer: PVOID; SubmitBufferLength: ULONG; var ProtocolReturnBuffer: PVOID; var ReturnBufferLength: ULONG; var ProtocolStatus: NTSTATUS): NTSTATUS; stdcall; {$EXTERNALSYM LsaCallAuthenticationPackage} function LsaDeregisterLogonProcess(LsaHandle: HANDLE): NTSTATUS; stdcall; {$EXTERNALSYM LsaDeregisterLogonProcess} function LsaConnectUntrusted(var LsaHandle: HANDLE): NTSTATUS; stdcall; {$EXTERNALSYM LsaConnectUntrusted} //////////////////////////////////////////////////////////////////////////// // // // Local Security Policy Administration API datatypes and defines // // // //////////////////////////////////////////////////////////////////////////// // // Access types for the Policy object // const POLICY_VIEW_LOCAL_INFORMATION = $00000001; {$EXTERNALSYM POLICY_VIEW_LOCAL_INFORMATION} POLICY_VIEW_AUDIT_INFORMATION = $00000002; {$EXTERNALSYM POLICY_VIEW_AUDIT_INFORMATION} POLICY_GET_PRIVATE_INFORMATION = $00000004; {$EXTERNALSYM POLICY_GET_PRIVATE_INFORMATION} POLICY_TRUST_ADMIN = $00000008; {$EXTERNALSYM POLICY_TRUST_ADMIN} POLICY_CREATE_ACCOUNT = $00000010; {$EXTERNALSYM POLICY_CREATE_ACCOUNT} POLICY_CREATE_SECRET = $00000020; {$EXTERNALSYM POLICY_CREATE_SECRET} POLICY_CREATE_PRIVILEGE = $00000040; {$EXTERNALSYM POLICY_CREATE_PRIVILEGE} POLICY_SET_DEFAULT_QUOTA_LIMITS = $00000080; {$EXTERNALSYM POLICY_SET_DEFAULT_QUOTA_LIMITS} POLICY_SET_AUDIT_REQUIREMENTS = $00000100; {$EXTERNALSYM POLICY_SET_AUDIT_REQUIREMENTS} POLICY_AUDIT_LOG_ADMIN = $00000200; {$EXTERNALSYM POLICY_AUDIT_LOG_ADMIN} POLICY_SERVER_ADMIN = $00000400; {$EXTERNALSYM POLICY_SERVER_ADMIN} POLICY_LOOKUP_NAMES = $00000800; {$EXTERNALSYM POLICY_LOOKUP_NAMES} POLICY_NOTIFICATION = $00001000; {$EXTERNALSYM POLICY_NOTIFICATION} POLICY_ALL_ACCESS = (STANDARD_RIGHTS_REQUIRED or POLICY_VIEW_LOCAL_INFORMATION or POLICY_VIEW_AUDIT_INFORMATION or POLICY_GET_PRIVATE_INFORMATION or POLICY_TRUST_ADMIN or POLICY_CREATE_ACCOUNT or POLICY_CREATE_SECRET or POLICY_CREATE_PRIVILEGE or POLICY_SET_DEFAULT_QUOTA_LIMITS or POLICY_SET_AUDIT_REQUIREMENTS or POLICY_AUDIT_LOG_ADMIN or POLICY_SERVER_ADMIN or POLICY_LOOKUP_NAMES); {$EXTERNALSYM POLICY_ALL_ACCESS} POLICY_READ = (STANDARD_RIGHTS_READ or POLICY_VIEW_AUDIT_INFORMATION or POLICY_GET_PRIVATE_INFORMATION); {$EXTERNALSYM POLICY_READ} POLICY_WRITE = (STANDARD_RIGHTS_WRITE or POLICY_TRUST_ADMIN or POLICY_CREATE_ACCOUNT or POLICY_CREATE_SECRET or POLICY_CREATE_PRIVILEGE or POLICY_SET_DEFAULT_QUOTA_LIMITS or POLICY_SET_AUDIT_REQUIREMENTS or POLICY_AUDIT_LOG_ADMIN or POLICY_SERVER_ADMIN); {$EXTERNALSYM POLICY_WRITE} POLICY_EXECUTE = (STANDARD_RIGHTS_EXECUTE or POLICY_VIEW_LOCAL_INFORMATION or POLICY_LOOKUP_NAMES); {$EXTERNALSYM POLICY_EXECUTE} // // Policy object specific data types. // // // The following data type is used to identify a domain // type PLSA_TRUST_INFORMATION = ^LSA_TRUST_INFORMATION; {$EXTERNALSYM PLSA_TRUST_INFORMATION} _LSA_TRUST_INFORMATION = record Name: LSA_UNICODE_STRING; Sid: PSID; end; {$EXTERNALSYM _LSA_TRUST_INFORMATION} LSA_TRUST_INFORMATION = _LSA_TRUST_INFORMATION; {$EXTERNALSYM LSA_TRUST_INFORMATION} TLsaTrustInformation = LSA_TRUST_INFORMATION; PLsaTrustInformation = PLSA_TRUST_INFORMATION; // where members have the following usage: // // Name - The name of the domain. // // Sid - A pointer to the Sid of the Domain // // // The following data type is used in name and SID lookup services to // describe the domains referenced in the lookup operation. // PLSA_REFERENCED_DOMAIN_LIST = ^LSA_REFERENCED_DOMAIN_LIST; {$EXTERNALSYM PLSA_REFERENCED_DOMAIN_LIST} _LSA_REFERENCED_DOMAIN_LIST = record Entries: ULONG; Domains: PLSA_TRUST_INFORMATION; end; {$EXTERNALSYM _LSA_REFERENCED_DOMAIN_LIST} LSA_REFERENCED_DOMAIN_LIST = _LSA_REFERENCED_DOMAIN_LIST; {$EXTERNALSYM LSA_REFERENCED_DOMAIN_LIST} TLsaReferencedDomainList = LSA_REFERENCED_DOMAIN_LIST; PLsaReferencedDomainList = PLSA_REFERENCED_DOMAIN_LIST; // where members have the following usage: // // Entries - Is a count of the number of domains described in the // Domains array. // // Domains - Is a pointer to an array of Entries LSA_TRUST_INFORMATION data // structures. // // // The following data type is used in name to SID lookup services to describe // the domains referenced in the lookup operation. // PLSA_TRANSLATED_SID = ^LSA_TRANSLATED_SID; {$EXTERNALSYM PLSA_TRANSLATED_SID} _LSA_TRANSLATED_SID = record Use: SID_NAME_USE; RelativeId: ULONG; DomainIndex: LONG; end; {$EXTERNALSYM _LSA_TRANSLATED_SID} LSA_TRANSLATED_SID = _LSA_TRANSLATED_SID; {$EXTERNALSYM LSA_TRANSLATED_SID} TLsaTranslatedSid = LSA_TRANSLATED_SID; PLsaTranslatedSid = PLSA_TRANSLATED_SID; // where members have the following usage: // // Use - identifies the use of the SID. If this value is SidUnknown or // SidInvalid, then the remainder of the record is not set and // should be ignored. // // RelativeId - Contains the relative ID of the translated SID. The // remainder of the SID (the prefix) is obtained using the // DomainIndex field. // // DomainIndex - Is the index of an entry in a related // LSA_REFERENCED_DOMAIN_LIST data structure describing the // domain in which the account was found. // // If there is no corresponding reference domain for an entry, then // this field will contain a negative value. // _LSA_TRANSLATED_SID2 = record Use: SID_NAME_USE; Sid: PSID; DomainIndex: LONG; Flags: ULONG; end; {$EXTERNALSYM _LSA_TRANSLATED_SID2} LSA_TRANSLATED_SID2 = _LSA_TRANSLATED_SID2; {$EXTERNALSYM LSA_TRANSLATED_SID2} PLSA_TRANSLATED_SID2 = ^LSA_TRANSLATED_SID2; {$EXTERNALSYM PLSA_TRANSLATED_SID2} TLsaTranslatedSid2 = LSA_TRANSLATED_SID2; PLsaTranslatedSid2 = PLSA_TRANSLATED_SID2; // where members have the following usage: // // Use - identifies the use of the SID. If this value is SidUnknown or // SidInvalid, then the remainder of the record is not set and // should be ignored. // // Sid - Contains the complete Sid of the tranlated SID // // DomainIndex - Is the index of an entry in a related // LSA_REFERENCED_DOMAIN_LIST data structure describing the // domain in which the account was found. // // If there is no corresponding reference domain for an entry, then // this field will contain a negative value. // // // The following data type is used in SID to name lookup services to // describe the domains referenced in the lookup operation. // PLSA_TRANSLATED_NAME = ^LSA_TRANSLATED_NAME; {$EXTERNALSYM PLSA_TRANSLATED_NAME} _LSA_TRANSLATED_NAME = record Use: SID_NAME_USE; Name: LSA_UNICODE_STRING; DomainIndex: LONG; end; {$EXTERNALSYM _LSA_TRANSLATED_NAME} LSA_TRANSLATED_NAME = _LSA_TRANSLATED_NAME; {$EXTERNALSYM LSA_TRANSLATED_NAME} TLsaTranslatedName = LSA_TRANSLATED_NAME; PLsaTranslatedName = PLSA_TRANSLATED_NAME; // where the members have the following usage: // // Use - Identifies the use of the name. If this value is SidUnknown // or SidInvalid, then the remainder of the record is not set and // should be ignored. If this value is SidWellKnownGroup then the // Name field is invalid, but the DomainIndex field is not. // // Name - Contains the isolated name of the translated SID. // // DomainIndex - Is the index of an entry in a related // LSA_REFERENCED_DOMAIN_LIST data structure describing the domain // in which the account was found. // // If there is no corresponding reference domain for an entry, then // this field will contain a negative value. // // // The following data type is used to represent the role of the LSA // server (primary or backup). // _POLICY_LSA_SERVER_ROLE = (plsrFiller0, plsrFiller1, PolicyServerRoleBackup, PolicyServerRolePrimary); {$EXTERNALSYM _POLICY_LSA_SERVER_ROLE} POLICY_LSA_SERVER_ROLE = _POLICY_LSA_SERVER_ROLE; {$EXTERNALSYM POLICY_LSA_SERVER_ROLE} PPOLICY_LSA_SERVER_ROLE = ^POLICY_LSA_SERVER_ROLE; {$EXTERNALSYM PPOLICY_LSA_SERVER_ROLE} TPolicyLsaServerRole = POLICY_LSA_SERVER_ROLE; PPolicyLsaServerRole = PPOLICY_LSA_SERVER_ROLE; // // The following data type is used to specify the auditing options for // an Audit Event Type. // POLICY_AUDIT_EVENT_OPTIONS = ULONG; {$EXTERNALSYM POLICY_AUDIT_EVENT_OPTIONS} PPOLICY_AUDIT_EVENT_OPTIONS = ^POLICY_AUDIT_EVENT_OPTIONS; {$EXTERNALSYM PPOLICY_AUDIT_EVENT_OPTIONS} // where the following flags can be set: // // POLICY_AUDIT_EVENT_UNCHANGED - Leave existing auditing options // unchanged for events of this type. This flag is only used for // set operations. If this flag is set, then all other flags // are ignored. // // POLICY_AUDIT_EVENT_NONE - Cancel all auditing options for events // of this type. If this flag is set, the success/failure flags // are ignored. // // POLICY_AUDIT_EVENT_SUCCESS - When auditing is enabled, audit all // successful occurrences of events of the given type. // // POLICY_AUDIT_EVENT_FAILURE - When auditing is enabled, audit all // unsuccessful occurrences of events of the given type. // // // The following data type defines the classes of Policy Information // that may be queried/set. // type _POLICY_INFORMATION_CLASS = ( picFiller0, PolicyAuditLogInformation, PolicyAuditEventsInformation, PolicyPrimaryDomainInformation, PolicyPdAccountInformation, PolicyAccountDomainInformation, PolicyLsaServerRoleInformation, PolicyReplicaSourceInformation, PolicyDefaultQuotaInformation, PolicyModificationInformation, PolicyAuditFullSetInformation, PolicyAuditFullQueryInformation, PolicyDnsDomainInformation, PolicyDnsDomainInformationInt); {$EXTERNALSYM _POLICY_INFORMATION_CLASS} POLICY_INFORMATION_CLASS = _POLICY_INFORMATION_CLASS; {$EXTERNALSYM POLICY_INFORMATION_CLASS} PPOLICY_INFORMATION_CLASS = ^POLICY_INFORMATION_CLASS; {$EXTERNALSYM PPOLICY_INFORMATION_CLASS} TPolicyInformationClass = POLICY_INFORMATION_CLASS; PPolicyInformationClass = PPOLICY_INFORMATION_CLASS; // // The following data type corresponds to the PolicyAuditLogInformation // information class. It is used to represent information relating to // the Audit Log. // // This structure may be used in both query and set operations. However, // when used in set operations, some fields are ignored. // PPOLICY_AUDIT_LOG_INFO = ^POLICY_AUDIT_LOG_INFO; {$EXTERNALSYM PPOLICY_AUDIT_LOG_INFO} _POLICY_AUDIT_LOG_INFO = record AuditLogPercentFull: ULONG; MaximumLogSize: ULONG; AuditRetentionPeriod: LARGE_INTEGER; AuditLogFullShutdownInProgress: ByteBool; TimeToShutdown: LARGE_INTEGER; NextAuditRecordId: ULONG; end; {$EXTERNALSYM _POLICY_AUDIT_LOG_INFO} POLICY_AUDIT_LOG_INFO = _POLICY_AUDIT_LOG_INFO; {$EXTERNALSYM POLICY_AUDIT_LOG_INFO} TPolicyAuditLogInfo = POLICY_AUDIT_LOG_INFO; PPolicyAuditLogInfo = PPOLICY_AUDIT_LOG_INFO; // where the members have the following usage: // // AuditLogPercentFull - Indicates the percentage of the Audit Log // currently being used. // // MaximumLogSize - Specifies the maximum size of the Audit Log in // kilobytes. // // AuditRetentionPeriod - Indicates the length of time that Audit // Records are to be retained. Audit Records are discardable // if their timestamp predates the current time minus the // retention period. // // AuditLogFullShutdownInProgress - Indicates whether or not a system // shutdown is being initiated due to the security Audit Log becoming // full. This condition will only occur if the system is configured // to shutdown when the log becomes full. // // TRUE indicates that a shutdown is in progress // FALSE indicates that a shutdown is not in progress. // // Once a shutdown has been initiated, this flag will be set to // TRUE. If an administrator is able to currect the situation // before the shutdown becomes irreversible, then this flag will // be reset to false. // // This field is ignored for set operations. // // TimeToShutdown - If the AuditLogFullShutdownInProgress flag is set, // then this field contains the time left before the shutdown // becomes irreversible. // // This field is ignored for set operations. // // // The following data type corresponds to the PolicyAuditEventsInformation // information class. It is used to represent information relating to // the audit requirements. // PPOLICY_AUDIT_EVENTS_INFO = ^POLICY_AUDIT_EVENTS_INFO; {$EXTERNALSYM PPOLICY_AUDIT_EVENTS_INFO} _POLICY_AUDIT_EVENTS_INFO = record AuditingMode: ByteBool; EventAuditingOptions: PPOLICY_AUDIT_EVENT_OPTIONS; MaximumAuditEventCount: ULONG; end; {$EXTERNALSYM _POLICY_AUDIT_EVENTS_INFO} POLICY_AUDIT_EVENTS_INFO = _POLICY_AUDIT_EVENTS_INFO; {$EXTERNALSYM POLICY_AUDIT_EVENTS_INFO} TPolicyAuditEventsInfo = POLICY_AUDIT_EVENTS_INFO; PPolicyAuditEventsInfo = PPOLICY_AUDIT_EVENTS_INFO; // where the members have the following usage: // // AuditingMode - A Boolean variable specifying the Auditing Mode value. // This value is interpreted as follows: // // TRUE - Auditing is to be enabled (set operations) or is enabled // (query operations). Audit Records will be generated according // to the Event Auditing Options in effect (see the // EventAuditingOptions field. // // FALSE - Auditing is to be disabled (set operations) or is // disabled (query operations). No Audit Records will be // generated. Note that for set operations the Event Auditing // Options in effect will still be updated as specified by the // EventAuditingOptions field whether Auditing is enabled or // disabled. // // EventAuditingOptions - Pointer to an array of Auditing Options // indexed by Audit Event Type. // // MaximumAuditEventCount - Specifiesa count of the number of Audit // Event Types specified by the EventAuditingOptions parameter. If // this count is less than the number of Audit Event Types supported // by the system, the Auditing Options for Event Types with IDs // higher than (MaximumAuditEventCount + 1) are left unchanged. // // // The following structure corresponds to the PolicyAccountDomainInformation // information class. // PPOLICY_ACCOUNT_DOMAIN_INFO = ^POLICY_ACCOUNT_DOMAIN_INFO; {$EXTERNALSYM PPOLICY_ACCOUNT_DOMAIN_INFO} _POLICY_ACCOUNT_DOMAIN_INFO = record DomainName: LSA_UNICODE_STRING; DomainSid: PSID; end; {$EXTERNALSYM _POLICY_ACCOUNT_DOMAIN_INFO} POLICY_ACCOUNT_DOMAIN_INFO = _POLICY_ACCOUNT_DOMAIN_INFO; {$EXTERNALSYM POLICY_ACCOUNT_DOMAIN_INFO} TPolicyAccountDomainInfo = POLICY_ACCOUNT_DOMAIN_INFO; PPolicyAccountDomainInfo = PPOLICY_ACCOUNT_DOMAIN_INFO; // where the members have the following usage: // // DomainName - Is the name of the domain // // DomainSid - Is the Sid of the domain // // // The following structure corresponds to the PolicyPrimaryDomainInformation // information class. // PPOLICY_PRIMARY_DOMAIN_INFO = ^POLICY_PRIMARY_DOMAIN_INFO; {$EXTERNALSYM PPOLICY_PRIMARY_DOMAIN_INFO} _POLICY_PRIMARY_DOMAIN_INFO = record Name: LSA_UNICODE_STRING; Sid: PSID; end; {$EXTERNALSYM _POLICY_PRIMARY_DOMAIN_INFO} POLICY_PRIMARY_DOMAIN_INFO = _POLICY_PRIMARY_DOMAIN_INFO; {$EXTERNALSYM POLICY_PRIMARY_DOMAIN_INFO} TPolicyPrimaryDomainInfo = POLICY_PRIMARY_DOMAIN_INFO; PPolicyPrimaryDomainInfo = PPOLICY_PRIMARY_DOMAIN_INFO; // where the members have the following usage: // // Name - Is the name of the domain // // Sid - Is the Sid of the domain // // // The following structure corresponds to the PolicyDnsDomainInformation // information class // PPOLICY_DNS_DOMAIN_INFO = ^POLICY_DNS_DOMAIN_INFO; {$EXTERNALSYM PPOLICY_DNS_DOMAIN_INFO} _POLICY_DNS_DOMAIN_INFO = record Name: LSA_UNICODE_STRING; DnsDomainName: LSA_UNICODE_STRING; DnsForestName: LSA_UNICODE_STRING; DomainGuid: GUID; Sid: PSID; end; {$EXTERNALSYM _POLICY_DNS_DOMAIN_INFO} POLICY_DNS_DOMAIN_INFO = _POLICY_DNS_DOMAIN_INFO; {$EXTERNALSYM POLICY_DNS_DOMAIN_INFO} TPolicyDnsDomainInfo = POLICY_DNS_DOMAIN_INFO; PPolicyDnsDomainInfo = PPOLICY_DNS_DOMAIN_INFO; // where the members have the following usage: // // Name - Is the name of the Domain // // DnsDomainName - Is the DNS name of the domain // // DnsForestName - Is the DNS forest name of the domain // // DomainGuid - Is the GUID of the domain // // Sid - Is the Sid of the domain // // The following structure corresponds to the PolicyPdAccountInformation // information class. This structure may be used in Query operations // only. // PPOLICY_PD_ACCOUNT_INFO = ^POLICY_PD_ACCOUNT_INFO; {$EXTERNALSYM PPOLICY_PD_ACCOUNT_INFO} _POLICY_PD_ACCOUNT_INFO = record Name: LSA_UNICODE_STRING; end; {$EXTERNALSYM _POLICY_PD_ACCOUNT_INFO} POLICY_PD_ACCOUNT_INFO = _POLICY_PD_ACCOUNT_INFO; {$EXTERNALSYM POLICY_PD_ACCOUNT_INFO} TPolicyPdAccountInfo = POLICY_PD_ACCOUNT_INFO; PPolicyPdAccountInfo = PPOLICY_PD_ACCOUNT_INFO; // where the members have the following usage: // // Name - Is the name of an account in the domain that should be used // for authentication and name/ID lookup requests. // // // The following structure corresponds to the PolicyLsaServerRoleInformation // information class. // PPOLICY_LSA_SERVER_ROLE_INFO = ^POLICY_LSA_SERVER_ROLE_INFO; {$EXTERNALSYM PPOLICY_LSA_SERVER_ROLE_INFO} _POLICY_LSA_SERVER_ROLE_INFO = record LsaServerRole: POLICY_LSA_SERVER_ROLE; end; {$EXTERNALSYM _POLICY_LSA_SERVER_ROLE_INFO} POLICY_LSA_SERVER_ROLE_INFO = _POLICY_LSA_SERVER_ROLE_INFO; {$EXTERNALSYM POLICY_LSA_SERVER_ROLE_INFO} TPolicyLsaServerRoleInfo = POLICY_LSA_SERVER_ROLE_INFO; PPolicyLsaServerRoleInfo = PPOLICY_LSA_SERVER_ROLE_INFO; // where the fields have the following usage: // // TBS // // // The following structure corresponds to the PolicyReplicaSourceInformation // information class. // PPOLICY_REPLICA_SOURCE_INFO = ^POLICY_REPLICA_SOURCE_INFO; {$EXTERNALSYM PPOLICY_REPLICA_SOURCE_INFO} _POLICY_REPLICA_SOURCE_INFO = record ReplicaSource: LSA_UNICODE_STRING; ReplicaAccountName: LSA_UNICODE_STRING; end; {$EXTERNALSYM _POLICY_REPLICA_SOURCE_INFO} POLICY_REPLICA_SOURCE_INFO = _POLICY_REPLICA_SOURCE_INFO; {$EXTERNALSYM POLICY_REPLICA_SOURCE_INFO} TPolicyReplicaSourceInfo = POLICY_REPLICA_SOURCE_INFO; PPolicyReplicaSourceInfo = PPOLICY_REPLICA_SOURCE_INFO; // // The following structure corresponds to the PolicyDefaultQuotaInformation // information class. // PPOLICY_DEFAULT_QUOTA_INFO = ^POLICY_DEFAULT_QUOTA_INFO; {$EXTERNALSYM PPOLICY_DEFAULT_QUOTA_INFO} _POLICY_DEFAULT_QUOTA_INFO = record QuotaLimits: QUOTA_LIMITS; end; {$EXTERNALSYM _POLICY_DEFAULT_QUOTA_INFO} POLICY_DEFAULT_QUOTA_INFO = _POLICY_DEFAULT_QUOTA_INFO; {$EXTERNALSYM POLICY_DEFAULT_QUOTA_INFO} TPolicyDefaultQuotaInfo = POLICY_DEFAULT_QUOTA_INFO; PPolicyDefaultQuotaInfo = PPOLICY_DEFAULT_QUOTA_INFO; // // The following structure corresponds to the PolicyModificationInformation // information class. // PPOLICY_MODIFICATION_INFO = ^POLICY_MODIFICATION_INFO; {$EXTERNALSYM PPOLICY_MODIFICATION_INFO} _POLICY_MODIFICATION_INFO = record ModifiedId: LARGE_INTEGER; DatabaseCreationTime: LARGE_INTEGER; end; {$EXTERNALSYM _POLICY_MODIFICATION_INFO} POLICY_MODIFICATION_INFO = _POLICY_MODIFICATION_INFO; {$EXTERNALSYM POLICY_MODIFICATION_INFO} TPolicyModificationInfo = POLICY_MODIFICATION_INFO; PPolicyModificationInfo = PPOLICY_MODIFICATION_INFO; // where the members have the following usage: // // ModifiedId - Is a 64-bit unsigned integer that is incremented each // time anything in the LSA database is modified. This value is // only modified on Primary Domain Controllers. // // DatabaseCreationTime - Is the date/time that the LSA Database was // created. On Backup Domain Controllers, this value is replicated // from the Primary Domain Controller. // // // The following structure type corresponds to the PolicyAuditFullSetInformation // Information Class. // PPOLICY_AUDIT_FULL_SET_INFO = ^POLICY_AUDIT_FULL_SET_INFO; {$EXTERNALSYM PPOLICY_AUDIT_FULL_SET_INFO} _POLICY_AUDIT_FULL_SET_INFO = record ShutDownOnFull: ByteBool; end; {$EXTERNALSYM _POLICY_AUDIT_FULL_SET_INFO} POLICY_AUDIT_FULL_SET_INFO = _POLICY_AUDIT_FULL_SET_INFO; {$EXTERNALSYM POLICY_AUDIT_FULL_SET_INFO} TPolicyAuditFullSetInfo = POLICY_AUDIT_FULL_SET_INFO; PPolicyAuditFullSetInfo = PPOLICY_AUDIT_FULL_SET_INFO; // // The following structure type corresponds to the PolicyAuditFullQueryInformation // Information Class. // PPOLICY_AUDIT_FULL_QUERY_INFO = ^POLICY_AUDIT_FULL_QUERY_INFO; {$EXTERNALSYM PPOLICY_AUDIT_FULL_QUERY_INFO} _POLICY_AUDIT_FULL_QUERY_INFO = record ShutDownOnFull: ByteBool; LogIsFull: ByteBool; end; {$EXTERNALSYM _POLICY_AUDIT_FULL_QUERY_INFO} POLICY_AUDIT_FULL_QUERY_INFO = _POLICY_AUDIT_FULL_QUERY_INFO; {$EXTERNALSYM POLICY_AUDIT_FULL_QUERY_INFO} TPolicyAuditFullQueryInfo = POLICY_AUDIT_FULL_QUERY_INFO; PPolicyAuditFullQueryInfo = PPOLICY_AUDIT_FULL_QUERY_INFO; // // The following data type defines the classes of Policy Information // that may be queried/set that has domain wide effect. // _POLICY_DOMAIN_INFORMATION_CLASS = ( pdicFiller0, PolicyDomainQualityOfServiceInformation, // value was used in W2K; no longer supported PolicyDomainEfsInformation, PolicyDomainKerberosTicketInformation); {$EXTERNALSYM _POLICY_DOMAIN_INFORMATION_CLASS} POLICY_DOMAIN_INFORMATION_CLASS = _POLICY_DOMAIN_INFORMATION_CLASS; {$EXTERNALSYM POLICY_DOMAIN_INFORMATION_CLASS} PPOLICY_DOMAIN_INFORMATION_CLASS = ^POLICY_DOMAIN_INFORMATION_CLASS; {$EXTERNALSYM PPOLICY_DOMAIN_INFORMATION_CLASS} TPolicyDomainInformationClass = POLICY_DOMAIN_INFORMATION_CLASS; PPolicyDomainInformationClass = PPOLICY_DOMAIN_INFORMATION_CLASS; type // mvb has dissapeared in november 2002 release! PPOLICY_DOMAIN_QUALITY_OF_SERVICE_INFO = ^POLICY_DOMAIN_QUALITY_OF_SERVICE_INFO; {$EXTERNALSYM PPOLICY_DOMAIN_QUALITY_OF_SERVICE_INFO} _POLICY_DOMAIN_QUALITY_OF_SERVICE_INFO = record QualityOfService: ULONG; end; {$EXTERNALSYM _POLICY_DOMAIN_QUALITY_OF_SERVICE_INFO} POLICY_DOMAIN_QUALITY_OF_SERVICE_INFO = _POLICY_DOMAIN_QUALITY_OF_SERVICE_INFO; {$EXTERNALSYM POLICY_DOMAIN_QUALITY_OF_SERVICE_INFO} TPolicyDomainQualityOfServiceInfo = POLICY_DOMAIN_QUALITY_OF_SERVICE_INFO; PPolicyDomainQualityOfServiceInfo = PPOLICY_DOMAIN_QUALITY_OF_SERVICE_INFO; // // where the members have the following usage: // // QualityOfService - Determines what specific QOS actions a machine should take // // // The following structure corresponds to the PolicyEfsInformation // information class // PPOLICY_DOMAIN_EFS_INFO = ^POLICY_DOMAIN_EFS_INFO; {$EXTERNALSYM PPOLICY_DOMAIN_EFS_INFO} _POLICY_DOMAIN_EFS_INFO = record InfoLength: ULONG; EfsBlob: PUCHAR; end; {$EXTERNALSYM _POLICY_DOMAIN_EFS_INFO} POLICY_DOMAIN_EFS_INFO = _POLICY_DOMAIN_EFS_INFO; {$EXTERNALSYM POLICY_DOMAIN_EFS_INFO} TPolicyDomainEfsInfo = POLICY_DOMAIN_EFS_INFO; PPolicyDomainEfsInfo = PPOLICY_DOMAIN_EFS_INFO; // where the members have the following usage: // // InfoLength - Length of the EFS Information blob // // EfsBlob - Efs blob data // // // The following structure corresponds to the PolicyDomainKerberosTicketInformation // information class const POLICY_KERBEROS_VALIDATE_CLIENT = $00000080; {$EXTERNALSYM POLICY_KERBEROS_VALIDATE_CLIENT} type PPOLICY_DOMAIN_KERBEROS_TICKET_INFO = ^POLICY_DOMAIN_KERBEROS_TICKET_INFO; {$EXTERNALSYM PPOLICY_DOMAIN_KERBEROS_TICKET_INFO} _POLICY_DOMAIN_KERBEROS_TICKET_INFO = record AuthenticationOptions: ULONG; MaxServiceTicketAge: LARGE_INTEGER; MaxTicketAge: LARGE_INTEGER; MaxRenewAge: LARGE_INTEGER; MaxClockSkew: LARGE_INTEGER; Reserved: LARGE_INTEGER; end; {$EXTERNALSYM _POLICY_DOMAIN_KERBEROS_TICKET_INFO} POLICY_DOMAIN_KERBEROS_TICKET_INFO = _POLICY_DOMAIN_KERBEROS_TICKET_INFO; {$EXTERNALSYM POLICY_DOMAIN_KERBEROS_TICKET_INFO} TPolicyDomainKerberosTicketInfo = POLICY_DOMAIN_KERBEROS_TICKET_INFO; PPolicyDomainKerberosTicketInfo = PPOLICY_DOMAIN_KERBEROS_TICKET_INFO; // // where the members have the following usage // // AuthenticationOptions -- allowed ticket options (POLICY_KERBEROS_* flags ) // // MaxServiceTicketAge -- Maximum lifetime for a service ticket // // MaxTicketAge -- Maximum lifetime for the initial ticket // // MaxRenewAge -- Maximum cumulative age a renewable ticket can be with // requring authentication // // MaxClockSkew -- Maximum tolerance for synchronization of computer clocks // // Reserved -- Reserved // // The following data type defines the classes of Policy Information / Policy Domain Information // that may be used to request notification // _POLICY_NOTIFICATION_INFORMATION_CLASS = ( pnicFiller0, PolicyNotifyAuditEventsInformation, PolicyNotifyAccountDomainInformation, PolicyNotifyServerRoleInformation, PolicyNotifyDnsDomainInformation, PolicyNotifyDomainEfsInformation, PolicyNotifyDomainKerberosTicketInformation, PolicyNotifyMachineAccountPasswordInformation); {$EXTERNALSYM _POLICY_NOTIFICATION_INFORMATION_CLASS} POLICY_NOTIFICATION_INFORMATION_CLASS = _POLICY_NOTIFICATION_INFORMATION_CLASS; {$EXTERNALSYM POLICY_NOTIFICATION_INFORMATION_CLASS} PPOLICY_NOTIFICATION_INFORMATION_CLASS = ^POLICY_NOTIFICATION_INFORMATION_CLASS; {$EXTERNALSYM PPOLICY_NOTIFICATION_INFORMATION_CLASS} TPolicyNotificationInformationClass = POLICY_NOTIFICATION_INFORMATION_CLASS; PPolicyNotificationInformationClass = PPOLICY_NOTIFICATION_INFORMATION_CLASS; // // LSA RPC Context Handle (Opaque form). Note that a Context Handle is // always a pointer type unlike regular handles. // LSA_HANDLE = PVOID; {$EXTERNALSYM LSA_HANDLE} PLSA_HANDLE = ^LSA_HANDLE; {$EXTERNALSYM PLSA_HANDLE} TLsaHandle = LSA_HANDLE; // // Trusted Domain Object specific data types // // // This data type defines the following information classes that may be // queried or set. // _TRUSTED_INFORMATION_CLASS = ( ticFiller0, TrustedDomainNameInformation, TrustedControllersInformation, TrustedPosixOffsetInformation, TrustedPasswordInformation, TrustedDomainInformationBasic, TrustedDomainInformationEx, TrustedDomainAuthInformation, TrustedDomainFullInformation, TrustedDomainAuthInformationInternal, TrustedDomainFullInformationInternal, TrustedDomainInformationEx2Internal, TrustedDomainFullInformation2Internal); {$EXTERNALSYM _TRUSTED_INFORMATION_CLASS} TRUSTED_INFORMATION_CLASS = _TRUSTED_INFORMATION_CLASS; {$EXTERNALSYM TRUSTED_INFORMATION_CLASS} PTRUSTED_INFORMATION_CLASS = ^TRUSTED_INFORMATION_CLASS; {$EXTERNALSYM PTRUSTED_INFORMATION_CLASS} TTrustedInfomationClass = TRUSTED_INFORMATION_CLASS; PTrustedInfomationClass = PTRUSTED_INFORMATION_CLASS; // // The following data type corresponds to the TrustedDomainNameInformation // information class. // PTRUSTED_DOMAIN_NAME_INFO = ^TRUSTED_DOMAIN_NAME_INFO; {$EXTERNALSYM PTRUSTED_DOMAIN_NAME_INFO} _TRUSTED_DOMAIN_NAME_INFO = record Name: LSA_UNICODE_STRING; end; {$EXTERNALSYM _TRUSTED_DOMAIN_NAME_INFO} TRUSTED_DOMAIN_NAME_INFO = _TRUSTED_DOMAIN_NAME_INFO; {$EXTERNALSYM TRUSTED_DOMAIN_NAME_INFO} TTrustedDomainNameInfo = TRUSTED_DOMAIN_NAME_INFO; PTrustedDomainNameInfo = PTRUSTED_DOMAIN_NAME_INFO; // where members have the following meaning: // // Name - The name of the Trusted Domain. // // // The following data type corresponds to the TrustedControllersInformation // information class. // PTRUSTED_CONTROLLERS_INFO = ^TRUSTED_CONTROLLERS_INFO; {$EXTERNALSYM PTRUSTED_CONTROLLERS_INFO} _TRUSTED_CONTROLLERS_INFO = record Entries: ULONG; Names: PLSA_UNICODE_STRING; end; {$EXTERNALSYM _TRUSTED_CONTROLLERS_INFO} TRUSTED_CONTROLLERS_INFO = _TRUSTED_CONTROLLERS_INFO; {$EXTERNALSYM TRUSTED_CONTROLLERS_INFO} TTrustedControllersInfo = TRUSTED_CONTROLLERS_INFO; PTrustedControllersInfo = PTRUSTED_CONTROLLERS_INFO; // where members have the following meaning: // // Entries - Indicate how mamy entries there are in the Names array. // // Names - Pointer to an array of LSA_UNICODE_STRING structures containing the // names of domain controllers of the domain. This information may not // be accurate and should be used only as a hint. The order of this // list is considered significant and will be maintained. // // By convention, the first name in this list is assumed to be the // Primary Domain Controller of the domain. If the Primary Domain // Controller is not known, the first name should be set to the NULL // string. // // // The following data type corresponds to the TrustedPosixOffsetInformation // information class. // PTRUSTED_POSIX_OFFSET_INFO = ^TRUSTED_POSIX_OFFSET_INFO; {$EXTERNALSYM PTRUSTED_POSIX_OFFSET_INFO} _TRUSTED_POSIX_OFFSET_INFO = record Offset: ULONG; end; {$EXTERNALSYM _TRUSTED_POSIX_OFFSET_INFO} TRUSTED_POSIX_OFFSET_INFO = _TRUSTED_POSIX_OFFSET_INFO; {$EXTERNALSYM TRUSTED_POSIX_OFFSET_INFO} TTrustedPosixOffsetInfo = TRUSTED_POSIX_OFFSET_INFO; PTrustedPosixOffsetInfo = PTRUSTED_POSIX_OFFSET_INFO; // where members have the following meaning: // // Offset - Is an offset to use for the generation of Posix user and group // IDs from SIDs. The Posix ID corresponding to any particular SID is // generated by adding the RID of that SID to the Offset of the SID's // corresponding TrustedDomain object. // // // The following data type corresponds to the TrustedPasswordInformation // information class. // PTRUSTED_PASSWORD_INFO = ^TRUSTED_PASSWORD_INFO; {$EXTERNALSYM PTRUSTED_PASSWORD_INFO} _TRUSTED_PASSWORD_INFO = record Password: LSA_UNICODE_STRING; OldPassword: LSA_UNICODE_STRING; end; {$EXTERNALSYM _TRUSTED_PASSWORD_INFO} TRUSTED_PASSWORD_INFO = _TRUSTED_PASSWORD_INFO; {$EXTERNALSYM TRUSTED_PASSWORD_INFO} TTrustedPasswordInfo = TRUSTED_PASSWORD_INFO; PTrustedPasswordInfo = PTRUSTED_PASSWORD_INFO; TRUSTED_DOMAIN_INFORMATION_BASIC = LSA_TRUST_INFORMATION; {$EXTERNALSYM TRUSTED_DOMAIN_INFORMATION_BASIC} PTRUSTED_DOMAIN_INFORMATION_BASIC = PLSA_TRUST_INFORMATION; {$EXTERNALSYM PTRUSTED_DOMAIN_INFORMATION_BASIC} TTrustedDomainInformationBasic = TRUSTED_DOMAIN_INFORMATION_BASIC; PTrustedDomainInformationBasic = PTRUSTED_DOMAIN_INFORMATION_BASIC; // // Direction of the trust // const TRUST_DIRECTION_DISABLED = $00000000; {$EXTERNALSYM TRUST_DIRECTION_DISABLED} TRUST_DIRECTION_INBOUND = $00000001; {$EXTERNALSYM TRUST_DIRECTION_INBOUND} TRUST_DIRECTION_OUTBOUND = $00000002; {$EXTERNALSYM TRUST_DIRECTION_OUTBOUND} TRUST_DIRECTION_BIDIRECTIONAL = TRUST_DIRECTION_INBOUND or TRUST_DIRECTION_OUTBOUND; {$EXTERNALSYM TRUST_DIRECTION_BIDIRECTIONAL} TRUST_TYPE_DOWNLEVEL = $00000001; // NT4 and before {$EXTERNALSYM TRUST_TYPE_DOWNLEVEL} TRUST_TYPE_UPLEVEL = $00000002; // NT5 {$EXTERNALSYM TRUST_TYPE_UPLEVEL} TRUST_TYPE_MIT = $00000003; // Trust with a MIT Kerberos realm {$EXTERNALSYM TRUST_TYPE_MIT} // TRUST_TYPE_DCE = $00000004; // Trust with a DCE realm // {$EXTERNALSYM TRUST_TYPE_DCE} // Levels 0x5 - 0x000FFFFF reserved for future use // Provider specific trust levels are from 0x00100000 to 0xFFF00000 TRUST_ATTRIBUTE_NON_TRANSITIVE = $00000001; // Disallow transitivity {$EXTERNALSYM TRUST_ATTRIBUTE_NON_TRANSITIVE} TRUST_ATTRIBUTE_UPLEVEL_ONLY = $00000002; // Trust link only valid for uplevel client {$EXTERNALSYM TRUST_ATTRIBUTE_UPLEVEL_ONLY} TRUST_ATTRIBUTE_QUARANTINED_DOMAIN = $00000004; // Used to quarantine domains {$EXTERNALSYM TRUST_ATTRIBUTE_QUARANTINED_DOMAIN} TRUST_ATTRIBUTE_FOREST_TRANSITIVE = $00000008; // This link may contain forest trust information {$EXTERNALSYM TRUST_ATTRIBUTE_FOREST_TRANSITIVE} TRUST_ATTRIBUTE_CROSS_ORGANIZATION = $00000010; // This trust is to a domain/forest which is not part of this enterprise {$EXTERNALSYM TRUST_ATTRIBUTE_CROSS_ORGANIZATION} TRUST_ATTRIBUTE_WITHIN_FOREST = $00000020; // Trust is internal to this forest {$EXTERNALSYM TRUST_ATTRIBUTE_WITHIN_FOREST} TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL = $00000040; // Trust is to be treated as external for trust boundary purposes {$EXTERNALSYM TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL} // Trust attributes 0x00000040 through 0x00200000 are reserved for future use // Trust attributes 0x00400000 through 0x00800000 were used previously (up to W2K) and should not be re-used // Trust attributes 0x01000000 through 0x80000000 are reserved for user TRUST_ATTRIBUTES_VALID = DWORD($FF03FFFF); {$EXTERNALSYM TRUST_ATTRIBUTES_VALID} TRUST_ATTRIBUTES_USER = DWORD($FF000000); {$EXTERNALSYM TRUST_ATTRIBUTES_USER} type PTRUSTED_DOMAIN_INFORMATION_EX = ^TRUSTED_DOMAIN_INFORMATION_EX; {$EXTERNALSYM PTRUSTED_DOMAIN_INFORMATION_EX} _TRUSTED_DOMAIN_INFORMATION_EX = record Name: LSA_UNICODE_STRING; FlatName: LSA_UNICODE_STRING; Sid: PSID; TrustDirection: ULONG; TrustType: ULONG; TrustAttributes: ULONG; end; {$EXTERNALSYM _TRUSTED_DOMAIN_INFORMATION_EX} TRUSTED_DOMAIN_INFORMATION_EX = _TRUSTED_DOMAIN_INFORMATION_EX; {$EXTERNALSYM TRUSTED_DOMAIN_INFORMATION_EX} TTrustedDomainInformationEx = TRUSTED_DOMAIN_INFORMATION_EX; PTrustedDomainInformationEx = PTRUSTED_DOMAIN_INFORMATION_EX; _TRUSTED_DOMAIN_INFORMATION_EX2 = record Name: LSA_UNICODE_STRING; FlatName: LSA_UNICODE_STRING; Sid: PSID; TrustDirection: ULONG; TrustType: ULONG; TrustAttributes: ULONG; ForestTrustLength: ULONG; ForestTrustInfo: PUCHAR; end; {$EXTERNALSYM _TRUSTED_DOMAIN_INFORMATION_EX2} TRUSTED_DOMAIN_INFORMATION_EX2 = _TRUSTED_DOMAIN_INFORMATION_EX2; {$EXTERNALSYM TRUSTED_DOMAIN_INFORMATION_EX2} PTRUSTED_DOMAIN_INFORMATION_EX2 = ^TRUSTED_DOMAIN_INFORMATION_EX2; {$EXTERNALSYM PTRUSTED_DOMAIN_INFORMATION_EX2} TTrustedDomainInformationEx2 = TRUSTED_DOMAIN_INFORMATION_EX2; PTrustedDomainInformationEx2 = PTRUSTED_DOMAIN_INFORMATION_EX2; // // Type of authentication information // const TRUST_AUTH_TYPE_NONE = 0; // Ignore this entry {$EXTERNALSYM TRUST_AUTH_TYPE_NONE} TRUST_AUTH_TYPE_NT4OWF = 1; // NT4 OWF password {$EXTERNALSYM TRUST_AUTH_TYPE_NT4OWF} TRUST_AUTH_TYPE_CLEAR = 2; // Cleartext password {$EXTERNALSYM TRUST_AUTH_TYPE_CLEAR} TRUST_AUTH_TYPE_VERSION = 3; // Cleartext password version number {$EXTERNALSYM TRUST_AUTH_TYPE_VERSION} type PLSA_AUTH_INFORMATION = ^LSA_AUTH_INFORMATION; {$EXTERNALSYM PLSA_AUTH_INFORMATION} _LSA_AUTH_INFORMATION = record LastUpdateTime: LARGE_INTEGER; AuthType: ULONG; AuthInfoLength: ULONG; AuthInfo: PUCHAR; end; {$EXTERNALSYM _LSA_AUTH_INFORMATION} LSA_AUTH_INFORMATION = _LSA_AUTH_INFORMATION; {$EXTERNALSYM LSA_AUTH_INFORMATION} TLsaAuthInformation = LSA_AUTH_INFORMATION; PLsaAuthInformation = PLSA_AUTH_INFORMATION; PTRUSTED_DOMAIN_AUTH_INFORMATION = ^TRUSTED_DOMAIN_AUTH_INFORMATION; {$EXTERNALSYM PTRUSTED_DOMAIN_AUTH_INFORMATION} _TRUSTED_DOMAIN_AUTH_INFORMATION = record IncomingAuthInfos: ULONG; IncomingAuthenticationInformation: PLSA_AUTH_INFORMATION; IncomingPreviousAuthenticationInformation: PLSA_AUTH_INFORMATION; OutgoingAuthInfos: ULONG; OutgoingAuthenticationInformation: PLSA_AUTH_INFORMATION; OutgoingPreviousAuthenticationInformation: PLSA_AUTH_INFORMATION; end; {$EXTERNALSYM _TRUSTED_DOMAIN_AUTH_INFORMATION} TRUSTED_DOMAIN_AUTH_INFORMATION = _TRUSTED_DOMAIN_AUTH_INFORMATION; {$EXTERNALSYM TRUSTED_DOMAIN_AUTH_INFORMATION} TTrustedDomainAuthInformation = TRUSTED_DOMAIN_AUTH_INFORMATION; PTrustedDomainAuthInformation = PTRUSTED_DOMAIN_AUTH_INFORMATION; PTRUSTED_DOMAIN_FULL_INFORMATION = ^TRUSTED_DOMAIN_FULL_INFORMATION; {$EXTERNALSYM PTRUSTED_DOMAIN_FULL_INFORMATION} _TRUSTED_DOMAIN_FULL_INFORMATION = record Information: TRUSTED_DOMAIN_INFORMATION_EX; PosixOffset: TRUSTED_POSIX_OFFSET_INFO; AuthInformation: TRUSTED_DOMAIN_AUTH_INFORMATION; end; {$EXTERNALSYM _TRUSTED_DOMAIN_FULL_INFORMATION} TRUSTED_DOMAIN_FULL_INFORMATION = _TRUSTED_DOMAIN_FULL_INFORMATION; {$EXTERNALSYM TRUSTED_DOMAIN_FULL_INFORMATION} TTrustedDomainFullInformation = TRUSTED_DOMAIN_FULL_INFORMATION; PTrustedDomainFullInformation = PTRUSTED_DOMAIN_FULL_INFORMATION; PTRUSTED_DOMAIN_FULL_INFORMATION2 = ^TRUSTED_DOMAIN_FULL_INFORMATION2; {$EXTERNALSYM PTRUSTED_DOMAIN_FULL_INFORMATION2} _TRUSTED_DOMAIN_FULL_INFORMATION2 = record Information: TRUSTED_DOMAIN_INFORMATION_EX2; PosixOffset: TRUSTED_POSIX_OFFSET_INFO; AuthInformation: TRUSTED_DOMAIN_AUTH_INFORMATION; end; {$EXTERNALSYM _TRUSTED_DOMAIN_FULL_INFORMATION2} TRUSTED_DOMAIN_FULL_INFORMATION2 = _TRUSTED_DOMAIN_FULL_INFORMATION2; {$EXTERNALSYM TRUSTED_DOMAIN_FULL_INFORMATION2} TTrustedDomainFullInformation2 = TRUSTED_DOMAIN_FULL_INFORMATION2; PTrustedDomainFullInformation2 = PTRUSTED_DOMAIN_FULL_INFORMATION2; LSA_FOREST_TRUST_RECORD_TYPE = ( ForestTrustTopLevelName, ForestTrustTopLevelNameEx, ForestTrustDomainInfo); {$EXTERNALSYM LSA_FOREST_TRUST_RECORD_TYPE} TLsaForestTrustRecordType = LSA_FOREST_TRUST_RECORD_TYPE; const ForestTrustRecordTypeLast = ForestTrustDomainInfo; {$EXTERNALSYM ForestTrustRecordTypeLast} // // Bottom 16 bits of the flags are reserved for disablement reasons // LSA_FTRECORD_DISABLED_REASONS = $0000FFFF; {$EXTERNALSYM LSA_FTRECORD_DISABLED_REASONS} // // Reasons for a top-level name forest trust record to be disabled // LSA_TLN_DISABLED_NEW = $00000001; {$EXTERNALSYM LSA_TLN_DISABLED_NEW} LSA_TLN_DISABLED_ADMIN = $00000002; {$EXTERNALSYM LSA_TLN_DISABLED_ADMIN} LSA_TLN_DISABLED_CONFLICT = $00000004; {$EXTERNALSYM LSA_TLN_DISABLED_CONFLICT} // // Reasons for a domain information forest trust record to be disabled // LSA_SID_DISABLED_ADMIN = $00000001; {$EXTERNALSYM LSA_SID_DISABLED_ADMIN} LSA_SID_DISABLED_CONFLICT = $00000002; {$EXTERNALSYM LSA_SID_DISABLED_CONFLICT} LSA_NB_DISABLED_ADMIN = $00000004; {$EXTERNALSYM LSA_NB_DISABLED_ADMIN} LSA_NB_DISABLED_CONFLICT = $00000008; {$EXTERNALSYM LSA_NB_DISABLED_CONFLICT} type PLSA_FOREST_TRUST_DOMAIN_INFO = ^LSA_FOREST_TRUST_DOMAIN_INFO; {$EXTERNALSYM PLSA_FOREST_TRUST_DOMAIN_INFO} _LSA_FOREST_TRUST_DOMAIN_INFO = record Sid: PSID; DnsName: LSA_UNICODE_STRING; NetbiosName: LSA_UNICODE_STRING; end; {$EXTERNALSYM _LSA_FOREST_TRUST_DOMAIN_INFO} LSA_FOREST_TRUST_DOMAIN_INFO = _LSA_FOREST_TRUST_DOMAIN_INFO; {$EXTERNALSYM LSA_FOREST_TRUST_DOMAIN_INFO} TLsaForestTrustDomainInfo = LSA_FOREST_TRUST_DOMAIN_INFO; PLsaForestTrustDomainInfo = PLSA_FOREST_TRUST_DOMAIN_INFO; // // To prevent huge data to be passed in, we should put a limit on LSA_FOREST_TRUST_BINARY_DATA. // 128K is large enough that can't be reached in the near future, and small enough not to // cause memory problems. const MAX_FOREST_TRUST_BINARY_DATA_SIZE = 128 * 1024; {$EXTERNALSYM MAX_FOREST_TRUST_BINARY_DATA_SIZE} type PLSA_FOREST_TRUST_BINARY_DATA = ^LSA_FOREST_TRUST_BINARY_DATA; {$EXTERNALSYM PLSA_FOREST_TRUST_BINARY_DATA} _LSA_FOREST_TRUST_BINARY_DATA = record Length: ULONG; Buffer: PUCHAR; end; {$EXTERNALSYM _LSA_FOREST_TRUST_BINARY_DATA} LSA_FOREST_TRUST_BINARY_DATA = _LSA_FOREST_TRUST_BINARY_DATA; {$EXTERNALSYM LSA_FOREST_TRUST_BINARY_DATA} TLsaForestTrustBinaryData = LSA_FOREST_TRUST_BINARY_DATA; PLsaForestTrustBinaryData = PLSA_FOREST_TRUST_BINARY_DATA; PLSA_FOREST_TRUST_RECORD = ^LSA_FOREST_TRUST_RECORD; {$EXTERNALSYM PLSA_FOREST_TRUST_RECORD} _LSA_FOREST_TRUST_RECORD = record Flags: ULONG; ForestTrustType: LSA_FOREST_TRUST_RECORD_TYPE; // type of record Time: LARGE_INTEGER; case Integer of // actual data 0: (TopLevelName: LSA_UNICODE_STRING); 1: (DomainInfo: LSA_FOREST_TRUST_DOMAIN_INFO); 2: (Data: LSA_FOREST_TRUST_BINARY_DATA); // used for unrecognized types // } ForestTrustData; end; {$EXTERNALSYM _LSA_FOREST_TRUST_RECORD} LSA_FOREST_TRUST_RECORD = _LSA_FOREST_TRUST_RECORD; {$EXTERNALSYM LSA_FOREST_TRUST_RECORD} TLsaForestTrustRecord = LSA_FOREST_TRUST_RECORD; PLsaForestTrustRecord = PLSA_FOREST_TRUST_RECORD; // // To prevent forest trust blobs of large size, number of records must be // smaller than MAX_RECORDS_IN_FOREST_TRUST_INFO // const MAX_RECORDS_IN_FOREST_TRUST_INFO = 4000; {$EXTERNALSYM MAX_RECORDS_IN_FOREST_TRUST_INFO} type PLSA_FOREST_TRUST_INFORMATION = ^LSA_FOREST_TRUST_INFORMATION; {$EXTERNALSYM PLSA_FOREST_TRUST_INFORMATION} _LSA_FOREST_TRUST_INFORMATION = record RecordCount: ULONG; Entries: ^PLSA_FOREST_TRUST_RECORD; end; {$EXTERNALSYM _LSA_FOREST_TRUST_INFORMATION} LSA_FOREST_TRUST_INFORMATION = _LSA_FOREST_TRUST_INFORMATION; {$EXTERNALSYM LSA_FOREST_TRUST_INFORMATION} TLsaForestTrustInformation = LSA_FOREST_TRUST_INFORMATION; PLsaForestTrustInformation = PLSA_FOREST_TRUST_INFORMATION; LSA_FOREST_TRUST_COLLISION_RECORD_TYPE = ( CollisionTdo, CollisionXref, CollisionOther); {$EXTERNALSYM LSA_FOREST_TRUST_COLLISION_RECORD_TYPE} TLsaForestTrustCollisionRecordType = LSA_FOREST_TRUST_COLLISION_RECORD_TYPE; PLSA_FOREST_TRUST_COLLISION_RECORD = ^LSA_FOREST_TRUST_COLLISION_RECORD; {$EXTERNALSYM PLSA_FOREST_TRUST_COLLISION_RECORD} _LSA_FOREST_TRUST_COLLISION_RECORD = record Index: ULONG; Type_: LSA_FOREST_TRUST_COLLISION_RECORD_TYPE; Flags: ULONG; Name: LSA_UNICODE_STRING; end; {$EXTERNALSYM _LSA_FOREST_TRUST_COLLISION_RECORD} LSA_FOREST_TRUST_COLLISION_RECORD = _LSA_FOREST_TRUST_COLLISION_RECORD; {$EXTERNALSYM LSA_FOREST_TRUST_COLLISION_RECORD} TLsaForestTrustCollisionRecord = LSA_FOREST_TRUST_COLLISION_RECORD; PLsaForestTrustCollisionRecord = PLSA_FOREST_TRUST_COLLISION_RECORD; PLSA_FOREST_TRUST_COLLISION_INFORMATION = ^LSA_FOREST_TRUST_COLLISION_INFORMATION; {$EXTERNALSYM PLSA_FOREST_TRUST_COLLISION_INFORMATION} _LSA_FOREST_TRUST_COLLISION_INFORMATION = record RecordCount: ULONG; Entries: ^PLSA_FOREST_TRUST_COLLISION_RECORD; end; {$EXTERNALSYM _LSA_FOREST_TRUST_COLLISION_INFORMATION} LSA_FOREST_TRUST_COLLISION_INFORMATION = _LSA_FOREST_TRUST_COLLISION_INFORMATION; {$EXTERNALSYM LSA_FOREST_TRUST_COLLISION_INFORMATION} TLsaForestTrustCollisionInformation = LSA_FOREST_TRUST_COLLISION_INFORMATION; PLsaForestTrustCollisionInformation = PLSA_FOREST_TRUST_COLLISION_INFORMATION; // // LSA Enumeration Context // LSA_ENUMERATION_HANDLE = ULONG; {$EXTERNALSYM LSA_ENUMERATION_HANDLE} PLSA_ENUMERATION_HANDLE = LSA_ENUMERATION_HANDLE; {$EXTERNALSYM PLSA_ENUMERATION_HANDLE} // // LSA Enumeration Information // PLSA_ENUMERATION_INFORMATION = ^LSA_ENUMERATION_INFORMATION; {$EXTERNALSYM PLSA_ENUMERATION_INFORMATION} _LSA_ENUMERATION_INFORMATION = record Sid: PSID; end; {$EXTERNALSYM _LSA_ENUMERATION_INFORMATION} LSA_ENUMERATION_INFORMATION = _LSA_ENUMERATION_INFORMATION; {$EXTERNALSYM LSA_ENUMERATION_INFORMATION} TLsaEnumerationInformation = LSA_ENUMERATION_INFORMATION; PLsaEnumerationInformation = PLSA_ENUMERATION_INFORMATION; //////////////////////////////////////////////////////////////////////////// // // // Local Security Policy - Miscellaneous API function prototypes // // // //////////////////////////////////////////////////////////////////////////// function LsaFreeMemory(Buffer: PVOID): NTSTATUS; stdcall; {$EXTERNALSYM LsaFreeMemory} function LsaClose(ObjectHandle: LSA_HANDLE): NTSTATUS; stdcall; {$EXTERNALSYM LsaClose} type _SECURITY_LOGON_SESSION_DATA = record Size: ULONG; LogonId: LUID; UserName: LSA_UNICODE_STRING; LogonDomain: LSA_UNICODE_STRING; AuthenticationPackage: LSA_UNICODE_STRING; LogonType: SECURITY_LOGON_TYPE; Session: ULONG; Sid: PSID; LogonTime: LARGE_INTEGER; // // new for whistler: // LogonServer: LSA_UNICODE_STRING; DnsDomainName: LSA_UNICODE_STRING; Upn: LSA_UNICODE_STRING; end; {$EXTERNALSYM _SECURITY_LOGON_SESSION_DATA} SECURITY_LOGON_SESSION_DATA = _SECURITY_LOGON_SESSION_DATA; {$EXTERNALSYM SECURITY_LOGON_SESSION_DATA} PSECURITY_LOGON_SESSION_DATA = ^SECURITY_LOGON_SESSION_DATA; {$EXTERNALSYM PSECURITY_LOGON_SESSION_DATA} TSecurityLogonSessionData = SECURITY_LOGON_SESSION_DATA; PSecurityLogonSessionData = PSECURITY_LOGON_SESSION_DATA; function LsaEnumerateLogonSessions(LogonSessionCount: PULONG; var LogonSessionList: PLUID): NTSTATUS; stdcall; {$EXTERNALSYM LsaEnumerateLogonSessions} function LsaGetLogonSessionData(LogonId: PLUID; var ppLogonSessionData: PSECURITY_LOGON_SESSION_DATA): NTSTATUS; stdcall; {$EXTERNALSYM LsaGetLogonSessionData} function LsaOpenPolicy(SystemName: PLSA_UNICODE_STRING; var ObjectAttributes: LSA_OBJECT_ATTRIBUTES; DesiredAccess: ACCESS_MASK; var PolicyHandle: LSA_HANDLE): NTSTATUS; stdcall; {$EXTERNALSYM LsaOpenPolicy} function LsaQueryInformationPolicy(PolicyHandle: LSA_HANDLE; InformationClass: POLICY_INFORMATION_CLASS; var Buffer: PVOID): NTSTATUS; stdcall; {$EXTERNALSYM LsaQueryInformationPolicy} function LsaSetInformationPolicy(PolicyHandle: LSA_HANDLE; InformationClass: POLICY_INFORMATION_CLASS; Buffer: PVOID): NTSTATUS; stdcall; {$EXTERNALSYM LsaSetInformationPolicy} function LsaQueryDomainInformationPolicy(PolicyHandle: LSA_HANDLE; InformationClass: POLICY_DOMAIN_INFORMATION_CLASS; Buffer: PPVOID): NTSTATUS; stdcall; {$EXTERNALSYM LsaQueryDomainInformationPolicy} function LsaSetDomainInformationPolicy(PolicyHandle: LSA_HANDLE; InformationClass: POLICY_DOMAIN_INFORMATION_CLASS; Buffer: PVOID): NTSTATUS; stdcall; {$EXTERNALSYM LsaSetDomainInformationPolicy} function LsaRegisterPolicyChangeNotification(InformationClass: POLICY_NOTIFICATION_INFORMATION_CLASS; NotificationEventHandle: HANDLE): NTSTATUS; stdcall; {$EXTERNALSYM LsaRegisterPolicyChangeNotification} function LsaUnregisterPolicyChangeNotification(InformationClass: POLICY_NOTIFICATION_INFORMATION_CLASS; NotificationEventHandle: HANDLE): NTSTATUS; stdcall; {$EXTERNALSYM LsaUnregisterPolicyChangeNotification} function LsaEnumerateTrustedDomains(PolicyHandle: LSA_HANDLE; var EnumerationContext: LSA_ENUMERATION_HANDLE; Buffer: PPVOID; PreferedMaximumLength: ULONG; var CountReturned: ULONG): NTSTATUS; stdcall; {$EXTERNALSYM LsaEnumerateTrustedDomains} function LsaLookupNames(PolicyHandle: LSA_HANDLE; Count: ULONG; Names: PLSA_UNICODE_STRING; var ReferencedDomains: PLSA_REFERENCED_DOMAIN_LIST; var Sids: PLSA_TRANSLATED_SID): NTSTATUS; stdcall; {$EXTERNALSYM LsaLookupNames} function LsaLookupNames2(PolicyHandle: LSA_HANDLE; Flags, Count: ULONG; Names: PLSA_UNICODE_STRING; var ReferencedDomains: PLSA_REFERENCED_DOMAIN_LIST; var Sids: PLSA_TRANSLATED_SID2): NTSTATUS; stdcall; {$EXTERNALSYM LsaLookupNames2} function LsaLookupSids(PolicyHandle: LSA_HANDLE; Count: ULONG; Sids: PPSID; var ReferencedDomains: PLSA_REFERENCED_DOMAIN_LIST; var Names: PLSA_TRANSLATED_NAME): NTSTATUS; stdcall; {$EXTERNALSYM LsaLookupSids} const SE_INTERACTIVE_LOGON_NAME = 'SeInteractiveLogonRight'; {$EXTERNALSYM SE_INTERACTIVE_LOGON_NAME} SE_NETWORK_LOGON_NAME = 'SeNetworkLogonRight'; {$EXTERNALSYM SE_NETWORK_LOGON_NAME} SE_BATCH_LOGON_NAME = 'SeBatchLogonRight'; {$EXTERNALSYM SE_BATCH_LOGON_NAME} SE_SERVICE_LOGON_NAME = 'SeServiceLogonRight'; {$EXTERNALSYM SE_SERVICE_LOGON_NAME} SE_DENY_INTERACTIVE_LOGON_NAME = 'SeDenyInteractiveLogonRight'; {$EXTERNALSYM SE_DENY_INTERACTIVE_LOGON_NAME} SE_DENY_NETWORK_LOGON_NAME = 'SeDenyNetworkLogonRight'; {$EXTERNALSYM SE_DENY_NETWORK_LOGON_NAME} SE_DENY_BATCH_LOGON_NAME = 'SeDenyBatchLogonRight'; {$EXTERNALSYM SE_DENY_BATCH_LOGON_NAME} SE_DENY_SERVICE_LOGON_NAME = 'SeDenyServiceLogonRight'; {$EXTERNALSYM SE_DENY_SERVICE_LOGON_NAME} SE_REMOTE_INTERACTIVE_LOGON_NAME = 'SeRemoteInteractiveLogonRight'; {$EXTERNALSYM SE_REMOTE_INTERACTIVE_LOGON_NAME} SE_DENY_REMOTE_INTERACTIVE_LOGON_NAME = 'SeDenyRemoteInteractiveLogonRight'; {$EXTERNALSYM SE_DENY_REMOTE_INTERACTIVE_LOGON_NAME} // // This new API returns all the accounts with a certain privilege // function LsaEnumerateAccountsWithUserRight(PolicyHandle: LSA_HANDLE; UserRights: PLSA_UNICODE_STRING; var EnumerationBuffer: PLSA_ENUMERATION_INFORMATION; var CountReturned: ULONG): NTSTATUS; stdcall; {$EXTERNALSYM LsaEnumerateAccountsWithUserRight} // // These new APIs differ by taking a SID instead of requiring the caller // to open the account first and passing in an account handle // function LsaEnumerateAccountRights(PolicyHandle: LSA_HANDLE; AccountSid: PSID; var UserRights: PLSA_UNICODE_STRING; var CountOfRights: ULONG): NTSTATUS; stdcall; {$EXTERNALSYM LsaEnumerateAccountRights} function LsaAddAccountRights(PolicyHandle: LSA_HANDLE; AccountSid: PSID; UserRights: PLSA_UNICODE_STRING; CountOfRights: ULONG): NTSTATUS; stdcall; {$EXTERNALSYM LsaAddAccountRights} function LsaRemoveAccountRights(PolicyHandle: LSA_HANDLE; AccountSid: PSID; AllRights: ByteBool; UserRights: PLSA_UNICODE_STRING; CountOfRights: ULONG): NTSTATUS; stdcall; {$EXTERNALSYM LsaRemoveAccountRights} /////////////////////////////////////////////////////////////////////////////// // // // Local Security Policy - Trusted Domain Object API function prototypes // // // /////////////////////////////////////////////////////////////////////////////// function LsaOpenTrustedDomainByName(PolicyHandle: LSA_HANDLE; const TrustedDomainName: LSA_UNICODE_STRING; DesiredAccess: ACCESS_MASK; var TrustedDomainHandle: LSA_HANDLE): NTSTATUS; stdcall; {$EXTERNALSYM LsaOpenTrustedDomainByName} function LsaQueryTrustedDomainInfo(PolicyHandle: LSA_HANDLE; TrustedDomainSid: PSID; InformationClass: TRUSTED_INFORMATION_CLASS; Buffer: PPVOID): NTSTATUS; stdcall; {$EXTERNALSYM LsaQueryTrustedDomainInfo} function LsaSetTrustedDomainInformation(PolicyHandle: LSA_HANDLE; TrustedDomainSid: PSID; InformationClass: TRUSTED_INFORMATION_CLASS; Buffer: PVOID): NTSTATUS; stdcall; {$EXTERNALSYM LsaSetTrustedDomainInformation} function LsaDeleteTrustedDomain(PolicyHandle: LSA_HANDLE; TrustedDomainSid: PSID): NTSTATUS; stdcall; {$EXTERNALSYM LsaDeleteTrustedDomain} function LsaQueryTrustedDomainInfoByName(PolicyHandle: LSA_HANDLE; const TrustedDomainName: LSA_UNICODE_STRING; InformationClass: TRUSTED_INFORMATION_CLASS; Buffer: PPVOID): NTSTATUS; stdcall; {$EXTERNALSYM LsaQueryTrustedDomainInfoByName} function LsaSetTrustedDomainInfoByName(PolicyHandle: LSA_HANDLE; const TrustedDomainName: LSA_UNICODE_STRING; InformationClass: TRUSTED_INFORMATION_CLASS; Buffer: PVOID): NTSTATUS; stdcall; {$EXTERNALSYM LsaSetTrustedDomainInfoByName} function LsaEnumerateTrustedDomainsEx(PolicyHandle: LSA_HANDLE; var EnumerationContext: LSA_ENUMERATION_HANDLE; Buffer: PPVOID; PreferedMaximumLength: ULONG; var CountReturned: ULONG): NTSTATUS; stdcall; {$EXTERNALSYM LsaEnumerateTrustedDomainsEx} function LsaCreateTrustedDomainEx(PolicyHandle: LSA_HANDLE; const TrustedDomainInformation: TRUSTED_DOMAIN_INFORMATION_EX; const AuthenticationInformation: TRUSTED_DOMAIN_AUTH_INFORMATION; DesiredAccess: ACCESS_MASK; var TrustedDomainHandle: LSA_HANDLE): NTSTATUS; stdcall; {$EXTERNALSYM LsaCreateTrustedDomainEx} function LsaQueryForestTrustInformation(PolicyHandle: LSA_HANDLE; TrustedDomainName: PLSA_UNICODE_STRING; var ForestTrustInfo: PLSA_FOREST_TRUST_INFORMATION): NTSTATUS; stdcall; {$EXTERNALSYM LsaQueryForestTrustInformation} function LsaSetForestTrustInformation(PolicyHandle: LSA_HANDLE; TrustedDomainName: PLSA_UNICODE_STRING; ForestTrustInfo: PLSA_FOREST_TRUST_INFORMATION; CheckOnly: BOOLEAN; var CollisionInfo: PLSA_FOREST_TRUST_COLLISION_INFORMATION): NTSTATUS; stdcall; {$EXTERNALSYM LsaSetForestTrustInformation} {.DEFINE TESTING_MATCHING_ROUTINE} {$IFDEF TESTING_MATCHING_ROUTINE} function LsaForestTrustFindMatch(PolicyHandle: LSA_HANDLE; Type_: ULONG; Name: PLSA_UNICODE_STRING; var Match: PLSA_UNICODE_STRING): NTSTATUS; stdcall; {$EXTERNALSYM LsaForestTrustFindMatch} {$ENDIF TESTING_MATCHING_ROUTINE} // // This API sets the workstation password (equivalent of setting/getting // the SSI_SECRET_NAME secret) // function LsaStorePrivateData(PolicyHandle: LSA_HANDLE; const KeyName: LSA_UNICODE_STRING; PrivateData: PLSA_UNICODE_STRING): NTSTATUS; stdcall; {$EXTERNALSYM LsaStorePrivateData} function LsaRetrievePrivateData(PolicyHandle: LSA_HANDLE; const KeyName: LSA_UNICODE_STRING; var PrivateData: PLSA_UNICODE_STRING): NTSTATUS; stdcall; {$EXTERNALSYM LsaRetrievePrivateData} function LsaNtStatusToWinError(Status: NTSTATUS): ULONG; stdcall; {$EXTERNALSYM LsaNtStatusToWinError} (*#if 0 NTSTATUS NTAPI LsaLookupNamesEx( IN LSA_HANDLE PolicyHandle, IN ULONG Count, IN PLSA_NAME_LOOKUP_EX Names, OUT PLSA_TRANSLATED_SID_EX *TranslatedSids, IN ULONG LookupOptions, IN OUT PULONG MappedCount ); NTSTATUS NTAPI LsaLookupSidsEx( IN LSA_HANDLE PolicyHandle, IN ULONG Count, IN PLSA_SID_LOOKUP_EX Sids, OUT PLSA_TRANSLATED_NAME_EX *TranslatedNames, IN ULONG LookupOptions, IN OUT PULONG MappedCount ); #endif*) // // SPNEGO package stuff // type NEGOTIATE_MESSAGES = (NegEnumPackagePrefixes, NegGetCallerName, NegCallPackageMax); {$EXTERNALSYM NEGOTIATE_MESSAGES} const NEGOTIATE_MAX_PREFIX = 32; {$EXTERNALSYM NEGOTIATE_MAX_PREFIX} type PNEGOTIATE_PACKAGE_PREFIX = ^NEGOTIATE_PACKAGE_PREFIX; {$EXTERNALSYM PNEGOTIATE_PACKAGE_PREFIX} _NEGOTIATE_PACKAGE_PREFIX = record PackageId: ULONG_PTR; PackageDataA: PVOID; PackageDataW: PVOID; PrefixLen: ULONG_PTR; Prefix: array [0..NEGOTIATE_MAX_PREFIX - 1] of UCHAR; end; {$EXTERNALSYM _NEGOTIATE_PACKAGE_PREFIX} NEGOTIATE_PACKAGE_PREFIX = _NEGOTIATE_PACKAGE_PREFIX; {$EXTERNALSYM NEGOTIATE_PACKAGE_PREFIX} TNegotiatePackagePrefix = NEGOTIATE_PACKAGE_PREFIX; PNegotiatePackagePrefix = PNEGOTIATE_PACKAGE_PREFIX; PNEGOTIATE_PACKAGE_PREFIXES = ^NEGOTIATE_PACKAGE_PREFIXES; {$EXTERNALSYM PNEGOTIATE_PACKAGE_PREFIXES} _NEGOTIATE_PACKAGE_PREFIXES = record MessageType: ULONG; PrefixCount: ULONG; Offset: ULONG; // Offset to array of _PREFIX above Pad: ULONG; // Align structure for 64-bit end; {$EXTERNALSYM _NEGOTIATE_PACKAGE_PREFIXES} NEGOTIATE_PACKAGE_PREFIXES = _NEGOTIATE_PACKAGE_PREFIXES; {$EXTERNALSYM NEGOTIATE_PACKAGE_PREFIXES} TNegotiatePackagePrefixes = NEGOTIATE_PACKAGE_PREFIXES; PNegotiatePackagePrefixes = PNEGOTIATE_PACKAGE_PREFIXES; PNEGOTIATE_CALLER_NAME_REQUEST = ^NEGOTIATE_CALLER_NAME_REQUEST; {$EXTERNALSYM PNEGOTIATE_CALLER_NAME_REQUEST} _NEGOTIATE_CALLER_NAME_REQUEST = record MessageType: ULONG; LogonId: LUID; end; {$EXTERNALSYM _NEGOTIATE_CALLER_NAME_REQUEST} NEGOTIATE_CALLER_NAME_REQUEST = _NEGOTIATE_CALLER_NAME_REQUEST; {$EXTERNALSYM NEGOTIATE_CALLER_NAME_REQUEST} TNegotiateCallerNameRequest = NEGOTIATE_CALLER_NAME_REQUEST; PNegotiateCallerNameRequest = PNEGOTIATE_CALLER_NAME_REQUEST; PNEGOTIATE_CALLER_NAME_RESPONSE = ^NEGOTIATE_CALLER_NAME_RESPONSE; {$EXTERNALSYM PNEGOTIATE_CALLER_NAME_RESPONSE} _NEGOTIATE_CALLER_NAME_RESPONSE = record MessageType: ULONG; CallerName: PWSTR; end; {$EXTERNALSYM _NEGOTIATE_CALLER_NAME_RESPONSE} NEGOTIATE_CALLER_NAME_RESPONSE = _NEGOTIATE_CALLER_NAME_RESPONSE; {$EXTERNALSYM NEGOTIATE_CALLER_NAME_RESPONSE} TNegotiateCallerNameResponse = NEGOTIATE_CALLER_NAME_RESPONSE; PNegotiateCallerNameResponse = PNEGOTIATE_CALLER_NAME_RESPONSE; type PDOMAIN_PASSWORD_INFORMATION = ^DOMAIN_PASSWORD_INFORMATION; {$EXTERNALSYM PDOMAIN_PASSWORD_INFORMATION} _DOMAIN_PASSWORD_INFORMATION = record MinPasswordLength: USHORT; PasswordHistoryLength: USHORT; PasswordProperties: ULONG; MaxPasswordAge: LARGE_INTEGER; MinPasswordAge: LARGE_INTEGER; end; {$EXTERNALSYM _DOMAIN_PASSWORD_INFORMATION} DOMAIN_PASSWORD_INFORMATION = _DOMAIN_PASSWORD_INFORMATION; {$EXTERNALSYM DOMAIN_PASSWORD_INFORMATION} TDomainPasswordInformation = DOMAIN_PASSWORD_INFORMATION; PDomainPasswordInformation = PDOMAIN_PASSWORD_INFORMATION; // // PasswordProperties flags // const DOMAIN_PASSWORD_COMPLEX = $00000001; {$EXTERNALSYM DOMAIN_PASSWORD_COMPLEX} DOMAIN_PASSWORD_NO_ANON_CHANGE = $00000002; {$EXTERNALSYM DOMAIN_PASSWORD_NO_ANON_CHANGE} DOMAIN_PASSWORD_NO_CLEAR_CHANGE = $00000004; {$EXTERNALSYM DOMAIN_PASSWORD_NO_CLEAR_CHANGE} DOMAIN_LOCKOUT_ADMINS = $00000008; {$EXTERNALSYM DOMAIN_LOCKOUT_ADMINS} DOMAIN_PASSWORD_STORE_CLEARTEXT = $00000010; {$EXTERNALSYM DOMAIN_PASSWORD_STORE_CLEARTEXT} DOMAIN_REFUSE_PASSWORD_CHANGE = $00000020; {$EXTERNALSYM DOMAIN_REFUSE_PASSWORD_CHANGE} type PSAM_PASSWORD_NOTIFICATION_ROUTINE = function(UserName: PUNICODE_STRING; RelativeId: ULONG; NewPassword: PUNICODE_STRING): NTSTATUS; stdcall; {$EXTERNALSYM PSAM_PASSWORD_NOTIFICATION_ROUTINE} TSamPasswordNotificationRoutine = PSAM_PASSWORD_NOTIFICATION_ROUTINE; const SAM_PASSWORD_CHANGE_NOTIFY_ROUTINE = 'PasswordChangeNotify'; {$EXTERNALSYM SAM_PASSWORD_CHANGE_NOTIFY_ROUTINE} type PSAM_INIT_NOTIFICATION_ROUTINE = function : ByteBool; stdcall; {$EXTERNALSYM PSAM_INIT_NOTIFICATION_ROUTINE} TSamInitNotificationRoutine = PSAM_INIT_NOTIFICATION_ROUTINE; const SAM_INIT_NOTIFICATION_ROUTINE = 'InitializeChangeNotify'; {$EXTERNALSYM SAM_INIT_NOTIFICATION_ROUTINE} SAM_PASSWORD_FILTER_ROUTINE = 'PasswordFilter'; {$EXTERNALSYM SAM_PASSWORD_FILTER_ROUTINE} type PSAM_PASSWORD_FILTER_ROUTINE = function(AccountName, FullName, Password: PUNICODE_STRING; SetOperation: ByteBool): ByteBool; stdcall; {$EXTERNALSYM PSAM_PASSWORD_FILTER_ROUTINE} TSamPasswordFilterRoutine = PSAM_PASSWORD_FILTER_ROUTINE; ///////////////////////////////////////////////////////////////////////// // // // Name of the MSV1_0 authentication package // // // ///////////////////////////////////////////////////////////////////////// const MSV1_0_PACKAGE_NAME = 'MICROSOFT_AUTHENTICATION_PACKAGE_V1_0'; {$EXTERNALSYM MSV1_0_PACKAGE_NAME} MSV1_0_PACKAGE_NAMEW = WideString('MICROSOFT_AUTHENTICATION_PACKAGE_V1_0'); {$EXTERNALSYM MSV1_0_PACKAGE_NAMEW} MSV1_0_PACKAGE_NAMEW_LENGTH = SizeOf(MSV1_0_PACKAGE_NAMEW) - SizeOf(WCHAR); {$EXTERNALSYM MSV1_0_PACKAGE_NAMEW_LENGTH} // // Location of MSV authentication package data // MSV1_0_SUBAUTHENTICATION_KEY = 'SYSTEM\\CurrentControlSet\\Control\\Lsa\\MSV1_0'; {$EXTERNALSYM MSV1_0_SUBAUTHENTICATION_KEY} MSV1_0_SUBAUTHENTICATION_VALUE = 'Auth'; {$EXTERNALSYM MSV1_0_SUBAUTHENTICATION_VALUE} ///////////////////////////////////////////////////////////////////////// // // // Widely used MSV1_0 data types // // // ///////////////////////////////////////////////////////////////////////// /////////////////////////////////////////////////////////////////////////////// // // // LOGON Related Data Structures // // // /////////////////////////////////////////////////////////////////////////////// // // When a LsaLogonUser() call is dispatched to the MsV1_0 authentication // package, the beginning of the AuthenticationInformation buffer is // cast to a MSV1_0_LOGON_SUBMIT_TYPE to determine the type of logon // being requested. Similarly, upon return, the type of profile buffer // can be determined by typecasting it to a MSV_1_0_PROFILE_BUFFER_TYPE. // // // MSV1.0 LsaLogonUser() submission message types. // type _MSV1_0_LOGON_SUBMIT_TYPE = ( mlstFiller0, mlstFiller1, MsV1_0InteractiveLogon, MsV1_0Lm20Logon, MsV1_0NetworkLogon, MsV1_0SubAuthLogon, mlstFiller6, MsV1_0WorkstationUnlockLogon); {$EXTERNALSYM _MSV1_0_LOGON_SUBMIT_TYPE} MSV1_0_LOGON_SUBMIT_TYPE = _MSV1_0_LOGON_SUBMIT_TYPE; {$EXTERNALSYM MSV1_0_LOGON_SUBMIT_TYPE} PMSV1_0_LOGON_SUBMIT_TYPE = ^MSV1_0_LOGON_SUBMIT_TYPE; {$EXTERNALSYM PMSV1_0_LOGON_SUBMIT_TYPE} TMsv1_0LogonSubmitType = MSV1_0_LOGON_SUBMIT_TYPE; PMsv1_0LogonSubmitType = PMSV1_0_LOGON_SUBMIT_TYPE; // // MSV1.0 LsaLogonUser() profile buffer types. // _MSV1_0_PROFILE_BUFFER_TYPE = ( mpbtFiller0, mpbtFiller1, MsV1_0InteractiveProfile, MsV1_0Lm20LogonProfile, MsV1_0SmartCardProfile); {$EXTERNALSYM _MSV1_0_PROFILE_BUFFER_TYPE} MSV1_0_PROFILE_BUFFER_TYPE = _MSV1_0_PROFILE_BUFFER_TYPE; {$EXTERNALSYM MSV1_0_PROFILE_BUFFER_TYPE} PMSV1_0_PROFILE_BUFFER_TYPE = ^MSV1_0_PROFILE_BUFFER_TYPE; {$EXTERNALSYM PMSV1_0_PROFILE_BUFFER_TYPE} TMsv1_0ProfileBufferType = MSV1_0_PROFILE_BUFFER_TYPE; PMsv1_0ProfileBufferType = PMSV1_0_PROFILE_BUFFER_TYPE; // // MsV1_0InteractiveLogon // // The AuthenticationInformation buffer of an LsaLogonUser() call to // perform an interactive logon contains the following data structure: // PMSV1_0_INTERACTIVE_LOGON = ^MSV1_0_INTERACTIVE_LOGON; {$EXTERNALSYM PMSV1_0_INTERACTIVE_LOGON} _MSV1_0_INTERACTIVE_LOGON = record MessageType: MSV1_0_LOGON_SUBMIT_TYPE; LogonDomainName: UNICODE_STRING; UserName: UNICODE_STRING; Password: UNICODE_STRING; end; {$EXTERNALSYM _MSV1_0_INTERACTIVE_LOGON} MSV1_0_INTERACTIVE_LOGON = _MSV1_0_INTERACTIVE_LOGON; {$EXTERNALSYM MSV1_0_INTERACTIVE_LOGON} TMsv10InteractiveLogon = MSV1_0_INTERACTIVE_LOGON; PMsv10InteractiveLogon = PMSV1_0_INTERACTIVE_LOGON; // // Where: // // MessageType - Contains the type of logon being requested. This // field must be set to MsV1_0InteractiveLogon. // // UserName - Is a string representing the user's account name. The // name may be up to 255 characters long. The name is treated case // insensitive. // // Password - Is a string containing the user's cleartext password. // The password may be up to 255 characters long and contain any // UNICODE value. // // // // The ProfileBuffer returned upon a successful logon of this type // contains the following data structure: // PMSV1_0_INTERACTIVE_PROFILE = ^MSV1_0_INTERACTIVE_PROFILE; {$EXTERNALSYM PMSV1_0_INTERACTIVE_PROFILE} _MSV1_0_INTERACTIVE_PROFILE = record MessageType: MSV1_0_PROFILE_BUFFER_TYPE; LogonCount: USHORT; BadPasswordCount: USHORT; LogonTime: LARGE_INTEGER; LogoffTime: LARGE_INTEGER; KickOffTime: LARGE_INTEGER; PasswordLastSet: LARGE_INTEGER; PasswordCanChange: LARGE_INTEGER; PasswordMustChange: LARGE_INTEGER; LogonScript: UNICODE_STRING; HomeDirectory: UNICODE_STRING; FullName: UNICODE_STRING; ProfilePath: UNICODE_STRING; HomeDirectoryDrive: UNICODE_STRING; LogonServer: UNICODE_STRING; UserFlags: ULONG; end; {$EXTERNALSYM _MSV1_0_INTERACTIVE_PROFILE} MSV1_0_INTERACTIVE_PROFILE = _MSV1_0_INTERACTIVE_PROFILE; {$EXTERNALSYM MSV1_0_INTERACTIVE_PROFILE} TMsv10InteractiveProfile = MSV1_0_INTERACTIVE_PROFILE; PMsv10InteractiveProfile = PMSV1_0_INTERACTIVE_PROFILE; // // where: // // MessageType - Identifies the type of profile data being returned. // Contains the type of logon being requested. This field must // be set to MsV1_0InteractiveProfile. // // LogonCount - Number of times the user is currently logged on. // // BadPasswordCount - Number of times a bad password was applied to // the account since last successful logon. // // LogonTime - Time when user last logged on. This is an absolute // format NT standard time value. // // LogoffTime - Time when user should log off. This is an absolute // format NT standard time value. // // KickOffTime - Time when system should force user logoff. This is // an absolute format NT standard time value. // // PasswordLastChanged - Time and date the password was last // changed. This is an absolute format NT standard time // value. // // PasswordCanChange - Time and date when the user can change the // password. This is an absolute format NT time value. To // prevent a password from ever changing, set this field to a // date very far into the future. // // PasswordMustChange - Time and date when the user must change the // password. If the user can never change the password, this // field is undefined. This is an absolute format NT time // value. // // LogonScript - The (relative) path to the account's logon // script. // // HomeDirectory - The home directory for the user. // // // MsV1_0Lm20Logon and MsV1_0NetworkLogon // // The AuthenticationInformation buffer of an LsaLogonUser() call to // perform an network logon contains the following data structure: // // MsV1_0NetworkLogon logon differs from MsV1_0Lm20Logon in that the // ParameterControl field exists. // const MSV1_0_CHALLENGE_LENGTH = 8; {$EXTERNALSYM MSV1_0_CHALLENGE_LENGTH} MSV1_0_USER_SESSION_KEY_LENGTH = 16; {$EXTERNALSYM MSV1_0_USER_SESSION_KEY_LENGTH} MSV1_0_LANMAN_SESSION_KEY_LENGTH = 8; {$EXTERNALSYM MSV1_0_LANMAN_SESSION_KEY_LENGTH} // // Values for ParameterControl. // MSV1_0_CLEARTEXT_PASSWORD_ALLOWED = $02; {$EXTERNALSYM MSV1_0_CLEARTEXT_PASSWORD_ALLOWED} MSV1_0_UPDATE_LOGON_STATISTICS = $04; {$EXTERNALSYM MSV1_0_UPDATE_LOGON_STATISTICS} MSV1_0_RETURN_USER_PARAMETERS = $08; {$EXTERNALSYM MSV1_0_RETURN_USER_PARAMETERS} MSV1_0_DONT_TRY_GUEST_ACCOUNT = $10; {$EXTERNALSYM MSV1_0_DONT_TRY_GUEST_ACCOUNT} MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT = $20; {$EXTERNALSYM MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT} MSV1_0_RETURN_PASSWORD_EXPIRY = $40; {$EXTERNALSYM MSV1_0_RETURN_PASSWORD_EXPIRY} // this next flag says that CaseInsensitiveChallengeResponse // (aka LmResponse) contains a client challenge in the first 8 bytes MSV1_0_USE_CLIENT_CHALLENGE = $80; {$EXTERNALSYM MSV1_0_USE_CLIENT_CHALLENGE} MSV1_0_TRY_GUEST_ACCOUNT_ONLY = $100; {$EXTERNALSYM MSV1_0_TRY_GUEST_ACCOUNT_ONLY} MSV1_0_RETURN_PROFILE_PATH = $200; {$EXTERNALSYM MSV1_0_RETURN_PROFILE_PATH} MSV1_0_TRY_SPECIFIED_DOMAIN_ONLY = $400; {$EXTERNALSYM MSV1_0_TRY_SPECIFIED_DOMAIN_ONLY} MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT = $800; {$EXTERNALSYM MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT} MSV1_0_DISABLE_PERSONAL_FALLBACK = $00001000; {$EXTERNALSYM MSV1_0_DISABLE_PERSONAL_FALLBACK} MSV1_0_ALLOW_FORCE_GUEST = $00002000; {$EXTERNALSYM MSV1_0_ALLOW_FORCE_GUEST} MSV1_0_CLEARTEXT_PASSWORD_SUPPLIED = $00004000; {$EXTERNALSYM MSV1_0_CLEARTEXT_PASSWORD_SUPPLIED} MSV1_0_USE_DOMAIN_FOR_ROUTING_ONLY = $00008000; {$EXTERNALSYM MSV1_0_USE_DOMAIN_FOR_ROUTING_ONLY} MSV1_0_SUBAUTHENTICATION_DLL_EX = $00100000; {$EXTERNALSYM MSV1_0_SUBAUTHENTICATION_DLL_EX} // // The high order byte is a value indicating the SubAuthentication DLL. // Zero indicates no SubAuthentication DLL. // MSV1_0_SUBAUTHENTICATION_DLL = DWORD($FF000000); {$EXTERNALSYM MSV1_0_SUBAUTHENTICATION_DLL} MSV1_0_SUBAUTHENTICATION_DLL_SHIFT = 24; {$EXTERNALSYM MSV1_0_SUBAUTHENTICATION_DLL_SHIFT} MSV1_0_MNS_LOGON = $01000000; {$EXTERNALSYM MSV1_0_MNS_LOGON} // // This is the list of subauthentication dlls used in MS // MSV1_0_SUBAUTHENTICATION_DLL_RAS = 2; {$EXTERNALSYM MSV1_0_SUBAUTHENTICATION_DLL_RAS} MSV1_0_SUBAUTHENTICATION_DLL_IIS = 132; {$EXTERNALSYM MSV1_0_SUBAUTHENTICATION_DLL_IIS} type PMSV1_0_LM20_LOGON = ^MSV1_0_LM20_LOGON; {$EXTERNALSYM PMSV1_0_LM20_LOGON} _MSV1_0_LM20_LOGON = record MessageType: MSV1_0_LOGON_SUBMIT_TYPE; LogonDomainName: UNICODE_STRING; UserName: UNICODE_STRING; Workstation: UNICODE_STRING; ChallengeToClient: array [0..MSV1_0_CHALLENGE_LENGTH - 1] of UCHAR; CaseSensitiveChallengeResponse: STRING; CaseInsensitiveChallengeResponse: STRING; ParameterControl: ULONG; end; {$EXTERNALSYM _MSV1_0_LM20_LOGON} MSV1_0_LM20_LOGON = _MSV1_0_LM20_LOGON; {$EXTERNALSYM MSV1_0_LM20_LOGON} TMsv10Lm20Logon = MSV1_0_LM20_LOGON; PMsv10Lm20Logon = PMSV1_0_LM20_LOGON; // // NT 5.0 SubAuth dlls can use this struct // PMSV1_0_SUBAUTH_LOGON = ^MSV1_0_SUBAUTH_LOGON; {$EXTERNALSYM PMSV1_0_SUBAUTH_LOGON} _MSV1_0_SUBAUTH_LOGON = record MessageType: MSV1_0_LOGON_SUBMIT_TYPE; LogonDomainName: UNICODE_STRING; UserName: UNICODE_STRING; Workstation: UNICODE_STRING; ChallengeToClient: array [0..MSV1_0_CHALLENGE_LENGTH - 1] of UCHAR; AuthenticationInfo1: STRING; AuthenticationInfo2: STRING; ParameterControl: ULONG; SubAuthPackageId: ULONG; end; {$EXTERNALSYM _MSV1_0_SUBAUTH_LOGON} MSV1_0_SUBAUTH_LOGON = _MSV1_0_SUBAUTH_LOGON; {$EXTERNALSYM MSV1_0_SUBAUTH_LOGON} TMsv10SubauthLogon = MSV1_0_SUBAUTH_LOGON; PMsv10SubauthLogon = PMSV1_0_SUBAUTH_LOGON; // // Values for UserFlags. // const LOGON_GUEST = $01; {$EXTERNALSYM LOGON_GUEST} LOGON_NOENCRYPTION = $02; {$EXTERNALSYM LOGON_NOENCRYPTION} LOGON_CACHED_ACCOUNT = $04; {$EXTERNALSYM LOGON_CACHED_ACCOUNT} LOGON_USED_LM_PASSWORD = $08; {$EXTERNALSYM LOGON_USED_LM_PASSWORD} LOGON_EXTRA_SIDS = $20; {$EXTERNALSYM LOGON_EXTRA_SIDS} LOGON_SUBAUTH_SESSION_KEY = $40; {$EXTERNALSYM LOGON_SUBAUTH_SESSION_KEY} LOGON_SERVER_TRUST_ACCOUNT = $80; {$EXTERNALSYM LOGON_SERVER_TRUST_ACCOUNT} LOGON_NTLMV2_ENABLED = $100; // says DC understands NTLMv2 {$EXTERNALSYM LOGON_NTLMV2_ENABLED} LOGON_RESOURCE_GROUPS = $200; {$EXTERNALSYM LOGON_RESOURCE_GROUPS} LOGON_PROFILE_PATH_RETURNED = $400; {$EXTERNALSYM LOGON_PROFILE_PATH_RETURNED} // // The high order byte is reserved for return by SubAuthentication DLLs. // MSV1_0_SUBAUTHENTICATION_FLAGS = DWORD($FF000000); {$EXTERNALSYM MSV1_0_SUBAUTHENTICATION_FLAGS} // Values returned by the MSV1_0_MNS_LOGON SubAuthentication DLL LOGON_GRACE_LOGON = $01000000; {$EXTERNALSYM LOGON_GRACE_LOGON} type PMSV1_0_LM20_LOGON_PROFILE = ^MSV1_0_LM20_LOGON_PROFILE; {$EXTERNALSYM PMSV1_0_LM20_LOGON_PROFILE} _MSV1_0_LM20_LOGON_PROFILE = record MessageType: MSV1_0_PROFILE_BUFFER_TYPE; KickOffTime: LARGE_INTEGER; LogoffTime: LARGE_INTEGER; UserFlags: ULONG; UserSessionKey: array [0..MSV1_0_USER_SESSION_KEY_LENGTH - 1] of UCHAR; LogonDomainName: UNICODE_STRING; LanmanSessionKey: array [0..MSV1_0_LANMAN_SESSION_KEY_LENGTH - 1] of UCHAR; LogonServer: UNICODE_STRING; UserParameters: UNICODE_STRING; end; {$EXTERNALSYM _MSV1_0_LM20_LOGON_PROFILE} MSV1_0_LM20_LOGON_PROFILE = _MSV1_0_LM20_LOGON_PROFILE; {$EXTERNALSYM MSV1_0_LM20_LOGON_PROFILE} TMsv10Lm20LogonProfile = MSV1_0_LM20_LOGON_PROFILE; PMsv10Lm20LogonProfile = PMSV1_0_LM20_LOGON_PROFILE; // // Supplemental credentials structure used for passing credentials into // MSV1_0 from other packages // const MSV1_0_OWF_PASSWORD_LENGTH = 16; {$EXTERNALSYM MSV1_0_OWF_PASSWORD_LENGTH} MSV1_0_CRED_LM_PRESENT = $1; {$EXTERNALSYM MSV1_0_CRED_LM_PRESENT} MSV1_0_CRED_NT_PRESENT = $2; {$EXTERNALSYM MSV1_0_CRED_NT_PRESENT} MSV1_0_CRED_VERSION = 0; {$EXTERNALSYM MSV1_0_CRED_VERSION} type PMSV1_0_SUPPLEMENTAL_CREDENTIAL = ^MSV1_0_SUPPLEMENTAL_CREDENTIAL; {$EXTERNALSYM PMSV1_0_SUPPLEMENTAL_CREDENTIAL} _MSV1_0_SUPPLEMENTAL_CREDENTIAL = record Version: ULONG; Flags: ULONG; LmPassword: array [0..MSV1_0_OWF_PASSWORD_LENGTH - 1] of UCHAR; NtPassword: array [0..MSV1_0_OWF_PASSWORD_LENGTH - 1] of UCHAR; end; {$EXTERNALSYM _MSV1_0_SUPPLEMENTAL_CREDENTIAL} MSV1_0_SUPPLEMENTAL_CREDENTIAL = _MSV1_0_SUPPLEMENTAL_CREDENTIAL; {$EXTERNALSYM MSV1_0_SUPPLEMENTAL_CREDENTIAL} TMsv10SupplementalCredential = MSV1_0_SUPPLEMENTAL_CREDENTIAL; PMsv10SupplementalCredential = PMSV1_0_SUPPLEMENTAL_CREDENTIAL; // // NTLM3 definitions. // const MSV1_0_NTLM3_RESPONSE_LENGTH = 16; {$EXTERNALSYM MSV1_0_NTLM3_RESPONSE_LENGTH} MSV1_0_NTLM3_OWF_LENGTH = 16; {$EXTERNALSYM MSV1_0_NTLM3_OWF_LENGTH} // // this is the longest amount of time we'll allow challenge response // pairs to be used. Note that this also has to allow for worst case clock skew // MSV1_0_MAX_NTLM3_LIFE = 129600; // 36 hours (in seconds) {$EXTERNALSYM MSV1_0_MAX_NTLM3_LIFE} MSV1_0_MAX_AVL_SIZE = 64000; {$EXTERNALSYM MSV1_0_MAX_AVL_SIZE} // // MsvAvFlags bit values // MSV1_0_AV_FLAG_FORCE_GUEST = $00000001; {$EXTERNALSYM MSV1_0_AV_FLAG_FORCE_GUEST} // this is an MSV1_0 private data structure, defining the layout of an NTLM3 response, as sent by a // client in the NtChallengeResponse field of the NETLOGON_NETWORK_INFO structure. If can be differentiated // from an old style NT response by its length. This is crude, but it needs to pass through servers and // the servers' DCs that do not understand NTLM3 but that are willing to pass longer responses. type PMSV1_0_NTLM3_RESPONSE = ^MSV1_0_NTLM3_RESPONSE; {$EXTERNALSYM PMSV1_0_NTLM3_RESPONSE} _MSV1_0_NTLM3_RESPONSE = record Response: array [0..MSV1_0_NTLM3_RESPONSE_LENGTH - 1] of UCHAR; // hash of OWF of password with all the following fields RespType: UCHAR; // id number of response; current is 1 HiRespType: UCHAR; // highest id number understood by client Flags: USHORT; // reserved; must be sent as zero at this version MsgWord: ULONG; // 32 bit message from client to server (for use by auth protocol) TimeStamp: ULONGLONG; // time stamp when client generated response -- NT system time, quad part ChallengeFromClient: array [0..MSV1_0_CHALLENGE_LENGTH - 1] of UCHAR; AvPairsOff: ULONG; // offset to start of AvPairs (to allow future expansion) Buffer: array [0..0] of UCHAR; // start of buffer with AV pairs (or future stuff -- so use the offset) end; {$EXTERNALSYM _MSV1_0_NTLM3_RESPONSE} MSV1_0_NTLM3_RESPONSE = _MSV1_0_NTLM3_RESPONSE; {$EXTERNALSYM MSV1_0_NTLM3_RESPONSE} TMsv10Ntlm3Response = MSV1_0_NTLM3_RESPONSE; PMsv10Ntlm3Response = PMSV1_0_NTLM3_RESPONSE; const MSV1_0_NTLM3_INPUT_LENGTH = SizeOf(MSV1_0_NTLM3_RESPONSE) - MSV1_0_NTLM3_RESPONSE_LENGTH; {$EXTERNALSYM MSV1_0_NTLM3_INPUT_LENGTH} //todo MSV1_0_NTLM3_MIN_NT_RESPONSE_LENGTH = RTL_SIZEOF_THROUGH_FIELD(MSV1_0_NTLM3_RESPONSE, AvPairsOff) //{$EXTERNALSYM MSV1_0_NTLM3_MIN_NT_RESPONSE_LENGTH} type MSV1_0_AVID = ( MsvAvEOL, // end of list MsvAvNbComputerName, // server's computer name -- NetBIOS MsvAvNbDomainName, // server's domain name -- NetBIOS MsvAvDnsComputerName, // server's computer name -- DNS MsvAvDnsDomainName, // server's domain name -- DNS MsvAvDnsTreeName, // server's tree name -- DNS MsvAvFlags); // server's extended flags -- DWORD mask {$EXTERNALSYM MSV1_0_AVID} PMSV1_0_AV_PAIR = ^MSV1_0_AV_PAIR; {$EXTERNALSYM PMSV1_0_AV_PAIR} _MSV1_0_AV_PAIR = record AvId: USHORT; AvLen: USHORT; // Data is treated as byte array following structure end; {$EXTERNALSYM _MSV1_0_AV_PAIR} MSV1_0_AV_PAIR = _MSV1_0_AV_PAIR; {$EXTERNALSYM MSV1_0_AV_PAIR} TMsv10AvPair = MSV1_0_AV_PAIR; PMsv10AvPair = PMSV1_0_AV_PAIR; /////////////////////////////////////////////////////////////////////////////// // // // CALL PACKAGE Related Data Structures // // // /////////////////////////////////////////////////////////////////////////////// // // MSV1.0 LsaCallAuthenticationPackage() submission and response // message types. // _MSV1_0_PROTOCOL_MESSAGE_TYPE = ( MsV1_0Lm20ChallengeRequest, // Both submission and response MsV1_0Lm20GetChallengeResponse, // Both submission and response MsV1_0EnumerateUsers, // Both submission and response MsV1_0GetUserInfo, // Both submission and response MsV1_0ReLogonUsers, // Submission only MsV1_0ChangePassword, // Both submission and response MsV1_0ChangeCachedPassword, // Both submission and response MsV1_0GenericPassthrough, // Both submission and response MsV1_0CacheLogon, // Submission only, no response MsV1_0SubAuth, // Both submission and response MsV1_0DeriveCredential, // Both submission and response MsV1_0CacheLookup, // Both submission and response MsV1_0SetProcessOption); // Submission only, no response {$EXTERNALSYM _MSV1_0_PROTOCOL_MESSAGE_TYPE} MSV1_0_PROTOCOL_MESSAGE_TYPE = _MSV1_0_PROTOCOL_MESSAGE_TYPE; {$EXTERNALSYM MSV1_0_PROTOCOL_MESSAGE_TYPE} PMSV1_0_PROTOCOL_MESSAGE_TYPE = ^MSV1_0_PROTOCOL_MESSAGE_TYPE; {$EXTERNALSYM PMSV1_0_PROTOCOL_MESSAGE_TYPE} TMsv1_0ProtocolMessageType = MSV1_0_PROTOCOL_MESSAGE_TYPE; PMsv1_0ProtocolMessageType = PMSV1_0_PROTOCOL_MESSAGE_TYPE; PMSV1_0_CHANGEPASSWORD_REQUEST = ^MSV1_0_CHANGEPASSWORD_REQUEST; {$EXTERNALSYM PMSV1_0_CHANGEPASSWORD_REQUEST} _MSV1_0_CHANGEPASSWORD_REQUEST = record MessageType: MSV1_0_PROTOCOL_MESSAGE_TYPE; DomainName: UNICODE_STRING; AccountName: UNICODE_STRING; OldPassword: UNICODE_STRING; NewPassword: UNICODE_STRING; Impersonating: ByteBool; end; {$EXTERNALSYM _MSV1_0_CHANGEPASSWORD_REQUEST} MSV1_0_CHANGEPASSWORD_REQUEST = _MSV1_0_CHANGEPASSWORD_REQUEST; {$EXTERNALSYM MSV1_0_CHANGEPASSWORD_REQUEST} TMsv10ChangepasswordRequest = MSV1_0_CHANGEPASSWORD_REQUEST; PMsv10ChangepasswordRequest = PMSV1_0_CHANGEPASSWORD_REQUEST; PMSV1_0_CHANGEPASSWORD_RESPONSE = ^MSV1_0_CHANGEPASSWORD_RESPONSE; {$EXTERNALSYM PMSV1_0_CHANGEPASSWORD_RESPONSE} _MSV1_0_CHANGEPASSWORD_RESPONSE = record MessageType: MSV1_0_PROTOCOL_MESSAGE_TYPE; PasswordInfoValid: ByteBool; DomainPasswordInfo: DOMAIN_PASSWORD_INFORMATION; end; {$EXTERNALSYM _MSV1_0_CHANGEPASSWORD_RESPONSE} MSV1_0_CHANGEPASSWORD_RESPONSE = _MSV1_0_CHANGEPASSWORD_RESPONSE; {$EXTERNALSYM MSV1_0_CHANGEPASSWORD_RESPONSE} TMsv10ChangepasswordResponse = MSV1_0_CHANGEPASSWORD_RESPONSE; PMsv10ChangepasswordResponse = PMSV1_0_CHANGEPASSWORD_RESPONSE; // // MsV1_0GenericPassthrough - for remoting a CallPackage to // a domain controller on the specified domain // _MSV1_0_PASSTHROUGH_REQUEST = record MessageType: MSV1_0_PROTOCOL_MESSAGE_TYPE; DomainName: UNICODE_STRING; PackageName: UNICODE_STRING; DataLength: ULONG; LogonData: PUCHAR; Pad: ULONG; end; {$EXTERNALSYM _MSV1_0_PASSTHROUGH_REQUEST} MSV1_0_PASSTHROUGH_REQUEST = _MSV1_0_PASSTHROUGH_REQUEST; {$EXTERNALSYM MSV1_0_PASSTHROUGH_REQUEST} PMSV1_0_PASSTHROUGH_REQUEST = ^MSV1_0_PASSTHROUGH_REQUEST; {$EXTERNALSYM PMSV1_0_PASSTHROUGH_REQUEST} TMsv10PassThroughRequest = MSV1_0_PASSTHROUGH_REQUEST; PMsv10PassThroughRequest = PMSV1_0_PASSTHROUGH_REQUEST; _MSV1_0_PASSTHROUGH_RESPONSE = record MessageType: MSV1_0_PROTOCOL_MESSAGE_TYPE; Pad: ULONG; DataLength: ULONG; ValidationData: PUCHAR; end; {$EXTERNALSYM _MSV1_0_PASSTHROUGH_RESPONSE} MSV1_0_PASSTHROUGH_RESPONSE = _MSV1_0_PASSTHROUGH_RESPONSE; {$EXTERNALSYM MSV1_0_PASSTHROUGH_RESPONSE} PMSV1_0_PASSTHROUGH_RESPONSE = ^MSV1_0_PASSTHROUGH_RESPONSE; {$EXTERNALSYM PMSV1_0_PASSTHROUGH_RESPONSE} TMsv10PassThroughResponse = MSV1_0_PASSTHROUGH_RESPONSE; PMsv10PassThroughResponse = PMSV1_0_PASSTHROUGH_RESPONSE; // // MsV1_0SubAuthInfo submit buffer and response - for submitting a buffer to a // specified Subauthentication Package during an LsaCallAuthenticationPackage(). // If this Subauthentication is to be done locally, then package this message // in LsaCallAuthenticationPackage(). If this SubAuthentication needs to be done // on the domain controller, then call LsaCallauthenticationPackage with the // message type being MsV1_0GenericPassThrough and the LogonData in this struct // should be a PMSV1_0_SUBAUTH_REQUEST // PMSV1_0_SUBAUTH_REQUEST = ^MSV1_0_SUBAUTH_REQUEST; {$EXTERNALSYM PMSV1_0_SUBAUTH_REQUEST} _MSV1_0_SUBAUTH_REQUEST = record MessageType: MSV1_0_PROTOCOL_MESSAGE_TYPE; SubAuthPackageId: ULONG; SubAuthInfoLength: ULONG; SubAuthSubmitBuffer: PUCHAR; end; {$EXTERNALSYM _MSV1_0_SUBAUTH_REQUEST} MSV1_0_SUBAUTH_REQUEST = _MSV1_0_SUBAUTH_REQUEST; {$EXTERNALSYM MSV1_0_SUBAUTH_REQUEST} TMsv10SubauthRequest = MSV1_0_SUBAUTH_REQUEST; PMsv10SubauthRequest = PMSV1_0_SUBAUTH_REQUEST; PMSV1_0_SUBAUTH_RESPONSE = ^MSV1_0_SUBAUTH_RESPONSE; {$EXTERNALSYM PMSV1_0_SUBAUTH_RESPONSE} _MSV1_0_SUBAUTH_RESPONSE = record MessageType: MSV1_0_PROTOCOL_MESSAGE_TYPE; SubAuthInfoLength: ULONG; SubAuthReturnBuffer: PUCHAR; end; {$EXTERNALSYM _MSV1_0_SUBAUTH_RESPONSE} MSV1_0_SUBAUTH_RESPONSE = _MSV1_0_SUBAUTH_RESPONSE; {$EXTERNALSYM MSV1_0_SUBAUTH_RESPONSE} TMsv10SubauthResponse = MSV1_0_SUBAUTH_RESPONSE; PMsv10SubauthResponse = PMSV1_0_SUBAUTH_RESPONSE; // // Credential Derivation types for MsV1_0DeriveCredential Submit DeriveCredType // // // Derive Credential using SHA-1 and Request buffer DeriveCredSubmitBuffer of // length DeriveCredInfoLength mixing bytes. // Response buffer DeriveCredReturnBuffer will contain SHA-1 hash of size // A_SHA_DIGEST_LEN (20) // const MSV1_0_DERIVECRED_TYPE_SHA1 = 0; {$EXTERNALSYM MSV1_0_DERIVECRED_TYPE_SHA1} // // MsV1_0DeriveCredential submit buffer and response - for submitting a buffer // an call to LsaCallAuthenticationPackage(). // type PMSV1_0_DERIVECRED_REQUEST = ^MSV1_0_DERIVECRED_REQUEST; {$EXTERNALSYM PMSV1_0_DERIVECRED_REQUEST} _MSV1_0_DERIVECRED_REQUEST = record MessageType: MSV1_0_PROTOCOL_MESSAGE_TYPE; LogonId: LUID; DeriveCredType: ULONG; DeriveCredInfoLength: ULONG; DeriveCredSubmitBuffer: array [0..0] of UCHAR; // in-place array of length DeriveCredInfoLength end; {$EXTERNALSYM _MSV1_0_DERIVECRED_REQUEST} MSV1_0_DERIVECRED_REQUEST = _MSV1_0_DERIVECRED_REQUEST; {$EXTERNALSYM MSV1_0_DERIVECRED_REQUEST} TMsv10DeriveCredRequest = MSV1_0_DERIVECRED_REQUEST; PMsv10DeriveCredRequest = PMSV1_0_DERIVECRED_REQUEST; PMSV1_0_DERIVECRED_RESPONSE = ^MSV1_0_DERIVECRED_RESPONSE; {$EXTERNALSYM PMSV1_0_DERIVECRED_RESPONSE} _MSV1_0_DERIVECRED_RESPONSE = record MessageType: MSV1_0_PROTOCOL_MESSAGE_TYPE; DeriveCredInfoLength: ULONG; DeriveCredReturnBuffer: array [0..0] of UCHAR; // in-place array of length DeriveCredInfoLength end; {$EXTERNALSYM _MSV1_0_DERIVECRED_RESPONSE} MSV1_0_DERIVECRED_RESPONSE = _MSV1_0_DERIVECRED_RESPONSE; {$EXTERNALSYM MSV1_0_DERIVECRED_RESPONSE} TMsv10DeriveCredResponse = MSV1_0_DERIVECRED_RESPONSE; PMsv10DeriveCredResponse = PMSV1_0_DERIVECRED_RESPONSE; // Revision of the Kerberos Protocol. MS uses Version 5, Revision 6 const KERBEROS_VERSION = 5; {$EXTERNALSYM KERBEROS_VERSION} KERBEROS_REVISION = 6; {$EXTERNALSYM KERBEROS_REVISION} // Encryption Types: // These encryption types are supported by the default MS KERBSUPP DLL // as crypto systems. Values over 127 are local values, and may be changed // without notice. KERB_ETYPE_NULL = 0; {$EXTERNALSYM KERB_ETYPE_NULL} KERB_ETYPE_DES_CBC_CRC = 1; {$EXTERNALSYM KERB_ETYPE_DES_CBC_CRC} KERB_ETYPE_DES_CBC_MD4 = 2; {$EXTERNALSYM KERB_ETYPE_DES_CBC_MD4} KERB_ETYPE_DES_CBC_MD5 = 3; {$EXTERNALSYM KERB_ETYPE_DES_CBC_MD5} KERB_ETYPE_RC4_MD4 = -128; {$EXTERNALSYM KERB_ETYPE_RC4_MD4} KERB_ETYPE_RC4_PLAIN2 = -129; {$EXTERNALSYM KERB_ETYPE_RC4_PLAIN2} KERB_ETYPE_RC4_LM = -130; {$EXTERNALSYM KERB_ETYPE_RC4_LM} KERB_ETYPE_RC4_SHA = -131; {$EXTERNALSYM KERB_ETYPE_RC4_SHA} KERB_ETYPE_DES_PLAIN = -132; {$EXTERNALSYM KERB_ETYPE_DES_PLAIN} KERB_ETYPE_RC4_HMAC_OLD = -133; {$EXTERNALSYM KERB_ETYPE_RC4_HMAC_OLD} KERB_ETYPE_RC4_PLAIN_OLD = -134; {$EXTERNALSYM KERB_ETYPE_RC4_PLAIN_OLD} KERB_ETYPE_RC4_HMAC_OLD_EXP = -135; {$EXTERNALSYM KERB_ETYPE_RC4_HMAC_OLD_EXP} KERB_ETYPE_RC4_PLAIN_OLD_EXP = -136; {$EXTERNALSYM KERB_ETYPE_RC4_PLAIN_OLD_EXP} KERB_ETYPE_RC4_PLAIN = -140; {$EXTERNALSYM KERB_ETYPE_RC4_PLAIN} KERB_ETYPE_RC4_PLAIN_EXP = -141; {$EXTERNALSYM KERB_ETYPE_RC4_PLAIN_EXP} // // Pkinit encryption types // KERB_ETYPE_DSA_SHA1_CMS = 9; {$EXTERNALSYM KERB_ETYPE_DSA_SHA1_CMS} KERB_ETYPE_RSA_MD5_CMS = 10; {$EXTERNALSYM KERB_ETYPE_RSA_MD5_CMS} KERB_ETYPE_RSA_SHA1_CMS = 11; {$EXTERNALSYM KERB_ETYPE_RSA_SHA1_CMS} KERB_ETYPE_RC2_CBC_ENV = 12; {$EXTERNALSYM KERB_ETYPE_RC2_CBC_ENV} KERB_ETYPE_RSA_ENV = 13; {$EXTERNALSYM KERB_ETYPE_RSA_ENV} KERB_ETYPE_RSA_ES_OEAP_ENV = 14; {$EXTERNALSYM KERB_ETYPE_RSA_ES_OEAP_ENV} KERB_ETYPE_DES_EDE3_CBC_ENV = 15; {$EXTERNALSYM KERB_ETYPE_DES_EDE3_CBC_ENV} // // Deprecated // KERB_ETYPE_DSA_SIGN = 8; {$EXTERNALSYM KERB_ETYPE_DSA_SIGN} KERB_ETYPE_RSA_PRIV = 9; {$EXTERNALSYM KERB_ETYPE_RSA_PRIV} KERB_ETYPE_RSA_PUB = 10; {$EXTERNALSYM KERB_ETYPE_RSA_PUB} KERB_ETYPE_RSA_PUB_MD5 = 11; {$EXTERNALSYM KERB_ETYPE_RSA_PUB_MD5} KERB_ETYPE_RSA_PUB_SHA1 = 12; {$EXTERNALSYM KERB_ETYPE_RSA_PUB_SHA1} KERB_ETYPE_PKCS7_PUB = 13; {$EXTERNALSYM KERB_ETYPE_PKCS7_PUB} // // Unsupported but defined types // KERB_ETYPE_DES3_CBC_MD5 = 5; {$EXTERNALSYM KERB_ETYPE_DES3_CBC_MD5} KERB_ETYPE_DES3_CBC_SHA1 = 7; {$EXTERNALSYM KERB_ETYPE_DES3_CBC_SHA1} KERB_ETYPE_DES3_CBC_SHA1_KD = 16; {$EXTERNALSYM KERB_ETYPE_DES3_CBC_SHA1_KD} // // In use types // KERB_ETYPE_DES_CBC_MD5_NT = 20; {$EXTERNALSYM KERB_ETYPE_DES_CBC_MD5_NT} KERB_ETYPE_RC4_HMAC_NT = 23; {$EXTERNALSYM KERB_ETYPE_RC4_HMAC_NT} KERB_ETYPE_RC4_HMAC_NT_EXP = 24; {$EXTERNALSYM KERB_ETYPE_RC4_HMAC_NT_EXP} // Checksum algorithms. // These algorithms are keyed internally for our use. KERB_CHECKSUM_NONE = 0; {$EXTERNALSYM KERB_CHECKSUM_NONE} KERB_CHECKSUM_CRC32 = 1; {$EXTERNALSYM KERB_CHECKSUM_CRC32} KERB_CHECKSUM_MD4 = 2; {$EXTERNALSYM KERB_CHECKSUM_MD4} KERB_CHECKSUM_KRB_DES_MAC = 4; {$EXTERNALSYM KERB_CHECKSUM_KRB_DES_MAC} KERB_CHECKSUM_KRB_DES_MAC_K = 5; {$EXTERNALSYM KERB_CHECKSUM_KRB_DES_MAC_K} KERB_CHECKSUM_MD5 = 7; {$EXTERNALSYM KERB_CHECKSUM_MD5} KERB_CHECKSUM_MD5_DES = 8; {$EXTERNALSYM KERB_CHECKSUM_MD5_DES} KERB_CHECKSUM_LM = -130; {$EXTERNALSYM KERB_CHECKSUM_LM} KERB_CHECKSUM_SHA1 = -131; {$EXTERNALSYM KERB_CHECKSUM_SHA1} KERB_CHECKSUM_REAL_CRC32 = -132; {$EXTERNALSYM KERB_CHECKSUM_REAL_CRC32} KERB_CHECKSUM_DES_MAC = -133; {$EXTERNALSYM KERB_CHECKSUM_DES_MAC} KERB_CHECKSUM_DES_MAC_MD5 = -134; {$EXTERNALSYM KERB_CHECKSUM_DES_MAC_MD5} KERB_CHECKSUM_MD25 = -135; {$EXTERNALSYM KERB_CHECKSUM_MD25} KERB_CHECKSUM_RC4_MD5 = -136; {$EXTERNALSYM KERB_CHECKSUM_RC4_MD5} KERB_CHECKSUM_MD5_HMAC = -137; // used by netlogon {$EXTERNALSYM KERB_CHECKSUM_MD5_HMAC} KERB_CHECKSUM_HMAC_MD5 = -138; // used by Kerberos {$EXTERNALSYM KERB_CHECKSUM_HMAC_MD5} AUTH_REQ_ALLOW_FORWARDABLE = $00000001; {$EXTERNALSYM AUTH_REQ_ALLOW_FORWARDABLE} AUTH_REQ_ALLOW_PROXIABLE = $00000002; {$EXTERNALSYM AUTH_REQ_ALLOW_PROXIABLE} AUTH_REQ_ALLOW_POSTDATE = $00000004; {$EXTERNALSYM AUTH_REQ_ALLOW_POSTDATE} AUTH_REQ_ALLOW_RENEWABLE = $00000008; {$EXTERNALSYM AUTH_REQ_ALLOW_RENEWABLE} AUTH_REQ_ALLOW_NOADDRESS = $00000010; {$EXTERNALSYM AUTH_REQ_ALLOW_NOADDRESS} AUTH_REQ_ALLOW_ENC_TKT_IN_SKEY = $00000020; {$EXTERNALSYM AUTH_REQ_ALLOW_ENC_TKT_IN_SKEY} AUTH_REQ_ALLOW_VALIDATE = $00000040; {$EXTERNALSYM AUTH_REQ_ALLOW_VALIDATE} AUTH_REQ_VALIDATE_CLIENT = $00000080; {$EXTERNALSYM AUTH_REQ_VALIDATE_CLIENT} AUTH_REQ_OK_AS_DELEGATE = $00000100; {$EXTERNALSYM AUTH_REQ_OK_AS_DELEGATE} AUTH_REQ_PREAUTH_REQUIRED = $00000200; {$EXTERNALSYM AUTH_REQ_PREAUTH_REQUIRED} AUTH_REQ_TRANSITIVE_TRUST = $00000400; {$EXTERNALSYM AUTH_REQ_TRANSITIVE_TRUST} AUTH_REQ_ALLOW_S4U_DELEGATE = $00000800; {$EXTERNALSYM AUTH_REQ_ALLOW_S4U_DELEGATE} AUTH_REQ_PER_USER_FLAGS = (AUTH_REQ_ALLOW_FORWARDABLE or AUTH_REQ_ALLOW_PROXIABLE or AUTH_REQ_ALLOW_POSTDATE or AUTH_REQ_ALLOW_RENEWABLE or AUTH_REQ_ALLOW_VALIDATE); {$EXTERNALSYM AUTH_REQ_PER_USER_FLAGS} // // Ticket Flags: // KERB_TICKET_FLAGS_reserved = DWORD($80000000); {$EXTERNALSYM KERB_TICKET_FLAGS_reserved} KERB_TICKET_FLAGS_forwardable = $40000000; {$EXTERNALSYM KERB_TICKET_FLAGS_forwardable} KERB_TICKET_FLAGS_forwarded = $20000000; {$EXTERNALSYM KERB_TICKET_FLAGS_forwarded} KERB_TICKET_FLAGS_proxiable = $10000000; {$EXTERNALSYM KERB_TICKET_FLAGS_proxiable} KERB_TICKET_FLAGS_proxy = $08000000; {$EXTERNALSYM KERB_TICKET_FLAGS_proxy} KERB_TICKET_FLAGS_may_postdate = $04000000; {$EXTERNALSYM KERB_TICKET_FLAGS_may_postdate} KERB_TICKET_FLAGS_postdated = $02000000; {$EXTERNALSYM KERB_TICKET_FLAGS_postdated} KERB_TICKET_FLAGS_invalid = $01000000; {$EXTERNALSYM KERB_TICKET_FLAGS_invalid} KERB_TICKET_FLAGS_renewable = $00800000; {$EXTERNALSYM KERB_TICKET_FLAGS_renewable} KERB_TICKET_FLAGS_initial = $00400000; {$EXTERNALSYM KERB_TICKET_FLAGS_initial} KERB_TICKET_FLAGS_pre_authent = $00200000; {$EXTERNALSYM KERB_TICKET_FLAGS_pre_authent} KERB_TICKET_FLAGS_hw_authent = $00100000; {$EXTERNALSYM KERB_TICKET_FLAGS_hw_authent} KERB_TICKET_FLAGS_ok_as_delegate = $00040000; {$EXTERNALSYM KERB_TICKET_FLAGS_ok_as_delegate} KERB_TICKET_FLAGS_name_canonicalize = $00010000; {$EXTERNALSYM KERB_TICKET_FLAGS_name_canonicalize} KERB_TICKET_FLAGS_reserved1 = $00000001; {$EXTERNALSYM KERB_TICKET_FLAGS_reserved1} // // Name types // KRB_NT_UNKNOWN = 0; // Name type not known {$EXTERNALSYM KRB_NT_UNKNOWN} KRB_NT_PRINCIPAL = 1; // Just the name of the principal as in DCE, or for users {$EXTERNALSYM KRB_NT_PRINCIPAL} KRB_NT_PRINCIPAL_AND_ID = -131; // Name of the principal and its SID. {$EXTERNALSYM KRB_NT_PRINCIPAL_AND_ID} KRB_NT_SRV_INST = 2; // Service and other unique instance (krbtgt) {$EXTERNALSYM KRB_NT_SRV_INST} KRB_NT_SRV_INST_AND_ID = -132; // SPN and SID {$EXTERNALSYM KRB_NT_SRV_INST_AND_ID} KRB_NT_SRV_HST = 3; // Service with host name as instance (telnet, rcommands) {$EXTERNALSYM KRB_NT_SRV_HST} KRB_NT_SRV_XHST = 4; // Service with host as remaining components {$EXTERNALSYM KRB_NT_SRV_XHST} KRB_NT_UID = 5; // Unique ID {$EXTERNALSYM KRB_NT_UID} KRB_NT_ENTERPRISE_PRINCIPAL = 10; // UPN or SPN {$EXTERNALSYM KRB_NT_ENTERPRISE_PRINCIPAL} KRB_NT_ENT_PRINCIPAL_AND_ID = -130; // UPN and SID {$EXTERNALSYM KRB_NT_ENT_PRINCIPAL_AND_ID} // // MS extensions, negative according to the RFC // KRB_NT_MS_PRINCIPAL = -128; // NT4 style name {$EXTERNALSYM KRB_NT_MS_PRINCIPAL} KRB_NT_MS_PRINCIPAL_AND_ID = -129; // nt4 style name with sid {$EXTERNALSYM KRB_NT_MS_PRINCIPAL_AND_ID} MICROSOFT_KERBEROS_NAME_A = 'Kerberos'; {$EXTERNALSYM MICROSOFT_KERBEROS_NAME_A} MICROSOFT_KERBEROS_NAME_W = WideString('Kerberos'); {$EXTERNALSYM MICROSOFT_KERBEROS_NAME_W} {$IFDEF UNICODE} MICROSOFT_KERBEROS_NAME = MICROSOFT_KERBEROS_NAME_W; {$EXTERNALSYM MICROSOFT_KERBEROS_NAME} {$ELSE} MICROSOFT_KERBEROS_NAME = MICROSOFT_KERBEROS_NAME_A; {$EXTERNALSYM MICROSOFT_KERBEROS_NAME} {$ENDIF UNICODE} function KERB_IS_MS_PRINCIPAL(X: Integer): BOOL; ///////////////////////////////////////////////////////////////////////// // // Quality of protection parameters for MakeSignature / EncryptMessage // ///////////////////////////////////////////////////////////////////////// // // This flag indicates to EncryptMessage that the message is not to actually // be encrypted, but a header/trailer are to be produced. // const KERB_WRAP_NO_ENCRYPT = DWORD($80000001); {$EXTERNALSYM KERB_WRAP_NO_ENCRYPT} ///////////////////////////////////////////////////////////////////////// // // LsaLogonUser parameters // ///////////////////////////////////////////////////////////////////////// const KerbInteractiveLogon = 2; KerbSmartCardLogon = 6; KerbWorkstationUnlockLogon = 7; KerbSmartCardUnlockLogon = 8; KerbProxyLogon = 9; KerbTicketLogon = 10; KerbTicketUnlockLogon = 11; KerbS4ULogon = 12; type KERB_LOGON_SUBMIT_TYPE = DWORD; {$EXTERNALSYM KERB_LOGON_SUBMIT_TYPE} PKERB_LOGON_SUBMIT_TYPE = ^KERB_LOGON_SUBMIT_TYPE; {$EXTERNALSYM PKERB_LOGON_SUBMIT_TYPE} PKERB_INTERACTIVE_LOGON = ^KERB_INTERACTIVE_LOGON; {$EXTERNALSYM PKERB_INTERACTIVE_LOGON} _KERB_INTERACTIVE_LOGON = record MessageType: KERB_LOGON_SUBMIT_TYPE; LogonDomainName: UNICODE_STRING; UserName: UNICODE_STRING; Password: UNICODE_STRING; end; {$EXTERNALSYM _KERB_INTERACTIVE_LOGON} KERB_INTERACTIVE_LOGON = _KERB_INTERACTIVE_LOGON; {$EXTERNALSYM KERB_INTERACTIVE_LOGON} TKerbInteractiveLogon = KERB_INTERACTIVE_LOGON; PKerbInteractiveLogon = PKERB_INTERACTIVE_LOGON; PKERB_INTERACTIVE_UNLOCK_LOGON = ^KERB_INTERACTIVE_UNLOCK_LOGON; {$EXTERNALSYM PKERB_INTERACTIVE_UNLOCK_LOGON} _KERB_INTERACTIVE_UNLOCK_LOGON = record Logon: KERB_INTERACTIVE_LOGON; LogonId: LUID; end; {$EXTERNALSYM _KERB_INTERACTIVE_UNLOCK_LOGON} KERB_INTERACTIVE_UNLOCK_LOGON = _KERB_INTERACTIVE_UNLOCK_LOGON; {$EXTERNALSYM KERB_INTERACTIVE_UNLOCK_LOGON} TKerbInteractiveUnlockLogon = KERB_INTERACTIVE_UNLOCK_LOGON; PKerbInteractiveUnlockLogon = PKERB_INTERACTIVE_UNLOCK_LOGON; PKERB_SMART_CARD_LOGON = ^KERB_SMART_CARD_LOGON; {$EXTERNALSYM PKERB_SMART_CARD_LOGON} _KERB_SMART_CARD_LOGON = record MessageType: KERB_LOGON_SUBMIT_TYPE; Pin: UNICODE_STRING; CspDataLength: ULONG; CspData: PUCHAR; end; {$EXTERNALSYM _KERB_SMART_CARD_LOGON} KERB_SMART_CARD_LOGON = _KERB_SMART_CARD_LOGON; {$EXTERNALSYM KERB_SMART_CARD_LOGON} TKerbSmartCardLogon = KERB_SMART_CARD_LOGON; PKerbSmartCardLogon = PKERB_SMART_CARD_LOGON; PKERB_SMART_CARD_UNLOCK_LOGON = ^KERB_SMART_CARD_UNLOCK_LOGON; {$EXTERNALSYM PKERB_SMART_CARD_UNLOCK_LOGON} _KERB_SMART_CARD_UNLOCK_LOGON = record Logon: KERB_SMART_CARD_LOGON; LogonId: LUID; end; {$EXTERNALSYM _KERB_SMART_CARD_UNLOCK_LOGON} KERB_SMART_CARD_UNLOCK_LOGON = _KERB_SMART_CARD_UNLOCK_LOGON; {$EXTERNALSYM KERB_SMART_CARD_UNLOCK_LOGON} TKerbSmartCardUnlockLogon = KERB_SMART_CARD_UNLOCK_LOGON; PKerbSmartCardUnlockLogon = PKERB_SMART_CARD_UNLOCK_LOGON; // // Structure used for a ticket-only logon // PKERB_TICKET_LOGON = ^KERB_TICKET_LOGON; {$EXTERNALSYM PKERB_TICKET_LOGON} _KERB_TICKET_LOGON = record MessageType: KERB_LOGON_SUBMIT_TYPE; Flags: ULONG; ServiceTicketLength: ULONG; TicketGrantingTicketLength: ULONG; ServiceTicket: PUCHAR; // REQUIRED: Service ticket "host" TicketGrantingTicket: PUCHAR; // OPTIONAL: User's encdoded in a KERB_CRED message, encrypted with session key from service ticket end; {$EXTERNALSYM _KERB_TICKET_LOGON} KERB_TICKET_LOGON = _KERB_TICKET_LOGON; {$EXTERNALSYM KERB_TICKET_LOGON} TKerbTicketLogon = KERB_TICKET_LOGON; PKerbTicketLogon = PKERB_TICKET_LOGON; // // Flags for the ticket logon flags field // const KERB_LOGON_FLAG_ALLOW_EXPIRED_TICKET = $1; {$EXTERNALSYM KERB_LOGON_FLAG_ALLOW_EXPIRED_TICKET} type PKERB_TICKET_UNLOCK_LOGON = ^KERB_TICKET_UNLOCK_LOGON; {$EXTERNALSYM PKERB_TICKET_UNLOCK_LOGON} _KERB_TICKET_UNLOCK_LOGON = record Logon: KERB_TICKET_LOGON; LogonId: LUID; end; {$EXTERNALSYM _KERB_TICKET_UNLOCK_LOGON} KERB_TICKET_UNLOCK_LOGON = _KERB_TICKET_UNLOCK_LOGON; {$EXTERNALSYM KERB_TICKET_UNLOCK_LOGON} TKerbTicketUnlockLogon = KERB_TICKET_UNLOCK_LOGON; PKerbTicketUnlockLogon = PKERB_TICKET_UNLOCK_LOGON; // // Used for S4U Client requests // // _KERB_S4U_LOGON = record MessageType: KERB_LOGON_SUBMIT_TYPE; Flags: ULONG; ClientUpn: UNICODE_STRING; // REQUIRED: UPN for client ClientRealm: UNICODE_STRING; // Optional: Client Realm, if known end; {$EXTERNALSYM _KERB_S4U_LOGON} KERB_S4U_LOGON = _KERB_S4U_LOGON; {$EXTERNALSYM KERB_S4U_LOGON} PKERB_S4U_LOGON = ^KERB_S4U_LOGON; {$EXTERNALSYM PKERB_S4U_LOGON} TKerbS4ULogon = KERB_S4U_LOGON; PKerbS4ULogon = PKERB_S4U_LOGON; // // Use the same profile structure as MSV1_0 // type _KERB_PROFILE_BUFFER_TYPE = ( kpbtFiller0, kpbtFiller1, KerbInteractiveProfile, kpbtFiller3, KerbSmartCardProfile, kpbtFiller5, KerbTicketProfile); {$EXTERNALSYM _KERB_PROFILE_BUFFER_TYPE} KERB_PROFILE_BUFFER_TYPE = _KERB_PROFILE_BUFFER_TYPE; {$EXTERNALSYM KERB_PROFILE_BUFFER_TYPE} PKERB_PROFILE_BUFFER_TYPE = ^KERB_PROFILE_BUFFER_TYPE; {$EXTERNALSYM PKERB_PROFILE_BUFFER_TYPE} TKerbProfileBufferType = KERB_PROFILE_BUFFER_TYPE; PKerbProfileBufferType = PKERB_PROFILE_BUFFER_TYPE; PKERB_INTERACTIVE_PROFILE = ^KERB_INTERACTIVE_PROFILE; {$EXTERNALSYM PKERB_INTERACTIVE_PROFILE} _KERB_INTERACTIVE_PROFILE = record MessageType: KERB_PROFILE_BUFFER_TYPE; LogonCount: USHORT; BadPasswordCount: USHORT; LogonTime: LARGE_INTEGER; LogoffTime: LARGE_INTEGER; KickOffTime: LARGE_INTEGER; PasswordLastSet: LARGE_INTEGER; PasswordCanChange: LARGE_INTEGER; PasswordMustChange: LARGE_INTEGER; LogonScript: UNICODE_STRING; HomeDirectory: UNICODE_STRING; FullName: UNICODE_STRING; ProfilePath: UNICODE_STRING; HomeDirectoryDrive: UNICODE_STRING; LogonServer: UNICODE_STRING; UserFlags: ULONG; end; {$EXTERNALSYM _KERB_INTERACTIVE_PROFILE} KERB_INTERACTIVE_PROFILE = _KERB_INTERACTIVE_PROFILE; {$EXTERNALSYM KERB_INTERACTIVE_PROFILE} TKerbInteractiveProfile = KERB_INTERACTIVE_PROFILE; PKerbInteractiveProfile = PKERB_INTERACTIVE_PROFILE; // // For smart card, we return a smart card profile, which is an interactive // profile plus a certificate // PKERB_SMART_CARD_PROFILE = ^KERB_SMART_CARD_PROFILE; {$EXTERNALSYM PKERB_SMART_CARD_PROFILE} _KERB_SMART_CARD_PROFILE = record Profile: KERB_INTERACTIVE_PROFILE; CertificateSize: ULONG; CertificateData: PUCHAR; end; {$EXTERNALSYM _KERB_SMART_CARD_PROFILE} KERB_SMART_CARD_PROFILE = _KERB_SMART_CARD_PROFILE; {$EXTERNALSYM KERB_SMART_CARD_PROFILE} TKerbSmartCardProfile = KERB_SMART_CARD_PROFILE; PKerbSmartCardProfile = PKERB_SMART_CARD_PROFILE; // // For a ticket logon profile, we return the session key from the ticket // PKERB_CRYPTO_KEY = ^KERB_CRYPTO_KEY; {$EXTERNALSYM PKERB_CRYPTO_KEY} KERB_CRYPTO_KEY = record KeyType: LONG; Length: ULONG; Value: PUCHAR; end; {$EXTERNALSYM KERB_CRYPTO_KEY} TKerbCryptoKey = KERB_CRYPTO_KEY; PKerbCryptoKey = PKERB_CRYPTO_KEY; PKERB_TICKET_PROFILE = ^KERB_TICKET_PROFILE; {$EXTERNALSYM PKERB_TICKET_PROFILE} _KERB_TICKET_PROFILE = record Profile: KERB_INTERACTIVE_PROFILE; SessionKey: KERB_CRYPTO_KEY; end; {$EXTERNALSYM _KERB_TICKET_PROFILE} KERB_TICKET_PROFILE = _KERB_TICKET_PROFILE; {$EXTERNALSYM KERB_TICKET_PROFILE} TKerbTicketProfile = KERB_TICKET_PROFILE; PKerbTicketProfile = PKERB_TICKET_PROFILE; _KERB_PROTOCOL_MESSAGE_TYPE = ( KerbDebugRequestMessage, KerbQueryTicketCacheMessage, KerbChangeMachinePasswordMessage, KerbVerifyPacMessage, KerbRetrieveTicketMessage, KerbUpdateAddressesMessage, KerbPurgeTicketCacheMessage, KerbChangePasswordMessage, KerbRetrieveEncodedTicketMessage, KerbDecryptDataMessage, KerbAddBindingCacheEntryMessage, KerbSetPasswordMessage, KerbSetPasswordExMessage, KerbVerifyCredentialsMessage, KerbQueryTicketCacheExMessage, KerbPurgeTicketCacheExMessage, KerbRefreshSmartcardCredentialsMessage, KerbAddExtraCredentialsMessage, KerbQuerySupplementalCredentialsMessage); {$EXTERNALSYM _KERB_PROTOCOL_MESSAGE_TYPE} KERB_PROTOCOL_MESSAGE_TYPE = _KERB_PROTOCOL_MESSAGE_TYPE; {$EXTERNALSYM KERB_PROTOCOL_MESSAGE_TYPE} PKERB_PROTOCOL_MESSAGE_TYPE = ^KERB_PROTOCOL_MESSAGE_TYPE; {$EXTERNALSYM PKERB_PROTOCOL_MESSAGE_TYPE} TKerbProtocolMessageType = KERB_PROTOCOL_MESSAGE_TYPE; PKerbProtocolMessageType = PKERB_PROTOCOL_MESSAGE_TYPE; // // Used both for retrieving tickets and for querying ticket cache // PKERB_QUERY_TKT_CACHE_REQUEST = ^KERB_QUERY_TKT_CACHE_REQUEST; {$EXTERNALSYM PKERB_QUERY_TKT_CACHE_REQUEST} _KERB_QUERY_TKT_CACHE_REQUEST = record MessageType: KERB_PROTOCOL_MESSAGE_TYPE; LogonId: LUID; end; {$EXTERNALSYM _KERB_QUERY_TKT_CACHE_REQUEST} KERB_QUERY_TKT_CACHE_REQUEST = _KERB_QUERY_TKT_CACHE_REQUEST; {$EXTERNALSYM KERB_QUERY_TKT_CACHE_REQUEST} TKerbQueryTktCacheRequest = KERB_QUERY_TKT_CACHE_REQUEST; PKerbQueryTktCacheRequest = PKERB_QUERY_TKT_CACHE_REQUEST; PKERB_TICKET_CACHE_INFO = ^KERB_TICKET_CACHE_INFO; {$EXTERNALSYM PKERB_TICKET_CACHE_INFO} _KERB_TICKET_CACHE_INFO = record ServerName: UNICODE_STRING; RealmName: UNICODE_STRING; StartTime: LARGE_INTEGER; EndTime: LARGE_INTEGER; RenewTime: LARGE_INTEGER; EncryptionType: LONG; TicketFlags: ULONG; end; {$EXTERNALSYM _KERB_TICKET_CACHE_INFO} KERB_TICKET_CACHE_INFO = _KERB_TICKET_CACHE_INFO; {$EXTERNALSYM KERB_TICKET_CACHE_INFO} TKerbTicketCacheInfo = KERB_TICKET_CACHE_INFO; PKerbTicketCacheInfo = PKERB_TICKET_CACHE_INFO; _KERB_TICKET_CACHE_INFO_EX = record ClientName: UNICODE_STRING; ClientRealm: UNICODE_STRING; ServerName: UNICODE_STRING; ServerRealm: UNICODE_STRING; StartTime: LARGE_INTEGER; EndTime: LARGE_INTEGER; RenewTime: LARGE_INTEGER; EncryptionType: LONG; TicketFlags: ULONG; end; {$EXTERNALSYM _KERB_TICKET_CACHE_INFO_EX} KERB_TICKET_CACHE_INFO_EX = _KERB_TICKET_CACHE_INFO_EX; {$EXTERNALSYM KERB_TICKET_CACHE_INFO_EX} PKERB_TICKET_CACHE_INFO_EX = ^KERB_TICKET_CACHE_INFO_EX; {$EXTERNALSYM PKERB_TICKET_CACHE_INFO_EX} TKerbTicketCacheInfoEx = KERB_TICKET_CACHE_INFO_EX; PKerbTicketCacheInfoEx = PKERB_TICKET_CACHE_INFO_EX; PKERB_QUERY_TKT_CACHE_RESPONSE = ^KERB_QUERY_TKT_CACHE_RESPONSE; {$EXTERNALSYM PKERB_QUERY_TKT_CACHE_RESPONSE} _KERB_QUERY_TKT_CACHE_RESPONSE = record MessageType: KERB_PROTOCOL_MESSAGE_TYPE; CountOfTickets: ULONG; Tickets: array [0..ANYSIZE_ARRAY - 1] of KERB_TICKET_CACHE_INFO; end; {$EXTERNALSYM _KERB_QUERY_TKT_CACHE_RESPONSE} KERB_QUERY_TKT_CACHE_RESPONSE = _KERB_QUERY_TKT_CACHE_RESPONSE; {$EXTERNALSYM KERB_QUERY_TKT_CACHE_RESPONSE} TKerbQueryTktCacheResponse = KERB_QUERY_TKT_CACHE_RESPONSE; PKerbQueryTktCacheResponse = PKERB_QUERY_TKT_CACHE_RESPONSE; _KERB_QUERY_TKT_CACHE_EX_RESPONSE = record MessageType: KERB_PROTOCOL_MESSAGE_TYPE; CountOfTickets: ULONG; Tickets: array [0..ANYSIZE_ARRAY - 1] of KERB_TICKET_CACHE_INFO_EX; end; {$EXTERNALSYM _KERB_QUERY_TKT_CACHE_EX_RESPONSE} KERB_QUERY_TKT_CACHE_EX_RESPONSE = _KERB_QUERY_TKT_CACHE_EX_RESPONSE; {$EXTERNALSYM KERB_QUERY_TKT_CACHE_EX_RESPONSE} PKERB_QUERY_TKT_CACHE_EX_RESPONSE = ^KERB_QUERY_TKT_CACHE_EX_RESPONSE; {$EXTERNALSYM PKERB_QUERY_TKT_CACHE_EX_RESPONSE} TKerbQueryTktCacheExResponse = KERB_QUERY_TKT_CACHE_EX_RESPONSE; PKerbQueryTktCacheExResponse = PKERB_QUERY_TKT_CACHE_EX_RESPONSE; // // Types for retrieving encoded ticket from the cache // _SecHandle = record dwLower: ULONG_PTR; dwUpper: ULONG_PTR; end; {$EXTERNALSYM _SecHandle} SecHandle = _SecHandle; {$EXTERNALSYM SecHandle} PSecHandle = ^SecHandle; {$EXTERNALSYM PSecHandle} // Ticket Flags const KERB_USE_DEFAULT_TICKET_FLAGS = $0; {$EXTERNALSYM KERB_USE_DEFAULT_TICKET_FLAGS} // CacheOptions KERB_RETRIEVE_TICKET_DEFAULT = $0; {$EXTERNALSYM KERB_RETRIEVE_TICKET_DEFAULT} KERB_RETRIEVE_TICKET_DONT_USE_CACHE = $1; {$EXTERNALSYM KERB_RETRIEVE_TICKET_DONT_USE_CACHE} KERB_RETRIEVE_TICKET_USE_CACHE_ONLY = $2; {$EXTERNALSYM KERB_RETRIEVE_TICKET_USE_CACHE_ONLY} KERB_RETRIEVE_TICKET_USE_CREDHANDLE = $4; {$EXTERNALSYM KERB_RETRIEVE_TICKET_USE_CREDHANDLE} KERB_RETRIEVE_TICKET_AS_KERB_CRED = $8; {$EXTERNALSYM KERB_RETRIEVE_TICKET_AS_KERB_CRED} KERB_RETRIEVE_TICKET_WITH_SEC_CRED = $10; {$EXTERNALSYM KERB_RETRIEVE_TICKET_WITH_SEC_CRED} // Encryption Type options KERB_ETYPE_DEFAULT = $0; // don't specify etype in tkt req. {$EXTERNALSYM KERB_ETYPE_DEFAULT} type _KERB_AUTH_DATA = record Type_: ULONG; Length: ULONG; Data: PUCHAR; end; {$EXTERNALSYM _KERB_AUTH_DATA} KERB_AUTH_DATA = _KERB_AUTH_DATA; {$EXTERNALSYM KERB_AUTH_DATA} PKERB_AUTH_DATA = ^KERB_AUTH_DATA; {$EXTERNALSYM PKERB_AUTH_DATA} TKerbAuthData = KERB_AUTH_DATA; PKerbAuthData = PKERB_AUTH_DATA; _KERB_NET_ADDRESS = record Family: ULONG; Length: ULONG; Address: PCHAR; end; {$EXTERNALSYM _KERB_NET_ADDRESS} KERB_NET_ADDRESS = _KERB_NET_ADDRESS; {$EXTERNALSYM KERB_NET_ADDRESS} PKERB_NET_ADDRESS = ^KERB_NET_ADDRESS; {$EXTERNALSYM PKERB_NET_ADDRESS} TKerbNetAddress = KERB_NET_ADDRESS; PKerbNetAddress = PKERB_NET_ADDRESS; _KERB_NET_ADDRESSES = record Number: ULONG; Addresses: array [0..ANYSIZE_ARRAY - 1] of KERB_NET_ADDRESS; end; {$EXTERNALSYM _KERB_NET_ADDRESSES} KERB_NET_ADDRESSES = _KERB_NET_ADDRESSES; {$EXTERNALSYM KERB_NET_ADDRESSES} PKERB_NET_ADDRESSES = ^KERB_NET_ADDRESSES; {$EXTERNALSYM PKERB_NET_ADDRESSES} TKerbNetAddresses = KERB_NET_ADDRESSES; PKerbNetAddresses = PKERB_NET_ADDRESSES; // // Types for the information about a ticket // type PKERB_EXTERNAL_NAME = ^KERB_EXTERNAL_NAME; {$EXTERNALSYM PKERB_EXTERNAL_NAME} _KERB_EXTERNAL_NAME = record NameType: SHORT; NameCount: USHORT; Names: array [0..ANYSIZE_ARRAY - 1] of UNICODE_STRING; end; {$EXTERNALSYM _KERB_EXTERNAL_NAME} KERB_EXTERNAL_NAME = _KERB_EXTERNAL_NAME; {$EXTERNALSYM KERB_EXTERNAL_NAME} TKerbExternalName = KERB_EXTERNAL_NAME; PKerbExternalName = PKERB_EXTERNAL_NAME; PKERB_EXTERNAL_TICKET = ^KERB_EXTERNAL_TICKET; {$EXTERNALSYM PKERB_EXTERNAL_TICKET} _KERB_EXTERNAL_TICKET = record ServiceName: PKERB_EXTERNAL_NAME; TargetName: PKERB_EXTERNAL_NAME; ClientName: PKERB_EXTERNAL_NAME; DomainName: UNICODE_STRING; TargetDomainName: UNICODE_STRING; // contains ClientDomainName AltTargetDomainName: UNICODE_STRING; SessionKey: KERB_CRYPTO_KEY; TicketFlags: ULONG; Flags: ULONG; KeyExpirationTime: LARGE_INTEGER; StartTime: LARGE_INTEGER; EndTime: LARGE_INTEGER; RenewUntil: LARGE_INTEGER; TimeSkew: LARGE_INTEGER; EncodedTicketSize: ULONG; EncodedTicket: PUCHAR; end; {$EXTERNALSYM _KERB_EXTERNAL_TICKET} KERB_EXTERNAL_TICKET = _KERB_EXTERNAL_TICKET; {$EXTERNALSYM KERB_EXTERNAL_TICKET} TKerbExternalTicket = KERB_EXTERNAL_TICKET; PKerbExternalTicket = PKERB_EXTERNAL_TICKET; _KERB_RETRIEVE_TKT_REQUEST = record MessageType: KERB_PROTOCOL_MESSAGE_TYPE; LogonId: LUID; TargetName: UNICODE_STRING; TicketFlags: ULONG; CacheOptions: ULONG; EncryptionType: LONG; CredentialsHandle: SecHandle; end; {$EXTERNALSYM _KERB_RETRIEVE_TKT_REQUEST} KERB_RETRIEVE_TKT_REQUEST = _KERB_RETRIEVE_TKT_REQUEST; {$EXTERNALSYM KERB_RETRIEVE_TKT_REQUEST} PKERB_RETRIEVE_TKT_REQUEST = ^KERB_RETRIEVE_TKT_REQUEST; {$EXTERNALSYM PKERB_RETRIEVE_TKT_REQUEST} TKerbRetrieveTktRequest = KERB_RETRIEVE_TKT_REQUEST; PKerbRetrieveTktRequest = PKERB_RETRIEVE_TKT_REQUEST; PKERB_RETRIEVE_TKT_RESPONSE = ^KERB_RETRIEVE_TKT_RESPONSE; {$EXTERNALSYM PKERB_RETRIEVE_TKT_RESPONSE} _KERB_RETRIEVE_TKT_RESPONSE = record Ticket: KERB_EXTERNAL_TICKET; end; {$EXTERNALSYM _KERB_RETRIEVE_TKT_RESPONSE} KERB_RETRIEVE_TKT_RESPONSE = _KERB_RETRIEVE_TKT_RESPONSE; {$EXTERNALSYM KERB_RETRIEVE_TKT_RESPONSE} TKerbRetrieveTktResponse = KERB_RETRIEVE_TKT_RESPONSE; PKerbRetrieveTktResponse = PKERB_RETRIEVE_TKT_RESPONSE; // // Used to purge entries from the ticket cache // PKERB_PURGE_TKT_CACHE_REQUEST = ^KERB_PURGE_TKT_CACHE_REQUEST; {$EXTERNALSYM PKERB_PURGE_TKT_CACHE_REQUEST} _KERB_PURGE_TKT_CACHE_REQUEST = record MessageType: KERB_PROTOCOL_MESSAGE_TYPE; LogonId: LUID; ServerName: UNICODE_STRING; RealmName: UNICODE_STRING; end; {$EXTERNALSYM _KERB_PURGE_TKT_CACHE_REQUEST} KERB_PURGE_TKT_CACHE_REQUEST = _KERB_PURGE_TKT_CACHE_REQUEST; {$EXTERNALSYM KERB_PURGE_TKT_CACHE_REQUEST} TKerbPurgeTktCacheRequest = KERB_PURGE_TKT_CACHE_REQUEST; PKerbPurgeTktCacheRequest = PKERB_PURGE_TKT_CACHE_REQUEST; // // Flags for purge requests // const KERB_PURGE_ALL_TICKETS = 1; {$EXTERNALSYM KERB_PURGE_ALL_TICKETS} type _KERB_PURGE_TKT_CACHE_EX_REQUEST = record MessageType: KERB_PROTOCOL_MESSAGE_TYPE; LogonId: LUID; Flags: ULONG; TicketTemplate: KERB_TICKET_CACHE_INFO_EX; end; {$EXTERNALSYM _KERB_PURGE_TKT_CACHE_EX_REQUEST} KERB_PURGE_TKT_CACHE_EX_REQUEST = _KERB_PURGE_TKT_CACHE_EX_REQUEST; {$EXTERNALSYM KERB_PURGE_TKT_CACHE_EX_REQUEST} PKERB_PURGE_TKT_CACHE_EX_REQUEST = ^KERB_PURGE_TKT_CACHE_EX_REQUEST; {$EXTERNALSYM PKERB_PURGE_TKT_CACHE_EX_REQUEST} TKerbPurgeTktCacheExRequest = KERB_PURGE_TKT_CACHE_EX_REQUEST; PKerbPurgeTktCacheExRequest = PKERB_PURGE_TKT_CACHE_EX_REQUEST; // // KerbChangePassword // // KerbChangePassword changes the password on the KDC account plus // the password cache and logon credentials if applicable. // // PKERB_CHANGEPASSWORD_REQUEST = ^KERB_CHANGEPASSWORD_REQUEST; {$EXTERNALSYM PKERB_CHANGEPASSWORD_REQUEST} _KERB_CHANGEPASSWORD_REQUEST = record MessageType: KERB_PROTOCOL_MESSAGE_TYPE; DomainName: UNICODE_STRING; AccountName: UNICODE_STRING; OldPassword: UNICODE_STRING; NewPassword: UNICODE_STRING; Impersonating: ByteBool; end; {$EXTERNALSYM _KERB_CHANGEPASSWORD_REQUEST} KERB_CHANGEPASSWORD_REQUEST = _KERB_CHANGEPASSWORD_REQUEST; {$EXTERNALSYM KERB_CHANGEPASSWORD_REQUEST} TKerbChangepasswordRequest = KERB_CHANGEPASSWORD_REQUEST; PKerbChangepasswordRequest = PKERB_CHANGEPASSWORD_REQUEST; // // KerbSetPassword // // KerbSetPassword changes the password on the KDC account plus // the password cache and logon credentials if applicable. // // PKERB_SETPASSWORD_REQUEST = ^KERB_SETPASSWORD_REQUEST; {$EXTERNALSYM PKERB_SETPASSWORD_REQUEST} _KERB_SETPASSWORD_REQUEST = record MessageType: KERB_PROTOCOL_MESSAGE_TYPE; LogonId: LUID; CredentialsHandle: SecHandle; Flags: ULONG; DomainName: UNICODE_STRING; AccountName: UNICODE_STRING; Password: UNICODE_STRING; end; {$EXTERNALSYM _KERB_SETPASSWORD_REQUEST} KERB_SETPASSWORD_REQUEST = _KERB_SETPASSWORD_REQUEST; {$EXTERNALSYM KERB_SETPASSWORD_REQUEST} TKerbSetpasswordRequest = KERB_SETPASSWORD_REQUEST; PKerbSetpasswordRequest = PKERB_SETPASSWORD_REQUEST; _KERB_SETPASSWORD_EX_REQUEST = record MessageType: KERB_PROTOCOL_MESSAGE_TYPE; LogonId: LUID; CredentialsHandle: SecHandle; Flags: ULONG; AccountRealm: UNICODE_STRING; AccountName: UNICODE_STRING; Password: UNICODE_STRING; ClientRealm: UNICODE_STRING; ClientName: UNICODE_STRING; Impersonating: BOOLEAN; KdcAddress: UNICODE_STRING; KdcAddressType: ULONG; end; {$EXTERNALSYM _KERB_SETPASSWORD_EX_REQUEST} KERB_SETPASSWORD_EX_REQUEST = _KERB_SETPASSWORD_EX_REQUEST; {$EXTERNALSYM KERB_SETPASSWORD_EX_REQUEST} PKERB_SETPASSWORD_EX_REQUEST = ^KERB_SETPASSWORD_EX_REQUEST; {$EXTERNALSYM PKERB_SETPASSWORD_EX_REQUEST} TKerbSetPasswordExRequest = KERB_SETPASSWORD_EX_REQUEST; PKerbSetPasswordExRequest = PKERB_SETPASSWORD_EX_REQUEST; const DS_UNKNOWN_ADDRESS_TYPE = 0; // anything *but* IP {$EXTERNALSYM DS_UNKNOWN_ADDRESS_TYPE} KERB_SETPASS_USE_LOGONID = 1; {$EXTERNALSYM KERB_SETPASS_USE_LOGONID} KERB_SETPASS_USE_CREDHANDLE = 2; {$EXTERNALSYM KERB_SETPASS_USE_CREDHANDLE} type PKERB_DECRYPT_REQUEST = ^KERB_DECRYPT_REQUEST; {$EXTERNALSYM PKERB_DECRYPT_REQUEST} _KERB_DECRYPT_REQUEST = record MessageType: KERB_PROTOCOL_MESSAGE_TYPE; LogonId: LUID; Flags: ULONG; CryptoType: LONG; KeyUsage: LONG; Key: KERB_CRYPTO_KEY; // optional EncryptedDataSize: ULONG; InitialVectorSize: ULONG; InitialVector: PUCHAR; EncryptedData: PUCHAR; end; {$EXTERNALSYM _KERB_DECRYPT_REQUEST} KERB_DECRYPT_REQUEST = _KERB_DECRYPT_REQUEST; {$EXTERNALSYM KERB_DECRYPT_REQUEST} TKerbDecryptRequest = KERB_DECRYPT_REQUEST; PKerbDecryptRequest = PKERB_DECRYPT_REQUEST; // // If set, use the primary key from the current logon session of the one provided in the LogonId field. // Otherwise, use the Key in the KERB_DECRYPT_MESSAGE. const KERB_DECRYPT_FLAG_DEFAULT_KEY = $00000001; {$EXTERNALSYM KERB_DECRYPT_FLAG_DEFAULT_KEY} type PKERB_DECRYPT_RESPONSE = ^KERB_DECRYPT_RESPONSE; {$EXTERNALSYM PKERB_DECRYPT_RESPONSE} _KERB_DECRYPT_RESPONSE = record DecryptedData: array [0..ANYSIZE_ARRAY - 1] of UCHAR; end; {$EXTERNALSYM _KERB_DECRYPT_RESPONSE} KERB_DECRYPT_RESPONSE = _KERB_DECRYPT_RESPONSE; {$EXTERNALSYM KERB_DECRYPT_RESPONSE} TKerbDecryptResponse = KERB_DECRYPT_RESPONSE; PKerbDecryptResponse = PKERB_DECRYPT_RESPONSE; // // Request structure for adding a binding cache entry. TCB privilege // is required for this operation. // PKERB_ADD_BINDING_CACHE_ENTRY_REQUEST = ^KERB_ADD_BINDING_CACHE_ENTRY_REQUEST; {$EXTERNALSYM PKERB_ADD_BINDING_CACHE_ENTRY_REQUEST} _KERB_ADD_BINDING_CACHE_ENTRY_REQUEST = record MessageType: KERB_PROTOCOL_MESSAGE_TYPE; RealmName: UNICODE_STRING; KdcAddress: UNICODE_STRING; AddressType: ULONG; //dsgetdc.h DS_NETBIOS_ADDRESS||DS_INET_ADDRESS end; {$EXTERNALSYM _KERB_ADD_BINDING_CACHE_ENTRY_REQUEST} KERB_ADD_BINDING_CACHE_ENTRY_REQUEST = _KERB_ADD_BINDING_CACHE_ENTRY_REQUEST; {$EXTERNALSYM KERB_ADD_BINDING_CACHE_ENTRY_REQUEST} TKerbAddBindingCacheEntryRequest = KERB_ADD_BINDING_CACHE_ENTRY_REQUEST; PKerbAddBindingCacheEntryRequest = PKERB_ADD_BINDING_CACHE_ENTRY_REQUEST; // // Request structure for reacquiring smartcard credentials for a // given LUID. // Requires TCB. // _KERB_REFRESH_SCCRED_REQUEST = record MessageType: KERB_PROTOCOL_MESSAGE_TYPE; CredentialBlob: UNICODE_STRING; // optional LogonId: LUID; Flags: ULONG; end; {$EXTERNALSYM _KERB_REFRESH_SCCRED_REQUEST} KERB_REFRESH_SCCRED_REQUEST = _KERB_REFRESH_SCCRED_REQUEST; {$EXTERNALSYM KERB_REFRESH_SCCRED_REQUEST} PKERB_REFRESH_SCCRED_REQUEST = ^KERB_REFRESH_SCCRED_REQUEST; {$EXTERNALSYM PKERB_REFRESH_SCCRED_REQUEST} TKerbRefreshScCredRequest = KERB_REFRESH_SCCRED_REQUEST; PKerbRefreshScCredRequest = PKERB_REFRESH_SCCRED_REQUEST; // // Flags for KERB_REFRESH_SCCRED_REQUEST // // KERB_REFRESH_SCCRED_RELEASE // Release the smartcard handle for LUID // // KERB_REFRESH_SCCRED_GETTGT // Use the certificate hash in the blob to get a TGT for the logon // session. // const KERB_REFRESH_SCCRED_RELEASE = $0; {$EXTERNALSYM KERB_REFRESH_SCCRED_RELEASE} KERB_REFRESH_SCCRED_GETTGT = $1; {$EXTERNALSYM KERB_REFRESH_SCCRED_GETTGT} // // Request structure for adding extra Server credentials to a given // logon session. Only applicable during AcceptSecurityContext, and // requires TCB to alter "other" creds // type _KERB_ADD_CREDENTIALS_REQUEST = record MessageType: KERB_PROTOCOL_MESSAGE_TYPE; UserName: UNICODE_STRING; DomainName: UNICODE_STRING; Password: UNICODE_STRING; LogonId: LUID; // optional Flags: ULONG; end; {$EXTERNALSYM _KERB_ADD_CREDENTIALS_REQUEST} KERB_ADD_CREDENTIALS_REQUEST = _KERB_ADD_CREDENTIALS_REQUEST; {$EXTERNALSYM KERB_ADD_CREDENTIALS_REQUEST} PKERB_ADD_CREDENTIALS_REQUEST = ^KERB_ADD_CREDENTIALS_REQUEST; {$EXTERNALSYM PKERB_ADD_CREDENTIALS_REQUEST} TKerbAddCredentialsRequest = KERB_ADD_CREDENTIALS_REQUEST; PKerbAddCredentialsRequest = PKERB_ADD_CREDENTIALS_REQUEST; const KERB_REQUEST_ADD_CREDENTIAL = 1; {$EXTERNALSYM KERB_REQUEST_ADD_CREDENTIAL} KERB_REQUEST_REPLACE_CREDENTIAL = 2; {$EXTERNALSYM KERB_REQUEST_REPLACE_CREDENTIAL} KERB_REQUEST_REMOVE_CREDENTIAL = 4; {$EXTERNALSYM KERB_REQUEST_REMOVE_CREDENTIAL} {$ENDIF JWA_IMPLEMENTATIONSECTION} {$IFNDEF JWA_OMIT_SECTIONS} implementation //uses ... {$ENDIF JWA_OMIT_SECTIONS} {$IFNDEF JWA_INTERFACESECTION} {$IFNDEF JWA_INCLUDEMODE} const secur32 = 'secur32.dll'; advapi32 = 'advapi32.dll'; {$ENDIF JWA_INCLUDEMODE} function LSA_SUCCESS(Error: NTSTATUS): BOOL; begin Result := LONG(Error) > 0; end; function KERB_IS_MS_PRINCIPAL(X: Integer): BOOL; begin Result := (X <= KRB_NT_MS_PRINCIPAL) or (X >= KRB_NT_ENTERPRISE_PRINCIPAL); end; {$IFDEF DYNAMIC_LINK} var _LsaRegisterLogonProcess: Pointer; function LsaRegisterLogonProcess; begin GetProcedureAddress(_LsaRegisterLogonProcess, secur32, 'LsaRegisterLogonProcess'); asm MOV ESP, EBP POP EBP JMP [_LsaRegisterLogonProcess] end; end; var _LsaLogonUser: Pointer; function LsaLogonUser; begin GetProcedureAddress(_LsaLogonUser, secur32, 'LsaLogonUser'); asm MOV ESP, EBP POP EBP JMP [_LsaLogonUser] end; end; var _LsaLookupAuthenticationPackage: Pointer; function LsaLookupAuthenticationPackage; begin GetProcedureAddress(_LsaLookupAuthenticationPackage, secur32, 'LsaLookupAuthenticationPackage'); asm MOV ESP, EBP POP EBP JMP [_LsaLookupAuthenticationPackage] end; end; var _LsaFreeReturnBuffer: Pointer; function LsaFreeReturnBuffer; begin GetProcedureAddress(_LsaFreeReturnBuffer, secur32, 'LsaFreeReturnBuffer'); asm MOV ESP, EBP POP EBP JMP [_LsaFreeReturnBuffer] end; end; var _LsaCallAuthenticationPackage: Pointer; function LsaCallAuthenticationPackage; begin GetProcedureAddress(_LsaCallAuthenticationPackage, secur32, 'LsaCallAuthenticationPackage'); asm MOV ESP, EBP POP EBP JMP [_LsaCallAuthenticationPackage] end; end; var _LsaDeregisterLogonProcess: Pointer; function LsaDeregisterLogonProcess; begin GetProcedureAddress(_LsaDeregisterLogonProcess, secur32, 'LsaDeregisterLogonProcess'); asm MOV ESP, EBP POP EBP JMP [_LsaDeregisterLogonProcess] end; end; var _LsaConnectUntrusted: Pointer; function LsaConnectUntrusted; begin GetProcedureAddress(_LsaConnectUntrusted, secur32, 'LsaConnectUntrusted'); asm MOV ESP, EBP POP EBP JMP [_LsaConnectUntrusted] end; end; var _LsaFreeMemory: Pointer; function LsaFreeMemory; begin GetProcedureAddress(_LsaFreeMemory, advapi32, 'LsaFreeMemory'); asm MOV ESP, EBP POP EBP JMP [_LsaFreeMemory] end; end; var _LsaClose: Pointer; function LsaClose; begin GetProcedureAddress(_LsaClose, advapi32, 'LsaClose'); asm MOV ESP, EBP POP EBP JMP [_LsaClose] end; end; var _LsaOpenPolicy: Pointer; function LsaOpenPolicy; begin GetProcedureAddress(_LsaOpenPolicy, advapi32, 'LsaOpenPolicy'); asm MOV ESP, EBP POP EBP JMP [_LsaOpenPolicy] end; end; var _LsaEnumerateLogonSessions: Pointer; function LsaEnumerateLogonSessions; begin GetProcedureAddress(_LsaEnumerateLogonSessions, secur32, 'LsaEnumerateLogonSessions'); asm MOV ESP, EBP POP EBP JMP [_LsaEnumerateLogonSessions] end; end; var _LsaGetLogonSessionData: Pointer; function LsaGetLogonSessionData; begin GetProcedureAddress(_LsaGetLogonSessionData, secur32, 'LsaGetLogonSessionData'); asm MOV ESP, EBP POP EBP JMP [_LsaGetLogonSessionData] end; end; var _LsaQueryInformationPolicy: Pointer; function LsaQueryInformationPolicy; begin GetProcedureAddress(_LsaQueryInformationPolicy, advapi32, 'LsaQueryInformationPolicy'); asm MOV ESP, EBP POP EBP JMP [_LsaQueryInformationPolicy] end; end; var _LsaSetInformationPolicy: Pointer; function LsaSetInformationPolicy; begin GetProcedureAddress(_LsaSetInformationPolicy, advapi32, 'LsaSetInformationPolicy'); asm MOV ESP, EBP POP EBP JMP [_LsaSetInformationPolicy] end; end; var _LsaQueryDomainInformationPolicy: Pointer; function LsaQueryDomainInformationPolicy; begin GetProcedureAddress(_LsaQueryDomainInformationPolicy, advapi32, 'LsaQueryDomainInformationPolicy'); asm MOV ESP, EBP POP EBP JMP [_LsaQueryDomainInformationPolicy] end; end; var _LsaSetDomainInformationPolicy: Pointer; function LsaSetDomainInformationPolicy; begin GetProcedureAddress(_LsaSetDomainInformationPolicy, advapi32, 'LsaSetDomainInformationPolicy'); asm MOV ESP, EBP POP EBP JMP [_LsaSetDomainInformationPolicy] end; end; var _LsaRegisterPolicyChangeNot: Pointer; function LsaRegisterPolicyChangeNotification; begin GetProcedureAddress(_LsaRegisterPolicyChangeNot, secur32, 'LsaRegisterPolicyChangeNotification'); asm MOV ESP, EBP POP EBP JMP [_LsaRegisterPolicyChangeNot] end; end; var _LsaUnregisterPolicyChangeNot: Pointer; function LsaUnregisterPolicyChangeNotification; begin GetProcedureAddress(_LsaUnregisterPolicyChangeNot, secur32, 'LsaUnregisterPolicyChangeNotification'); asm MOV ESP, EBP POP EBP JMP [_LsaUnregisterPolicyChangeNot] end; end; var _LsaEnumerateTrustedDomains: Pointer; function LsaEnumerateTrustedDomains; begin GetProcedureAddress(_LsaEnumerateTrustedDomains, advapi32, 'LsaEnumerateTrustedDomains'); asm MOV ESP, EBP POP EBP JMP [_LsaEnumerateTrustedDomains] end; end; var _LsaLookupNames: Pointer; function LsaLookupNames; begin GetProcedureAddress(_LsaLookupNames, advapi32, 'LsaLookupNames'); asm MOV ESP, EBP POP EBP JMP [_LsaLookupNames] end; end; var _LsaLookupNames2: Pointer; function LsaLookupNames2; begin GetProcedureAddress(_LsaLookupNames2, advapi32, 'LsaLookupNames2'); asm MOV ESP, EBP POP EBP JMP [_LsaLookupNames2] end; end; var _LsaLookupSids: Pointer; function LsaLookupSids; begin GetProcedureAddress(_LsaLookupSids, advapi32, 'LsaLookupSids'); asm MOV ESP, EBP POP EBP JMP [_LsaLookupSids] end; end; var _LsaEnumAccountsWithUserRight: Pointer; function LsaEnumerateAccountsWithUserRight; begin GetProcedureAddress(_LsaEnumAccountsWithUserRight, advapi32, 'LsaEnumerateAccountsWithUserRight'); asm MOV ESP, EBP POP EBP JMP [_LsaEnumAccountsWithUserRight] end; end; var _LsaEnumerateAccountRights: Pointer; function LsaEnumerateAccountRights; begin GetProcedureAddress(_LsaEnumerateAccountRights, advapi32, 'LsaEnumerateAccountRights'); asm MOV ESP, EBP POP EBP JMP [_LsaEnumerateAccountRights] end; end; var _LsaAddAccountRights: Pointer; function LsaAddAccountRights; begin GetProcedureAddress(_LsaAddAccountRights, advapi32, 'LsaAddAccountRights'); asm MOV ESP, EBP POP EBP JMP [_LsaAddAccountRights] end; end; var _LsaRemoveAccountRights: Pointer; function LsaRemoveAccountRights; begin GetProcedureAddress(_LsaRemoveAccountRights, advapi32, 'LsaRemoveAccountRights'); asm MOV ESP, EBP POP EBP JMP [_LsaRemoveAccountRights] end; end; var _LsaOpenTrustedDomainByName: Pointer; function LsaOpenTrustedDomainByName; begin GetProcedureAddress(_LsaOpenTrustedDomainByName, advapi32, 'LsaOpenTrustedDomainByName'); asm MOV ESP, EBP POP EBP JMP [_LsaOpenTrustedDomainByName] end; end; var _LsaQueryTrustedDomainInfo: Pointer; function LsaQueryTrustedDomainInfo; begin GetProcedureAddress(_LsaQueryTrustedDomainInfo, advapi32, 'LsaQueryTrustedDomainInfo'); asm MOV ESP, EBP POP EBP JMP [_LsaQueryTrustedDomainInfo] end; end; var _LsaSetTrustedDomainInformation: Pointer; function LsaSetTrustedDomainInformation; begin GetProcedureAddress(_LsaSetTrustedDomainInformation, advapi32, 'LsaSetTrustedDomainInformation'); asm MOV ESP, EBP POP EBP JMP [_LsaSetTrustedDomainInformation] end; end; var _LsaDeleteTrustedDomain: Pointer; function LsaDeleteTrustedDomain; begin GetProcedureAddress(_LsaDeleteTrustedDomain, advapi32, 'LsaDeleteTrustedDomain'); asm MOV ESP, EBP POP EBP JMP [_LsaDeleteTrustedDomain] end; end; var _LsaQueryTrustedDomainInfoByName: Pointer; function LsaQueryTrustedDomainInfoByName; begin GetProcedureAddress(_LsaQueryTrustedDomainInfoByName, advapi32, 'LsaQueryTrustedDomainInfoByName'); asm MOV ESP, EBP POP EBP JMP [_LsaQueryTrustedDomainInfoByName] end; end; var _LsaSetTrustedDomainInfoByName: Pointer; function LsaSetTrustedDomainInfoByName; begin GetProcedureAddress(_LsaSetTrustedDomainInfoByName, advapi32, 'LsaSetTrustedDomainInfoByName'); asm MOV ESP, EBP POP EBP JMP [_LsaSetTrustedDomainInfoByName] end; end; var _LsaEnumerateTrustedDomainsEx: Pointer; function LsaEnumerateTrustedDomainsEx; begin GetProcedureAddress(_LsaEnumerateTrustedDomainsEx, advapi32, 'LsaEnumerateTrustedDomainsEx'); asm MOV ESP, EBP POP EBP JMP [_LsaEnumerateTrustedDomainsEx] end; end; var _LsaCreateTrustedDomainEx: Pointer; function LsaCreateTrustedDomainEx; begin GetProcedureAddress(_LsaCreateTrustedDomainEx, advapi32, 'LsaCreateTrustedDomainEx'); asm MOV ESP, EBP POP EBP JMP [_LsaCreateTrustedDomainEx] end; end; var _LsaQueryForestTrustInformation: Pointer; function LsaQueryForestTrustInformation; begin GetProcedureAddress(_LsaQueryForestTrustInformation, advapi32, 'LsaQueryForestTrustInformation'); asm MOV ESP, EBP POP EBP JMP [_LsaQueryForestTrustInformation] end; end; var _LsaSetForestTrustInformation: Pointer; function LsaSetForestTrustInformation; begin GetProcedureAddress(_LsaSetForestTrustInformation, advapi32, 'LsaSetForestTrustInformation'); asm MOV ESP, EBP POP EBP JMP [_LsaSetForestTrustInformation] end; end; var _LsaStorePrivateData: Pointer; function LsaStorePrivateData; begin GetProcedureAddress(_LsaStorePrivateData, advapi32, 'LsaStorePrivateData'); asm MOV ESP, EBP POP EBP JMP [_LsaStorePrivateData] end; end; var _LsaRetrievePrivateData: Pointer; function LsaRetrievePrivateData; begin GetProcedureAddress(_LsaRetrievePrivateData, advapi32, 'LsaRetrievePrivateData'); asm MOV ESP, EBP POP EBP JMP [_LsaRetrievePrivateData] end; end; var _LsaNtStatusToWinError: Pointer; function LsaNtStatusToWinError; begin GetProcedureAddress(_LsaNtStatusToWinError, advapi32, 'LsaNtStatusToWinError'); asm MOV ESP, EBP POP EBP JMP [_LsaNtStatusToWinError] end; end; {$ELSE} function LsaRegisterLogonProcess; external secur32 name 'LsaRegisterLogonProcess'; function LsaLogonUser; external secur32 name 'LsaLogonUser'; function LsaLookupAuthenticationPackage; external secur32 name 'LsaLookupAuthenticationPackage'; function LsaFreeReturnBuffer; external secur32 name 'LsaFreeReturnBuffer'; function LsaCallAuthenticationPackage; external secur32 name 'LsaCallAuthenticationPackage'; function LsaDeregisterLogonProcess; external secur32 name 'LsaDeregisterLogonProcess'; function LsaConnectUntrusted; external secur32 name 'LsaConnectUntrusted'; function LsaFreeMemory; external advapi32 name 'LsaFreeMemory'; function LsaClose; external advapi32 name 'LsaClose'; function LsaOpenPolicy; external advapi32 name 'LsaOpenPolicy'; function LsaEnumerateLogonSessions; external secur32 name 'LsaEnumerateLogonSessions'; function LsaGetLogonSessionData; external secur32 name 'LsaGetLogonSessionData'; function LsaQueryInformationPolicy; external advapi32 name 'LsaQueryInformationPolicy'; function LsaSetInformationPolicy; external advapi32 name 'LsaSetInformationPolicy'; function LsaQueryDomainInformationPolicy; external advapi32 name 'LsaQueryDomainInformationPolicy'; function LsaSetDomainInformationPolicy; external advapi32 name 'LsaSetDomainInformationPolicy'; function LsaRegisterPolicyChangeNotification; external secur32 name 'LsaRegisterPolicyChangeNotification'; function LsaUnregisterPolicyChangeNotification; external secur32 name 'LsaUnregisterPolicyChangeNotification'; function LsaEnumerateTrustedDomains; external advapi32 name 'LsaEnumerateTrustedDomains'; function LsaLookupNames; external advapi32 name 'LsaLookupNames'; function LsaLookupNames2; external advapi32 name 'LsaLookupNames2'; function LsaLookupSids; external advapi32 name 'LsaLookupSids'; function LsaEnumerateAccountsWithUserRight; external advapi32 name 'LsaEnumerateAccountsWithUserRight'; function LsaEnumerateAccountRights; external advapi32 name 'LsaEnumerateAccountRights'; function LsaAddAccountRights; external advapi32 name 'LsaAddAccountRights'; function LsaRemoveAccountRights; external advapi32 name 'LsaRemoveAccountRights'; function LsaOpenTrustedDomainByName; external advapi32 name 'LsaOpenTrustedDomainByName'; function LsaQueryTrustedDomainInfo; external advapi32 name 'LsaQueryTrustedDomainInfo'; function LsaSetTrustedDomainInformation; external advapi32 name 'LsaSetTrustedDomainInformation'; function LsaDeleteTrustedDomain; external advapi32 name 'LsaDeleteTrustedDomain'; function LsaQueryTrustedDomainInfoByName; external advapi32 name 'LsaQueryTrustedDomainInfoByName'; function LsaSetTrustedDomainInfoByName; external advapi32 name 'LsaSetTrustedDomainInfoByName'; function LsaEnumerateTrustedDomainsEx; external advapi32 name 'LsaEnumerateTrustedDomainsEx'; function LsaCreateTrustedDomainEx; external advapi32 name 'LsaCreateTrustedDomainEx'; function LsaQueryForestTrustInformation; external advapi32 name 'LsaQueryForestTrustInformation'; function LsaSetForestTrustInformation; external advapi32 name 'LsaSetForestTrustInformation'; function LsaStorePrivateData; external advapi32 name 'LsaStorePrivateData'; function LsaRetrievePrivateData; external advapi32 name 'LsaRetrievePrivateData'; function LsaNtStatusToWinError; external advapi32 name 'LsaNtStatusToWinError'; {$ENDIF DYNAMIC_LINK} {$ENDIF JWA_INTERFACESECTION} {$IFNDEF JWA_OMIT_SECTIONS} end. {$ENDIF JWA_OMIT_SECTIONS}