I’ve been messing around with the Windows LSA and implementing my own authentication package. It’s all part of an authentication server I’m building.  The *NIX component (a PAM module) was pulled together in an afternoon.

Windows is a slightly different story…..

As always, MSDN has great documentation on the APIs, but there is not a lot of other reference material out there.  I did find an article on building an LSA proxy which was some help, but there was no real source code to work from.

For anyone looking to implement an SSP/AP, a couple of things to remember…

  • Use a virtual machine with nothing on it bu Windows for testing.  Make sure you have a Restore Point – you will break the boot process frequently!
  • Remember to copy the Visual Studio shared runtime library over to \windows\System32 on your build system. (OK should have been obvious 🙂 ).  When LSASS.EXE can’t load a DLL it just ignores it quietly.  No error, no nothing.
  • Build the right architecture for your test system (yeah – again obvious…)

There were some other things I found interesting.  The API talks about a function table that both the Sp and the Ap functions should be registered in.  Interestingly MSV1_0 (the NTLM authentication library) doesn’t include all the Ap functions in the table.  So you need to find them in the DLL exports.  Seems to be a hangover from old implementation I guess.

Anyway – in the interests of helping others out there, the source codefor a basic proxy can be found here.

It’s got the VS 2012 project in there.  Just compile it, copy the DLL to \Windows\System32 on your test system and then add the library name to the list of library names in the following registry key:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Security Packages

Hope it’s of use to someone.  The Pwitc name is the name of the authentication server I’m building – just pretend it says "LsassProxy" or somesuch!