EDIT: Thank you @RbMm for your clarification questions!
I am implementing MFA in a credential provider (not a wrapper provider). One of the options I must support is to verify that the same UPN is used for logging in to the computer and for validating with the MFA provider. I use LsaLogonUser, ImpersonateLoggedOnUser and GetUserNameEx(NameUserPrincipal) to obtain this information. This works in most environments; however, on a computer connected to a hybrid Azure AD domain, LsaLogonUser fails. This led to an investigation, the results of which are elaborated below:
I have a computer belonging to an Azure AD hybrid domain, but I have no way of getting the SAM-compatible domain name from the Azure AD domain name. For example, I can log in with a user whose Azure AD UPN is, for example's sake, [email protected]. The SAM-compatible name is localdomain\localuser. GetUserNameEx(NameUserPrincipal) returns [email protected], and GetUserNameEx(NameSamCompatible) returns localdomain\localuser. HOWEVER, in the following code, TranslateName fails with GetLastError() returning ERROR_NO_SUCH_DOMAIN:
TCHAR validBuffer[MAX_PATH + 1];
ULONG nValidSize = MAX_PATH;  // size of validBuffer in TCHARs
// TEXT() so the literal matches TCHAR in both ANSI and Unicode builds.
// On the hybrid-joined machine this returns FALSE with GetLastError() == ERROR_NO_SUCH_DOMAIN.
if (!TranslateName(TEXT("[email protected]"), NameUserPrincipal, NameSamCompatible, validBuffer, &nValidSize))
    DWORD dwError = GetLastError();
I have also tried the following APIs without success; they all fail with different return values:
- GetComputerObjectName fails with any value passed to NameFormat
- GetComputerNameEx fails with ERROR_CANT_ACCESS_DOMAIN_INFO for any relevant value of NameType
- NetWkstaGetInfo does not return any useful information in any field
Also, if you look at the computer's join information in This PC > Properties > Advanced System Properties, you see it as part of a workgroup, not a domain. If you run the dsregcmd /status command:
- executed within the aforementioned user's logon session: the 'Diagnostic' part lists the localdomain in the output
- executed from a command prompt running with the LocalSystem account, the output does not list the localdomain anywhere.
An important point (thanks @RbMm): the code services a Windows Credential Provider, when using the 'Other User' tile. I am trying to pre-verify the entered credentials using LsaLogonUser, before serializing them successfully in my implementation of ICredentialProviderCredential2::GetSerialization. Using '[email protected]' fails, while using 'localdomain\[email protected]' or 'localdomain\localuser' succeeds. When logging in with Windows' built-in password provider, using '[email protected]' of course works. Maybe I should be using a different authentication package for LsaLogonUser?
I am STUMPED.
Thanks for anyone's help.
- Uriel
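A quick way to reproduce the checks described in the post outside the credential provider, as an added diagnostic that is not code from the original post: a PowerShell script that P/Invokes GetUserNameEx and TranslateName from secur32.dll and LogonUser from advapi32.dll (the Win32 wrapper around LsaLogonUser). The UPN and SAM names below are placeholders to replace with the account under test; the error-code mapping in the comments is taken from winerror.h.

```powershell
# Added diagnostic (not from the original post). Requires Windows PowerShell 5.1 or later.
$upn = 'localuser@azuread-domain.example'   # placeholder: the account's Azure AD UPN
$sam = 'localdomain\localuser'              # placeholder: the on-premises SAM-compatible name

$code = @'
using System;
using System.Runtime.InteropServices;
using System.Text;
public static class NameProbe {
    // EXTENDED_NAME_FORMAT values from secext.h
    public const int NameSamCompatible = 2;
    public const int NameUserPrincipal = 8;

    [DllImport("secur32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    static extern bool GetUserNameExW(int nameFormat, StringBuilder buf, ref uint size);

    [DllImport("secur32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    static extern bool TranslateNameW(string name, int from, int to, StringBuilder buf, ref uint size);

    [DllImport("advapi32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    static extern bool LogonUserW(string user, string domain, string password,
                                  int logonType, int provider, out IntPtr token);

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr h);

    // Name of the calling thread's user in the requested format, or the Win32 error code.
    public static string UserName(int fmt) {
        var sb = new StringBuilder(1024); uint n = (uint)sb.Capacity;
        return GetUserNameExW(fmt, sb, ref n) ? sb.ToString() : "ERR " + Marshal.GetLastWin32Error();
    }

    // Translate between name formats; 1355 = ERROR_NO_SUCH_DOMAIN is the failure from the post.
    public static string Translate(string name, int from, int to) {
        var sb = new StringBuilder(1024); uint n = (uint)sb.Capacity;
        return TranslateNameW(name, from, to, sb, ref n) ? sb.ToString() : "ERR " + Marshal.GetLastWin32Error();
    }

    // LOGON32_LOGON_INTERACTIVE = 2, LOGON32_PROVIDER_DEFAULT = 0.
    // 1326 = ERROR_LOGON_FAILURE, 1355 = ERROR_NO_SUCH_DOMAIN.
    public static string TryLogon(string user, string domain, string password) {
        IntPtr tok;
        if (!LogonUserW(user, domain, password, 2, 0, out tok)) return "ERR " + Marshal.GetLastWin32Error();
        CloseHandle(tok);
        return "OK";
    }
}
'@
Add-Type -TypeDefinition $code

"Current user, NameUserPrincipal : " + [NameProbe]::UserName([NameProbe]::NameUserPrincipal)
"Current user, NameSamCompatible : " + [NameProbe]::UserName([NameProbe]::NameSamCompatible)
"TranslateName UPN -> SAM        : " + [NameProbe]::Translate($upn, [NameProbe]::NameUserPrincipal, [NameProbe]::NameSamCompatible)
"TranslateName SAM -> UPN        : " + [NameProbe]::Translate($sam, [NameProbe]::NameSamCompatible, [NameProbe]::NameUserPrincipal)

# Join state as seen from the current security context; run once in the user's session
# and once from a LocalSystem prompt to compare, as the post describes.
dsregcmd /status | Select-String 'AzureAdJoined|DomainJoined|DomainName|TenantName'

# Interactive logon attempts in the two name forms from the post.
# UPN form: lpszDomain must be null. Down-level form: split domain and user.
$cred = Get-Credential -UserName $upn -Message 'Password for the test account'
$pw = $cred.GetNetworkCredential().Password
$i = $sam.IndexOf('\')
$domain = $sam.Substring(0, $i)
$user   = $sam.Substring($i + 1)
"LogonUser UPN form     : " + [NameProbe]::TryLogon($upn, $null, $pw)
"LogonUser domain\user  : " + [NameProbe]::TryLogon($user, $domain, $pw)
```

Run it once from the user's own session and once from a prompt started as LocalSystem (for example with Sysinternals PsExec, `psexec -s -i powershell.exe`, which is an assumed tool choice) so the two dsregcmd outputs and the LogonUser results can be compared side by side. LogonUser with LOGON32_PROVIDER_DEFAULT exercises the same MSV1_0/Negotiate path the built-in password provider uses, so a UPN that fails here but succeeds on the Windows logon tile narrows the question to the package and logon type the custom provider passes to LsaLogonUser.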