Login/Register
Windows Logon as a user without a password with Python
Asked Answered
pythonwindowskerberosimpersonation
C

1

2

I have a situation here. Using Python, I have a process been created (running as SYSTEM or Administrator user) and I need to call an application using a different username without password. So reading this link bellow, the conclusion is that could be possible, Impersonating another user without password, using Kerberos... but I am not finding any solution written in Python and actually I have no idea if there is a better approach for this problem.

https://blogs.msdn.microsoft.com/winsdk/2015/08/28/logon-as-a-user-without-a-password/

Python 3.4.1 x64, Windows 7.

Anyone can help me on this?

Thanks very much!

PS: This could be possible using "win32" modules, however I do not have any process running for this target_user to catch a process token.

Clotho answered 30/3, 2017 at 9:48 Comment(10)
It has to be running as SYSTEM, such as by using a custom service or the task scheduler service. Administrators usually don't have SeTcbPrivilege (i.e. trusted computer base).Transcendence
Yes, no problem for that. My actual problem is how to do that with Python.Clotho
I'll write a ctypes example calling the LSA (local security authority) functions. It probably won't be short and simple. To use the token you'll need to call CreateProcessAsUser.Transcendence
I looked into this and need to confirm that you're working on a domain connected machine. Kerberos is for non-local logons using a domain controller.Transcendence
Yes, I am in an AD connected machine with a Python application running. This application need to execute commands using a different username (non-admin user) (without password).Clotho
For a Batch logon of a local user, use an LSA handle from LsaConnectUntrusted with the "Negotiate" package and MsV1_0S4ULogon information. For a domain user, use an LSA handle from LsaRegisterLogonProcess with the "Kerberos" package and KerbS4ULogon information. Currently I can only test a local logon, and the token I get works fine with CreateProcessAsUser in a test running from an interactive SYSTEM command prompt that was started with psexec -sid cmd.exe (PsExec).Transcendence
Nice! Do you have a sample or an idea how to start in Python for a domain user?Clotho
Flinkas, I haven't forgotten you, but I've had other things on my plate. I've been working on the ctypes wrapper for this a little at a time.Transcendence
Thanks very much!! Meanwhile i am trying to do your approach, but without success.. =\Clotho
Sorry to keep you waiting. I'm going to post what I've done for this problem, so you can at least test the functions logon_msv1, logon_msv1_s4u, and logon_kerb_s4u. The first two work for me, but I need more infrastructure to make them generally useful -- e.g. setting the token's Windows session ID to run an interactive process in a console or terminal services session, and adding the SID of the target session's main logon session to the token groups to grant access to the WindowStation and Desktop for creating windows and messaging.Transcendence
T
5

Here's a rough draft of a ctypes wrapper to call LsaLogonUser for an MsV1 interactive logon, MsV1 S4U logon (service for user, batch), or Kerberos S4U domain logon.

import os
import ctypes
import collections

from ctypes import wintypes

ntdll = ctypes.WinDLL('ntdll')
secur32 = ctypes.WinDLL('secur32')
kernel32 = ctypes.WinDLL('kernel32', use_last_error=True)
advapi32 = ctypes.WinDLL('advapi32', use_last_error=True)

MAX_COMPUTER_NAME_LENGTH = 15

SECURITY_LOGON_TYPE = wintypes.ULONG
Interactive = 2
Network = 3
Batch = 4
Service = 5

LOGON_SUBMIT_TYPE = wintypes.ULONG
PROFILE_BUFFER_TYPE = wintypes.ULONG

MsV1_0InteractiveLogon = 2
MsV1_0Lm20Logon = 3
MsV1_0NetworkLogon = 4
MsV1_0WorkstationUnlockLogon = 7
MsV1_0S4ULogon = 12
MsV1_0NoElevationLogon = 82

KerbInteractiveLogon = 2
KerbWorkstationUnlockLogon = 7
KerbS4ULogon = 12

MSV1_0_S4U_LOGON_FLAG_CHECK_LOGONHOURS = 0x2

KERB_S4U_LOGON_FLAG_CHECK_LOGONHOURS = 0x2
KERB_S4U_LOGON_FLAG_IDENTITY = 0x8

TOKEN_SOURCE_LENGTH = 8

NEGOTIATE_PACKAGE_NAME = b'Negotiate'
MICROSOFT_KERBEROS_NAME = b'Kerberos'
MSV1_0_PACKAGE_NAME = b'MICROSOFT_AUTHENTICATION_PACKAGE_V1_0'

DELETE       = 0x00010000
READ_CONTROL = 0x00020000
WRITE_DAC    = 0x00040000
WRITE_OWNER  = 0x00080000

STANDARD_RIGHTS_REQUIRED = (DELETE       |
                            READ_CONTROL |
                            WRITE_DAC    |
                            WRITE_OWNER)

TOKEN_ASSIGN_PRIMARY    = 0x0001
TOKEN_DUPLICATE         = 0x0002
TOKEN_IMPERSONATE       = 0x0004
TOKEN_QUERY             = 0x0008
TOKEN_QUERY_SOURCE      = 0x0010
TOKEN_ADJUST_PRIVILEGES = 0x0020
TOKEN_ADJUST_GROUPS     = 0x0040
TOKEN_ADJUST_DEFAULT    = 0x0080
TOKEN_ADJUST_SESSIONID  = 0x0100

TOKEN_ALL_ACCESS = (STANDARD_RIGHTS_REQUIRED |
                    TOKEN_ASSIGN_PRIMARY     |
                    TOKEN_DUPLICATE          |
                    TOKEN_IMPERSONATE        |
                    TOKEN_QUERY              |
                    TOKEN_QUERY_SOURCE       |
                    TOKEN_ADJUST_PRIVILEGES  |
                    TOKEN_ADJUST_GROUPS      |
                    TOKEN_ADJUST_DEFAULT     |
                    TOKEN_ADJUST_SESSIONID)

DUPLICATE_CLOSE_SOURCE = 0x00000001
DUPLICATE_SAME_ACCESS  = 0x00000002

TOKEN_TYPE = wintypes.ULONG
TokenPrimary       = 1
TokenImpersonation = 2

SECURITY_IMPERSONATION_LEVEL = wintypes.ULONG
SecurityAnonymous      = 0
SecurityIdentification = 1
SecurityImpersonation  = 2
SecurityDelegation     = 3

class NTSTATUS(wintypes.LONG):

    def to_error(self):
        return ntdll.RtlNtStatusToDosError(self)

    def __repr__(self):
        name = self.__class__.__name__
        status = wintypes.ULONG.from_buffer(self)
        return '%s(%#010x)' % (name, status.value)

PNTSTATUS = ctypes.POINTER(NTSTATUS)

class BOOL(wintypes.BOOL):
    def __repr__(self):
        name = self.__class__.__name__
        return '%s(%s)' % (name, bool(self))

class HANDLE(wintypes.HANDLE):
    __slots__ = 'closed',

    def __int__(self):
        return self.value or 0

    def Detach(self):
        if not getattr(self, 'closed', False):
            self.closed = True
            value = int(self)
            self.value = None
            return value
        raise ValueError("already closed")

    def Close(self, CloseHandle=kernel32.CloseHandle):
        if self and not getattr(self, 'closed', False):
            CloseHandle(self.Detach())

    __del__ = Close

    def __repr__(self):
        return "%s(%d)" % (self.__class__.__name__, int(self))

class LARGE_INTEGER(wintypes.LARGE_INTEGER):
    # https://msdn.microsoft.com/en-us/library/ff553204
    ntdll.RtlSecondsSince1970ToTime.restype = None
    _unix_epoch = wintypes.LARGE_INTEGER()
    ntdll.RtlSecondsSince1970ToTime(0, ctypes.byref(_unix_epoch))
    _unix_epoch = _unix_epoch.value

    def __int__(self):
        return self.value

    def __repr__(self):
        name = self.__class__.__name__
        return '%s(%d)' % (name, self.value)

    def as_time(self):
        time100ns = self.value - self._unix_epoch
        if time100ns >= 0:
            return time100ns / 1e7
        raise ValueError('value predates the Unix epoch')

    @classmethod
    def from_time(cls, t):
        time100ns = int(t * 10**7)
        return cls(time100ns + cls._unix_epoch)

CHAR = ctypes.c_char
WCHAR = ctypes.c_wchar
PCHAR = ctypes.POINTER(CHAR)
PWCHAR = ctypes.POINTER(WCHAR)

class STRING(ctypes.Structure):
    _fields_ = (('Length',        wintypes.USHORT),
                ('MaximumLength', wintypes.USHORT),
                ('Buffer',        PCHAR))

PSTRING = ctypes.POINTER(STRING)

class UNICODE_STRING(ctypes.Structure):
    _fields_ = (('Length',        wintypes.USHORT),
                ('MaximumLength', wintypes.USHORT),
                ('Buffer',        PWCHAR))

PUNICODE_STRING = ctypes.POINTER(UNICODE_STRING)

class LUID(ctypes.Structure):
    _fields_ = (('LowPart',  wintypes.DWORD),
                ('HighPart', wintypes.LONG))

    def __new__(cls, value=0):
        return cls.from_buffer_copy(ctypes.c_ulonglong(value))

    def __int__(self):
        return ctypes.c_ulonglong.from_buffer(self).value

    def __repr__(self):
        name = self.__class__.__name__
        return '%s(%#x)' % (name, int(self))

PLUID = ctypes.POINTER(LUID)
PSID = wintypes.LPVOID

class SID_AND_ATTRIBUTES(ctypes.Structure):
    _fields_ = (('Sid',        PSID),
                ('Attributes', wintypes.DWORD))

PSID_AND_ATTRIBUTES = ctypes.POINTER(SID_AND_ATTRIBUTES)

class TOKEN_GROUPS(ctypes.Structure):
    _fields_ = (('GroupCount', wintypes.DWORD),
                ('Groups',     SID_AND_ATTRIBUTES * 1))

PTOKEN_GROUPS = ctypes.POINTER(TOKEN_GROUPS)

class TOKEN_SOURCE(ctypes.Structure):
    _fields_ = (('SourceName', CHAR * TOKEN_SOURCE_LENGTH),
                ('SourceIdentifier', LUID))
    def __init__(self, SourceName=None, SourceIdentifier=None):
        if SourceName is not None:
            if not isinstance(SourceName, bytes):
                SourceName = SourceName.encode('mbcs')
            self.SourceName = SourceName
        if SourceIdentifier is None:
            luid = self.SourceIdentifier
            ntdll.NtAllocateLocallyUniqueId(ctypes.byref(luid))
        else:
            self.SourceIdentifier = SourceIdentifier

PTOKEN_SOURCE = ctypes.POINTER(TOKEN_SOURCE)

py_source_context = TOKEN_SOURCE(b"PYTHON  ")
py_origin_name = b"Python-%d" % os.getpid()
py_logon_process_name = b"PythonLogonProcess-%d" % os.getpid()

SIZE_T = ctypes.c_size_t

class QUOTA_LIMITS(ctypes.Structure):
    _fields_ = (('PagedPoolLimit',        SIZE_T),
                ('NonPagedPoolLimit',     SIZE_T),
                ('MinimumWorkingSetSize', SIZE_T),
                ('MaximumWorkingSetSize', SIZE_T),
                ('PagefileLimit',         SIZE_T),
                ('TimeLimit',             wintypes.LARGE_INTEGER))

PQUOTA_LIMITS = ctypes.POINTER(QUOTA_LIMITS)

PULONG = ctypes.POINTER(wintypes.ULONG)
LSA_OPERATIONAL_MODE = wintypes.ULONG
PLSA_OPERATIONAL_MODE = PULONG
PHANDLE = ctypes.POINTER(wintypes.HANDLE)
PLPVOID = ctypes.POINTER(wintypes.LPVOID)
LPDWORD = ctypes.POINTER(wintypes.DWORD)

class ContiguousUnicode(ctypes.Structure):
    # _string_names_: sequence matched to underscore-prefixed fields

    def _get_unicode_string(self, name):
        wchar_size = ctypes.sizeof(WCHAR)
        s = getattr(self, '_%s' % name)
        length = s.Length // wchar_size
        buf = s.Buffer
        if buf:
            return buf[:length]
        return None

    def _set_unicode_buffer(self, value):
        cls = type(self)
        wchar_size = ctypes.sizeof(WCHAR)
        bufsize = (len(value) + 1) * wchar_size
        ctypes.resize(self, ctypes.sizeof(cls) + bufsize)
        addr = ctypes.addressof(self) + ctypes.sizeof(cls)
        ctypes.memmove(addr, value, bufsize)

    def _set_unicode_string(self, name, value):
        values = []
        for n in self._string_names_:
            if n == name:
                values.append(value or u'')
            else:
                values.append(getattr(self, n) or u'')
        self._set_unicode_buffer(u'\x00'.join(values))

        cls = type(self)
        wchar_size = ctypes.sizeof(WCHAR)
        addr = ctypes.addressof(self) + ctypes.sizeof(cls)
        for n, v in zip(self._string_names_, values):
            ptr = ctypes.cast(addr, PWCHAR)
            ustr = getattr(self, '_%s' % n)
            length = ustr.Length = len(v) * wchar_size
            full_length = length + wchar_size
            if ((n == name and value is None) or
                (n != name and not (length or ustr.Buffer))):
                ustr.Buffer = None
                ustr.MaximumLength = 0
            else:
                ustr.Buffer = ptr
                ustr.MaximumLength = full_length
            addr += full_length

    def __getattr__(self, name):
        if name not in self._string_names_:
            raise AttributeError
        return self._get_unicode_string(name)

    def __setattr__(self, name, value):
        if name in self._string_names_:
            self._set_unicode_string(name, value)
        else:
            super(ContiguousUnicode, self).__setattr__(name, value)

    @classmethod
    def from_address_copy(cls, address, size=None):
        x = ctypes.Structure.__new__(cls)
        if size is not None:
            ctypes.resize(x, size)
        ctypes.memmove(ctypes.byref(x), address, ctypes.sizeof(x))
        delta = ctypes.addressof(x) - address
        for n in cls._string_names_:
            ustr = getattr(x, '_%s' % n)
            addr = ctypes.c_void_p.from_buffer(ustr.Buffer)
            if addr:
                addr.value += delta
        return x

class AuthInfo(ContiguousUnicode):
    # _message_type_: from a logon-submit-type enumeration
    def __init__(self):
        self.MessageType = self._message_type_

class MSV1_0_INTERACTIVE_LOGON(AuthInfo):
    _message_type_ = MsV1_0InteractiveLogon
    _string_names_ = 'LogonDomainName', 'UserName', 'Password'

    _fields_ = (('MessageType',      LOGON_SUBMIT_TYPE),
                ('_LogonDomainName', UNICODE_STRING),
                ('_UserName',        UNICODE_STRING),
                ('_Password',        UNICODE_STRING))

    def __init__(self, UserName=None, Password=None, LogonDomainName=None):
        super(MSV1_0_INTERACTIVE_LOGON, self).__init__()
        if LogonDomainName is not None:
            self.LogonDomainName = LogonDomainName
        if UserName is not None:
            self.UserName = UserName
        if Password is not None:
            self.Password = Password

class S4ULogon(AuthInfo):
    _string_names_ = 'UserPrincipalName', 'DomainName'

    _fields_ = (('MessageType',        LOGON_SUBMIT_TYPE),
                ('Flags',              wintypes.ULONG),
                ('_UserPrincipalName', UNICODE_STRING),
                ('_DomainName',        UNICODE_STRING))

    def __init__(self, UserPrincipalName=None, DomainName=None, Flags=0):
        super(S4ULogon, self).__init__()
        self.Flags = Flags
        if UserPrincipalName is not None:
            self.UserPrincipalName = UserPrincipalName
        if DomainName is not None:
            self.DomainName = DomainName

class MSV1_0_S4U_LOGON(S4ULogon):
    _message_type_ = MsV1_0S4ULogon

class KERB_S4U_LOGON(S4ULogon):
    _message_type_ = KerbS4ULogon

PMSV1_0_S4U_LOGON = ctypes.POINTER(MSV1_0_S4U_LOGON)
PKERB_S4U_LOGON = ctypes.POINTER(KERB_S4U_LOGON)

class ProfileBuffer(ContiguousUnicode):
    # _message_type_
    def __init__(self):
        self.MessageType = self._message_type_

class MSV1_0_INTERACTIVE_PROFILE(ProfileBuffer):
    _message_type_ = MsV1_0InteractiveLogon
    _string_names_ = ('LogonScript', 'HomeDirectory', 'FullName',
                      'ProfilePath', 'HomeDirectoryDrive', 'LogonServer')
    _fields_ = (('MessageType',         PROFILE_BUFFER_TYPE),
                ('LogonCount',          wintypes.USHORT),
                ('BadPasswordCount',    wintypes.USHORT),
                ('LogonTime',           LARGE_INTEGER),
                ('LogoffTime',          LARGE_INTEGER),
                ('KickOffTime',         LARGE_INTEGER),
                ('PasswordLastSet',     LARGE_INTEGER),
                ('PasswordCanChange',   LARGE_INTEGER),
                ('PasswordMustChange',  LARGE_INTEGER),
                ('_LogonScript',        UNICODE_STRING),
                ('_HomeDirectory',      UNICODE_STRING),
                ('_FullName',           UNICODE_STRING),
                ('_ProfilePath',        UNICODE_STRING),
                ('_HomeDirectoryDrive', UNICODE_STRING),
                ('_LogonServer',        UNICODE_STRING),
                ('UserFlags',           wintypes.ULONG))

class SECURITY_ATTRIBUTES(ctypes.Structure):
    _fields_ = (('nLength',              wintypes.DWORD),
                ('lpSecurityDescriptor', wintypes.LPVOID),
                ('bInheritHandle',       wintypes.BOOL))
    def __init__(self, **kwds):
        self.nLength = ctypes.sizeof(self)
        super(SECURITY_ATTRIBUTES, self).__init__(**kwds)

LPSECURITY_ATTRIBUTES = ctypes.POINTER(SECURITY_ATTRIBUTES)

def _check_status(result, func, args):
    if result.value < 0:
        raise ctypes.WinError(result.to_error())
    return args

def _check_bool(result, func, args):
    if not result:
        raise ctypes.WinError(ctypes.get_last_error())
    return args

def WIN(func, restype, *argtypes):
    func.restype = restype
    func.argtypes = argtypes
    if issubclass(restype, NTSTATUS):
        func.errcheck = _check_status
    elif issubclass(restype, BOOL):
        func.errcheck = _check_bool

# https://msdn.microsoft.com/en-us/library/ms683179
WIN(kernel32.GetCurrentProcess, wintypes.HANDLE)

# https://msdn.microsoft.com/en-us/library/ms724251
WIN(kernel32.DuplicateHandle, BOOL,
    wintypes.HANDLE, # _In_  hSourceProcessHandle
    wintypes.HANDLE, # _In_  hSourceHandle
    wintypes.HANDLE, # _In_  hTargetProcessHandle
    PHANDLE,         # _Out_ lpTargetHandle
    wintypes.DWORD,  # _In_  dwDesiredAccess
    wintypes.BOOL,   # _In_  bInheritHandle
    wintypes.DWORD)  # _In_  dwOptions

# https://msdn.microsoft.com/en-us/library/ms724295
WIN(kernel32.GetComputerNameW, BOOL,
    wintypes.LPWSTR, # _Out_   lpBuffer
    LPDWORD)         # _Inout_ lpnSize

# https://msdn.microsoft.com/en-us/library/aa379295
WIN(advapi32.OpenProcessToken, BOOL,
    wintypes.HANDLE, # _In_  ProcessHandle
    wintypes.DWORD,  # _In_  DesiredAccess
    PHANDLE)         # _Out_ TokenHandle

# https://msdn.microsoft.com/en-us/library/aa446617
WIN(advapi32.DuplicateTokenEx, BOOL,
    wintypes.HANDLE,              # _In_     hExistingToken
    wintypes.DWORD,               # _In_     dwDesiredAccess
    LPSECURITY_ATTRIBUTES,        # _In_opt_ lpTokenAttributes
    SECURITY_IMPERSONATION_LEVEL, # _In_     ImpersonationLevel
    TOKEN_TYPE,                   # _In_     TokenType
    PHANDLE)                      # _Out_    phNewToken

# https://msdn.microsoft.com/en-us/library/ff566415
WIN(ntdll.NtAllocateLocallyUniqueId, NTSTATUS,
    PLUID) # _Out_ LUID

# https://msdn.microsoft.com/en-us/library/aa378279
WIN(secur32.LsaFreeReturnBuffer, NTSTATUS,
    wintypes.LPVOID,) # _In_ Buffer

# https://msdn.microsoft.com/en-us/library/aa378265
WIN(secur32.LsaConnectUntrusted, NTSTATUS,
    PHANDLE,) # _Out_ LsaHandle

#https://msdn.microsoft.com/en-us/library/aa378318
WIN(secur32.LsaRegisterLogonProcess, NTSTATUS,
    PSTRING,               # _In_  LogonProcessName
    PHANDLE,               # _Out_ LsaHandle
    PLSA_OPERATIONAL_MODE) # _Out_ SecurityMode

# https://msdn.microsoft.com/en-us/library/aa378269
WIN(secur32.LsaDeregisterLogonProcess, NTSTATUS,
    wintypes.HANDLE) # _In_ LsaHandle

# https://msdn.microsoft.com/en-us/library/aa378297
WIN(secur32.LsaLookupAuthenticationPackage, NTSTATUS,
    wintypes.HANDLE, # _In_  LsaHandle
    PSTRING,         # _In_  PackageName
    PULONG)          # _Out_ AuthenticationPackage

# https://msdn.microsoft.com/en-us/library/aa378292
WIN(secur32.LsaLogonUser, NTSTATUS,
    wintypes.HANDLE,     # _In_     LsaHandle
    PSTRING,             # _In_     OriginName
    SECURITY_LOGON_TYPE, # _In_     LogonType
    wintypes.ULONG,      # _In_     AuthenticationPackage
    wintypes.LPVOID,     # _In_     AuthenticationInformation
    wintypes.ULONG,      # _In_     AuthenticationInformationLength
    PTOKEN_GROUPS,       # _In_opt_ LocalGroups
    PTOKEN_SOURCE,       # _In_     SourceContext
    PLPVOID,             # _Out_    ProfileBuffer
    PULONG,              # _Out_    ProfileBufferLength
    PLUID,               # _Out_    LogonId
    PHANDLE,             # _Out_    Token
    PQUOTA_LIMITS,       # _Out_    Quotas
    PNTSTATUS)           # _Out_    SubStatus

Helpers

def duplicate_token(source_token=None, access=TOKEN_ALL_ACCESS,
                    impersonation_level=SecurityImpersonation,
                    token_type=TokenPrimary, attributes=None):
    close_source = False
    if source_token is None:
        close_source = True
        source_token = HANDLE()
        advapi32.OpenProcessToken(kernel32.GetCurrentProcess(),
            TOKEN_ALL_ACCESS, ctypes.byref(source_token))
    token = HANDLE()
    try:
        advapi32.DuplicateTokenEx(source_token, access, attributes,
            impersonation_level, token_type, ctypes.byref(token))
    finally:
        if close_source:
            source_token.Close()
    return token

def lsa_connect_untrusted():
    handle = wintypes.HANDLE()
    secur32.LsaConnectUntrusted(ctypes.byref(handle))
    return handle.value

def lsa_register_logon_process(logon_process_name):
    if not isinstance(logon_process_name, bytes):
        logon_process_name = logon_process_name.encode('mbcs')
    logon_process_name = logon_process_name[:127]
    buf = ctypes.create_string_buffer(logon_process_name, 128)
    name = STRING(len(logon_process_name), len(buf), buf)
    handle = wintypes.HANDLE()
    mode = LSA_OPERATIONAL_MODE()
    secur32.LsaRegisterLogonProcess(ctypes.byref(name),
        ctypes.byref(handle), ctypes.byref(mode))
    return handle.value

def lsa_lookup_authentication_package(lsa_handle, package_name):
    if not isinstance(package_name, bytes):
        package_name = package_name.encode('mbcs')
    package_name = package_name[:127]
    buf = ctypes.create_string_buffer(package_name)
    name = STRING(len(package_name), len(buf), buf)
    package = wintypes.ULONG()
    secur32.LsaLookupAuthenticationPackage(lsa_handle, ctypes.byref(name),
        ctypes.byref(package))
    return package.value

API

# Low-level LSA logon

LOGONINFO = collections.namedtuple('LOGONINFO', ('Token', 'LogonId',
                'Profile', 'Quotas'))

def lsa_logon_user(auth_info, local_groups=None, origin_name=py_origin_name,
                   source_context=None, auth_package=None, logon_type=None,
                   lsa_handle=None):
    if local_groups is None:
        plocal_groups = PTOKEN_GROUPS()
    else:
        plocal_groups = ctypes.byref(local_groups)
    if source_context is None:
        source_context = py_source_context
    if not isinstance(origin_name, bytes):
        origin_name = origin_name.encode('mbcs')
    buf = ctypes.create_string_buffer(origin_name)
    origin_name = STRING(len(origin_name), len(buf), buf)
    if auth_package is None:
        if isinstance(auth_info, MSV1_0_S4U_LOGON):
            auth_package = NEGOTIATE_PACKAGE_NAME
        elif isinstance(auth_info, KERB_S4U_LOGON):
            auth_package = MICROSOFT_KERBEROS_NAME
        else:
            auth_package = MSV1_0_PACKAGE_NAME
    if logon_type is None:
        if isinstance(auth_info, S4ULogon):
            logon_type = Batch
        else:
            logon_type = Interactive
    profile_buffer = wintypes.LPVOID()
    profile_buffer_length = wintypes.ULONG()
    profile = None
    logonid = LUID()
    htoken = HANDLE()
    quotas = QUOTA_LIMITS()
    substatus = NTSTATUS()
    deregister = False
    if lsa_handle is None:
        lsa_handle = lsa_connect_untrusted()
        deregister = True
    try:
        if isinstance(auth_package, (str, bytes)):
            auth_package = lsa_lookup_authentication_package(lsa_handle,
                                auth_package)
        try:
            secur32.LsaLogonUser(lsa_handle, ctypes.byref(origin_name),
                logon_type, auth_package, ctypes.byref(auth_info),
                ctypes.sizeof(auth_info), plocal_groups,
                ctypes.byref(source_context), ctypes.byref(profile_buffer),
                ctypes.byref(profile_buffer_length), ctypes.byref(logonid),
                ctypes.byref(htoken), ctypes.byref(quotas),
                ctypes.byref(substatus))
        except WindowsError as e:
            if substatus.value:
                raise ctypes.WinError(substatus.to_error())
            raise
        finally:
            if profile_buffer:
                address = profile_buffer.value
                buftype = PROFILE_BUFFER_TYPE.from_address(address).value
                if buftype == MsV1_0InteractiveLogon:
                    profile = MSV1_0_INTERACTIVE_PROFILE.from_address_copy(
                                address, profile_buffer_length.value)
                secur32.LsaFreeReturnBuffer(address)
    finally:
        if deregister:
            secur32.LsaDeregisterLogonProcess(lsa_handle)
    return LOGONINFO(htoken, logonid, profile, quotas)

# High-level LSA logons

def logon_msv1(name, password, domain=None, local_groups=None,
                origin_name=py_origin_name, source_context=None):
    return lsa_logon_user(MSV1_0_INTERACTIVE_LOGON(name, password, domain),
                local_groups, origin_name, source_context)

def logon_msv1_s4u(name, local_groups=None, origin_name=py_origin_name,
                    source_context=None):
    domain = ctypes.create_unicode_buffer(MAX_COMPUTER_NAME_LENGTH + 1)
    length = wintypes.DWORD(len(domain))
    kernel32.GetComputerNameW(domain, ctypes.byref(length))
    return lsa_logon_user(MSV1_0_S4U_LOGON(name, domain.value),
                local_groups, origin_name, source_context)

def logon_kerb_s4u(name, realm=None, local_groups=None,
                     origin_name=py_origin_name,
                     source_context=None,
                     logon_process_name=py_logon_process_name):
    lsa_handle = lsa_register_logon_process(logon_process_name)
    try:
        return lsa_logon_user(KERB_S4U_LOGON(name, realm),
                    local_groups, origin_name, source_context,
                    lsa_handle=lsa_handle)
    finally:
        secur32.LsaDeregisterLogonProcess(lsa_handle)
Transcendence answered 5/4, 2017 at 13:57 Comment(9)
Wow!! You really saved me! I've tried to run your code, importing and calling like: token = eryksun_lib.logon_kerb_s4u(user, realm) ... but I got this error: Expected type 'Number', got 'bytes' instead.. at py_origin_name = b"Python-%d" % os.getpid()Clotho
Perhaps you made a mistake when copying the 3 sections to the file. I just copied them (in the given order) to lib.py and tested logon_kerb_s4u('user@domain') in both Python 2.7 and 3.6 on Windows 10. From a standard/admin logon I get access denied. From a SYSTEM process it fails with ERROR_NO_LOGON_SERVERS because I'm not on a domain. logon_msv1_s4u('user') works in all cases, but it only creates a usable impersonation token when called from a SYSTEM process; otherwise it creates an identification token.Transcendence
Not now because I have few problems such as my Python version (3.4) that is complaining about py_origin_name = b"Python-%d" % os.getpid() and other issues from another project. I will get back on this today to try to figure out why this is happening...Clotho
OK, that makes sense. I forgot that 3.4 doesn't support string methods on bytes objects. You can use py_origin_name = ("Python-%d" % os.getpid()).encode('mbcs').Transcendence
Exactly! Now I am checking in wich Windows version will run... But I believe only in Windows Server 2003+ or Windows 10.Clotho
These S4U logons should work in Vista and Server 2008. I don't think it's in Server 2003.Transcendence
It really upsets me how this site only provides a paucity of four rep for this exceptional answer. Did you borrow any of this implementation from anywhere?Lesley
@Quibblesome, the lack of upvotes just means that not many people need this. As to borrowing code, no I'd cite sources if I did. But I used a debugger to step through how the task scheduler implements S4U.Transcendence
Ye but like most auth stuff, the people that do need this, REALLY need this <3<3<3. I I got here via a disassembly of .NET's .Impersonate() so I'm happy there's a similarity in the paths. What puzzles me and makes me cautious is that pywin32 doesn't appear to have a wrapper for this function (yet it implements so very much). Any idea why that might be? Maybe I should ping Hammond. Always concerns me to run a bunch of critical code that isn't a big hot path for many others. I enjoy the safety of crowds.Lesley

© 2022 - 2024 — McMap. All rights reserved.