Re: Checking for NT domain existance
From: RockinFewl (rockinBUBBLE_at_WRAPwhirlywiryweb.com)
Date: 06/17/04
- Next message: Yvan: "How to setup L2TP/IPSec VPN client in CE4.2 ?"
- Previous message: N Davies: "Loose network connection on final build"
- In reply to: John Spaith [MS]: "Re: Checking for NT domain existance"
- Messages sorted by: [ date ] [ thread ]
Date: Thu, 17 Jun 2004 12:31:57 +0200
Thanks for this great post John.
We'd probably go with the third option: a 'confirmed commit' is a
pattern that we'll need for other settings anyway -- e.g. IP-address or
software upgrade; in these cases it's obvious the device has to do a
rollback autonomously, when it suspects it's no longer accessible or
operational after a change.
Thanks again,
Koen.
--
Notice: Remove all packaging [from e-mail address] before use.
John Spaith [MS] wrote:
> In CE 5.0 we've added the API DsGetDcName(), which can lookup a domain to
> see if it exists and also get you useful information about it, like the
> domain controller name, etc. You're on CE 4.2 of course, so this doesn't
> help.
>
> I talked with the local security gurus and they said even if you had this
> API on 4.2, it would not be completely safe. Just because the domain
> existed would not necassarily mean you could authenticate against it. You
> could still end up in the state where your device was inaccessible.
>
> The safe way to do this is to actually authenticate a user against the
> domain before "committing" the DefaultDomain change. Of course now you have
> a chicken and egg problem because you have to write this registry value out
> even before you know whether it's safe or not and then do you
> authentication. I can think of some workarounds (hacks is a better word) to
> this.
>
> (1)
> If you're using SSL, you could prompt the user for their user name and
> password in the FORM at the same time they updated the domain. Obviously
> doing this in clear is scary, unless you %100 trust the network, which I
> wouldn't do. After you have userName/password for a valid domain account on
> CE device, you then write out DefaultDomain and then try to authenticate
> with that user/password. If it succeeds then you're done. If it fails back
> out the DefaultDomain change.
>
> How do you authenticate a user on CE? You can do it using the NTLM SSPI
> directly, but we have a set of helper utilities that web server/telnet/ftp
> use to do their user authentication. The functions are defined in authhlp.h
> and are implemented in authhlp.lib. (I believe you have to be an OEM to get
> at these, but I may be wrong.) You would then do:
>
> AuthHelpInitialize();
> AuthHelpValidateUserW(szUserName,szPassword,NULL,0); // TRUE if you can
> auth, FALSE if authentication fails for whatever reason (bad password,
> *can't find domain*, etc...).
>
> Getting SSL setup on a headless is another can of worms unfortunatly. If
> you do do this, call RtlSecureZeroMEmory on the user name and password once
> you're done using it to increase security. Don't use memset() since the
> compiler map optimize it out. Here's code for this function:
>
> FORCEINLINE
> PVOID
> RtlSecureZeroMemory(
> IN PVOID ptr,
> IN SIZE_T cnt
> )
> {
> volatile char *vptr = (volatile char *)ptr;
> while (cnt) {
> *vptr = 0;
> vptr++;
> cnt--;
> }
> return ptr;
> }
>
> (2)
> If you don't have SSL, then if there is some dummy account that can be sent
> across to auth against then consider this. Steps would be identical to (1)
> except that the web browser user would enter in these bogus credentials
> instead of their real credentials. Ideally this would be like a guest
> account or something with even less priveleges - the only thing the account
> can do is be authenticated against.
>
> If you're having individual users configure this and not domain admins, then
> getting them information about the dummy account would be hard. I don't
> think many admins would like creating a useless account for these purposes.
> I'm throwing this out however in hopes it may inspire you to think of
> something better.
>
> (3)
> Write out DefaultDomain and don't worry at all whether it will work or not.
> The web page HTML should auto-redirect to a page that requires auth (maybe
> allow a few seconds if you're doing other config settings). This should
> then prompt user for userName/Password.
>
> To handle bogus domain scenario, once you write DefaultDomain start up a
> timer - say give it a timeout of 30 seconds or whatever. If your ISAPI is
> accessed, then stop the timer because it means the domain is OK. If however
> the timer fires, then assume the DefaultDomain is bogus.
>
> Don't tie this timer to your ISAPI extension itself unless you do an extra
> LoadLibrary() on your ISAPI to make sure web server doesn't unload your
> ISAPI on a HTTP refresh or when it clears its cache every 30 minutes.
>
> --
> I hope you can think of something more eloquent here, but this hopefully
> will get you on the right track.
- Next message: Yvan: "How to setup L2TP/IPSec VPN client in CE4.2 ?"
- Previous message: N Davies: "Loose network connection on final build"
- In reply to: John Spaith [MS]: "Re: Checking for NT domain existance"
- Messages sorted by: [ date ] [ thread ]
Relevant Pages
|
