Edit

Share via

KERB_CERTIFICATE_LOGON structure (ntsecapi.h)

  • Article

The KERB_CERTIFICATE_LOGON structure contains information about a smart card logon session.

It is passed as the AuthenticationInformation parameter to the LsaLogonUser function when the Kerberos security package performs an interactive smart card logon.

Syntax

typedef struct _KERB_CERTIFICATE_LOGON {
  KERB_LOGON_SUBMIT_TYPE MessageType;
  UNICODE_STRING         DomainName;
  UNICODE_STRING         UserName;
  UNICODE_STRING         Pin;
  ULONG                  Flags;
  ULONG                  CspDataLength;
  PUCHAR                 CspData;
} KERB_CERTIFICATE_LOGON, *PKERB_CERTIFICATE_LOGON;

Members

MessageType

A member of the KERB_LOGON_SUBMIT_TYPE enumeration that indicates how this structure is used. The member must be one of the following values.

Value Meaning
KerbCertificateLogon
13
 This structure is passed as the AuthenticationInformation parameter to the LsaLogonUser function to perform an interactive smart card logon.
KerbCertificateUnlockLogon
15
 This structure is used as the Logon member of a KERB_CERTIFICATE_UNLOCK_LOGON structure.

DomainName

The domain name of the user to authenticate. The value of this member can be empty. If the value is not empty, LsaLogonUser uses the value to locate the Key Distribution Center (KDC). If the value is empty, LsaLogonUser attempts to authenticate against the domain to which the computer is joined. The pointer is relative to the beginning of the structure and is not an absolute memory pointer.

UserName

The user name of the user to authenticate. The value of this member can be empty. If the value is not empty, LsaLogonUser uses the value to locate the user account to authenticate. The pointer is relative to the beginning of the structure and is not an absolute memory pointer.

Pin

The PIN to use to authenticate the user. The Length member of this structure does not include the terminating null character of the PIN. The pointer is relative to the beginning of the structure and is not an absolute memory pointer.

The PIN can be protected by using the CredProtect function.

Flags

Optional flags that control the behavior of the authentication. The following values are defined.

Value Meaning
KERB_CERTIFICATE_LOGON_FLAG_CHECK_DUPLICATES
0x1
 The KDC checks the certificate for multiple account mappings.
KERB_CERTIFICATE_LOGON_FLAG_USE_CERTIFICATE_INFO
0x2
 The KDC uses the certificate information for authentication.

Windows Server 2008 R2, Windows 7, Windows Server 2008 and Windows Vista:  This flag is not available.

CspDataLength

The length, in characters, of the CspData member.

CspData

A pointer to a KERB_SMARTCARD_CSP_INFO structure that contains information about the smart card cryptographic service provider (CSP) ) or a pointer to a marshaled KERB_CERTIFICATE_INFO structure when updating certificate credentials.

Remarks

This structure, along with the data pointed to by the DomainName, UserName, Pin, and CspData members, is contained in a single block of contiguous memory. When this structure is serialized, the offsets specified by each of these members must be multiples of two.

The pointers stored in the members of UNICODE_STRING type are relative to the beginning of the structure and are not absolute memory pointers.

Requirements

Requirement Value
Minimum supported client Windows Vista [desktop apps only]
Minimum supported server Windows Server 2008 [desktop apps only]
Header ntsecapi.h

See also

KERB_CERTIFICATE_UNLOCK_LOGON

KERB_SMARTCARD_CSP_INFO

LsaLogonUser