From c8b66a16c98f77b8a5c10554071533ea6b901210 Mon Sep 17 00:00:00 2001 From: Tal Aloni Date: Sun, 26 Feb 2017 19:43:17 +0200 Subject: [PATCH] IntegratedNTLMAuthenticationProvider: Bugfix: IsGuest was not always set when the username did not exist --- SMBLibrary/Win32/IntegratedNTLMAuthenticationProvider.cs | 5 +++-- SMBLibrary/Win32/Security/SSPIHelper.cs | 2 ++ 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/SMBLibrary/Win32/IntegratedNTLMAuthenticationProvider.cs b/SMBLibrary/Win32/IntegratedNTLMAuthenticationProvider.cs index 36ce1ef..4a95feb 100644 --- a/SMBLibrary/Win32/IntegratedNTLMAuthenticationProvider.cs +++ b/SMBLibrary/Win32/IntegratedNTLMAuthenticationProvider.cs @@ -75,7 +75,8 @@ namespace SMBLibrary.Win32.Security authContext.UserName = message.UserName; authContext.SessionKey = message.EncryptedRandomSessionKey; - if ((message.NegotiateFlags & NegotiateFlags.Anonymous) > 0) + if ((message.NegotiateFlags & NegotiateFlags.Anonymous) > 0 || + !IsUserExists(message.UserName)) { if (this.EnableGuestLogin) { @@ -113,7 +114,7 @@ namespace SMBLibrary.Win32.Security // 3. The specified account does not exist. // OR: // The password is correct but 'limitblankpassworduse' is set to 1 (logon over a network is disabled for accounts without a password). - bool allowFallback = (!IsUserExists(message.UserName) || result == Win32Error.ERROR_ACCOUNT_RESTRICTION); + bool allowFallback = (result == Win32Error.ERROR_ACCOUNT_RESTRICTION); if (allowFallback && this.EnableGuestLogin) { authContext.IsGuest = true; diff --git a/SMBLibrary/Win32/Security/SSPIHelper.cs b/SMBLibrary/Win32/Security/SSPIHelper.cs index f85683e..29bc3b3 100644 --- a/SMBLibrary/Win32/Security/SSPIHelper.cs +++ b/SMBLibrary/Win32/Security/SSPIHelper.cs @@ -325,6 +325,8 @@ namespace SMBLibrary.Win32.Security /// 1. The account is listed under the "Deny access to this computer from the network" list. /// 2. 'limitblankpassworduse' is set to 1, non-guest is attempting to login with an empty password, /// and the Guest account is disabled, has non-empty pasword set or listed under the "Deny access to this computer from the network" list. + /// + /// Note: "If the Guest account is enabled, SSPI logon may succeed as Guest for user credentials that are not valid". /// /// /// 1. 'limitblankpassworduse' will not affect the Guest account.