From d4fb2ba5626eb43978bbbad54976c470cb42df46 Mon Sep 17 00:00:00 2001
From: Tal Aloni
Date: Fri, 13 Jan 2017 22:36:20 +0200
Subject: [PATCH] SSPIHelper: Improved documentation
---
 SMBLibrary/Win32/Authentication/SSPIHelper.cs | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)
diff --git a/SMBLibrary/Win32/Authentication/SSPIHelper.cs b/SMBLibrary/Win32/Authentication/SSPIHelper.cs
index 176ea39..04321dd 100644
--- a/SMBLibrary/Win32/Authentication/SSPIHelper.cs
+++ b/SMBLibrary/Win32/Authentication/SSPIHelper.cs
@@ -287,9 +287,19 @@ namespace SMBLibrary.Authentication.Win32
 }
 ///
- /// Note: The 'limitblankpassworduse' (Under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa)
- /// will cause AcceptSecurityContext to return SEC_E_LOGON_DENIED when the correct password is blank.
+ /// AcceptSecurityContext will return SEC_E_LOGON_DENIED when the password is correct in these cases:
+ /// 1. The account is listed under the "Deny access to this computer from the network" list.
+ /// 2. 'limitblankpassworduse' is set to 1, non-guest is attempting to login with an empty password,
+ /// and the Guest account is disabled, has non-empty pasword set or listed under the "Deny access to this computer from the network" list.
 ///
+ ///
+ /// 1. 'limitblankpassworduse' will not affect the Guest account.
+ /// 2. Listing the user in the "Deny access to this computer from the network" or the "Deny logon locally" lists will not affect AcceptSecurityContext if all of these conditions are met.
+ /// - 'limitblankpassworduse' is set to 1.
+ /// - The user has an empty password set.
+ /// - Guest is NOT listed in the "Deny access to this computer from the network" list.
+ /// - Guest is enabled and has empty pasword set.
+ ///
 public static bool AuthenticateType3Message(SecHandle serverContext, byte[] type3MessageBytes)
 {
 SecHandle newContext = new SecHandle();
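Review bot: The rewritten comment on AuthenticateType3Message no longer says where 'limitblankpassworduse' lives, which the two removed lines did (HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa); keep the location in case 2 of the first list, e.g. `/// 2. 'limitblankpassworduse' (under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa) is set to 1, non-guest is attempting to login with an empty password,`. Item 2 of the second list describes a combination in which the deny lists do not stop AcceptSecurityContext, and the conditions it names (Guest enabled with an empty password) suggest the logon is then accepted as Guest rather than as the named account; if that is what happens, the comment should say so outright, for instance `/// In this case the logon succeeds as Guest, so a true result does not prove the named user's identity.`, since callers only get a bool. "pasword" is misspelled in both added lines that mention the Guest password. The method body continues past the end of the hunk, so how the result is derived cannot be checked from here.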