dotnet · SteveSyfuhs · Jul 21, 2023 · Jul 21, 2023
diff --git a/Kerberos.NET/Win32/LsaInterop.cs b/Kerberos.NET/Win32/LsaInterop.cs
@@ -3,17 +3,24 @@
 // The .NET Foundation licenses this file to you under the MIT license.
 // -----------------------------------------------------------------------
 
-using Kerberos.NET.Client;
-using Kerberos.NET.Entities;
 using System;
 using System.Collections.Generic;
 using System.Runtime.InteropServices;
 using System.Security.Cryptography;
 using System.Text;
+using Kerberos.NET.Client;
+using Kerberos.NET.Entities;
 using static Kerberos.NET.Win32.NativeMethods;
 
 namespace Kerberos.NET.Win32
 {
+    [Flags]
+    public enum LsaMode
+    {
+        SameProcess = 1 << 16,
+        MarshallingNeeded = 1 << 17
+    }
+
     /// <summary>
     /// Provides a layer to interact with the LSA functions used to create logon sessions and manipulate the ticket caches.
     /// </summary>
@@ -29,7 +36,6 @@ public class LsaInterop : IDisposable
         private readonly int negotiateAuthPackage;
 
         private LsaTokenSafeHandle impersonationContext;
-        private LUID luid;
 
         private bool disposedValue;
 
@@ -54,9 +60,10 @@ public class LsaInterop : IDisposable
          * pool of memory to create a working for the current operation. On dispose it zeros the memory and returns it to the pool.
          */
 
-        private LsaInterop(LsaSafeHandle lsaHandle, string packageName = KerberosPackageName)
+        private LsaInterop(LsaSafeHandle lsaHandle, string packageName = KerberosPackageName, LsaMode securityMode = default)
         {
             this.lsaHandle = lsaHandle;
+            this.SecurityMode = securityMode;
 
             var kerberosPackageName = new LSA_STRING
             {
@@ -79,6 +86,13 @@ private LsaInterop(LsaSafeHandle lsaHandle, string packageName = KerberosPackage
             LsaThrowIfError(result);
         }
 
+        /// <summary>
+        /// The current LogonId represented by this LSA Handle.
+        /// </summary>
+        public ulong LogonId => this.impersonationContext?.Luid ?? 0;
+
+        public LsaMode SecurityMode { get; }
+
         /// <summary>
         /// Create a new instance of the interop and allow this instance to behave as SYSTEM.
         /// Note that this call requires the TrustedComputingBase privilege to execute.
@@ -88,16 +102,7 @@ private LsaInterop(LsaSafeHandle lsaHandle, string packageName = KerberosPackage
         /// <returns>Returns an instance of the <see cref="LsaInterop"/> class.</returns>
         public static LsaInterop RegisterLogonProcess(string name = null, string package = KerberosPackageName)
         {
-            string processNameStr;
-
-            if (string.IsNullOrWhiteSpace(name))
-            {
-                processNameStr = ProcessName;
-            }
-            else
-            {
-                processNameStr = name;
-            }
+            string processNameStr = string.IsNullOrWhiteSpace(name) ? ProcessName : name;
 
             if (string.IsNullOrWhiteSpace(package))
             {
@@ -111,11 +116,11 @@ public static LsaInterop RegisterLogonProcess(string name = null, string package
                 MaximumLength = (ushort)processNameStr.Length
             };
 
-            var result = LsaRegisterLogonProcess(ref processName, out LsaSafeHandle lsaHandle, out ulong securityMode);
+            var result = LsaRegisterLogonProcess(ref processName, out LsaSafeHandle lsaHandle, out LsaMode securityMode);
 
             LsaThrowIfError(result);
 
-            return new LsaInterop(lsaHandle, package);
+            return new LsaInterop(lsaHandle, package, securityMode);
         }
 
         /// <summary>
@@ -137,11 +142,6 @@ public static LsaInterop Connect(string package = KerberosPackageName)
             return new LsaInterop(lsaHandle, package);
         }
 
-        /// <summary>
-        /// The current LogonId represented by this LSA Handle.
-        /// </summary>
-        public ulong LogonId => this.luid;
-
         /// <summary>
         /// Create a "NewCredentials" logon session for the current LSA Handle. This does not authenticate the user
         /// and only uses the credentials provided for outbound calls similar to the /netonly flag for runas.exe.
@@ -237,13 +237,15 @@ LogonType logonType
                          ref tokenSource,
                          out profileBuffer,
                          ref profileLength,
-                         out this.luid,
+                         out LUID luid,
                          out tokenHandle,
                          out IntPtr pQuotas,
                          out int subStatus
                      );
 
                     LsaThrowIfError(result);
+
+                    tokenHandle.Luid = luid;
                 }
                 finally
                 {

diff --git a/Kerberos.NET/Win32/LsaTokenSafeHandle.cs b/Kerberos.NET/Win32/LsaTokenSafeHandle.cs
@@ -21,6 +21,8 @@ public LsaTokenSafeHandle()
 
         public override bool IsInvalid => this.handle == IntPtr.Zero;
 
+        public ulong Luid { get; internal set; }
+
         protected override bool ReleaseHandle()
         {
             this.Revert();

diff --git a/Kerberos.NET/Win32/NativeMethods.cs b/Kerberos.NET/Win32/NativeMethods.cs
@@ -168,7 +168,7 @@ [Out] out LsaSafeHandle LsaHandle
         public static extern int LsaRegisterLogonProcess(
             ref LSA_STRING LogonProcessName,
             out LsaSafeHandle LsaHandle,
-            out ulong SecurityMode
+            out LsaMode SecurityMode
         );
 
         [DllImport(SECUR32)]