the code
The only reason I'm providing these files is so that you can use them to cut and paste the sample code, but I will not support you running the tests as they assume a certain environment (the most obvious problem is that, the domain and account names that I've used won't match yours, but there are other configuration issues such as required privileges and logon rights). I could have spent the time to make these tests completely self contained (by configuring domain accounts, groups, privileges, logon rights, etc.), but instead I decided to ship the book :-)
With that caveat out of the way, there are lots of files in the above ZIP file that have to do with building my test harnesses (I include them only for completeness so that you can verify that the samples at least compile). The source files you want are named after the chapters of the book (feel free to discard the other stuff if you don't want to compile them).
This tool will help you explore logon session and window station boundaries. The implementation shows how to use the Debug privilege to inject code (via a DLL) into another process temporarily in order to collect information about its environment (in this case, I collect the logon session ID, window station name, full command line, and dup the process token handle).
This tool is a full-fledged logon session broker. It deals with complex issues such as creating new logon sessions, window station and desktop DACLs, injecting code into the SYSTEM logon session via a temporary service, and loading/creating user profiles. I wrote a two-part article about this code in MSDN Magazine that you'll find helpful as a guide when perusing the source code.
This tool allows you to view and edit the security descriptors on Winsta0 and the default desktop. This not only is useful for exploring window station and desktop security, it also is an example of using the Windows 2000 interactive access control editor that I mentioned many times in the book.
This tool will help you explore Kerberos, especially in conjunction with the SSPI workbench. I dedicated a column to this tool in the May issue of MSDN Magazine.
This tool will help you explore NTLM, Kerberos, SPNEGO, and will help you get your head around SSPI. The source code is rather complex, but most of the complexity is in driving the interactive user interface (which is designed to help you learn how these protocols and SSPI work). Focus on model.cpp (this is where all the actual SSPI calls are made), and set breakpoints to see the actual parameters being passed to SSPI in various scenarios that you set up via the workbench user interface. I dedicated a column to this topic in the August 2000 issue of MSDN Magazine. A followup column will appear in a future issue (I didn't have enough room in the column for the full article), and I'll post a link here when it does.
This is some sample code that provides a function you can use (from OUTSIDE the TCB) to verify a user name and password using either NTLM or Kerberos. Enjoy!
This simple component is incredibly useful for dumping the security context you're running under in any scenario. You make a call to it and it dumps a pretty-printed HTML string describing the contents of the thread and process token currently in place. You can use this to debug security related problems (it's always important to ascertain your security context when you are having trouble). You can also use this to spelunk around in IIS with the various IIS authentication options. The source code for this component will help you understand how to scrape out the contents of a token.