How do I check a username/password validity on a local device on a WinCE device?

Suppose that you get a username and a password and you want to see whether it is legitimate.  The telnet server as an example of this – you give it a username & password that it needs to check before letting you party on CE.  It’s possible to do the check by some calls into the SSPI layer, but these are convoluted.  WinCE has a helper library, authhlp, in order to do the work for you.  Note that authhlp is not officially supported or doc’d in MSDN.  It is used by quite a few of our network services so the code is very well tested, but it’s not something we can officially support.  Consider this a blog for the desperate who doesn’t want to mess with SSPI.

The include header is authhlp.h, and you link to authhlp.lib.  For general embedded it lives in <WinceRoot>\public\<YourProject>\cesysgen\sdk\lib\<CPUPATH>\authhlp.lib.   It is a static library, so there are no extra SYSGEN’s that you need to be able to use it.  Note however that you do need to include the underlying security SYSGENs, in particular SYSGEN_AUTH_NTLM.

Using it is straightforward.  You can see sample code of it in the telnet server in <WinceRoot>\public\servers\sdk\samples\telnetd.  You need a one time AuthHelpInitialize(), AuthHelpUnload() at the time your service/app is shutting down.  To check username/password, just call AuthHelpValidateUserA/AuthHelpValidateUserW.  The code is reasonably self-documenting, including a bunch of information at the top of the file.  There is also an optional and primitive “ACL” system that Authhelp can support, where it can check not only for a username/password being legitimate but whether a given user is in the allowed or denied list or even if they’re in the NTLM security group. 

How do you actually tie into getting the username & passwords?  To use a domain controller to validate against, set HKEY_LOCAL_MACHINE\Comm\Redir\DefaultDomain to the name of the domain.  The domain should be the actual domain name, not a particular domain controller (so WINGROUP not  If this registry key is not set, then the security mechanism will use a local CE database of user names and passwords.  This is configured with NTLMSetUserInfo<> and friends.

I don't know if this would work at all on Windows Mobile, in particular I don't think we ship the libs & headers in its SDK, and I've only ever tested this with Platform Builder generated images.  Even for you PB guys, remember this is technically unsupported (which is why this is in a blog & not MSDN proper :)).

[Author: John Spaith]