LsaLookupAuthenticationPackage failed, rsshap.dll doesn't exist

  • 7024524
  • 02-Apr-2020
  • 01-Sep-2020

Environment

Reflection for Secure IT Server for Windows 8.3
Microsoft Windows Server 2019 on Intel or equivalent, 64-bit
Microsoft Windows Server 2016 on Intel or equivalent, 64-bit

Situation

This document describes a scenario in which local user accounts fail to authenticate with public key authentication when additional protection for the Windows Local Security Authority (LSA) process is enabled. The ssh client receives a user authentication error, or is prompted to try a different authentication type and then succeeds. Local user accounts that use public key authentication together with cached credentials are not affected, and domain user accounts that use public key authentication continue to authenticate successfully.

When the problem occurs, the following warning event is recorded in the Windows Event Viewer, or in a Reflection for Secure IT Server for Windows (RSSW) Debug log configured to record at least errors and warnings.

000000000350 2020-04-02 17:35:27.724 6248 SK64ENWS2016\LU2:[Warning][20039] windowsserverauthenticator.cpp:WindowsServerAuthenticator::GetLSALogonUserHandle(1321) LsaLookupAuthenticationPackage failed.  If c:\windows\system32\rsshap.dll doesn't exist, please install the 64 bit version of the server.  If it does exist, please make sure to reboot after installation

Resolution

Fixed in Reflection for Secure IT Server for Windows version 8.3 Update 1 (8.3.437).

Previous version workarounds:

A. Cache the credentials for local users logging in to the RSSW using the secure Credential Cache.

1. Open the Reflection for Secure IT Server Console.

2. Select the Configuration tab.

3. In the tree pane select Credential Cache.

4. Enable "Record passwords in the cache when users log in".

5. Save the configuration.

6. Instruct local user accounts to login with password authentication.

7. Refresh the Credential Cache to see credentials listed in the cache.

8. Disable "Record passwords in the cache when users log in".

9. Enable "Use cached passwords to give users access to domain resources."

10. Save the configuration change.

11. Test a public key login with a local account.

12. Public key authentication will succeed. If not, use the Debug log to determine why, or contact Micro Focus Customer Support.

B. Contact Micro Focus Customer Support

1. Maintained customers may contact Micro Focus Customer Support for a temporary fix.  The fix does not require using the Credential Cache. 

Cause

Third-party authentication packages must be signed by Microsoft when the LSA process is protected. Reflection for Secure IT Server for Windows uses a proprietary authentication package for some authentication scenarios. The RSSW package is signed by Attachmate, not Microsoft. The registry value that enables LSA protection is RunAsPPL, set to one ("RunAsPPL"=dword:00000001).

For a full discussion of protecting the LSA process, see the Microsoft document "Configuring Additional LSA Protection".

Status

Reported to Engineering

Additional Information

Steps to reproduce issue:

1. Launch the Reflection for Secure IT Server console (sshconsole.exe).

2. Enable Debug logging and set level to Protocol details.

3. Save the configuration change.

4. Configure the local user account that will log in to the Reflection for Secure IT Server (RSSW) with public key authentication.

5. Authenticate with public key authentication to ensure it is successful.

6. Enable Local Security Authority Protection on Windows Server 2016 or 2019.

a. Open RegEdit.exe.
b. Back up the Registry.
c. Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa.
d. Set the registry value "RunAsPPL"=dword:00000001.
e. Restart the computer.

7. Authenticate with public key authentication.

8. Public key authentication fails and a [Warning][20039] event is recorded in the debug log. The [Trace][40252] event that precedes it shows that the LSA Authentication Package is being invoked.

000000000348 2020-04-02 17:35:27.724 6248 SK64ENWS2016\LU2:[Trace][40252] windowsserverauthenticator.cpp:WindowsServerAuthenticator::GetLSALogonUserHandle(1111) Invoking LSA Authentication Package
000000000349 2020-04-02 17:35:27.724 6248 :[Trace][40138] RemoteLogServer for [SK64ENWS2016\LU2] RSSHAP, thread 1003, from 10.8.3.69:51813:
Listening on port 49754
000000000350 2020-04-02 17:35:27.724 6248 SK64ENWS2016\LU2:[Warning][20039] windowsserverauthenticator.cpp:WindowsServerAuthenticator::GetLSALogonUserHandle(1321) LsaLookupAuthenticationPackage failed.  If c:\windows\system32\rsshap.dll doesn't exist, please install the 64 bit version of the server.  If it does exist, please make sure to reboot after installation
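As an added diagnostic (not part of this article or of the product), the following PowerShell checks the three conditions the Cause section and the reproduction steps tie together: the RunAsPPL value under the Lsa key, the presence of the 64-bit rsshap.dll that the 20039 warning refers to, and each [Warning][20039] in the Debug log together with the [Trace][40252] line that precedes it. The Debug log path is an assumption, since the article does not state where the log is written.

```powershell
# Added diagnostic for the scenario in this article; not part of the product.
# Run in an elevated PowerShell session on the RSSW host.
param(
    # ASSUMPTION: the article does not give the Debug log location; set this
    # to the log file you enabled in the Reflection for Secure IT Server console.
    [string]$LogPath = 'C:\path\to\rssw-debug.log'
)

$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# 1. Is LSA protection enabled? The article documents "RunAsPPL"=dword:00000001.
$runAsPpl = (Get-ItemProperty -Path $lsaKey -Name RunAsPPL -ErrorAction SilentlyContinue).RunAsPPL
if ($runAsPpl -eq 1) {
    Write-Warning "RunAsPPL=1: LSA is protected, so the Attachmate-signed rsshap.dll is rejected for local-account public key logins."
} else {
    Write-Host "RunAsPPL is not 1 (current value: '$runAsPpl'); LSA protection is not enabled by this setting."
}

# 2. Is the 64-bit authentication package present where the 20039 warning expects it?
$dll = Join-Path $env:SystemRoot 'System32\rsshap.dll'
if (Test-Path $dll) { Write-Host "Found $dll" }
else { Write-Warning "$dll is missing: install the 64-bit server and reboot (see the 20039 warning text)." }

# 3. Find each [Warning][20039] in the Debug log, with the preceding
#    [Trace][40252] "Invoking LSA Authentication Package" line if present.
if (-not (Test-Path $LogPath)) { Write-Warning "Debug log not found at $LogPath"; return }
$hits = Select-String -Path $LogPath -Pattern '\[Warning\]\[20039\]' -Context 5,0
foreach ($hit in $hits) {
    # The account appears as MACHINE\user or DOMAIN\user just before ':[Warning]'.
    $account = if ($hit.Line -match '(\S+):\[Warning\]\[20039\]') { $Matches[1] } else { 'unknown' }
    $authority = ($account -split '\\')[0]
    # The article states only local accounts are affected; flag which kind this is.
    $kind = if ($authority -ieq $env:COMPUTERNAME) { 'local account' } else { 'domain or other account' }
    $invoked = $hit.Context.PreContext | Where-Object { $_ -match '\[Trace\]\[40252\]' }
    Write-Host ("Line {0}: LsaLookupAuthenticationPackage failed for {1} ({2}); LSA package invoked first: {3}" -f `
        $hit.LineNumber, $account, $kind, [bool]$invoked)
}
```

A RunAsPPL of 1 together with a 20039 warning for a local account is the signature this article describes; the fix is the 8.3 Update 1 release or the Credential Cache workaround above, not disabling LSA protection.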

To the client it appears that a user authentication error has occurred: either a password prompt appears or a "user authentication failed" message is shown.

Note: A domain user logging in with public key authentication will still be able to log in successfully.