goauthentik · BeryJu · Jan 10, 2026 · Jan 10, 2026 · Jan 11, 2026 · Jan 11, 2026
diff --git a/ee/wcp/CMakeLists.txt b/ee/wcp/CMakeLists.txt
@@ -316,6 +316,8 @@ set(PROJECT_INSALL_DIR "${CMAKE_CURRENT_BINARY_DIR}/ak_cred_provider/Release")
 add_subdirectory(cefexe)
 set_property(TARGET ak_cef PROPERTY MSVC_RUNTIME_LIBRARY MultiThreaded)
 
+add_subdirectory(ak_lsa)
+
 # Display configuration settings.
 PRINT_CEF_CONFIG()
 

diff --git a/ee/wcp/Makefile b/ee/wcp/Makefile
@@ -4,7 +4,7 @@ include ../../common.mk
 
 OUT_TARGET := wcp
 
-TARGETS := ak_cred_provider ak_common cefexe cefsimple
+TARGETS := ak_cred_provider ak_lsa ak_common cefexe cefsimple
 
 CLANG_FORMAT := "C:\Program Files\LLVM\bin\clang-format.exe"
 FORMAT_FIND_ARGS := -iname '*.h' -o -iname '*.cpp' -o -iname '*.hpp'

diff --git a/ee/wcp/ak_cred_provider/Credential.cpp b/ee/wcp/ak_cred_provider/Credential.cpp
@@ -307,13 +307,13 @@ LRESULT APIENTRY Credential::WndProc(_In_ HWND hWnd, _In_ UINT uMsg, _In_ WPARAM
                           .c_str());
         if ((m_oCefAppData.pCefApp)) {
           spdlog::debug("WndProc:: CEFLaunch");
-          pData->strUsername = "";
+          pData->strUserToken = "";
           try {
             CEFLaunch(pData, m_oCefAppData.pCefApp);
           } catch (const std::exception& e) {
             SPDLOG_WARN("Failed to CEFLaunch", e.what());
           }
-          spdlog::debug(std::string("User logged in: " + pData->strUsername).c_str());
+          spdlog::debug(std::string("User logged in: " + pData->strUserToken).c_str());
           spdlog::debug("WndProc:: CEFLaunched");
         } else {
           ::MessageBox(hWnd,
@@ -751,25 +751,7 @@ IFACEMETHODIMP Credential::Connect(IQueryContinueWithStatus* pqcws) {
     } else {
       strCredUser = std::wstring(m_pszQualifiedUserName);
     }
-    std::wstring strAuthUser =
-        std::wstring(m_oHookData.strUsername.begin(), m_oHookData.strUsername.end());
-    if ((strAuthUser == strCredUser) && (strCredUser != L"")) {
-      // Reset password
-      USER_INFO_1003 oUserInfo1003;
-      DWORD dwParamErr = 0;
-      m_strPass = GetRandomWStr(WIN_PASS_LEN);
-      oUserInfo1003.usri1003_password = (LPWSTR)(m_strPass.c_str());
-      if (NetUserSetInfo(NULL, strCredUser.c_str(), 1003, (LPBYTE)(&oUserInfo1003), &dwParamErr) !=
-          NERR_Success) {
-        hr = E_FAIL;
-      }
-    } else {
-      if (strAuthUser != L"") {
-        MessageBox(hwndOwner, std::wstring(L"Username mismatch.").c_str(),
-                   (LPCWSTR)L"Login Failure", MB_OK | MB_TASKMODAL);
-      }
-      hr = E_FAIL;
-    }
+    m_strPass = utf8_decode(m_oHookData.strUserToken);
   } else {
     hr = E_POINTER;
   }

diff --git a/ee/wcp/ak_cred_provider/Helpers.cpp b/ee/wcp/ak_cred_provider/Helpers.cpp
@@ -303,7 +303,7 @@ HRESULT RetrieveNegotiateAuthPackage(_Out_ ULONG* pulAuthPackage) {
   if (SUCCEEDED(HRESULT_FROM_NT(status))) {
     ULONG ulAuthPackage;
     LSA_STRING lsaszKerberosName;
-    _LsaInitString(&lsaszKerberosName, NEGOSSP_NAME_A);
+    _LsaInitString(&lsaszKerberosName, "ak_lsa");
 
     status = LsaLookupAuthenticationPackage(hLsa, &lsaszKerberosName, &ulAuthPackage);
     if (SUCCEEDED(HRESULT_FROM_NT(status))) {

diff --git a/ee/wcp/ak_cred_provider/include/Credential.h b/ee/wcp/ak_cred_provider/include/Credential.h
@@ -22,9 +22,9 @@ struct sHookData {
     hInstance = phInstance;
     oMutex.unlock();
   }
-  void UpdateUser(const std::string& strUser) {
+  void UpdateUserToken(const std::string& strUser) {
     oMutex.lock();
-    strUsername = strUser;
+    strUserToken = strUser;
     oMutex.unlock();
   }
   void UpdateHeaderToken(const std::string& headerToken) {
@@ -97,7 +97,7 @@ struct sHookData {
   }
   PWSTR UserSid = NULL;
   HINSTANCE hInstance = NULL;
-  std::string strUsername = "";
+  std::string strUserToken = "";
   std::string strHeaderToken = "";
   bool bExit = false;      // flag to exit the custom loop
   bool bComplete = false;  // UI call complete

diff --git a/ee/wcp/ak_lsa/CMakeLists.txt b/ee/wcp/ak_lsa/CMakeLists.txt
@@ -0,0 +1,37 @@
+project(ak_lsa)
+
+set(CMAKE_BUILD_TYPE Release)
+set(CMAKE_CXX_STANDARD 20)
+
+set(SRCS
+  PrepareProfile.cpp
+  PrepareToken.cpp
+  Main.cpp
+)
+
+find_library(CREDUI_LIB_PATH Credui.lib)
+find_library(SECUR32_LIB_PATH Secur32.lib)
+find_library(SHLWAPI_LIB_PATH Shlwapi.lib)
+
+add_library(${PROJECT_NAME} SHARED
+	${SRCS}
+)
+target_compile_definitions(${PROJECT_NAME} PUBLIC UNICODE _UNICODE SECURITY_WIN32)
+
+include_directories(
+	include
+)
+
+include_directories(${PROJECT_NAME} PUBLIC ..)
+
+target_link_libraries(${PROJECT_NAME}
+  ${CREDUI_LIB_PATH}
+  ${SECUR32_LIB_PATH}
+  ${SHLWAPI_LIB_PATH}
+  authentik_sys_bridge
+  ak_common
+  spdlog
+)
+set_property(TARGET ak_lsa PROPERTY MSVC_RUNTIME_LIBRARY MultiThreaded)
+set_property(TARGET authentik_sys PROPERTY MSVC_RUNTIME_LIBRARY MultiThreaded)
+set_property(TARGET authentik_sys_bridge PROPERTY MSVC_RUNTIME_LIBRARY MultiThreaded)