smead

Reputation: 1808

Using LogonUser() only to Validate Credentials

We are developing an application with an internal user accounts system, but would like to be able to use credentials from Active Directory and/or Windows accounts. To that end we store the User SID in a field in the application's users table. Our login mechanism functions like this:

The problem that has come up is this: we have been using LOGON32_LOGON_NETWORK for the logon_type, but we have now run into some security configurations where "Access this computer from the network" is denied, meaning the Network logon type is prohibited.

My question is what logon type should we be using for this situation? Interactive? We are not actually using the Logon token for anything other than extracting the user's SID. Our application has its own internal groups and permissions; we do not use Windows groups or permissions in any way. From the perspective of Windows and the domain controller, all we are doing is logging on and quickly logging off.

Or are we looking at this in a completely wrong way, and we should be using some other login method entirely?

Thanks

Upvotes: 5

Views: 4494

Answers (3)

Jusid

Reputation: 936

I also have been surprised to find out that the LogonUser() with the LOGON32_LOGON_NETWORK type fails when user right "Access this computer from the network" is not granted for Everyone on local computer.

I use the following workaround:

  • First try LogonUser() with the LOGON32_LOGON_NETWORK type.
  • If it fails with error ERROR_LOGON_TYPE_NOT_GRANTED, call LogonUser() with the LOGON32_LOGON_NEW_CREDENTIALS type and the LOGON32_PROVIDER_WINNT50 logon provider.

Upvotes: 2

Harry Johnston

Reputation: 36318

The convention is to use LOGON32_LOGON_BATCH, as documented:

This logon type is intended for batch servers, where processes may be executing on behalf of a user without their direct intervention. This type is also for higher performance servers that process many plaintext authentication attempts at a time, such as mail or web servers.

(emphasis mine).

The system administrators may still need to reconfigure the server to grant batch logon access to the users in question, but because this does not grant the user access to any Windows functionality (e.g., the ability to use Remote Desktop, to connect to a network share, or to log on interactively if they somehow gain access to the console) this should not be a problem.

Upvotes: 0
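The batch-logon approach above, written out as an added example (not code from the thread or from Microsoft): a C# P/Invoke wrapper that calls LogonUser with LOGON32_LOGON_BATCH, reads nothing from the token but its user SID, and closes it at once. The constants and signatures are the Win32 ones; the class and method names are my own.

```csharp
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;
using System.Security.Principal;

// Added example: validate a user name and password and return only the
// account SID, as the question's login mechanism needs. No impersonation,
// no use of the token beyond reading TokenUser.
public static class WindowsCredentialCheck
{
    // Win32 constants (winbase.h / winerror.h)
    const int LOGON32_LOGON_BATCH = 4;
    const int LOGON32_PROVIDER_DEFAULT = 0;
    const int ERROR_LOGON_FAILURE = 1326;          // bad user name or password
    const int ERROR_LOGON_TYPE_NOT_GRANTED = 1385; // batch logon right not granted

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    [return: MarshalAs(UnmanagedType.Bool)]
    static extern bool LogonUser(string userName, string domain, string password,
                                 int logonType, int logonProvider, out IntPtr token);

    [DllImport("kernel32.dll", SetLastError = true)]
    [return: MarshalAs(UnmanagedType.Bool)]
    static extern bool CloseHandle(IntPtr handle);

    // Returns the SID string ("S-1-5-21-...") for valid credentials, null for a
    // wrong user name or password. Other failures (disabled or locked account,
    // missing logon right, ...) are raised so they are not mistaken for a bad password.
    public static string ValidateAndGetSid(string userName, string domain, string password)
    {
        IntPtr token;
        if (!LogonUser(userName, domain, password,
                       LOGON32_LOGON_BATCH, LOGON32_PROVIDER_DEFAULT, out token))
        {
            int err = Marshal.GetLastWin32Error();
            if (err == ERROR_LOGON_FAILURE)
                return null;
            if (err == ERROR_LOGON_TYPE_NOT_GRANTED)
                throw new InvalidOperationException(
                    "Batch logon refused: grant the account the \"Log on as a batch job\" right.");
            throw new Win32Exception(err);
        }
        try
        {
            // WindowsIdentity duplicates the handle and exposes TokenUser as a SecurityIdentifier.
            using (var identity = new WindowsIdentity(token))
                return identity.User.Value;
        }
        finally
        {
            CloseHandle(token); // logged on, SID read, logged off
        }
    }
}
```

One caveat for anyone comparing this with the LOGON32_LOGON_NEW_CREDENTIALS workaround: that logon type is documented to clone the caller's token with new credentials for outbound connections only, so it does not check the password against the local or domain account database at call time, and the SID read from its token is the caller's, not the supplied user's.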

Collin Dauphinee

Reputation: 13993

You can communicate with the SSPI services to validate a user's credentials and acquire a token, without requiring special privileges. This requires a lot of obscure code and

See http://support.microsoft.com/kb/180548 for an example; the SSPLogonUser function is where the token is acquired.

Upvotes: 0
