ColinDave

Reputation: 530

How to Fix Error 1935 on Win32 API LogonUser() Function

I'm trying to use this Function.

The User I'm trying to impersonate is not in the same domain. I can mount the Server using the credentials just fine.

But whenever I call LogonUser

    bLogonSucc = ::LogonUser(sUserName
        , sDomain
        , sUserPW
        , LOGON32_LOGON_INTERACTIVE
        , LOGON32_PROVIDER_DEFAULT
        , &hToken);

I get the error 1935:

ERROR_AUTHENTICATION_FIREWALL_FAILED
1935 (0x78F)
The computer you are signing into is protected by an authentication firewall. The specified account is not allowed to authenticate to the computer.

My goal is to open a File on a Server, where the User is used as Login to said destination and open the File.

If I use LOGON32_LOGON_NEW_CREDENTIALS as Parameter, the LogonUser Function & Impersonate works, but somehow still doesn't work later on in the code.

Can't seem to find a solution for this.

Any ideas on how to solve this? The firewall should be set up correctly.

Upvotes: 0

Views: 1282

Answers (1)

Junjie Zhu - MSFT

Reputation: 2979

This error occurs because the user or group has been granted the correct rights to access the share, but the share is in another domain, and even though that domain trusts the one the user is coming from, the trust was set up with ‘selective authentication’.

You can try this.

Go to the domain that’s providing the share and log into a domain controller:

  1. Open 'Control Panel\System and Security\Administrative Tools'
  2. Open ‘Active Directory Users and Computers’
  3. View
  4. Advanced Features
  5. Locate the COMPUTER you are trying to authenticate
  6. Properties
  7. Security
  8. Add in the user (or group) that requires access
  9. Grant the “Allowed to authenticate” right
  10. Apply and OK


Upvotes: 2
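
The GUI steps in the answer above, scripted for a domain controller as an added example (not code from the original post or from Microsoft): it checks for, and if missing grants, the "Allowed to authenticate" right on one computer object. `FILESRV01` and `TRUSTED\FileReaders` are placeholder names, and the ActiveDirectory PowerShell module is assumed to be installed.

```powershell
# Added example; every name in this block is a placeholder (assumption).
Import-Module ActiveDirectory

$ComputerName = 'FILESRV01'            # hypothetical server that hosts the share
$Trustee      = 'TRUSTED\FileReaders'  # hypothetical group from the trusted domain

# rightsGuid of the "Allowed to authenticate" control access right
$AllowedToAuth = [Guid]'68b1d179-0d15-4d4f-ab71-46152e79a7bc'
$SidType       = [System.Security.Principal.SecurityIdentifier]

$computer = Get-ADComputer -Identity $ComputerName
$path     = "AD:\$($computer.DistinguishedName)"
$sid      = (New-Object System.Security.Principal.NTAccount($Trustee)).Translate($SidType)

function Test-AllowedToAuthenticate {
    param([string]$Path, $Sid, [Guid]$Right)
    # Explicit and inherited ACEs, with identities returned as SIDs.
    # Only a direct ACE for $Sid is matched; group membership is not expanded.
    $rules = (Get-Acl -Path $Path).GetAccessRules($true, $true, $SidType)
    foreach ($r in $rules) {
        $isExtended = ($r.ActiveDirectoryRights -band
            [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -ne 0
        if ($isExtended -and $r.AccessControlType -eq 'Allow' -and
            $r.ObjectType -eq $Right -and $r.IdentityReference -eq $Sid) {
            return $true
        }
    }
    return $false
}

if (Test-AllowedToAuthenticate -Path $path -Sid $sid -Right $AllowedToAuth) {
    Write-Output "$Trustee already has 'Allowed to authenticate' on $ComputerName"
} else {
    # Same effect as steps 8-10: add the trustee and allow the extended right
    $acl  = Get-Acl -Path $path
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $AllowedToAuth)
    $acl.AddAccessRule($rule)
    Set-Acl -Path $path -AclObject $acl
    $ok = Test-AllowedToAuthenticate -Path $path -Sid $sid -Right $AllowedToAuth
    Write-Output "Granted on ${ComputerName}: $ok"
}
```

Granting the right to a dedicated group on only the servers it needs keeps the selective-authentication restriction meaningful for every other computer in the domain.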
