Callie J

Reputation: 31316

Overhead of LogonUser?

After doing a chunk of reading about authenticating users (both here in SO land and the internet generally), it seems fairly obvious that the "best" way to authenticate a user (and thus detect things like expired password, etc) is to call Win32 LogonUser(), rather than attempt to use PrincipalContext.ValidateCredentials in .NET.

However, what I'm not fully clear on is what LogonUser actually does - and thus what overhead it carries with it. The MSDN's not entirely clear on this; the part that mostly concerns me is right at the end, which says that LogonUser calls NPLogonNotify(), and it's not entirely clear what this does (other than preparing logon scripts), nor what happens to the results of the call.

I was initially concerned that LogonUser loaded the user's profile, but some further reading has put that concern to bed as a non-issue (unless I'm wrong on this one, but from what I can tell LogonUser never loads the profile - this would have to be explicitly loaded through a different function call).

The context for this is an intranet webapp that requires the ability to authenticate against Active Directory, so there will be a number of logins and logouts to the app: probably not that many initially, but it may ramp significantly in the future. It seems that calling LogonUser with a type of LOGON32_LOGON_NETWORK and then immediately discarding the token that it gives me may be the best route forward.

Is there any overhead I'm not aware of, or am I just worrying unduly?

Upvotes: 1

Views: 382

Answers (1)

Kevin

Reputation: 25269

The MSDN page seems quite clear:

The LOGON32_LOGON_NETWORK logon type is fastest, but it has the following limitations:

The function returns an impersonation token, not a primary token. You cannot use this token directly in the CreateProcessAsUser function. However, you can call the DuplicateTokenEx function to convert the token to a primary token, and then use it in CreateProcessAsUser.

If you convert the token to a primary token and use it in CreateProcessAsUser to start a process, the new process cannot access other network resources, such as remote servers or printers, through the redirector. An exception is that if the network resource is not access controlled, then the new process will be able to access it.

Upvotes: 1
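The pattern the question describes (a LOGON32_LOGON_NETWORK logon whose token is discarded immediately) and the caveat in the answer (the handle that comes back is an impersonation token) can be put together in one P/Invoke wrapper. This is an added example, not code from either poster or from Microsoft. The constants and error codes are the documented Win32 values from winbase.h and winerror.h; the wrapper names `NetworkLogonCheck`, `ValidateCredentials` and `LogonOutcome` are this example's own.

```csharp
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;

// Added example: validate a user name/password against the domain with LogonUser
// (network logon type) and throw the token away. Wrapper names are this example's own.
public static class NetworkLogonCheck
{
    // Logon type and provider (winbase.h). NETWORK is the cheapest type and does not
    // load the user's profile; the returned handle is an impersonation token.
    const int LOGON32_LOGON_NETWORK    = 3;
    const int LOGON32_PROVIDER_DEFAULT = 0;

    // Failure codes (winerror.h) that carry a credential/account verdict.
    const int ERROR_LOGON_FAILURE        = 1326; // unknown user name or bad password
    const int ERROR_ACCOUNT_RESTRICTION  = 1327;
    const int ERROR_INVALID_LOGON_HOURS  = 1328;
    const int ERROR_INVALID_WORKSTATION  = 1329;
    const int ERROR_PASSWORD_EXPIRED     = 1330;
    const int ERROR_ACCOUNT_DISABLED     = 1331;
    const int ERROR_ACCOUNT_EXPIRED      = 1793;
    const int ERROR_PASSWORD_MUST_CHANGE = 1907;
    const int ERROR_ACCOUNT_LOCKED_OUT   = 1909;

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LogonUser(string lpszUsername, string lpszDomain, string lpszPassword,
                                 int dwLogonType, int dwLogonProvider, out IntPtr phToken);

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr hObject);

    public enum LogonOutcome
    {
        Success, BadCredentials, PasswordExpired, PasswordMustChange,
        AccountDisabled, AccountLockedOut, AccountExpired, AccountRestricted
    }

    // domain may be null when userName is in UPN form (user@domain.example), as the
    // LogonUser documentation allows.
    public static LogonOutcome ValidateCredentials(string userName, string domain, string password)
    {
        IntPtr token = IntPtr.Zero;
        try
        {
            if (LogonUser(userName, domain, password,
                          LOGON32_LOGON_NETWORK, LOGON32_PROVIDER_DEFAULT, out token))
                return LogonOutcome.Success;

            // Distinguish "wrong password" from account-state problems: this is the
            // information that a plain ValidateCredentials call does not surface.
            int err = Marshal.GetLastWin32Error();
            switch (err)
            {
                case ERROR_LOGON_FAILURE:        return LogonOutcome.BadCredentials;
                case ERROR_PASSWORD_EXPIRED:     return LogonOutcome.PasswordExpired;
                case ERROR_PASSWORD_MUST_CHANGE: return LogonOutcome.PasswordMustChange;
                case ERROR_ACCOUNT_DISABLED:     return LogonOutcome.AccountDisabled;
                case ERROR_ACCOUNT_LOCKED_OUT:   return LogonOutcome.AccountLockedOut;
                case ERROR_ACCOUNT_EXPIRED:      return LogonOutcome.AccountExpired;
                case ERROR_ACCOUNT_RESTRICTION:
                case ERROR_INVALID_LOGON_HOURS:
                case ERROR_INVALID_WORKSTATION:  return LogonOutcome.AccountRestricted;
                default:
                    // Anything else (for example the domain controller being unreachable)
                    // is an infrastructure error, not a verdict on the credentials.
                    throw new Win32Exception(err);
            }
        }
        finally
        {
            // Release the token handle on every path: for a credential check it is never used,
            // so nothing is impersonated and no profile is loaded.
            if (token != IntPtr.Zero) CloseHandle(token);
        }
    }
}
```

Two design points worth noting. The `finally` block is what makes the "call and immediately discard the token" plan safe: handle leaks are the one overhead a long-running web app would accumulate from this pattern. And the switch deliberately throws on unrecognised error codes rather than reporting them as a bad password, so a transient directory outage shows up in the application's error log instead of being counted as a failed logon attempt against the user.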
