Thanks
Ken
Imports System.Security.Principal

' Win32 constants (winbase.h) referenced below
Private Const LOGON32_LOGON_INTERACTIVE As Integer = 2
Private Const LOGON32_PROVIDER_DEFAULT As Integer = 0
Private Const SECURITY_IMPERSONATION As Integer = 2   ' SECURITY_IMPERSONATION_LEVEL

Declare Auto Function LogonUser Lib "advapi32.dll" (ByVal lpszUsername As String, _
    ByVal lpszDomain As String, ByVal lpszPassword As String, ByVal dwLogonType As Integer, _
    ByVal dwLogonProvider As Integer, ByRef phtoken As IntPtr) As Integer

Declare Auto Function DuplicateToken Lib "advapi32.dll" (ByVal ExistingTokenHandle As IntPtr, _
    ByVal ImpersonationLevel As Integer, ByRef DuplicateTokenHandle As IntPtr) As Integer

Declare Function CloseHandle Lib "kernel32.dll" (ByVal hObject As IntPtr) As Integer

' Credentials are set elsewhere in the class; the context is kept so Undo() can be called later
Private _UserName As String, _Domain As String, _Password As String
Private impersonationContext As WindowsImpersonationContext

Private Function impersonateValidUser() As Boolean
    Dim tempWindowsIdentity As WindowsIdentity
    Dim token As IntPtr = IntPtr.Zero
    Dim tokenDuplicate As IntPtr = IntPtr.Zero

    impersonateValidUser = False
    ' Log the user on; a primary token comes back in token
    If LogonUser(_UserName, _Domain, _Password, LOGON32_LOGON_INTERACTIVE, _
                 LOGON32_PROVIDER_DEFAULT, token) <> 0 Then
        ' Make an impersonation-level copy of the primary token (level 2 = SecurityImpersonation)
        If DuplicateToken(token, SECURITY_IMPERSONATION, tokenDuplicate) <> 0 Then
            tempWindowsIdentity = New WindowsIdentity(tokenDuplicate)
            impersonationContext = tempWindowsIdentity.Impersonate()
            impersonateValidUser = Not (impersonationContext Is Nothing)
            ' WindowsIdentity duplicated the handle for itself, so close ours
            CloseHandle(tokenDuplicate)
        End If
        CloseHandle(token)
    End If
End Function
From the LogonUser docs:
=========================================
Windows 2000: The process calling LogonUser requires the SE_TCB_NAME
privilege. The privilege does not need to be enabled. The LogonUser function
enables the privilege as necessary. If the calling process does not have
this privilege, LogonUser fails and GetLastError returns
ERROR_PRIVILEGE_NOT_HELD.
Windows XP: The SE_TCB_NAME privilege is no longer required.
=========================================
You'll probably want to do some Google newsgroups searches for workaround
ideas. It's generally considered to be a bad idea from a security
standpoint to give the TCB privilege to accounts.
--
MikeB
Thanks
Ken
"MikeB" <mailbox...@mailnull.com> wrote in message
news:eezxGrkvCHA.2380@TK2MSFTNGP12...
To be honest, I'm not sure I trust the error code. Assuming you haven't
already, you might want to run a test giving the TCB privilege to the
account that the process calling LogonUser() is running under.
If this fixes the problem, then you know you'll need to work around the TCB
issue. I think the usual workaround is to proxy the LogonUser call to a
service running under an account with the TCB privilege.
--
MikeB
Additional note: I think that to get the correct error code, you will need
to call Marshal.GetLastWin32Error(), otherwise you might be getting an error
code that was set by Framework code performing behind the scenes activity.
--
MikeB
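A small VB.NET probe that puts Mike's advice into practice, added here as an example rather than code from the thread: LogonUser is declared with SetLastError:=True and the error code is read with Marshal.GetLastWin32Error() immediately after the call, before any other framework call can overwrite it. The class and method names (LogonProbe, ProbeLogon, Describe) are my own; the constant values come from winbase.h/winerror.h.

```vbnet
Imports System.ComponentModel
Imports System.Runtime.InteropServices
Public Class LogonProbe
    ' Win32 constants from winbase.h / winerror.h
    Private Const LOGON32_LOGON_INTERACTIVE As Integer = 2
    Private Const LOGON32_PROVIDER_DEFAULT As Integer = 0
    Private Const ERROR_PROC_NOT_FOUND As Integer = 127
    Private Const ERROR_PRIVILEGE_NOT_HELD As Integer = 1314

    ' SetLastError:=True makes the runtime snapshot GetLastError right after
    ' the call, so Marshal.GetLastWin32Error() returns LogonUser's own code.
    <DllImport("advapi32.dll", SetLastError:=True, CharSet:=CharSet.Auto)> _
    Private Shared Function LogonUser(ByVal lpszUsername As String, _
        ByVal lpszDomain As String, ByVal lpszPassword As String, _
        ByVal dwLogonType As Integer, ByVal dwLogonProvider As Integer, _
        ByRef phToken As IntPtr) As Boolean
    End Function
    <DllImport("kernel32.dll", SetLastError:=True)> _
    Private Shared Function CloseHandle(ByVal hObject As IntPtr) As Boolean
    End Function
    ' Returns 0 when the logon succeeds, otherwise the Win32 error captured
    ' immediately after LogonUser failed. Any token is closed before returning.
    Public Shared Function ProbeLogon(ByVal user As String, ByVal domain As String, _
                                      ByVal password As String) As Integer
        Dim token As IntPtr = IntPtr.Zero
        Dim ok As Boolean = LogonUser(user, domain, password, _
            LOGON32_LOGON_INTERACTIVE, LOGON32_PROVIDER_DEFAULT, token)
        ' Read the code before any other framework call can overwrite it
        Dim lastError As Integer = Marshal.GetLastWin32Error()
        If ok Then
            CloseHandle(token)
            Return 0
        End If
        Return lastError
    End Function

    ' Maps the codes discussed in the thread to a diagnostic string
    Public Shared Function Describe(ByVal lastError As Integer) As String
        Select Case lastError
            Case 0
                Return "logon succeeded"
            Case ERROR_PRIVILEGE_NOT_HELD
                Return "caller lacks SE_TCB_NAME (required on Windows 2000)"
            Case ERROR_PROC_NOT_FOUND
                Return "ERROR_PROC_NOT_FOUND (127): the specified procedure could not be found"
            Case Else
                Return "Win32 error " & lastError & ": " & (New Win32Exception(lastError)).Message
        End Select
    End Function
End Class
```

Call ProbeLogon once with the service account's credentials on each OS and compare Describe() output; a stale code from framework activity will no longer mask the real one.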
Mike is right. The only difference that I can think of is the privilege
difference. Please double check that the account that you are running on
has this privilege.
BTW, MSDN has some code samples on this API. You can also test with these
samples.
Best regards,
yhhuang
VS.NET, Visual C++
Microsoft
This posting is provided "AS IS" with no warranties, and confers no rights.
Got .Net? http://www.gotdotnet.com
--------------------
!Reply-To: "Ken Beard" <ken....@puc.state.oh.us>
!From: "Ken Beard" <ken....@puco.state.oh.us>
!References: <O7N0yVkvCHA.1676@TK2MSFTNGP10> <eezxGrkvCHA.2380@TK2MSFTNGP12>
!Subject: Re: LogonUser advapi32.dll different on XP than Win2k
!Date: Fri, 17 Jan 2003 13:58:53 -0500
!Message-ID: <eSBcyplvCHA.2504@TK2MSFTNGP10>
!Newsgroups: microsoft.public.dotnet.framework
!
!First I want to thank you for the information, but after further testing I'm
!not getting the error associated with the TCB. I am getting an error of 127
!which is ERROR_PROC_NOT_FOUND. Any other thoughts because Google isn't
!pulling much.
!
!Thanks
!
!Ken
!
!
!"MikeB" <mailbox...@mailnull.com> wrote in message
!news:eezxGrkvCHA.2380@TK2MSFTNGP12...
Ken Beard
"Yan-Hong Huang[MSFT]" <yhh...@online.microsoft.com> wrote in message
news:JPi$mVDwCHA.3284@cpmsftngxa06...