
LogonUser advapi32.dll different on XP than Win2k


Ken Beard

Jan 17, 2003, 11:28:36 AM1/17/03

I have code to impersonate a user that uses the function "LogonUser" from
the library advapi32.dll. The code works great on an XP machine but it does
not work on a Win2K machine. Anyone got any ideas as to why, and possibly
a fix? Example code is below. The impersonateValidUser function returns
True on XP but it fails the first If statement on Win2K.

Thanks

Ken

' WindowsIdentity / WindowsImpersonationContext live in System.Security.Principal;
' these two Imports go at the top of the file.
Imports System.Security.Principal
Imports System.Runtime.InteropServices

' Win32 constants from winbase.h
Private Const LOGON32_LOGON_INTERACTIVE As Integer = 2
Private Const LOGON32_PROVIDER_DEFAULT As Integer = 0
Private Const SecurityImpersonation As Integer = 2   ' SECURITY_IMPERSONATION_LEVEL

' Credentials, the context needed later to revert (impersonationContext.Undo()),
' and the last Win32 error so a failure can be diagnosed.
Private _UserName As String
Private _Domain As String
Private _Password As String
Private impersonationContext As WindowsImpersonationContext
Private lastWin32Error As Integer

' VB.NET's Declare turns on SetLastError, so Marshal.GetLastWin32Error()
' reports the API's own failure code.
Declare Auto Function LogonUser Lib "advapi32.dll" (ByVal lpszUsername As _
    String, ByVal lpszDomain As String, ByVal lpszPassword As String, ByVal _
    dwLogonType As Integer, ByVal dwLogonProvider As Integer, ByRef phtoken As _
    IntPtr) As Integer

Declare Auto Function DuplicateToken Lib "advapi32.dll" (ByVal _
    ExistingTokenHandle As IntPtr, ByVal ImpersonationLevel As Integer, ByRef _
    DuplicateTokenHandle As IntPtr) As Integer

Declare Function CloseHandle Lib "kernel32.dll" (ByVal hObject As IntPtr) As Integer

Private Function impersonateValidUser() As Boolean
    Dim tempWindowsIdentity As WindowsIdentity
    Dim token As IntPtr = IntPtr.Zero
    Dim tokenDuplicate As IntPtr = IntPtr.Zero

    impersonateValidUser = False
    If LogonUser(_UserName, _Domain, _Password, LOGON32_LOGON_INTERACTIVE, _
                 LOGON32_PROVIDER_DEFAULT, token) <> 0 Then
        If DuplicateToken(token, SecurityImpersonation, tokenDuplicate) <> 0 Then
            ' WindowsIdentity duplicates the handle, so ours can be closed below.
            tempWindowsIdentity = New WindowsIdentity(tokenDuplicate)
            impersonationContext = tempWindowsIdentity.Impersonate()
            If impersonationContext Is Nothing Then
                impersonateValidUser = False
            Else
                impersonateValidUser = True
            End If
        Else
            lastWin32Error = Marshal.GetLastWin32Error()
        End If
    Else
        ' Read the error immediately; a later framework call may overwrite it.
        lastWin32Error = Marshal.GetLastWin32Error()
    End If

    ' Close the raw handles either way; the impersonation keeps its own copy.
    If Not tokenDuplicate.Equals(IntPtr.Zero) Then CloseHandle(tokenDuplicate)
    If Not token.Equals(IntPtr.Zero) Then CloseHandle(token)
End Function


MikeB

Jan 17, 2003, 12:06:44 PM1/17/03

"Ken Beard" <ken....@puco.state.oh.us> wrote in message
news:O7N0yVkvCHA.1676@TK2MSFTNGP10...

> I have code to impersonate a user that uses the function "LogonUser"
> from the library advapi32.dll. The code works great on an XP machine but it
> does not work on a Win2K machine. Anyone got any ideas as to why, and
> possibly a fix? Example code is below. The impersonateValidUser function
> returns True on XP but it fails the first If statement on Win2K.
>

From the LogonUser docs:

=========================================
Windows 2000: The process calling LogonUser requires the SE_TCB_NAME
privilege. The privilege does not need to be enabled. The LogonUser function
enables the privilege as necessary. If the calling process does not have
this privilege, LogonUser fails and GetLastError returns
ERROR_PRIVILEGE_NOT_HELD.

Windows XP: The SE_TCB_NAME privilege is no longer required.
=========================================

You'll probably want to do some Google newsgroups searches for workaround
ideas. It's generally considered to be a bad idea from a security
standpoint to give the TCB privilege to accounts.

--
MikeB


Ken Beard

Jan 17, 2003, 1:58:53 PM1/17/03
First I want to thank you for the information, but after further testing I'm
not getting the error associated with the TCB. I am getting an error of 127
which is ERROR_PROC_NOT_FOUND. Any other thoughts, because Google isn't
pulling much.

Thanks

Ken


"MikeB" <mailbox...@mailnull.com> wrote in message
news:eezxGrkvCHA.2380@TK2MSFTNGP12...

MikeB

Jan 17, 2003, 4:09:16 PM1/17/03

"Ken Beard" <ken....@puco.state.oh.us> wrote in message
news:eSBcyplvCHA.2504@TK2MSFTNGP10...

> First I want to thank you for the information, but after further testing
> I'm not getting the error associated with the TCB. I am getting an error
> of 127 which is ERROR_PROC_NOT_FOUND. Any other thoughts, because Google
> isn't pulling much.

To be honest, I'm not sure I trust the error code. Assuming you haven't
already, you might want to run a test giving the TCB privilege to the
account that the process calling LogonUser() is running under.

If this fixes the problem, then you know you'll need to work around the TCB
issue. I think the usual workaround is to proxy the LogonUser call to a
service running under an account with the TCB privilege.

--
MikeB


MikeB

Jan 17, 2003, 4:26:04 PM1/17/03

"MikeB" <mailbox...@mailnull.com> wrote in message
news:#arfoymvCHA.1848@TK2MSFTNGP09...

>
> "Ken Beard" <ken....@puco.state.oh.us> wrote in message
> news:eSBcyplvCHA.2504@TK2MSFTNGP10...
> > First I want to thank you for the information, but after further testing
> > I'm not getting the error associated with the TCB. I am getting an error
> > of 127 which is ERROR_PROC_NOT_FOUND. Any other thoughts, because Google
> > isn't pulling much.
>
> To be honest, I'm not sure I trust the error code. Assuming you haven't
> already, you might want to run a test giving the TCB privilege to the
> account that the process calling LogonUser() is running under.

Additional note: I think that to get the correct error code, you will need
to call Marshal.GetLastWin32Error(), otherwise you might be getting an error
code that was set by Framework code performing behind the scenes activity.

--
MikeB
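Added example (not code from the thread, and not Microsoft's sample): a VB.NET helper that puts Mike's two points together. It reads the Win32 error with Marshal.GetLastWin32Error() immediately after the P/Invoke call, so that the Windows 2000 ERROR_PRIVILEGE_NOT_HELD refusal can be told apart from a stale or unrelated code such as ERROR_PROC_NOT_FOUND, and it closes the token handles it opens. The class name, function names and hint text are my own; the Win32 constants are the documented values from winbase.h and winerror.h.

```vbnet
' Added example, not code from the thread. Calls LogonUser, reads the real
' Win32 error right after the call, and maps the codes discussed in the thread
' to an actionable message. Names other than the Win32 APIs are assumptions.
Imports System
Imports System.ComponentModel
Imports System.Runtime.InteropServices
Imports System.Security.Principal

Public Class LogonDiagnostics

    ' Win32 constants from winbase.h / winerror.h
    Private Const LOGON32_LOGON_INTERACTIVE As Integer = 2
    Private Const LOGON32_PROVIDER_DEFAULT As Integer = 0
    Private Const SECURITY_IMPERSONATION As Integer = 2
    Private Const ERROR_PROC_NOT_FOUND As Integer = 127
    Private Const ERROR_PRIVILEGE_NOT_HELD As Integer = 1314
    Private Const ERROR_LOGON_FAILURE As Integer = 1326

    ' SetLastError:=True is what makes Marshal.GetLastWin32Error meaningful
    ' (a VB Declare sets it implicitly; DllImport does not).
    <DllImport("advapi32.dll", CharSet:=CharSet.Auto, SetLastError:=True)> _
    Private Shared Function LogonUser(ByVal lpszUsername As String, _
            ByVal lpszDomain As String, ByVal lpszPassword As String, _
            ByVal dwLogonType As Integer, ByVal dwLogonProvider As Integer, _
            ByRef phToken As IntPtr) As Boolean
    End Function

    <DllImport("advapi32.dll", SetLastError:=True)> _
    Private Shared Function DuplicateToken(ByVal hToken As IntPtr, _
            ByVal impersonationLevel As Integer, _
            ByRef hNewToken As IntPtr) As Boolean
    End Function

    <DllImport("kernel32.dll", SetLastError:=True)> _
    Private Shared Function CloseHandle(ByVal hObject As IntPtr) As Boolean
    End Function

    ' Logs on and impersonates; returns the context the caller must Undo().
    ' Throws Win32Exception carrying the hint for the errors seen in the thread.
    Public Shared Function Impersonate(ByVal user As String, ByVal domain As String, _
            ByVal password As String) As WindowsImpersonationContext
        Dim token As IntPtr = IntPtr.Zero
        Dim dup As IntPtr = IntPtr.Zero
        Dim code As Integer
        Try
            If Not LogonUser(user, domain, password, LOGON32_LOGON_INTERACTIVE, _
                             LOGON32_PROVIDER_DEFAULT, token) Then
                ' Read the error before any other framework call can overwrite it.
                code = Marshal.GetLastWin32Error()
                Throw New Win32Exception(code, Describe(code))
            End If
            If Not DuplicateToken(token, SECURITY_IMPERSONATION, dup) Then
                code = Marshal.GetLastWin32Error()
                Throw New Win32Exception(code, Describe(code))
            End If
            ' WindowsIdentity copies the handle, so both raw handles are closed below.
            Dim identity As New WindowsIdentity(dup)
            Return identity.Impersonate()
        Finally
            If Not dup.Equals(IntPtr.Zero) Then CloseHandle(dup)
            If Not token.Equals(IntPtr.Zero) Then CloseHandle(token)
        End Try
    End Function

    ' Maps the codes that came up in the thread to an actionable message.
    Public Shared Function Describe(ByVal code As Integer) As String
        Select Case code
            Case ERROR_PRIVILEGE_NOT_HELD
                Return "LogonUser refused: on Windows 2000 the calling process " & _
                       "needs SE_TCB_NAME. Prefer proxying the call to a service " & _
                       "that holds it over granting TCB to the application account."
            Case ERROR_PROC_NOT_FOUND
                Return "ERROR_PROC_NOT_FOUND is not a logon result; it is either a " & _
                       "stale value read too late or an entry point that did not " & _
                       "resolve. Confirm SetLastError is in effect and the Declare " & _
                       "names the right function."
            Case ERROR_LOGON_FAILURE
                Return "Bad user name, domain or password."
            Case Else
                Return "LogonUser failed with Win32 error " & code.ToString()
        End Select
    End Function
End Class
```

Usage: `Dim ctx As WindowsImpersonationContext = LogonDiagnostics.Impersonate(user, domain, password)`, do the work, then `ctx.Undo()` in a Finally block. The point of the Describe table is only that the code read right after the call is the one you reason about; by the time the Boolean result has been tested and other .NET calls have run, GetLastError may already hold something else.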


Yan-Hong Huang[MSFT]

Jan 19, 2003, 10:38:30 PM1/19/03
Hi Ken,

Mike is right. The only difference that I can think of is the privilege
difference. Please double check that the account that you are running on
has this privilege.

BTW, MSDN has some code samples on this API. You can also test with these
samples.

Best regards,
yhhuang
VS.NET, Visual C++
Microsoft

This posting is provided "AS IS" with no warranties, and confers no rights.
Got .Net? http://www.gotdotnet.com
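Added example, not from the thread or from MSDN: the check yhhuang suggests, done from code rather than by eye. It reads the current process token's privilege list through GetTokenInformation and reports whether SeTcbPrivilege is present at all (LogonUser on Windows 2000 enables it itself, so presence is what matters, not the enabled flag). The class and function names are assumptions; the Win32 structures, constants and calls are the documented ones.

```vbnet
' Added example, not code from the thread. Enumerates the privileges in the
' current process token so the SE_TCB_NAME question can be answered directly.
' Names other than the Win32 APIs are assumptions.
Imports System
Imports System.Collections
Imports System.ComponentModel
Imports System.Runtime.InteropServices
Imports System.Text

Public Class TokenPrivilegeCheck

    Private Const TOKEN_QUERY As Integer = &H8
    Private Const TOKEN_PRIVILEGES_CLASS As Integer = 3      ' TokenPrivileges
    Private Const SE_PRIVILEGE_ENABLED As Integer = &H2
    Private Const LUID_AND_ATTRIBUTES_SIZE As Integer = 12   ' LUID (8) + Attributes (4)

    <DllImport("kernel32.dll")> _
    Private Shared Function GetCurrentProcess() As IntPtr
    End Function

    <DllImport("kernel32.dll", SetLastError:=True)> _
    Private Shared Function CloseHandle(ByVal hObject As IntPtr) As Boolean
    End Function

    <DllImport("advapi32.dll", SetLastError:=True)> _
    Private Shared Function OpenProcessToken(ByVal hProcess As IntPtr, _
            ByVal desiredAccess As Integer, ByRef hToken As IntPtr) As Boolean
    End Function

    <DllImport("advapi32.dll", SetLastError:=True)> _
    Private Shared Function GetTokenInformation(ByVal hToken As IntPtr, _
            ByVal infoClass As Integer, ByVal buffer As IntPtr, _
            ByVal bufferLength As Integer, ByRef returnLength As Integer) As Boolean
    End Function

    <DllImport("advapi32.dll", CharSet:=CharSet.Auto, SetLastError:=True)> _
    Private Shared Function LookupPrivilegeName(ByVal systemName As String, _
            ByRef luid As Long, ByVal name As StringBuilder, _
            ByRef nameLength As Integer) As Boolean
    End Function

    ' Returns privilege name -> True if enabled, for every privilege in the token.
    Public Shared Function ListPrivileges() As Hashtable
        Dim result As New Hashtable
        Dim hToken As IntPtr = IntPtr.Zero
        Dim buffer As IntPtr = IntPtr.Zero
        Dim i As Integer
        Try
            If Not OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, hToken) Then
                Throw New Win32Exception(Marshal.GetLastWin32Error())
            End If
            ' A zero-length first call only reports the size that is needed.
            Dim needed As Integer = 0
            GetTokenInformation(hToken, TOKEN_PRIVILEGES_CLASS, IntPtr.Zero, 0, needed)
            buffer = Marshal.AllocHGlobal(needed)
            If Not GetTokenInformation(hToken, TOKEN_PRIVILEGES_CLASS, buffer, needed, needed) Then
                Throw New Win32Exception(Marshal.GetLastWin32Error())
            End If
            ' TOKEN_PRIVILEGES: DWORD PrivilegeCount, then LUID_AND_ATTRIBUTES[].
            Dim count As Integer = Marshal.ReadInt32(buffer)
            For i = 0 To count - 1
                Dim offset As Integer = 4 + i * LUID_AND_ATTRIBUTES_SIZE
                Dim luid As Long = Marshal.ReadInt64(buffer, offset)
                Dim attributes As Integer = Marshal.ReadInt32(buffer, offset + 8)
                Dim name As New StringBuilder(64)
                Dim length As Integer = name.Capacity
                If LookupPrivilegeName(Nothing, luid, name, length) Then
                    result(name.ToString()) = ((attributes And SE_PRIVILEGE_ENABLED) <> 0)
                End If
            Next
        Finally
            If Not buffer.Equals(IntPtr.Zero) Then Marshal.FreeHGlobal(buffer)
            If Not hToken.Equals(IntPtr.Zero) Then CloseHandle(hToken)
        End Try
        Return result
    End Function

    ' The question the thread is asking: is SeTcbPrivilege in the token at all?
    Public Shared Function HoldsTcbPrivilege() As Boolean
        Return ListPrivileges().ContainsKey("SeTcbPrivilege")
    End Function
End Class
```

Run `TokenPrivilegeCheck.HoldsTcbPrivilege()` from the same process and account that will call LogonUser (for ASP.NET that is the worker process identity, not the developer's own logon). A False here on Windows 2000 explains the failure without guessing at error codes, and it is the input to the design decision Mike describes: rather than adding the privilege to the application account, keep it on a small service that performs the logon on the application's behalf.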

Ken Beard

Jan 21, 2003, 8:38:33 AM1/21/03

Thanks Mike and yhhuang. I believe you two have me on the right track for a
fix. I'll do some further testing. Have a good day.

Ken Beard


"Yan-Hong Huang[MSFT]" <yhh...@online.microsoft.com> wrote in message
news:JPi$mVDwCHA.3284@cpmsftngxa06...
