
User validation


Tolo Oliver

May 4, 2001, 3:55:47 AM5/4/01
How can I check if a User and his password are right for Windows? When I say
for Windows I mean: if it is part of a Domain, check in the Domain; if it is not part
of a Domain, check in the local Windows user database.

Thanks.

Serge Perevoznyk

May 4, 2001, 5:25:50 AM5/4/01
> How can I check if a User and his password is right for Windows?

Collecting user credentials from a User-mode application can be annoying to
the users and can provide a possible security hole in the enterprise
computing environment. The Unified Logon requirement (a requirement that the
user should only have to type their credentials one time at the Ctl-Alt-Del
screen of either Windows 95 or Windows NT) was added to the Microsoft
BackOffice logo requirements for these very reasons. It is important to make
sure that you really need to gather credentials and that some other method
of client/server validation is not more appropriate.

The LogonUser API has been available and documented since Windows NT 3.51,
and is commonly used to verify user credentials. Unfortunately, there are
some restrictions on using LogonUser that are not always convenient to
satisfy. The first and biggest of these restrictions is that the process
calling LogonUser must have the SE_TCB_NAME privilege (in User Manager, this
is the "Act as part of the Operating System" right). The SE_TCB_NAME
privilege is very powerful and should not be granted to any arbitrary user
just so that they can run an application that needs to validate credentials.
The recommended method is to call LogonUser from a service running in the
local system account since the local system account already has the
SE_TCB_NAME privilege.

One other problem with LogonUser is that the API is not implemented on
Windows 95.

As another option, you can use the Security Support Provider Interface
(SSPI) to do a network style logon with provided user credentials. This
method of validation has the advantage of not requiring any special
privilege, as well as working on Windows 95. The end result of using the
SSPI services to validate the credentials is a logon that is analogous to
calling the LogonUser API with the LOGON32_LOGON_NETWORK logon type. The
biggest downside to this type of logon is that you cannot access remote
network resources after impersonating a network type logon. If your
application is calling LogonUser with the LOGON32_LOGON_INTERACTIVE logon
type to work around Windows NT's inability to perform delegation, then the
SSPI logon/validation will probably not be a viable alternative.

Serge Perevoznyk

Marcel van Brakel

May 4, 2001, 8:50:19 AM5/4/01
In article <3af26197$1_2@dnews>, to...@engelsa.com says...

> How can I check if a User and his password are right for Windows? When I say
> for Windows I mean: if it is part of a Domain, check in the Domain; if it is not part
> of a Domain, check in the local Windows user database.

Try creating a logon session for that combination by calling LogonUser().
Note that you will need to have the "act as part of the operating
system" (SE_TCB) privilege to execute that function. Just being an
administrator isn't sufficient; a service application running under the
localsystem account is.

best regards,
Marcel van Brakel

Project JEDI: http://delphi-jedi.org

Do not send me private e-mail unless explicitly requested otherwise.
If you do anyway please include a billing address...
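The LogonUser approach described in the two replies above, as an added Delphi example (not code from this thread or from Project JEDI). It uses the LOGON32_LOGON_NETWORK logon type, which is enough for a yes/no credential check, closes the token immediately, and tells the caller apart whether the failure was bad credentials or the missing SE_TCB_NAME privilege. The unit name, the result type and the explicit advapi32 import are assumptions made so the code does not depend on what a particular Delphi version's Windows.pas declares.

```delphi
unit WinUserCheck;
// Added example, not from the original thread. Assumes a 32-bit Delphi
// compiler and the standard Windows unit; the Win32 constants and the
// advapi32 import are declared here rather than taken from Windows.pas.
interface

uses Windows;

type
  TLogonCheckResult = (lcrValid, lcrBadCredentials, lcrPrivilegeNotHeld,
    lcrOtherError);

// Domain = '' means "check the local account database only".
function ValidateWindowsUser(const UserName, Domain, Password: WideString;
  out LastError: DWORD): TLogonCheckResult;

implementation

const
  LOGON32_LOGON_NETWORK    = 3;     // network-style logon, see the thread
  LOGON32_PROVIDER_DEFAULT = 0;
  ERROR_PRIVILEGE_NOT_HELD = 1314;  // caller lacks SE_TCB_NAME
  ERROR_LOGON_FAILURE      = 1326;  // unknown user name or bad password

function LogonUserW(lpszUsername, lpszDomain, lpszPassword: PWideChar;
  dwLogonType, dwLogonProvider: DWORD; var phToken: THandle): BOOL; stdcall;
  external 'advapi32.dll';

function ValidateWindowsUser(const UserName, Domain, Password: WideString;
  out LastError: DWORD): TLogonCheckResult;
var
  Token: THandle;
  DomainArg: WideString;
begin
  // '.' restricts validation to the local account database; a domain name
  // sends the check to that domain instead.
  if Domain = '' then DomainArg := '.' else DomainArg := Domain;
  Token := 0;
  if LogonUserW(PWideChar(UserName), PWideChar(DomainArg), PWideChar(Password),
       LOGON32_LOGON_NETWORK, LOGON32_PROVIDER_DEFAULT, Token) then
  begin
    CloseHandle(Token);  // only a yes/no answer was wanted; drop the session
    LastError := 0;
    Result := lcrValid;
  end
  else
  begin
    LastError := GetLastError;
    case LastError of
      ERROR_LOGON_FAILURE:      Result := lcrBadCredentials;
      ERROR_PRIVILEGE_NOT_HELD: Result := lcrPrivilegeNotHeld;
    else                        Result := lcrOtherError;
    end;
  end;
end;

end.
```

A result of lcrPrivilegeNotHeld is the restriction both replies mention: the calling process needs SE_TCB_NAME, which is why they recommend calling this from a service running as LocalSystem rather than granting that right to users.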

Tolo Oliver

May 4, 2001, 10:56:25 AM5/4/01
Oops :-)

Thanks

