
LOGON32_LOGON_NEW_CREDENTIALS and GetTokenInformation


Nick Burkitt

Oct 26, 2006, 6:29:01 PM
Hi.

I need to be able to use GetTokenInformation() on tokens created by
LogonUser() using the LOGON32_LOGON_NEW_CREDENTIALS logon type. Since
GetTokenInformation() isn't a network call, I get back information from the
token of the original user, rather than the user whose credentials were used
in the call to LogonUser().
How can I get the "network" token information?
Thanks,

-Nick

Skywing [MVP]

Oct 26, 2006, 6:39:29 PM
No way that I know of to do this. This information is, as far as I know,
something that LSA takes care of (and is thus attached more to the logon
session id / authentication id rather than the token).

--
Ken Johnson (Skywing)
Windows SDK MVP
http://www.nynaeve.net

"Nick Burkitt" <nick.b...@newsgroups.nospam> wrote in message
news:02297C95-7922-4B61...@microsoft.com...

Eric Perlin [MSFT]

Oct 26, 2006, 7:29:02 PM
What information are you trying to find out about the "network" token?
As far as I know, the credentials aren't even verified until an outbound
call is made.
As such, there's no "network" token right after the call.
--
This posting is provided "AS IS" with no warranties, and confers no rights.
Eric Perlin [MSFT]

Nick Burkitt

Oct 27, 2006, 2:22:01 PM
Hi Eric.

Thanks for the post. I'm trying to get the user, group, and privilege
information (TokenUser, TokenGroups, and TokenPrivileges) for the token that
will be used in a call to CreateProcessAsUser(). It's partly for validation,
partly for display/debugging purposes.

-Nick

Nick Burkitt

Oct 27, 2006, 2:27:02 PM
Hi Ken - thanks. Does that imply that it might be possible to extract the
information from some other source, such as the logon session? Or is it
strictly write-only?

-Nick

Eric Perlin [MSFT]

Oct 27, 2006, 2:46:02 PM
The new token (after logon) is pretty much a duplicated version of the one
that was effective when LogonUser was known.
The new token still has the same access/capabilities locally.
But the credentials you specify during that call will be used for accessing
network resources.
One way to simulate this is to use runas /netonly.
Let's assume you're currently logged on as a local user.
From a cmd prompt, runas /netonly /u:domain\username cmd
In the resulting cmd, you are still that local user with regards to
accessing files on your machine. But if you net use \\server\share, the
domain\username credentials will be used.
The new token will have the same groups and privs as the previous token (use
"whoami /all" to check it out) with one exception: a new logon SID.
It refers to the new logon session and the corresponding credentials.
LsaGetLogonSessionData may yield some of the info you want.

Skywing [MVP]

Oct 27, 2006, 9:19:28 PM
No good way that I know of to just up and query that information. Maybe you
could be a network provider and intercept credentials for UNC accesses or
something like that, but that is definitely a hack.

--
Ken Johnson (Skywing)
Windows SDK MVP
http://www.nynaeve.net

"Nick Burkitt" <nick.b...@newsgroups.nospam> wrote in message
news:D9FAA970-A1DB-420F...@microsoft.com...

Skywing [MVP]

Oct 27, 2006, 9:21:21 PM
In my experience, LsaGetLogonSessionData will just return data relating to
the local identity even on a runas /netonly - style token. There are a
couple of exceptions in that you have, I believe, an empty LogonServer and
an empty Upn. You'll also, of course, have a different
AuthenticationPackage (Negotiate) and LogonType for the new logon session as
returned by LsaGetLogonSessionData. All of the username and domain related
fields are not updated to point to the remote network credentials though as
that would break the idea of the local identity staying the same.

--
Ken Johnson (Skywing)
Windows SDK MVP
http://www.nynaeve.net

"Eric Perlin [MSFT]" <EricPer...@discussions.microsoft.com> wrote in
message news:F2B0060A-931D-4E09...@microsoft.com...
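The following PowerShell script is an added example, not code posted by anyone in this thread, that carries out the comparison Eric describes (runas /netonly, same groups and privileges, new logon SID) and then reads the logon session record Ken discusses (LsaGetLogonSessionData) for the new-credentials session. It calls LogonUser with LOGON32_LOGON_NEW_CREDENTIALS using constructed placeholder credentials (FAKEDOMAIN\fakeuser); as Eric and Jeffrey note, those are stored rather than verified, so the call succeeds without a reachable domain. The helper names Get-AuthenticationId, Get-LogonSessionSummary and Format-Luid, and the NewCredDemo namespace, are the example's own; the structures and constants are the documented Win32 ones from ntsecapi.h and winnt.h.

```powershell
# Added example (not from the thread): compare a LOGON32_LOGON_NEW_CREDENTIALS
# token with the caller's own token using GetTokenInformation(TokenStatistics),
# the .NET WindowsIdentity wrapper (TokenUser/TokenGroups) and LsaGetLogonSessionData.
# The domain, user and password are constructed placeholders; a NEW_CREDENTIALS
# logon stores them for later outbound SSPI use and does not verify them here.
Add-Type -TypeDefinition @'
using System;
using System.Runtime.InteropServices;
namespace NewCredDemo {
    [StructLayout(LayoutKind.Sequential)] public struct LUID { public uint LowPart; public int HighPart; }
    [StructLayout(LayoutKind.Sequential)] public struct LSA_UNICODE_STRING {
        public ushort Length; public ushort MaximumLength; public IntPtr Buffer; }
    // Leading members of SECURITY_LOGON_SESSION_DATA (ntsecapi.h); later fields are not read here.
    [StructLayout(LayoutKind.Sequential)] public struct SECURITY_LOGON_SESSION_DATA {
        public uint Size; public LUID LogonId;
        public LSA_UNICODE_STRING UserName, LogonDomain, AuthenticationPackage;
        public uint LogonType, Session; public IntPtr Sid; public long LogonTime;
        public LSA_UNICODE_STRING LogonServer, DnsDomainName, Upn; }
    [StructLayout(LayoutKind.Sequential)] public struct TOKEN_STATISTICS {
        public LUID TokenId, AuthenticationId; public long ExpirationTime;
        public int TokenType, ImpersonationLevel;
        public uint DynamicCharge, DynamicAvailable, GroupCount, PrivilegeCount; public LUID ModifiedId; }
    public static class Native {
        public const int LOGON32_LOGON_NEW_CREDENTIALS = 9, LOGON32_PROVIDER_WINNT50 = 3, TokenStatistics = 10;
        [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
        public static extern bool LogonUser(string user, string domain, string password,
                                            int logonType, int logonProvider, out IntPtr token);
        [DllImport("advapi32.dll", SetLastError = true)]
        public static extern bool GetTokenInformation(IntPtr token, int infoClass,
                                                      IntPtr info, int length, out int returned);
        [DllImport("secur32.dll")] public static extern int LsaGetLogonSessionData(ref LUID logonId, out IntPtr data);
        [DllImport("secur32.dll")] public static extern int LsaFreeReturnBuffer(IntPtr buffer);
        [DllImport("kernel32.dll", SetLastError = true)] public static extern bool CloseHandle(IntPtr handle);
    }
}
'@
$M = [Runtime.InteropServices.Marshal]
function Format-Luid($Luid) { '0x{0:X}{1:X8}' -f $Luid.HighPart, $Luid.LowPart }

# AuthenticationId from TokenStatistics: the LUID of the logon session this token belongs to.
function Get-AuthenticationId([IntPtr]$Token) {
    $size = $M::SizeOf([type][NewCredDemo.TOKEN_STATISTICS]); $buf = $M::AllocHGlobal($size); $got = 0
    try {
        if (-not [NewCredDemo.Native]::GetTokenInformation($Token, [NewCredDemo.Native]::TokenStatistics, $buf, $size, [ref]$got)) {
            throw "GetTokenInformation failed, Win32 error $($M::GetLastWin32Error())" }
        ($M::PtrToStructure($buf, [type][NewCredDemo.TOKEN_STATISTICS])).AuthenticationId
    } finally { $M::FreeHGlobal($buf) }
}

# What LSA records for a logon session (the fields the thread discusses).
function Get-LogonSessionSummary([NewCredDemo.LUID]$LogonId) {
    $ptr = [IntPtr]::Zero
    $status = [NewCredDemo.Native]::LsaGetLogonSessionData([ref]$LogonId, [ref]$ptr)
    if ($status -ne 0) { throw ('LsaGetLogonSessionData failed, NTSTATUS 0x{0:X8}' -f $status) }
    try {
        $d = $M::PtrToStructure($ptr, [type][NewCredDemo.SECURITY_LOGON_SESSION_DATA])
        $str = { param($u) if ($u.Buffer -eq [IntPtr]::Zero) { '' } else { $M::PtrToStringUni($u.Buffer, [int]($u.Length / 2)) } }
        [pscustomobject]@{
            LogonId = Format-Luid $d.LogonId; UserName = & $str $d.UserName; LogonDomain = & $str $d.LogonDomain
            AuthPackage = & $str $d.AuthenticationPackage; LogonType = $d.LogonType   # 9 = NewCredentials
            LogonServer = & $str $d.LogonServer; Upn = & $str $d.Upn
        }
    } finally { [void][NewCredDemo.Native]::LsaFreeReturnBuffer($ptr) }
}

$token = [IntPtr]::Zero
$ok = [NewCredDemo.Native]::LogonUser('fakeuser', 'FAKEDOMAIN', 'constructed-placeholder',
        [NewCredDemo.Native]::LOGON32_LOGON_NEW_CREDENTIALS, [NewCredDemo.Native]::LOGON32_PROVIDER_WINNT50, [ref]$token)
if (-not $ok) { throw "LogonUser failed, Win32 error $($M::GetLastWin32Error())" }
try {
    $me  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $new = New-Object Security.Principal.WindowsIdentity($token)   # duplicates the handle for itself
    $logonSid  = { param($id) @($id.Groups.Value | Where-Object { $_ -like 'S-1-5-5-*' }) -join ',' }
    $otherSids = { param($id) @($id.Groups.Value | Where-Object { $_ -notlike 'S-1-5-5-*' } | Sort-Object) }
    'TokenUser    caller={0}  new={1}' -f $me.User.Value, $new.User.Value          # same local identity
    'Logon SID    caller={0}  new={1}' -f (& $logonSid $me), (& $logonSid $new)    # the one group that changes
    'Non-logon groups identical: {0}' -f (-not (Compare-Object (& $otherSids $me) (& $otherSids $new)))
    'AuthId       caller={0}  new={1}' -f (Format-Luid (Get-AuthenticationId $me.Token)), (Format-Luid (Get-AuthenticationId $token))
    Get-LogonSessionSummary (Get-AuthenticationId $token) | Format-List
} finally { [void][NewCredDemo.Native]::CloseHandle($token) }
```

Reading the output against the thread: TokenUser is the same SID on both tokens, the non-logon groups match, and only the logon SID and the AuthenticationId differ, which is what Eric's "whoami /all" comparison shows. The session record for the new AuthenticationId is what Ken describes: LogonType 9 (NewCredentials) and a different AuthenticationPackage, with the user and domain fields still naming the local identity rather than FAKEDOMAIN\fakeuser, so nothing here reveals what groups the stored credentials would resolve to on a remote machine. For code that is about to call CreateProcessAsUser, that makes this check useful for confirming the local identity and session, and not a substitute for knowing the remote identity.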

Jeffrey Tan[MSFT]

Oct 31, 2006, 9:12:58 PM
Hi Nick,

How about this issue now? Do the replies make sense to you?

The groups would not be calculated until an actual authentication were
attempted with the credentials, and then only on the remote machine(s) that
you connect to. On the machine where you call LogonUser with
LOGON32_LOGON_NEW_CREDENTIALS, it's not even known whether the credentials
supplied are valid, or whether the authenticating authority even exists.
For example, run this on your computer right now:

RUNAS /NETONLY /U:FAKEDOMAIN\FAKEUSER CMD.EXE

It will prompt you for a password, then start CMD.EXE in a new logon
session. The credentials you enter are retained, but aren't used for
anything until you attempt remote (SSPI) authentication. It's impossible
to know on the local machine what groups the user may be a member of on the
remote machine.

Hope this helps.

Best regards,
Jeffrey Tan
Microsoft Online Community Support
==================================================
Get notification to my posts through email? Please refer to
http://msdn.microsoft.com/subscriptions/managednewsgroups/default.aspx#notifications.

Note: The MSDN Managed Newsgroup support offering is for non-urgent issues
where an initial response from the community or a Microsoft Support
Engineer within 1 business day is acceptable. Please note that each follow
up response may take approximately 2 business days as the support
professional working with you may need further investigation to reach the
most efficient resolution. The offering is not appropriate for situations
that require urgent, real-time or phone-based interactions or complex
project analysis and dump analysis issues. Issues of this nature are best
handled working with a dedicated Microsoft Support Engineer by contacting
Microsoft Customer Support Services (CSS) at
http://msdn.microsoft.com/subscriptions/support/default.aspx.
==================================================

Jeffrey Tan[MSFT]

Nov 3, 2006, 1:35:17 AM
Hi Nick,

How about this issue now? Do our replies make sense to you? If you still
have anything unclear or need any help, please feel free to feedback.
Thanks.

Best regards,
Jeffrey Tan
Microsoft Online Community Support
