
Why does the LogonUser API call succeed with the wrong password?


Rhys Jones, Aug 17, 2001, 12:53:34 PM
**STOP PRESS** I've just worked it out!

If the actual password is blank then LogonUser succeeds regardless of
the password supplied . . . Is this correct?

----------------------------------------------------------------------------------------------------------------
I'm trying to use LogonUser to validate username/password credentials
for a secure website that I'm building. Unfortunately, on the live web
server the call to LogonUser succeeds regardless of whether the
password is correct or not. As long as the user account is valid, it
ignores the password. On the test server it all works as expected.

Some details;

I'm using VB6 to create the COM+ components. The non-obvious
parameters to LogonUser are LOGON32_LOGON_NETWORK and
LOGON32_PROVIDER_DEFAULT.

The web server is IIS 5 on Windows 2000 Server.

The web server runs under the usual IUSR_<<MACHINE>> account. The COM+
application is configured to use a custom account which has been
granted 'Act as part of the OS' privileges.

Does anyone have any idea what's going on?

Rhys

Joe Richards, Aug 17, 2001, 4:26:52 PM
No, that is incorrect. If the password is wrong, LogonUser will return
"unknown user name or bad password".

Take a look at my web site (www.joeware.net), I have a tool called auth.exe
that does command line authentication which uses the following for
authentication (C++):

#include <windows.h>
#include <iostream>

HANDLE token = NULL;
bool retval = false;
if (LogonUser(lpszUserName, lpszDomain, lpszPassword,
              LOGON32_LOGON_NETWORK, LOGON32_PROVIDER_DEFAULT, &token))
{
    std::cout << "Logon Successful." << std::endl;
    retval = true;
    CloseHandle(token);  // release the logon token once it is no longer needed
}


You will see that if the password doesn't match up, it flags an error.

--
---
Joe Richards
humore...@hotmail.com
Opinions expressed are, as always, Joe's and probably insulting to someone
somewhere so just relax. =)
http://www.joeware.net


"Rhys Jones" <rh...@rmjcs.nospam.please.com> wrote in message
news:0viqntckolc2s1miq...@4ax.com...

Rhys Jones, Aug 20, 2001, 8:53:13 AM
Joe,

I'm not talking about what I think ought to be happening, I'm talking
about what *is* happening. I was a bit surprised myself so I have
double checked what is going on, and LogonUser is definitely returning
success (zero) if the username is valid and the actual user's password
is blank, regardless of what password is supplied to LogonUser.

Any thoughts?

Like your site ;)

Rhys

Nimish Mathur, Aug 20, 2001, 9:03:07 AM
Then why is it not happening with me here? It always returns what Joe
said, never a success.

"Rhys Jones" <rh...@rmjcs.com> wrote in message
news:tp12otc6jfqbelck6...@4ax.com...

Joe Richards, Aug 20, 2001, 11:49:57 AM
Is my Auth returning the same thing? If not, there has to be something not
correct going on in the code. What that could be I am at a loss to say.
However the auth program should let you know if your system is acting flaky.

Thanks on the site. =)


"Rhys Jones" <rh...@rmjcs.com> wrote in message
news:tp12otc6jfqbelck6...@4ax.com...

Michael Stern, Aug 20, 2001, 12:38:36 PM
Why do you assume "0" means success?

MSDN--LogonUser: If the function succeeds, the return value is nonzero.
MSDN--LogonUser: If the function fails, the return value is zero.

Use the app.lastdllerror to get the last dll-error.

"Rhys Jones" <rh...@rmjcs.com> wrote in message
news:tp12otc6jfqbelck6...@4ax.com...

Joe Richards, Aug 20, 2001, 5:49:02 PM
Good catch, that completely slipped by me.



"Michael Stern" <mh...@gmx.at> wrote in message
news:Ol9VqdZKBHA.1716@tkmsftngp05...

Michael Stern, Aug 21, 2001, 4:05:36 AM
^^

there's one big mistake one can make and that's thinking (s)he is perfect
and only all the other people's programs have bugs. ;)

cheers,
michael


"Joe Richards" <humore...@hotmail.com> wrote in message
news:ONZ$uHcKBHA.1128@tkmsftngp02...

Rhys Jones, Aug 22, 2001, 11:29:06 AM
Whoops - I didn't say that zero indicated success - my fingers did! I
meant non-zero. The snippet of VB code is as follows (with zero
clearly being failure!);

Private Declare Function LogonUser Lib "advapi32.dll" Alias "LogonUserA" _
    (ByVal lpszUsername As String, ByVal lpszDomain As String, _
     ByVal lpszPassword As String, ByVal dwLogonType As Long, _
     ByVal dwLogonProvider As Long, phToken As Long) As Long
Private Declare Function CloseHandle Lib "kernel32" (ByVal hObject As Long) As Long
Private Const LOGON32_LOGON_NETWORK As Long = 3
Private Const LOGON32_PROVIDER_DEFAULT As Long = 0

lngAPIResult = LogonUser(strUserName, gstrDomainName, _
                         strPassword, LOGON32_LOGON_NETWORK, _
                         LOGON32_PROVIDER_DEFAULT, _
                         lngTokenHandle)
If (lngAPIResult = 0) Then
    ' Report failure (Err.LastDllError holds the Win32 error code).
Else
    lngAPIResult = CloseHandle(lngTokenHandle)
    ' Process success.
End If

Thanks for your time and apologies for there being days between posts
but I'm not in the office as often as I ought to be.

Any more ideas?

Rhys


On Mon, 20 Aug 2001 18:38:36 +0200, "Michael Stern" <mh...@gmx.at>
wrote:

tonyha...@gmail.com, May 25, 2014, 1:14:40 PM
P/Invoking with domain '.', logon type NETWORK and the default provider will return success for a bad username and will return a token for the Guest account.
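The three points raised in this thread (Rhys's report that a wrong password is accepted when the account's real password is blank, Michael Stern's reminder that LogonUser returns nonzero on success and zero on failure, and the 2014 note that a bad username can come back as a Guest token) can be checked from one script. The following is an added example written for this page; it is not code from the thread, from joeware's auth.exe, or from Microsoft. It P/Invokes LogonUser with the same LOGON32_LOGON_NETWORK / LOGON32_PROVIDER_DEFAULT parameters the thread uses, reads GetLastError straight after the call, and then asks the returned token which account it actually represents instead of trusting the boolean alone. It assumes Windows PowerShell 5.1 or PowerShell 7 on Windows; the account names at the bottom are placeholders.

```powershell
# Added example (not from the thread): validate credentials with LogonUser and
# inspect the result properly. Assumes Windows PowerShell 5.1+ / PowerShell 7 on
# Windows. Account names used at the bottom are placeholders.

$signature = @'
[DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern bool LogonUser(
    string lpszUsername, string lpszDomain, string lpszPassword,
    int dwLogonType, int dwLogonProvider, out IntPtr phToken);

[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CloseHandle(IntPtr hObject);
'@
$Win32 = Add-Type -MemberDefinition $signature -Name 'NativeLogon' -Namespace 'CredCheck' -PassThru

$LOGON32_LOGON_NETWORK    = 3      # same logon type the thread uses
$LOGON32_PROVIDER_DEFAULT = 0
$ERROR_LOGON_FAILURE      = 1326   # "unknown user name or bad password"

function New-Result([string]$User, [bool]$Success, [int]$Win32Error,
                    [string]$TokenUser, [bool]$Matches, [bool]$IsGuest) {
    [pscustomobject]@{
        User                 = $User
        Success              = $Success
        Win32Error           = $Win32Error
        TokenUser            = $TokenUser
        MatchesRequestedUser = $Matches
        IsGuest              = $IsGuest
    }
}

function Test-Credential {
    param(
        [Parameter(Mandatory)] [string] $User,
        [string] $Domain = '.',        # '.' = local machine; pass a domain name for domain accounts
        [string] $Password = '',
        [switch] $AllowEmptyPassword   # off by default: an empty password never counts as valid
    )

    # Design choice for a web login: never let the outcome depend on how the
    # OS treats blank passwords; refuse them before LogonUser is even called.
    if ($Password.Length -eq 0 -and -not $AllowEmptyPassword) {
        return New-Result $User $false $ERROR_LOGON_FAILURE $null $false $false
    }

    $token = [IntPtr]::Zero
    $ok = $Win32::LogonUser($User, $Domain, $Password,
                            $LOGON32_LOGON_NETWORK, $LOGON32_PROVIDER_DEFAULT, [ref]$token)
    # Nonzero/true = success, zero/false = failure (MSDN). Read the error code
    # immediately, before any other call can overwrite it.
    $err = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()
    if (-not $ok) {
        return New-Result $User $false $err $null $false $false
    }

    try {
        # Ask the token who it represents. WindowsIdentity duplicates the
        # handle, so our own copy is closed in the finally block regardless.
        $identity  = New-Object System.Security.Principal.WindowsIdentity($token)
        $tokenUser = ($identity.Name -split '\\')[-1]
        # RID 501 is the built-in Guest account on every machine and domain.
        $isGuest   = $identity.User.Value -match '-501$'
        $matches   = ($tokenUser -ieq $User) -and -not $isGuest
        return New-Result $User $true 0 $identity.Name $matches $isGuest
    }
    finally {
        [void]$Win32::CloseHandle($token)
    }
}

# Reproduce the two cases discussed in the thread (placeholder account names):
#  1. an account whose real password is blank, called with a wrong password
#  2. a username that does not exist, which may yield a Guest token if Guest is enabled
Test-Credential -User 'blankpwuser' -Password 'notthepassword' | Format-List
Test-Credential -User 'nosuchuser'  -Password 'anything'       | Format-List
```

Treat a logon as valid only when `Success` is true and `MatchesRequestedUser` is true; `Win32Error` of 1326 is the "unknown user name or bad password" result Joe describes. The thread does not settle whether a blank-password account accepts any password on a given box, which is why the function refuses empty passwords up front rather than relying on LogonUser to do so. On Windows 2000 the caller of LogonUser needed "Act as part of the operating system" (SeTcbPrivilege), which is why the COM+ account in the original post was granted it; Windows XP and later dropped that requirement for ordinary logons, so on a modern host this script runs as a normal user.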