Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss

LogonUser fails

1 view
Skip to first unread message

David Kaplan

unread,
Mar 26, 2003, 1:03:38 PM3/26/03
to
I wrote some impersonation sample code (below) based on
the Platform SDK Security help topic on LogonUser, and ran
it on a Win2K Pro machine connected to a Win2K network.
It tries to impersonate a domain user who is a member of
the local Administrators group, and loops through all
possible combinations of the dwLogonType and
dwLogonProvider parameters. In all cases, LogonUser
returns phToken NULL and fSuccess FALSE.

It seems there must be some administrative setting, either
on the local machine or on our domain, which needs to be
changed in order to permit impersonation.

Any ideas?

Thanks,
- Dave Kaplan


======================================
/*
#define LOGON32_LOGON_INTERACTIVE 2
#define LOGON32_LOGON_NETWORK 3
#define LOGON32_LOGON_BATCH 4
#define LOGON32_LOGON_SERVICE 5
#define LOGON32_LOGON_UNLOCK 7
#if(_WIN32_WINNT >= 0x0500)
#define LOGON32_LOGON_NETWORK_CLEARTEXT 8
#define LOGON32_LOGON_NEW_CREDENTIALS 9
#endif // (_WIN32_WINNT >= 0x0500)

#define LOGON32_PROVIDER_DEFAULT 0
#define LOGON32_PROVIDER_WINNT35 1
#if(_WIN32_WINNT >= 0x0400)
#define LOGON32_PROVIDER_WINNT40 2
#endif // _WIN32_WINNT >= 0x0400
#if(_WIN32_WINNT >= 0x0500)
#define LOGON32_PROVIDER_WINNT50 3
#endif // (_WIN32_WINNT >= 0x0500)
*/

#define LOGON32_LOGON_NETWORK_CLEARTEXT 8
#define LOGON32_LOGON_NEW_CREDENTIALS 9

#define LOGON32_PROVIDER_WINNT40 2
#define LOGON32_PROVIDER_WINNT50 3

void TestLogonUser()
{

PHANDLE phToken = NULL;
BOOL fSuccess = FALSE;

for( DWORD dwLogonType = LOGON32_LOGON_INTERACTIVE;
dwLogonType <=
LOGON32_LOGON_NEW_CREDENTIALS;
dwLogonType++
)
{
for( DWORD dwLogonProvider =
LOGON32_PROVIDER_DEFAULT;
dwLogonProvider <=
LOGON32_PROVIDER_WINNT50;
dwLogonProvider++
)
{
fSuccess =
LogonUser(
"User",
"DOMAIN",
"password",
dwLogonType,
dwLogonProvider,
phToken
);
}
}

}

Yu Chen [MS]

unread,
Mar 26, 2003, 2:36:35 PM3/26/03
to
In W2k, the process calling LogonUser requires the SE_TCB_NAME privilege.
The privilege does not need to be enabled. The LogonUser function enables
the privilege as necessary. If the calling process does not have this
privilege, LogonUser fails and GetLastError returns
ERROR_PRIVILEGE_NOT_HELD.

--
Yu Chen [MS]
This posting is provided "AS IS" with no warranties, and confers no rights.


"David Kaplan" <no....@no.spam> wrote in message
news:3ec801c2f3c2$07124cc0$a401...@phx.gbl...

David Kaplan

unread,
Mar 26, 2003, 5:15:23 PM3/26/03
to
from looking at platform sdk docs, it appears my code will
need to call AdjustTokenPrivileges to acquire the
SE_TCB_NAME privilege, before calling LogonUser.

is that correct, and is there more setup required?

can you point me to any sample code for the entire
sequence?

thanks for any advice, as i am unfamiliar with the win2k
privilege model.

- dave kaplan

Yu Chen [MS]

unread,
Mar 26, 2003, 5:51:23 PM3/26/03
to
No you don't need to call AdjustTokenPrivileges before calling LogonUser.
All you need is to grant the account which runs your application the TCB
privilege. To do so, log in as administrator, use Local Security Policy
(gpedit.msc) to add this account into "Act as part of the operation system"
under "Local Computer Policy\Computer Configuration\Windows
Settings\Security Settings\Local Policies\User Rights Assignment". If the
account is already logged in, you need to log it off then log back for the
change to take effect. Be aware it's dangerous to grant this privilege to a
user - by default no one (including administrators) has this privilege.

In XP and Windows 2003 server, LogonUser no longer requires caller to have
TCB privilege.

--
Yu Chen [MS]
This posting is provided "AS IS" with no warranties, and confers no rights.


"David Kaplan" <no....@no.spam> wrote in message

news:4b3f01c2f3e5$324cceb0$a101...@phx.gbl...

David Kaplan

unread,
Mar 26, 2003, 7:07:27 PM3/26/03
to
i added the account into "Act as part of the operating
system" but it still fails with ERROR_PRIVILEGE_NOT_HELD.
i also logged off and then back on (although the account
itself was never logged on) - still fails with
ERROR_PRIVILEGE_NOT_HELD.

my test code is attached at the end of this msg. it
simply tests LogonUser using the documented default
parameters (LOGON32_LOGON_NETWORK_CLEARTEXT,
LOGON32_PROVIDER_DEFAULT), then in a loop with all
possible parameter combinations. i run it under the
debugger, and see that phToken is always returned NULL,
fSuccess is always returned FALSE, and dwError is always
returned ERROR_PRIVILEGE_NOT_HELD (except when
dwLogonType=6, which returns an invalid parameter code, as
expected).

i can also post the code someplace if you tell me where.

any other ideas?

thanks,
- dave

=============================


void TestLogonUser()
{
PHANDLE phToken = NULL;
BOOL fSuccess = FALSE;

DWORD dwError;

fSuccess =
LogonUser(
"User",
"DOMAIN",
"password",

LOGON32_LOGON_NETWORK_CLEARTEXT,
LOGON32_PROVIDER_DEFAULT,
phToken
);

dwError = GetLastError();


for( DWORD dwLogonType =
LOGON32_LOGON_INTERACTIVE;
dwLogonType <= LOGON32_LOGON_NEW_CREDENTIALS;
dwLogonType++
)
{
for( DWORD dwLogonProvider =
LOGON32_PROVIDER_DEFAULT;
dwLogonProvider <=
LOGON32_PROVIDER_WINNT50;
dwLogonProvider++
)
{
fSuccess =
LogonUser(
"User",
"DOMAIN",
"password",
dwLogonType,
dwLogonProvider,
phToken
);

dwError = GetLastError();
}
}

}

Yu Chen [MS]

unread,
Mar 26, 2003, 7:33:08 PM3/26/03
to
You need to grant TCB privilege to the account that you log in as and run
your test under (administrator ?), not the "User" account that your test
passes into LogonUser.

--
Yu Chen [MS]
This posting is provided "AS IS" with no warranties, and confers no rights.


"David Kaplan" <no....@no.spam> wrote in message

news:4fa501c2f3f4$da108240$3001...@phx.gbl...

David Kaplan

unread,
Mar 26, 2003, 8:08:18 PM3/26/03
to
i assume that by "TCB privilege" you mean "Act as part of
the operating system"?

i granted "Act as part of the operating system" to my
personal domain account, which is a member of Admins group
on the machine i am running the test from.

now, instead of returning ERROR_PRIVILEGE_NOT_HELD, the
call to LogonUser throws an exception with "0xC0000005:
Access violation writing location 0x00000000"

ideas?

thanks,
- dave

>-----Original Message-----
>You need to grant TCB privilege to the account that you
log in as and run
>your test under (administrator ?), not the "User" account
that your test
>passes into LogonUser.
>
>

Yu Chen [MS]

unread,
Mar 26, 2003, 8:23:58 PM3/26/03
to
Right that's what I meant - "TCB privilege" = "Act as part of the operating
system".
As to the access violation, it's caused by you passing in a NULL pointer as
phToken. Instead, you should use:

HANDLE hToken;


BOOL fSuccess = FALSE;
DWORD dwError;

fSuccess =LogonUser(
"User",
"DOMAIN",
"password",
LOGON32_LOGON_NETWORK_CLEARTEXT,
LOGON32_PROVIDER_DEFAULT,

&hToken
);

Also, when you no longer need the hToken, you should call:
CloseHandle( hToken );

--
Yu Chen [MS]
This posting is provided "AS IS" with no warranties, and confers no rights.


"David Kaplan" <no....@no.spam> wrote in message

news:44db01c2f3fd$5a580ab0$2f01...@phx.gbl...

David Kaplan

unread,
Mar 27, 2003, 12:54:41 PM3/27/03
to
that does it. thanks

>.
>

0 new messages