It seems there must be some administrative setting, either
on the local machine or on our domain, which needs to be
changed in order to permit impersonation.
Any ideas?
Thanks,
- Dave Kaplan
======================================
/*
#define LOGON32_LOGON_INTERACTIVE 2
#define LOGON32_LOGON_NETWORK 3
#define LOGON32_LOGON_BATCH 4
#define LOGON32_LOGON_SERVICE 5
#define LOGON32_LOGON_UNLOCK 7
#if(_WIN32_WINNT >= 0x0500)
#define LOGON32_LOGON_NETWORK_CLEARTEXT 8
#define LOGON32_LOGON_NEW_CREDENTIALS 9
#endif // (_WIN32_WINNT >= 0x0500)
#define LOGON32_PROVIDER_DEFAULT 0
#define LOGON32_PROVIDER_WINNT35 1
#if(_WIN32_WINNT >= 0x0400)
#define LOGON32_PROVIDER_WINNT40 2
#endif // _WIN32_WINNT >= 0x0400
#if(_WIN32_WINNT >= 0x0500)
#define LOGON32_PROVIDER_WINNT50 3
#endif // (_WIN32_WINNT >= 0x0500)
*/
#define LOGON32_LOGON_NETWORK_CLEARTEXT 8
#define LOGON32_LOGON_NEW_CREDENTIALS 9
#define LOGON32_PROVIDER_WINNT40 2
#define LOGON32_PROVIDER_WINNT50 3
void TestLogonUser()
{
PHANDLE phToken = NULL;
BOOL fSuccess = FALSE;
for( DWORD dwLogonType = LOGON32_LOGON_INTERACTIVE;
dwLogonType <=
LOGON32_LOGON_NEW_CREDENTIALS;
dwLogonType++
)
{
for( DWORD dwLogonProvider =
LOGON32_PROVIDER_DEFAULT;
dwLogonProvider <=
LOGON32_PROVIDER_WINNT50;
dwLogonProvider++
)
{
fSuccess =
LogonUser(
"User",
"DOMAIN",
"password",
dwLogonType,
dwLogonProvider,
phToken
);
}
}
}
--
Yu Chen [MS]
This posting is provided "AS IS" with no warranties, and confers no rights.
"David Kaplan" <no....@no.spam> wrote in message
news:3ec801c2f3c2$07124cc0$a401...@phx.gbl...
is that correct, and is there more setup required?
can you point me to any sample code for the entire
sequence?
thanks for any advice, as i am unfamiliar with the win2k
privilege model.
- dave kaplan
In XP and Windows 2003 server, LogonUser no longer requires caller to have
TCB privilege.
--
Yu Chen [MS]
This posting is provided "AS IS" with no warranties, and confers no rights.
"David Kaplan" <no....@no.spam> wrote in message
news:4b3f01c2f3e5$324cceb0$a101...@phx.gbl...
my test code is attached at the end of this msg. it
simply tests LogonUser using the documented default
parameters (LOGON32_LOGON_NETWORK_CLEARTEXT,
LOGON32_PROVIDER_DEFAULT), then in a loop with all
possible parameter combinations. i run it under the
debugger, and see that phToken is always returned NULL,
fSuccess is always returned FALSE, and dwError is always
returned ERROR_PRIVILEGE_NOT_HELD (except when
dwLogonType=6, which returns an invalid parameter code, as
expected).
i can also post the code someplace if you tell me where.
any other ideas?
thanks,
- dave
=============================
void TestLogonUser()
{
PHANDLE phToken = NULL;
BOOL fSuccess = FALSE;
DWORD dwError;
fSuccess =
LogonUser(
"User",
"DOMAIN",
"password",
LOGON32_LOGON_NETWORK_CLEARTEXT,
LOGON32_PROVIDER_DEFAULT,
phToken
);
dwError = GetLastError();
for( DWORD dwLogonType =
LOGON32_LOGON_INTERACTIVE;
dwLogonType <= LOGON32_LOGON_NEW_CREDENTIALS;
dwLogonType++
)
{
for( DWORD dwLogonProvider =
LOGON32_PROVIDER_DEFAULT;
dwLogonProvider <=
LOGON32_PROVIDER_WINNT50;
dwLogonProvider++
)
{
fSuccess =
LogonUser(
"User",
"DOMAIN",
"password",
dwLogonType,
dwLogonProvider,
phToken
);
dwError = GetLastError();
}
}
}
--
Yu Chen [MS]
This posting is provided "AS IS" with no warranties, and confers no rights.
"David Kaplan" <no....@no.spam> wrote in message
news:4fa501c2f3f4$da108240$3001...@phx.gbl...
i granted "Act as part of the operating system" to my
personal domain account, which is a member of Admins group
on the machine i am running the test from.
now, instead of returning ERROR_PRIVILEGE_NOT_HELD, the
call to LogonUser throws an exception with "0xC0000005:
Access violation writing location 0x00000000"
ideas?
thanks,
- dave
>-----Original Message-----
>You need to grant TCB privilege to the account that you
log in as and run
>your test under (administrator ?), not the "User" account
that your test
>passes into LogonUser.
>
>
HANDLE hToken;
BOOL fSuccess = FALSE;
DWORD dwError;
fSuccess =LogonUser(
"User",
"DOMAIN",
"password",
LOGON32_LOGON_NETWORK_CLEARTEXT,
LOGON32_PROVIDER_DEFAULT,
&hToken
);
Also, when you no longer need the hToken, you should call:
CloseHandle( hToken );
--
Yu Chen [MS]
This posting is provided "AS IS" with no warranties, and confers no rights.
"David Kaplan" <no....@no.spam> wrote in message
news:44db01c2f3fd$5a580ab0$2f01...@phx.gbl...
>.
>