Authenticating against network server using non-domain account

I need to access the scheduler service on a network computer in order to manipulate it remotely from .NET; I have all of the necessary code to perform the manipulation and it works - great - but I am having problems with authentication.

I have tried using LogonUser and this works fine with a domain account, however it is not possible to use this with an account that is defined only on the remote computer - it only works with local or domain accounts.

Any suggestions as to how I can authenticate my connection to the remote PC using a logon and password local to that machine?

re: Authenticating against network server using non-domain account

Martin,

Have you tried using the machine name in the domain parameter?


--
- Nicholas Paldino [.NET/C# MVP]
- mvp@spam.guard.caspershouse.com
"Martin Robins" <martin dot robins at technicaldirect dot co dot uk> wrote in message news:e9Ma45kAGHA.2788@TK2MSFTNGP14.phx.gbl...
I need to access the scheduler service on a network computer in order to manipulate it remotely from .NET; I have all of the necessary code to perform the manipulation and it works - great - but I am having problems with authentication.

I have tried using LogonUser and this works fine with a domain account, however it is not possible to use this with an account that is defined only on the remote computer - it only works with local or domain accounts.

Any suggestions as to how I can authenticate my connection to the remote PC using a logon and password local to that machine?

re: Authenticating against network server using non-domain account

I have; it is not accepted.

LogonUser will only work when specifying the local machine name or a domain name that is valid for the local machine as you are effectively logging a new user onto that machine (and of course a local user on another machine would not be able to log onto the local machine).

Cheers.

"Nicholas Paldino [.NET/C# MVP]" <mvp@spam.guard.caspershouse.com> wrote in message news:ufuP8IlAGHA.2704@TK2MSFTNGP15.phx.gbl...
Martin,

Have you tried using the machine name in the domain parameter?


--
- Nicholas Paldino [.NET/C# MVP]
- mvp@spam.guard.caspershouse.com
"Martin Robins" <martin dot robins at technicaldirect dot co dot uk> wrote in message news:e9Ma45kAGHA.2788@TK2MSFTNGP14.phx.gbl...
I need to access the scheduler service on a network computer in order to manipulate it remotely from .NET; I have all of the necessary code to perform the manipulation and it works - great - but I am having problems with authentication.

I have tried using LogonUser and this works fine with a domain account, however it is not possible to use this with an account that is defined only on the remote computer - it only works with local or domain accounts.

Any suggestions as to how I can authenticate my connection to the remote PC using a logon and password local to that machine?

re: Authenticating against network server using non-domain account

P.S. I've looked at
WebConfigurationManager.GetWebApplication("system. net/mailSettings");

But I can never get that to return anything and the only example I can find
with it being used is with ConnectionStrings.

I would have thought this would have worked.

SmtpSection smtpSec =
WebConfigurationManager.GetWebApplicationSection(" mailSettings") as
SmtpSection;

Debug.WriteLine(smtpSect.Network.UserName);

But smtpSec is always null

re: Authenticating against network server using non-domain account

Not accepted is a little vague isn't it? What is the return code of the LogonUser call? Some code would help also.
LogonUser doesn't "log on", it retuns an access token that can be used to access the remote server, so when you specify the credentials, as valid on a remote server, this server 'security system' returns a token that can be used to access the remote server when "impersonating".

Willy.

"Martin Robins" <martin dot robins at technicaldirect dot co dot uk> wrote in message news:e7dADQmAGHA.3352@TK2MSFTNGP10.phx.gbl...
I have; it is not accepted.

LogonUser will only work when specifying the local machine name or a domain name that is valid for the local machine as you are effectively logging a new user onto that machine (and of course a local user on another machine would not be able to log onto the local machine).

Cheers.

"Nicholas Paldino [.NET/C# MVP]" <mvp@spam.guard.caspershouse.com> wrote in message news:ufuP8IlAGHA.2704@TK2MSFTNGP15.phx.gbl...
Martin,

Have you tried using the machine name in the domain parameter?


--
- Nicholas Paldino [.NET/C# MVP]
- mvp@spam.guard.caspershouse.com
"Martin Robins" <martin dot robins at technicaldirect dot co dot uk> wrote in message news:e9Ma45kAGHA.2788@TK2MSFTNGP14.phx.gbl...
I need to access the scheduler service on a network computer in order to manipulate it remotely from .NET; I have all of the necessary code to perform the manipulation and it works - great - but I am having problems with authentication.

I have tried using LogonUser and this works fine with a domain account, however it is not possible to use this with an account that is defined only on the remote computer - it only works with local or domain accounts.

Any suggestions as to how I can authenticate my connection to the remote PC using a logon and password local to that machine?

re: Authenticating against network server using non-domain account

IntPtr tokenHandle = new IntPtr(0), duplicateTokenHandle = new IntPtr(0);

bool result = advapi32.LogonUser(userName, domain, password, advapi32.LogonType.Interactive, advapi32.LogonProvider.Default, ref tokenHandle);

LogonType.Interactive = 2, LogonProvider.Default = 0


Sorry; error code is 1326 - "Logon failure: unknown user name or bad password" even though the details are correct (I created the account specifically).


"Willy Denoyette [MVP]" <willy.denoyette@telenet.be> wrote in message news:OxcgIbmAGHA.4004@TK2MSFTNGP15.phx.gbl...
Not accepted is a little vague isn't it? What is the return code of the LogonUser call? Some code would help also.
LogonUser doesn't "log on", it retuns an access token that can be used to access the remote server, so when you specify the credentials, as valid on a remote server, this server 'security system' returns a token that can be used to access the remote server when "impersonating".

Willy.

"Martin Robins" <martin dot robins at technicaldirect dot co dot uk> wrote in message news:e7dADQmAGHA.3352@TK2MSFTNGP10.phx.gbl...
I have; it is not accepted.

LogonUser will only work when specifying the local machine name or a domain name that is valid for the local machine as you are effectively logging a new user onto that machine (and of course a local user on another machine would not be able to log onto the local machine).

Cheers.

"Nicholas Paldino [.NET/C# MVP]" <mvp@spam.guard.caspershouse.com> wrote in message news:ufuP8IlAGHA.2704@TK2MSFTNGP15.phx.gbl...
Martin,

Have you tried using the machine name in the domain parameter?


--
- Nicholas Paldino [.NET/C# MVP]
- mvp@spam.guard.caspershouse.com
"Martin Robins" <martin dot robins at technicaldirect dot co dot uk> wrote in message news:e9Ma45kAGHA.2788@TK2MSFTNGP14.phx.gbl...
I need to access the scheduler service on a network computer in order to manipulate it remotely from .NET; I have all of the necessary code to perform the manipulation and it works - great - but I am having problems with authentication.

I have tried using LogonUser and this works fine with a domain account, however it is not possible to use this with an account that is defined only on the remote computer - it only works with local or domain accounts.

Any suggestions as to how I can authenticate my connection to the remote PC using a logon and password local to that machine?

re: Authenticating against network server using non-domain account

Have you tried logging in with an account local to the server that has the same username and password as the user on the remote machine and impersonating that instead? My understanding is that this "trick" will work with NTLM in a situation where you can't use domain accounts/Kerberos.

Joe K.

"Martin Robins" <martin dot robins at technicaldirect dot co dot uk> wrote in message news:eysELimAGHA.3184@TK2MSFTNGP10.phx.gbl...
IntPtr tokenHandle = new IntPtr(0), duplicateTokenHandle = new IntPtr(0);

bool result = advapi32.LogonUser(userName, domain, password, advapi32.LogonType.Interactive, advapi32.LogonProvider.Default, ref tokenHandle);

LogonType.Interactive = 2, LogonProvider.Default = 0


Sorry; error code is 1326 - "Logon failure: unknown user name or bad password" even though the details are correct (I created the account specifically).


"Willy Denoyette [MVP]" <willy.denoyette@telenet.be> wrote in message news:OxcgIbmAGHA.4004@TK2MSFTNGP15.phx.gbl...
Not accepted is a little vague isn't it? What is the return code of the LogonUser call? Some code would help also.
LogonUser doesn't "log on", it retuns an access token that can be used to access the remote server, so when you specify the credentials, as valid on a remote server, this server 'security system' returns a token that can be used to access the remote server when "impersonating".

Willy.

"Martin Robins" <martin dot robins at technicaldirect dot co dot uk> wrote in message news:e7dADQmAGHA.3352@TK2MSFTNGP10.phx.gbl...
I have; it is not accepted.

LogonUser will only work when specifying the local machine name or a domain name that is valid for the local machine as you are effectively logging a new user onto that machine (and of course a local user on another machine would not be able to log onto the local machine).

Cheers.

"Nicholas Paldino [.NET/C# MVP]" <mvp@spam.guard.caspershouse.com> wrote in message news:ufuP8IlAGHA.2704@TK2MSFTNGP15.phx.gbl...
Martin,

Have you tried using the machine name in the domain parameter?


--
- Nicholas Paldino [.NET/C# MVP]
- mvp@spam.guard.caspershouse.com
"Martin Robins" <martin dot robins at technicaldirect dot co dot uk> wrote in message news:e9Ma45kAGHA.2788@TK2MSFTNGP14.phx.gbl...
I need to access the scheduler service on a network computer in order to manipulate it remotely from .NET; I have all of the necessary code to perform the manipulation and it works - great - but I am having problems with authentication.

I have tried using LogonUser and this works fine with a domain account, however it is not possible to use this with an account that is defined only on the remote computer - it only works with local or domain accounts.

Any suggestions as to how I can authenticate my connection to the remote PC using a logon and password local to that machine?

re: Authenticating against network server using non-domain account

No, interactive will not work. you need to call LogonUser with LOGON32_LOGON_NEW_CREDENTIALS, this logon type returns an access token that will get used to access the network resource while cloning the access token of the current logon user and use this one to access local resources.
Note that this requires W2K or higher.

Willy.

"Martin Robins" <martin dot robins at technicaldirect dot co dot uk> wrote in message news:eysELimAGHA.3184@TK2MSFTNGP10.phx.gbl...
IntPtr tokenHandle = new IntPtr(0), duplicateTokenHandle = new IntPtr(0);

bool result = advapi32.LogonUser(userName, domain, password, advapi32.LogonType.Interactive, advapi32.LogonProvider.Default, ref tokenHandle);

LogonType.Interactive = 2, LogonProvider.Default = 0


Sorry; error code is 1326 - "Logon failure: unknown user name or bad password" even though the details are correct (I created the account specifically).


"Willy Denoyette [MVP]" <willy.denoyette@telenet.be> wrote in message news:OxcgIbmAGHA.4004@TK2MSFTNGP15.phx.gbl...
Not accepted is a little vague isn't it? What is the return code of the LogonUser call? Some code would help also.
LogonUser doesn't "log on", it retuns an access token that can be used to access the remote server, so when you specify the credentials, as valid on a remote server, this server 'security system' returns a token that can be used to access the remote server when "impersonating".

Willy.

"Martin Robins" <martin dot robins at technicaldirect dot co dot uk> wrote in message news:e7dADQmAGHA.3352@TK2MSFTNGP10.phx.gbl...
I have; it is not accepted.

LogonUser will only work when specifying the local machine name or a domain name that is valid for the local machine as you are effectively logging a new user onto that machine (and of course a local user on another machine would not be able to log onto the local machine).

Cheers.

"Nicholas Paldino [.NET/C# MVP]" <mvp@spam.guard.caspershouse.com> wrote in message news:ufuP8IlAGHA.2704@TK2MSFTNGP15.phx.gbl...
Martin,

Have you tried using the machine name in the domain parameter?


--
- Nicholas Paldino [.NET/C# MVP]
- mvp@spam.guard.caspershouse.com
"Martin Robins" <martin dot robins at technicaldirect dot co dot uk> wrote in message news:e9Ma45kAGHA.2788@TK2MSFTNGP14.phx.gbl...
I need to access the scheduler service on a network computer in order to manipulate it remotely from .NET; I have all of the necessary code to perform the manipulation and it works - great - but I am having problems with authentication.

I have tried using LogonUser and this works fine with a domain account, however it is not possible to use this with an account that is defined only on the remote computer - it only works with local or domain accounts.

Any suggestions as to how I can authenticate my connection to the remote PC using a logon and password local to that machine?

re: Authenticating against network server using non-domain account

Joe,

This should do as well, but is not needed on W2K or higher (needs the kerberos provider). Much better is to use "split token identity", as provided by using LOGON32_LOGON_NEW_CREDENTIALS as logontype.

Willy.

"Joe Kaplan (MVP - ADSI)" <joseph.e.kaplan@removethis.accenture.com> wrote in message news:%23B8g9inAGHA.2620@tk2msftngp13.phx.gbl...
Have you tried logging in with an account local to the server that has the same username and password as the user on the remote machine and impersonating that instead? My understanding is that this "trick" will work with NTLM in a situation where you can't use domain accounts/Kerberos.

Joe K.

"Martin Robins" <martin dot robins at technicaldirect dot co dot uk> wrote in message news:eysELimAGHA.3184@TK2MSFTNGP10.phx.gbl...
IntPtr tokenHandle = new IntPtr(0), duplicateTokenHandle = new IntPtr(0);

bool result = advapi32.LogonUser(userName, domain, password, advapi32.LogonType.Interactive, advapi32.LogonProvider.Default, ref tokenHandle);

LogonType.Interactive = 2, LogonProvider.Default = 0


Sorry; error code is 1326 - "Logon failure: unknown user name or bad password" even though the details are correct (I created the account specifically).


"Willy Denoyette [MVP]" <willy.denoyette@telenet.be> wrote in message news:OxcgIbmAGHA.4004@TK2MSFTNGP15.phx.gbl...
Not accepted is a little vague isn't it? What is the return code of the LogonUser call? Some code would help also.
LogonUser doesn't "log on", it retuns an access token that can be used to access the remote server, so when you specify the credentials, as valid on a remote server, this server 'security system' returns a token that can be used to access the remote server when "impersonating".

Willy.

"Martin Robins" <martin dot robins at technicaldirect dot co dot uk> wrote in message news:e7dADQmAGHA.3352@TK2MSFTNGP10.phx.gbl...
I have; it is not accepted.

LogonUser will only work when specifying the local machine name or a domain name that is valid for the local machine as you are effectively logging a new user onto that machine (and of course a local user on another machine would not be able to log onto the local machine).

Cheers.

"Nicholas Paldino [.NET/C# MVP]" <mvp@spam.guard.caspershouse.com> wrote in message news:ufuP8IlAGHA.2704@TK2MSFTNGP15.phx.gbl...
Martin,

Have you tried using the machine name in the domain parameter?


--
- Nicholas Paldino [.NET/C# MVP]
- mvp@spam.guard.caspershouse.com
"Martin Robins" <martin dot robins at technicaldirect dot co dot uk> wrote in message news:e9Ma45kAGHA.2788@TK2MSFTNGP14.phx.gbl...
I need to access the scheduler service on a network computer in order to manipulate it remotely from .NET; I have all of the necessary code to perform the manipulation and it works - great - but I am having problems with authentication.

I have tried using LogonUser and this works fine with a domain account, however it is not possible to use this with an account that is defined only on the remote computer - it only works with local or domain accounts.

Any suggestions as to how I can authenticate my connection to the remote PC using a logon and password local to that machine?

re: Authenticating against network server using non-domain account

Neato, thanks.

I'm still learning what all those flags do.

Joe K.

"Willy Denoyette [MVP]" <willy.denoyette@telenet.be> wrote in message news:O%23%23zVnoAGHA.2704@TK2MSFTNGP15.phx.gbl...
Joe,

This should do as well, but is not needed on W2K or higher (needs the kerberos provider). Much better is to use "split token identity", as provided by using LOGON32_LOGON_NEW_CREDENTIALS as logontype.

Willy.

re: Authenticating against network server using non-domain account

Thanks very much; that does exactly what I wanted.
"Willy Denoyette [MVP]" <willy.denoyette@telenet.be> wrote in message news:%23dMDIeoAGHA.208@tk2msftngp13.phx.gbl...
No, interactive will not work. you need to call LogonUser with LOGON32_LOGON_NEW_CREDENTIALS, this logon type returns an access token that will get used to access the network resource while cloning the access token of the current logon user and use this one to access local resources.
Note that this requires W2K or higher.

Willy.

"Martin Robins" <martin dot robins at technicaldirect dot co dot uk> wrote in message news:eysELimAGHA.3184@TK2MSFTNGP10.phx.gbl...
IntPtr tokenHandle = new IntPtr(0), duplicateTokenHandle = new IntPtr(0);

bool result = advapi32.LogonUser(userName, domain, password, advapi32.LogonType.Interactive, advapi32.LogonProvider.Default, ref tokenHandle);

LogonType.Interactive = 2, LogonProvider.Default = 0


Sorry; error code is 1326 - "Logon failure: unknown user name or bad password" even though the details are correct (I created the account specifically).


"Willy Denoyette [MVP]" <willy.denoyette@telenet.be> wrote in message news:OxcgIbmAGHA.4004@TK2MSFTNGP15.phx.gbl...
Not accepted is a little vague isn't it? What is the return code of the LogonUser call? Some code would help also.
LogonUser doesn't "log on", it retuns an access token that can be used to access the remote server, so when you specify the credentials, as valid on a remote server, this server 'security system' returns a token that can be used to access the remote server when "impersonating".

Willy.

"Martin Robins" <martin dot robins at technicaldirect dot co dot uk> wrote in message news:e7dADQmAGHA.3352@TK2MSFTNGP10.phx.gbl...
I have; it is not accepted.

LogonUser will only work when specifying the local machine name or a domain name that is valid for the local machine as you are effectively logging a new user onto that machine (and of course a local user on another machine would not be able to log onto the local machine).

Cheers.

"Nicholas Paldino [.NET/C# MVP]" <mvp@spam.guard.caspershouse.com> wrote in message news:ufuP8IlAGHA.2704@TK2MSFTNGP15.phx.gbl...
Martin,

Have you tried using the machine name in the domain parameter?


--
- Nicholas Paldino [.NET/C# MVP]
- mvp@spam.guard.caspershouse.com
"Martin Robins" <martin dot robins at technicaldirect dot co dot uk> wrote in message news:e9Ma45kAGHA.2788@TK2MSFTNGP14.phx.gbl...
I need to access the scheduler service on a network computer in order to manipulate it remotely from .NET; I have all of the necessary code to perform the manipulation and it works - great - but I am having problems with authentication.

I have tried using LogonUser and this works fine with a domain account, however it is not possible to use this with an account that is defined only on the remote computer - it only works with local or domain accounts.

Any suggestions as to how I can authenticate my connection to the remote PC using a logon and password local to that machine?