Having a few strage behaviours with this function, mainly in that when I try
to logon to another computer with a different name/pass to the current user
of the local machine, it tries to impersonate me, not the credentials I gave
it.
LogonUser succeeds only when using LOGON32_LOGON_NEW_CREDENTIALS (9). Any
other LogonType causes error 126: Specified module could not be found -
whatever that means...
The initial WindowsIdentity.GetCurrent() reveals "DELLWING\Trent" as the
user, which is my local account. Upon success of LogonUser I create a new
WindowsIdentity with the received token. Printing out the details reveals
"DELLWING\Trent" as the user, even though I supplied "Administrator" and the
password of the remote box. I then get "Unable to Impersonate User" when
trying Impersonate().
Why would the token come back represent me when I specified a whole nother
user and computer?
My code looks like this currently (thanks to Willy Denoyette).
-----------------------
using System;
using System.Runtime.InteropServices;
using System.Security.Principal;
using System.Security.Permissions;
namespace SecurityTest
{
/// <summary>
/// Summary description for Class1.
/// </summary>
class SecurityTest
{
[DllImport("advapi32.DLL")]
public static extern int LogonUser(string lpszUsername, string lpszDomain,
string lpszPassword, int dwLogonType, int dwLogonProvider, out IntPtr
phToken);
/// <summary>
/// The main entry point for the application.
/// </summary>
[STAThread]
static void Main(string[] args)
{
IntPtr admin_token;
// This works fine
WindowsIdentity wid_current = WindowsIdentity.GetCurrent();
Console.WriteLine("Current Name: " + wid_current.Name);
Console.WriteLine("Current Token: " + wid_current.Token);
if (LogonUser("Administrator", "192.168.0.5", "password", 9, 0, out
admin_token) != 0)
{
WindowsIdentity wid_admin = new WindowsIdentity(admin_token);
Console.WriteLine("Remote Name: " + wid_admin.Name);
Console.WriteLine("Remote Token: " + wid_admin.Token);
WindowsImpersonationContext wic = null;
try
{
wic = wid_admin.Impersonate();
// Always get an exception here after Impersonate
System.IO.File.Copy("C:\\test_read\\test.txt",
"\\\\192.168.0.5\\trent\\test.txt", true);
}
catch (System.Exception se)
{
Console.WriteLine(se.Message);
}
finally
{
if (wic != null) wic.Undo();
}
}
else
{
int ret = Marshal.GetLastWin32Error();
Console.WriteLine(ret.ToString(), "Error");
}
}
} 2 5076
"BLiTZWiNG" <BL*******@discussions.microsoft.com> wrote in message
news:D0**********************************@microsof t.com... Having a few strage behaviours with this function, mainly in that when I try to logon to another computer with a different name/pass to the current user of the local machine, it tries to impersonate me, not the credentials I gave it.
LogonUser succeeds only when using LOGON32_LOGON_NEW_CREDENTIALS (9). Any other LogonType causes error 126: Specified module could not be found - whatever that means...
The initial WindowsIdentity.GetCurrent() reveals "DELLWING\Trent" as the user, which is my local account. Upon success of LogonUser I create a new WindowsIdentity with the received token. Printing out the details reveals "DELLWING\Trent" as the user, even though I supplied "Administrator" and the password of the remote box. I then get "Unable to Impersonate User" when trying Impersonate().
Why would the token come back represent me when I specified a whole nother user and computer?
My code looks like this currently (thanks to Willy Denoyette). ----------------------- using System; using System.Runtime.InteropServices; using System.Security.Principal; using System.Security.Permissions;
namespace SecurityTest { /// <summary> /// Summary description for Class1. /// </summary> class SecurityTest { [DllImport("advapi32.DLL")] public static extern int LogonUser(string lpszUsername, string lpszDomain, string lpszPassword, int dwLogonType, int dwLogonProvider, out IntPtr phToken);
/// <summary> /// The main entry point for the application. /// </summary> [STAThread] static void Main(string[] args) { IntPtr admin_token;
// This works fine WindowsIdentity wid_current = WindowsIdentity.GetCurrent(); Console.WriteLine("Current Name: " + wid_current.Name); Console.WriteLine("Current Token: " + wid_current.Token);
if (LogonUser("Administrator", "192.168.0.5", "password", 9, 0, out admin_token) != 0) { WindowsIdentity wid_admin = new WindowsIdentity(admin_token); Console.WriteLine("Remote Name: " + wid_admin.Name); Console.WriteLine("Remote Token: " + wid_admin.Token);
WindowsImpersonationContext wic = null; try { wic = wid_admin.Impersonate(); // Always get an exception here after Impersonate
System.IO.File.Copy("C:\\test_read\\test.txt", "\\\\192.168.0.5\\trent\\test.txt", true);
} catch (System.Exception se) { Console.WriteLine(se.Message); } finally { if (wic != null) wic.Undo(); } } else { int ret = Marshal.GetLastWin32Error(); Console.WriteLine(ret.ToString(), "Error"); } } }
A few remarks:
LogonUser returns or a "direct" token or an "impersonation" token. A direct
token kan be used to impersonate, an impersonation token cannot and will
return an error.
Both LOGON32_LOGON_NEW_CREDENTIALS (9) and LOGON32_LOGON_NETWORK_CLEARTEXT
Logontypes returns a direct token, but LOGON32_LOGON_NETWORK does not.
Why the error 126? The reason is that the original error code is lost in the
call chain. To prevent this you should add SetLastError=true in the
DllImport.
[DllImport("advapi32.DLL"), SetLastError=true]
Why is the local identity still the same, simply because logontype 9 returns
a clone of the current token but also creates a hidden secondary token.
The clone will be used to access local resources while the secondary token
will ONLY be used when accessing remote resources.
Logontype 9 requires a "negotiate" logon provider (W2K or higher), when
running on W2K the default however is NTLM, so it's better to specify
LOGON32_PROVIDER_WINNT50 (5) a logon provider to make sure negotiate is used
in all cases.
if (LogonUser("Administrator", "192.168.0.5", "password", 9, 5, out
admin_token) != 0)
Willy.
Thanks again Willy. I will try what you have suggested here.
However note that I used unmanaged function ImpersonateLoggedOnUser and
succeeded with the copy, so I at least have a solution. I'm not sure if there
are downsides to that way though. I am still going to persist with the
managed way.
Also note that the 2k3 server I'm trying to copy to is now suffering UserEnv
errors 1058 (unable to save group policy object) :/ I can see there is a fix
for it but I have to discuss it with my boss.
"Willy Denoyette [MVP]" wrote: "BLiTZWiNG" <BL*******@discussions.microsoft.com> wrote in message news:D0**********************************@microsof t.com... Having a few strage behaviours with this function, mainly in that when I try to logon to another computer with a different name/pass to the current user of the local machine, it tries to impersonate me, not the credentials I gave it.
LogonUser succeeds only when using LOGON32_LOGON_NEW_CREDENTIALS (9). Any other LogonType causes error 126: Specified module could not be found - whatever that means...
The initial WindowsIdentity.GetCurrent() reveals "DELLWING\Trent" as the user, which is my local account. Upon success of LogonUser I create a new WindowsIdentity with the received token. Printing out the details reveals "DELLWING\Trent" as the user, even though I supplied "Administrator" and the password of the remote box. I then get "Unable to Impersonate User" when trying Impersonate().
Why would the token come back represent me when I specified a whole nother user and computer?
My code looks like this currently (thanks to Willy Denoyette). ----------------------- using System; using System.Runtime.InteropServices; using System.Security.Principal; using System.Security.Permissions;
namespace SecurityTest { /// <summary> /// Summary description for Class1. /// </summary> class SecurityTest { [DllImport("advapi32.DLL")] public static extern int LogonUser(string lpszUsername, string lpszDomain, string lpszPassword, int dwLogonType, int dwLogonProvider, out IntPtr phToken);
/// <summary> /// The main entry point for the application. /// </summary> [STAThread] static void Main(string[] args) { IntPtr admin_token;
// This works fine WindowsIdentity wid_current = WindowsIdentity.GetCurrent(); Console.WriteLine("Current Name: " + wid_current.Name); Console.WriteLine("Current Token: " + wid_current.Token);
if (LogonUser("Administrator", "192.168.0.5", "password", 9, 0, out admin_token) != 0) { WindowsIdentity wid_admin = new WindowsIdentity(admin_token); Console.WriteLine("Remote Name: " + wid_admin.Name); Console.WriteLine("Remote Token: " + wid_admin.Token);
WindowsImpersonationContext wic = null; try { wic = wid_admin.Impersonate(); // Always get an exception here after Impersonate
System.IO.File.Copy("C:\\test_read\\test.txt", "\\\\192.168.0.5\\trent\\test.txt", true);
} catch (System.Exception se) { Console.WriteLine(se.Message); } finally { if (wic != null) wic.Undo(); } } else { int ret = Marshal.GetLastWin32Error(); Console.WriteLine(ret.ToString(), "Error"); } } }
A few remarks: LogonUser returns or a "direct" token or an "impersonation" token. A direct token kan be used to impersonate, an impersonation token cannot and will return an error. Both LOGON32_LOGON_NEW_CREDENTIALS (9) and LOGON32_LOGON_NETWORK_CLEARTEXT Logontypes returns a direct token, but LOGON32_LOGON_NETWORK does not.
Why the error 126? The reason is that the original error code is lost in the call chain. To prevent this you should add SetLastError=true in the DllImport.
[DllImport("advapi32.DLL"), SetLastError=true]
Why is the local identity still the same, simply because logontype 9 returns a clone of the current token but also creates a hidden secondary token. The clone will be used to access local resources while the secondary token will ONLY be used when accessing remote resources.
Logontype 9 requires a "negotiate" logon provider (W2K or higher), when running on W2K the default however is NTLM, so it's better to specify LOGON32_PROVIDER_WINNT50 (5) a logon provider to make sure negotiate is used in all cases.
if (LogonUser("Administrator", "192.168.0.5", "password", 9, 5, out admin_token) != 0)
Willy.
This thread has been closed and replies have been disabled. Please start a new discussion. Similar topics
by: Mike |
last post by:
Any help would be greatly appreciated.
Based on MS KB article Q248187 (HOWTO: Impersonate a User from Active
Server Pages), I developed an ActiveX DLL (using VB6.0 Enterprise
SP5), and deployed...
|
by: Nimi |
last post by:
When I run my application , the LogonUser method fails the exception is
"LogonUser failed with error code :1314".
I know the error is because of some privileges .
I am using Windows 2000 sp4. I...
|
by: Rich |
last post by:
I am running IIS6 on a Win2k3 server.
I have an ASP.Net app (C#) that a user logs into and then I use
LogonUser to validate them and log them onto the server. I have
Windows Authentication ONLY...
|
by: Zeno Lee |
last post by:
I'm trying to authenticate a user against a windows network. I want it to
work across any kind of windows network from NT 4.0 up to Windows 2003 ADS.
So far I've been using DirectoryEntry and...
|
by: Dan |
last post by:
All,
I am attempting to use the LogonUser API in an
application. However, everytime I attempt to validate an
account using this I get an error. The code is 1421 which
has a description of...
|
by: Jason |
last post by:
I have an ASP.NET application with forms authentication.
However, the login details correspond to a Windows account
(I cannot use Windows authentication). If I obtain a token
with LogonUser, can I...
|
by: schaf |
last post by:
Hi NG !
I used the examples on the internet to create a Impersonate class which
allows me to log on as another user. After logged on as the new user I
could access files on a remote computer,...
|
by: Sajid |
last post by:
I use LogonUser for user authentication against AD. When I run this in XP is
works fine. But it gives me a Win32 Error 1314 (ERROR_PRIVILEGE_NOT_HELD) in
Win 2000. Any idea why and how do I solve...
|
by: nild |
last post by:
Hello
i have a strange problem. I'm using LogonUser to impersonate the user
under which my program must run. On Win XP or Server 2003 it works. But
on 2000 it doesn't. So i found out, to set...
|
by: emmanuelkatto |
last post by:
Hi All, I am Emmanuel katto from Uganda. I want to ask what challenges you've faced while migrating a website to cloud.
Please let me know.
Thanks!
Emmanuel
|
by: BarryA |
last post by:
What are the essential steps and strategies outlined in the Data Structures and Algorithms (DSA) roadmap for aspiring data scientists? How can individuals effectively utilize this roadmap to progress...
|
by: Sonnysonu |
last post by:
This is the data of csv file
1 2 3
1 2 3
1 2 3
1 2 3
2 3
2 3
3
the lengths should be different i have to store the data by column-wise with in the specific length.
suppose the i have to...
|
by: Hystou |
last post by:
There are some requirements for setting up RAID:
1. The motherboard and BIOS support RAID configuration.
2. The motherboard has 2 or more available SATA protocol SSD/HDD slots (including MSATA, M.2...
|
by: marktang |
last post by:
ONU (Optical Network Unit) is one of the key components for providing high-speed Internet services. Its primary function is to act as an endpoint device located at the user's premises. However,...
|
by: Oralloy |
last post by:
Hello folks,
I am unable to find appropriate documentation on the type promotion of bit-fields when using the generalised comparison operator "<=>".
The problem is that using the GNU compilers,...
|
by: jinu1996 |
last post by:
In today's digital age, having a compelling online presence is paramount for businesses aiming to thrive in a competitive landscape. At the heart of this digital strategy lies an intricately woven...
|
by: Hystou |
last post by:
Overview:
Windows 11 and 10 have less user interface control over operating system update behaviour than previous versions of Windows. In Windows 11 and 10, there is no way to turn off the Windows...
|
by: tracyyun |
last post by:
Dear forum friends,
With the development of smart home technology, a variety of wireless communication protocols have appeared on the market, such as Zigbee, Z-Wave, Wi-Fi, Bluetooth, etc. Each...
| |