473,321 Members | 1,708 Online
Bytes | Software Development & Data Engineering Community
Post Job

Home Posts Topics Members FAQ

Join Bytes to post your question to a community of 473,321 software developers and data experts.

Verify a Windows Account

I have an application that allows a user to enter a user name, user password, and the domain or machine name. From this information I would like to verify the user account and password is valid. This must work for either a domain or a local machine account. I have tried to find examples from the web and it seems every example that I have found does not work or produces odd results.

I have tested each of these on Windows 2000, Windows XP, Windows 2003. But I have not found a solution that works for all of them consitantly. Actually the three attempts do not even return the same results. Some may return success while another returns false for the same user!!. Then on say XP it is the opposite where one returns false but the other will work and then on some accounts it just does not work at all.

I will even take help in determining why these are not acting the same on all servers.
The authUserLocal does not seem to work all of the time.
static bool authUserLocal(string username, string password)
{
string path = "WinNT://" + Environment.MachineName + ",computer";
DirectoryEntry entry = new DirectoryEntry(path, username, password);
try
{
Object o = entry.NativeGuid;
return true;
}
catch
{
return false;
}

}

static bool authUserAD(string username,string password)
{
DirectoryEntry entry = new DirectoryEntry("LDAP://" + Environment.GetEnvironmentVariable("USERDNSDOMAIN" ).ToString(),username,password);
try
{
Object o = entry.NativeGuid;
return true;
}
catch
{
return false;
}
}

and this is another attempt..
public class UserLogon
{
[DllImport("advapi32.dll")]
public static extern bool LogonUser(string lpszUsername,
string lpszDomain,
string lpszPassword,
int dwLogonType,
int dwLogonProvider,
ref IntPtr phToken);

//CloseHandle parameters. When you are finished,
//free the memory allocated for the handle.
[DllImport("kernel32.dll",
CharSet=System.Runtime.InteropServices.CharSet.Aut o)]
public static extern bool CloseHandle(IntPtr handle);

public static bool logonUser(string username, string domain, string userpassword)
{
//LogonUser parameters

IntPtr tokenHandle = IntPtr.Zero;

try
{
const int LOGON32_PROVIDER_DEFAULT = 0;
const int LOGON32_LOGON_NETWORK = 3;

//Call LogonUser to obtain a
//handle to an access token

bool returnValue = true;

returnValue = LogonUser(username, domain,
userpassword,
LOGON32_LOGON_NETWORK,
LOGON32_PROVIDER_DEFAULT,
ref tokenHandle);

if(false == returnValue)
{
Console.Write("LogonUser failed...");
return false;
}

CloseHandle(tokenHandle);
return true;
}
catch (Exception ex)
{
Console.WriteLine(ex.Message);
}
return true;

}

}
public class ClassAuth
{
[DllImport("C:\\WINNT\\System32\\advapi32.dll")]
public static extern bool LogonUser(String lpszUsername, String lpszDomain, String lpszPassword,
int dwLogonType, int dwLogonProvider, out int phToken);

[DllImport("C:\\WINNT\\System32\\Kernel32.dll")]
public static extern int GetLastError();
public bool SetLogin(string uid,string pwd) //,HttpContext context)
{
try
{
int token1;
bool loggedOn = LogonUser(uid,".",pwd,2,0,out token1);
IntPtr token2 = new IntPtr(token1);

WindowsIdentity wi = new WindowsIdentity(token2);
//WindowsPrincipal wp = new WindowsPrincipal(wi);
//HttpContext.Current.User = wp;
return true;
}
catch(Exception exp)
{
MessageBox.Show( exp.Message );
return false;
}
}

}
Jul 21 '05 #1
4 3656
"Reader" <po******@news.group> wrote in message
news:uT*************@TK2MSFTNGP09.phx.gbl...
I have an application that allows a user to enter a
user name, user password, and the domain or
machine name. From this information I would like to
verify the user account and password is valid. This
must work for either a domain or a local machine
account. I have tried to find examples from the web
and it seems every example that I have found does
not work or produces odd results.
As if you didn't have enough approaches, I put together a quick little hack
in C# that alllows for verification of the password by means of the native
function LogonUser(). I just tested it logging in to the local machine as
well as a domain. Seems to work OK. I'll post it, if you think it will help
you.
I have tested each of these on Windows 2000,
Windows XP, Windows 2003. But I have not found
a solution that works for all of them consitantly.


For one of the methods, at least, this is by design.

Before XP, in order to use the LogonUser() function the owner of the calling
thread must have the SE_TCB_NAME privilege (friendly name "act as part of
the operating system"). The LocalSystem account has the privilege out of the
box but to give other accounts such an elevated privilege is scary. So,
beginning with XP, the privilege is no longer required. This _could_ be the
source of _some_ of the perceived inconsistency.

Regards,
Will
Jul 21 '05 #2
If you would please post your test I would like to see if I too will be able
to get it to work.

I'll look into that privilage issue on the 2000 servers that I have here.
The amusing thing is that on my 2000 servers I was only able to verify the
user name and password that I was currently using but if I entered anything
else that would not work. Really strange I know... :P This all could be
just user issues.
"William DePalo [MVP VC++]" <wi***********@mvps.org> wrote in message
news:uB**************@TK2MSFTNGP11.phx.gbl...
"Reader" <po******@news.group> wrote in message
news:uT*************@TK2MSFTNGP09.phx.gbl...
I have an application that allows a user to enter a
user name, user password, and the domain or
machine name. From this information I would like to
verify the user account and password is valid. This
must work for either a domain or a local machine
account. I have tried to find examples from the web
and it seems every example that I have found does
not work or produces odd results.
As if you didn't have enough approaches, I put together a quick little

hack in C# that alllows for verification of the password by means of the native
function LogonUser(). I just tested it logging in to the local machine as
well as a domain. Seems to work OK. I'll post it, if you think it will help you.
I have tested each of these on Windows 2000,
Windows XP, Windows 2003. But I have not found
a solution that works for all of them consitantly.
For one of the methods, at least, this is by design.

Before XP, in order to use the LogonUser() function the owner of the

calling thread must have the SE_TCB_NAME privilege (friendly name "act as part of
the operating system"). The LocalSystem account has the privilege out of the box but to give other accounts such an elevated privilege is scary. So,
beginning with XP, the privilege is no longer required. This _could_ be the source of _some_ of the perceived inconsistency.

Regards,
Will

Jul 21 '05 #3
"Reader" <po******@news.group> wrote in message
news:%2******************@TK2MSFTNGP12.phx.gbl...
If you would please post your test I would like to see if I too will be
able
to get it to work.


OK, sure.

First the disclaimer: I am a C++/Win32 kinda guy. For now, any C#/.Net I do
is strictly for fun. So I make no claim about best practices. My little hack
uses the runtime's Platform Invoke service to get at the Win32 API that I
know well. The C# wrapper class uses some "unsafe" methods.

A very quick scan of the docs seems to indicate that the WindowsIdentity
class may hold some promise and in fact be a better approach.

That said, this program prints the user name under which it is running,
tries to log in to a domain account and if successful switches the thread
context to that of a domain user. It demonstrates that by printing the name
of the user a second time. I tested it here, on Windows XP Pro/SP2, logging
in once to an account on the local machine and once to a domain account.

This is the test program:

using System;

class Class1
{
[STAThread]
static void Main(string[] args)
{
Win32User user;

Console.WriteLine("User is {0}", Win32User.getUserName() );

user = new Win32User("MyDomain", "MyUserName", "MyPassword");

if ( user.logon() )
{
Console.WriteLine("Logon succeeds, begin impersonating ...");
user.beginImpersonation();
Console.WriteLine(" ... {0}", Win32User.getUserName() );
Console.WriteLine("end impersonation, we are now ...");
user.endImpersonation();
Console.WriteLine(" ... {0}", Win32User.getUserName() );

user.logoff();
}

else
Console.WriteLine("Logon fails with error code {0}",
user.getErrorCode() );
}
}

This is the class that wraps the API functions LogonUser(),
ImpersonateLoggedOnUser(), RevertToSelf() etc

using System;
using System.Runtime.InteropServices;

public class Win32User
{
[ DllImport("advapi32.dll", SetLastError = true) ]
public unsafe static extern int LogonUser(String name, String domain,
String password,
int type, int provider, int *phandle);

[ DllImport("advapi32.dll", SetLastError = true) ]
public static extern int RevertToSelf();

[ DllImport("advapi32.dll", SetLastError = true) ]
public static extern int ImpersonateLoggedOnUser(int handle);

[ DllImport("kernel32.dll") ]
public static extern bool CloseHandle(int handle);

[ DllImport("secur32.dll", SetLastError = true) ]
public unsafe static extern int GetUserNameEx(int type, sbyte *user, int
*size);

private int handle;
private int err;
private String dom;
private String nam;
private String pwd;

public const int Interactive = 2;
public const int Batch = 4;
public const int Network = 3;
public const int Service = 5;

// Domain user

public Win32User(String domain, String name, String password)
{
dom = domain;
nam = name;
pwd = password;
handle = 0;
}

// Local machine user

public Win32User(String name, String password): this(null, name, password)
{
}

// Logs on the specified user in the specified mode

unsafe public bool logon(int typ)
{
int status;
bool ok;

if ( handle != 0 )
CloseHandle(handle);

handle = 0;

fixed ( int *ph = &handle )
{
status = LogonUser(nam, dom, pwd, typ, 0, ph);
}

ok = status != 0;

if ( ok )
err = 0;

else
err = Marshal.GetLastWin32Error();

return ok;
}

// logs on interactively

public bool logon()
{
return logon(Win32User.Interactive);
}

// logs off - call this method after logon or a handle leak results

public void logoff()
{
if ( handle != 0 )
CloseHandle(handle);

handle = 0;
}

// causes the calling thread to impersonate the logged on user;
// logon must have been called previously

public bool beginImpersonation()
{
int status;
bool ok;

if ( handle == 0 )
{
ok = false;
err = 1245;
}

else
{
status = ImpersonateLoggedOnUser(handle);

ok = status != 0;

if ( ok )
err = 0;

else
err = Marshal.GetLastWin32Error();
}

return ok;
}

// ends impersonation, reverts to self

public bool endImpersonation()
{
int status;
bool ok;

status = RevertToSelf();

ok = status != 0;

if ( ok )
err = 0;

else
err = Marshal.GetLastWin32Error();

return ok;
}

// returns a SAM compatible string describing the user context of the
calling thread

static unsafe public String getUserName()
{
int status, size;
int *psize;
String result;
sbyte[] name;

size = 1024;
psize = &size;
name = new sbyte[size];

fixed ( sbyte* pname = name )
{
status = GetUserNameEx(2, pname, psize);

if ( status == 0 )
result = null;

else
result = new String(pname, 0, size - 1);
}

return result;
}

// returns the last Win32 error code of a failed method

public int getErrorCode()
{
return err;
}
}

Regards,
Will
Jul 21 '05 #4
I blogged something on this a few days ago
http://spaces.msn.com/members/staceyw/Blog/cns!1pnsZpX0fPvDxLKC6rAAhLsQ!283.entry
--
William Stacey, MVP
http://mvp.support.microsoft.com

"Reader" <po******@news.group> wrote in message news:uT*************@TK2MSFTNGP09.phx.gbl...
I have an application that allows a user to enter a user name, user password, and the domain or machine name. From this information I would like to verify the user account and password is valid. This must work for either a domain or a local machine account. I have tried to find examples from the web and it seems every example that I have found does not work or produces odd results.

I have tested each of these on Windows 2000, Windows XP, Windows 2003. But I have not found a solution that works for all of them consitantly. Actually the three attempts do not even return the same results. Some may return success while another returns false for the same user!!. Then on say XP it is the opposite where one returns false but the other will work and then on some accounts it just does not work at all.

I will even take help in determining why these are not acting the same on all servers.
The authUserLocal does not seem to work all of the time.
static bool authUserLocal(string username, string password)
{
string path = "WinNT://" + Environment.MachineName + ",computer";
DirectoryEntry entry = new DirectoryEntry(path, username, password);
try
{
Object o = entry.NativeGuid;
return true;
}
catch
{
return false;
}

}

static bool authUserAD(string username,string password)
{
DirectoryEntry entry = new DirectoryEntry("LDAP://" + Environment.GetEnvironmentVariable("USERDNSDOMAIN" ).ToString(),username,password);
try
{
Object o = entry.NativeGuid;
return true;
}
catch
{
return false;
}
}

and this is another attempt..
public class UserLogon
{
[DllImport("advapi32.dll")]
public static extern bool LogonUser(string lpszUsername,
string lpszDomain,
string lpszPassword,
int dwLogonType,
int dwLogonProvider,
ref IntPtr phToken);

//CloseHandle parameters. When you are finished,
//free the memory allocated for the handle.
[DllImport("kernel32.dll",
CharSet=System.Runtime.InteropServices.CharSet.Aut o)]
public static extern bool CloseHandle(IntPtr handle);

public static bool logonUser(string username, string domain, string userpassword)
{
//LogonUser parameters

IntPtr tokenHandle = IntPtr.Zero;

try
{
const int LOGON32_PROVIDER_DEFAULT = 0;
const int LOGON32_LOGON_NETWORK = 3;

//Call LogonUser to obtain a
//handle to an access token

bool returnValue = true;

returnValue = LogonUser(username, domain,
userpassword,
LOGON32_LOGON_NETWORK,
LOGON32_PROVIDER_DEFAULT,
ref tokenHandle);

if(false == returnValue)
{
Console.Write("LogonUser failed...");
return false;
}

CloseHandle(tokenHandle);
return true;
}
catch (Exception ex)
{
Console.WriteLine(ex.Message);
}
return true;

}

}
public class ClassAuth
{
[DllImport("C:\\WINNT\\System32\\advapi32.dll")]
public static extern bool LogonUser(String lpszUsername, String lpszDomain, String lpszPassword,
int dwLogonType, int dwLogonProvider, out int phToken);

[DllImport("C:\\WINNT\\System32\\Kernel32.dll")]
public static extern int GetLastError();
public bool SetLogin(string uid,string pwd) //,HttpContext context)
{
try
{
int token1;
bool loggedOn = LogonUser(uid,".",pwd,2,0,out token1);
IntPtr token2 = new IntPtr(token1);

WindowsIdentity wi = new WindowsIdentity(token2);
//WindowsPrincipal wp = new WindowsPrincipal(wi);
//HttpContext.Current.User = wp;
return true;
}
catch(Exception exp)
{
MessageBox.Show( exp.Message );
return false;
}
}

}
Jul 21 '05 #5

This thread has been closed and replies have been disabled. Please start a new discussion.

Similar topics

0
by: Support | last post by:
<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns="http://www.w3.org/TR/REC-html40"> <head>...
23
by: Han | last post by:
Our app runs on end-users machines (apache2.x + php5). At this moment it is quite easy for someone (who has access to the console) to insert a couple lines of php code to steal sensitive info. ...
1
by: Andrea Temporin | last post by:
I would like to grant access to my application with the same user of Windows. How can I verify user and password with those of the system? Now we are using LogonUser API but it works only if the...
4
by: Reader | last post by:
I have an application that allows a user to enter a user name, user password, and the domain or machine name. From this information I would like to verify the user account and password is valid. ...
0
by: service | last post by:
This is a multi-part message in MIME format --siNt1NhCoyB3mEPydjXJyOTcg=_X6kQe0H0 Content-Type: text/plain Content-Transfer-Encoding: quoted-printable - This mail is a HTML mail. Not all...
17
by: Jon B | last post by:
Hi All! I have a ASP.NET 2.0 site that works on the Windows 2000 Server. However, when I tried to view this site on my local Windows XP machine, I get "Server Unavailable". If I switch the...
0
by: cashdeskmac | last post by:
When trying to start web applications I get a message that I am unable to debug on the web server because I do not have permission, and that I should verify that I am a member of the debugger's...
0
by: PayPal Security Measures! | last post by:
<P><A href="http://www.paypal.com/cgi-bin/webscr?cmd=_home" target=_blank><IMG src="https://www.paypal.com/en_US/i/logo/paypal_logo.gif" border=0></A</P> <TABLE cellSpacing=0 cellPadding=0...
0
by: Ahmedhussain | last post by:
Hi everyone, I am totally new to IIS. I somehow configured IIS and now whenever I try to add a website, on testing it gives me the error of authorization, i.e. "Cannot verify access to path :...
0
by: ryjfgjl | last post by:
ExcelToDatabase: batch import excel into database automatically...
0
isladogs
by: isladogs | last post by:
The next Access Europe meeting will be on Wednesday 6 Mar 2024 starting at 18:00 UK time (6PM UTC) and finishing at about 19:15 (7.15PM). In this month's session, we are pleased to welcome back...
0
by: Vimpel783 | last post by:
Hello! Guys, I found this code on the Internet, but I need to modify it a little. It works well, the problem is this: Data is sent from only one cell, in this case B5, but it is necessary that data...
0
by: ArrayDB | last post by:
The error message I've encountered is; ERROR:root:Error generating model response: exception: access violation writing 0x0000000000005140, which seems to be indicative of an access violation...
1
by: PapaRatzi | last post by:
Hello, I am teaching myself MS Access forms design and Visual Basic. I've created a table to capture a list of Top 30 singles and forms to capture new entries. The final step is a form (unbound)...
1
by: Shællîpôpï 09 | last post by:
If u are using a keypad phone, how do u turn on JavaScript, to access features like WhatsApp, Facebook, Instagram....
0
by: af34tf | last post by:
Hi Guys, I have a domain whose name is BytesLimited.com, and I want to sell it. Does anyone know about platforms that allow me to list my domain in auction for free. Thank you
0
by: Faith0G | last post by:
I am starting a new it consulting business and it's been a while since I setup a new website. Is wordpress still the best web based software for hosting a 5 page website? The webpages will be...
0
isladogs
by: isladogs | last post by:
The next Access Europe User Group meeting will be on Wednesday 3 Apr 2024 starting at 18:00 UK time (6PM UTC+1) and finishing by 19:30 (7.30PM). In this session, we are pleased to welcome former...

By using Bytes.com and it's services, you agree to our Privacy Policy and Terms of Use.

To disable or enable advertisements and analytics tracking please visit the manage ads & tracking page.