HOW: Copy files in network with authentication ??

Hi,

Does anyone know how to copy files inside network from machine one to
machine2
if the machine2 requires user/pass authentication ??

I need this for Windows platform.
Anyone did that ?

Thanks.
Nov 17 '05 #1
"Kristijan Marin" <kr*************@hermes-plus.si> wrote in message
news:ee**************@TK2MSFTNGP10.phx.gbl...
> Does anyone know how to copy files inside network from machine one to
> machine2
> if the machine2 requires user/pass authentication ??
>
> I need this for Windows platform.


Which Windows platform?

If it is one of NT/2K/XP/2K+3 that you are talking about you should be able
to use this sequence

LogonUser();
ImpersonateLoggedOnUser();
CopyFile();
RevertToSelf();
CloseHandle(); // on the token returned by LogonUser()

Prior to XP, the calling thread must be in the trusted computing base,
which is to say it must hold the SE_TCB_NAME privilege, which shows up in the
user manager as "Act as part of the operating system".

For that reason, this sequence is usually found in server applications
which are implemented as services running under LocalSystem, having the
requisite privilege, and necessarily installed by an administrator.

Regards,
Will
Nov 17 '05 #2
William DePalo [MVP VC++] wrote:
>> Does anyone know how to copy files inside network from machine one to
>> machine2
>> if the machine2 requires user/pass authentication ??
>
> If it is one of NT/2K/XP/2K+3 that you are talking about you should be able
> to use this sequence
>
> LogonUser();
> ImpersonateLoggedOnUser();
> CopyFile();
> RevertToSelf();
> CloseHandle(); // on the token returned by LogonUser()


LogonUser only logs you in to the local computer, and it can't be used
to log on to a remote computer. The user must exist locally. If the user
doesn't exist locally, then WNetAddConnection seems to be the only way
to go, which is not safe, because if the app crashes, the connection
remains open. I have yet to find a solution that works and is safe.
LogonUser is totally out of question, because on a typical network a
local computer only has 1 user, while a file server has numerous others.

Tom
Nov 17 '05 #3

"Tamas Demjen" <td*****@yahoo.com> wrote in message
news:ub**************@TK2MSFTNGP12.phx.gbl...
> William DePalo [MVP VC++] wrote:
>>> Does anyone know how to copy files inside network from machine one to
>>> machine2
>>> if the machine2 requires user/pass authentication ??
>>
>> If it is one of NT/2K/XP/2K+3 that you are talking about you should be
>> able to use this sequence
>>
>> LogonUser();
>> ImpersonateLoggedOnUser();
>> CopyFile();
>> RevertToSelf();
>> CloseHandle(); // on the token returned by LogonUser()
>
> LogonUser only logs you in to the local computer, and it can't be used to
> log on to a remote computer. The user must exist locally. If the user
> doesn't exist locally, then WNetAddConnection seems to be the only way to
> go, which is not safe, because if the app crashes, the connection remains
> open. I have yet to find a solution that works and is safe. LogonUser is
> totally out of question, because on a typical network a local computer
> only has 1 user, while a file server has numerous others.
>
> Tom


The purpose of LogonUser is to obtain an access token specifying the
credentials of a valid local or domain (remote) account. If you specify a
remote user's credentials, the token obtained can be used to impersonate the
current thread and access the remote resource. Now, if you use non local
user credentials, accesses to local FS objects will fail (unless the remote
user is a shadow account of a local account), this can be solved by:
- specifying a domain user when calling LogonUser and granting this domain
account access to the local FS resources, or,
- by specifying LOGON32_LOGON_NEW_CREDENTIALS as dwLogonType (W2K2 or
higher).

Willy.
Nov 17 '05 #4
Willy Denoyette [MVP] wrote:
> The purpose of LogonUser is to obtain an access token specifying the
> credentials of a valid local or domain (remote) account. If you specify a
> remote user's credentials, the token obtained can be used to impersonate the
> current thread and access the remote resource. Now, if you use non local
> user credentials, accesses to local FS objects will fail (unless the remote
> user is a shadow account of a local account), this can be solved by:
> - specifying a domain user when calling LogonUser and granting this domain
> account access to the local FS resources, or,
> - by specifying LOGON32_LOGON_NEW_CREDENTIALS as dwLogonType (W2K2 or
> higher).
>
> Willy.


Thanks Willy, this seems to be solving a 2-year-old problem to me. The
following works nicely:

    HANDLE token;
    if(LogonUser(
        "Tamas", "\\\\RemoteComputer",
        "password",
        LOGON32_LOGON_NEW_CREDENTIALS,
        LOGON32_PROVIDER_DEFAULT,
        &token))
    {
        if(ImpersonateLoggedOnUser(token))
        {
            CopyFile("c:\\0.txt", "\\\\RemoteComputer\\Share\\0.txt",
                TRUE);
            RevertToSelf();
        }
        CloseHandle(token);
    }

Does the LOGON32_LOGON_NEW_CREDENTIALS flag require the server to be
W2k+, or the client (local) computer only?

I also tried this:
    BOOL res = LogonUser(
        "Tamas@RemoteComputer", NULL,
        "password",
        LOGON32_LOGON_NETWORK,
        LOGON32_PROVIDER_DEFAULT,
        &token);

and res was TRUE and the token was valid, but after the
ImpersonateLoggedOnUser call the remote FS was not accessible. Note that
RemoteComputer is not a true domain, it's just another computer in a
workgroup. I guess if I knew how to add access to the FS, that would
work too. <sigh> I'd spent days without success before.

Anyway, LOGON32_LOGON_NEW_CREDENTIALS does the trick, but only on W2k+.

Tom
Nov 17 '05 #5
Tamas,
Inline.
Willy.

"Tamas Demjen" <td*****@yahoo.com> wrote in message
news:us****************@tk2msftngp13.phx.gbl...
> Willy Denoyette [MVP] wrote:
>> The purpose of LogonUser is to obtain an access token specifying the
>> credentials of a valid local or domain (remote) account. If you specify a
>> remote user's credentials, the token obtained can be used to impersonate
>> the current thread and access the remote resource. Now, if you use non
>> local user credentials, accesses to local FS objects will fail (unless
>> the remote user is a shadow account of a local account), this can be
>> solved by:
>> - specifying a domain user when calling LogonUser and granting this
>> domain account access to the local FS resources, or,
>> - by specifying LOGON32_LOGON_NEW_CREDENTIALS as dwLogonType (W2K2 or
>> higher).
>>
>> Willy.
>
> Thanks Willy, this seems to be solving a 2-year-old problem to me. The
> following works nicely:
>
>     HANDLE token;
>     if(LogonUser(
>         "Tamas", "\\\\RemoteComputer",
>         "password",
>         LOGON32_LOGON_NEW_CREDENTIALS,
>         LOGON32_PROVIDER_DEFAULT,
>         &token))
>     {
>         if(ImpersonateLoggedOnUser(token))
>         {
>             CopyFile("c:\\0.txt", "\\\\RemoteComputer\\Share\\0.txt",
>                 TRUE);
>             RevertToSelf();
>         }
>         CloseHandle(token);
>     }
>
> Does the LOGON32_LOGON_NEW_CREDENTIALS flag require the server to be W2k+,
> or the client (local) computer only?

The computer calling LogonUser() needs W2K or higher (that is, all OSes that
run Kerberos security providers).

> I also tried this:
>
>     BOOL res = LogonUser(
>         "Tamas@RemoteComputer", NULL,
>         "password",
>         LOGON32_LOGON_NETWORK,
>         LOGON32_PROVIDER_DEFAULT,
>         &token);
>
> and res was TRUE and the token was valid, but after the
> ImpersonateLoggedOnUser call the remote FS was not accessible. Note that
> RemoteComputer is not a true domain, it's just another computer in a
> workgroup. I guess if I knew how to add access to the FS, that would work
> too. <sigh> I'd spent days without success before.

This is by design, the logontype LOGON32_LOGON_NETWORK returns an access
token that has NO network access.

> Anyway, LOGON32_LOGON_NEW_CREDENTIALS does the trick, but only on W2k+.

Yep, no need to map shares to local drives anymore, or to impersonate domain
accounts to access SQL server, just create a logon session with "split
identity" and you can access the server while keeping your local access token
to access local resources.

> Tom

Nov 17 '05 #6
Willy Denoyette [MVP] wrote:
> This is by design, the logontype LOGON32_LOGON_NETWORK returns an access
> token that has NO network access.

Thanks again. LOGON32_LOGON_NEW_CREDENTIALS is my only choice, as every
other logintype fails to authenticate the remote-only user (returns
ERROR_LOGON_FAILURE). It's alright, because the app in question is
always running on XP. The remote computer we connect to may be running
some older Windows, but we always call LogonUser from an XP box.

> Yep, no need to map shares to local drives anymore


That's exactly what I wanted, because mapping a UNC share enables a
system-wide access, which is a potential security threat. I only want an
application-wide CopyFile. It's so much safer now.

If I had to implement this with OSes older than W2k, it seems I would
have no choice but to map the share (or implement a TCP/IP based secure
server to send files).

Tom
Nov 17 '05 #7
"Tamas Demjen" <td*****@yahoo.com> wrote in message
news:ub**************@TK2MSFTNGP12.phx.gbl...
> William DePalo [MVP VC++] wrote:
>>> Does anyone know how to copy files inside network from machine one to
>>> machine2
>>> if the machine2 requires user/pass authentication ??
>>
>> If it is one of NT/2K/XP/2K+3 that you are talking about you should be
>> able to use this sequence
>>
>> LogonUser();
>> ImpersonateLoggedOnUser();
>> CopyFile();
>> RevertToSelf();
>> CloseHandle(); // on the token returned by LogonUser()
>
> LogonUser only logs you in to the local computer, and it can't be used to
> log on to a remote computer.


I guess that depends on what you mean by "log on to a remote computer".

I can tell you that, just as the docs specify, if on a machine in a domain,
you specify the credentials of a domain user, then you can certainly get a
token and use it to impersonate that user.

And of course, you can also use the function to get a token representing a
user local to the machine.

Regards,
Will

Nov 17 '05 #8
William DePalo [MVP VC++] wrote:
> I guess that depends on what you mean by "log on to a remote computer".
>
> I can tell you that, just as the docs specify, if on a machine in a domain,
> you specify the credentials of a domain user, then you can certainly get a
> token and use it to impersonate that user.
>
> And of course, you can also use the function to get a token representing a
> user local to the machine.


My conclusion is that LOGON32_LOGON_NEW_CREDENTIALS seems to be the only
way to go when the local machine is not in a domain, or when it is in a
different domain than the remote machine. It works now (I posted the
sample code earlier).

LOGON32_LOGON_NEW_CREDENTIALS is not required to impersonate users on
the local machine, or on a remote machine in the same domain as the
local one.

It seems to me that LogonUser was originally designed to support
impersonation of local and domain users, and later (in W2k) MS has
introduced the LOGON32_LOGON_NEW_CREDENTIALS logontype to support
foreign domains and machines not in a domain.

Tom
Nov 17 '05 #9
"Tamas Demjen" <td*****@yahoo.com> wrote in message
news:u0**************@tk2msftngp13.phx.gbl...
> LOGON32_LOGON_NEW_CREDENTIALS is not required to impersonate users on the
> local machine, or on a remote machine in the same domain as the local one.
>
> It seems to me that LogonUser was originally designed to support
> impersonation of local and domain users, and later (in W2k) MS has
> introduced the LOGON32_LOGON_NEW_CREDENTIALS logontype to support foreign
> domains and machines not in a domain.


Perhaps. But the docs seem clear:

<quote>
Windows 2000/XP: This logon type allows the caller to clone its current
token and specify new credentials for outbound connections. The new logon
session has the same local identify, but uses different credentials for
other network connections.
This logon type is supported only by the LOGON32_PROVIDER_WINNT50 logon
provider
</quote>

Unlike the other options, this one allows for a "split personality" with one
set of credentials for local use and another for remote.

Regards,
Will


Nov 17 '05 #10
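
The sequence from post #5 with the checks a production caller would want, as an added example that is not from any poster in this thread: every return value is checked, the password buffer is wiped, the process exits if RevertToSelf fails, and alternate credentials are created only when the destination parses as a UNC path. The names unc_server and copy_as are hypothetical, passing the bare server name as the domain is this example's choice, and LOGON32_PROVIDER_WINNT50 follows the documentation quoted in post #10; the Win32 part compiles only on Windows.

```c
/* Added example (not from the thread). Windows build: cl copy_as.c advapi32.lib */
#include <stdio.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#endif

/* Copy the server part of \\server\share\... into out. Returns 0 on success,
   -1 if unc is not a UNC path with a share part or the name does not fit. */
int unc_server(const char *unc, char *out, size_t outlen)
{
    size_t n;
    if (strncmp(unc, "\\\\", 2) != 0) return -1;
    n = strcspn(unc + 2, "\\");
    if (n == 0 || n >= outlen || unc[2 + n] == '\0') return -1;
    memcpy(out, unc + 2, n);
    out[n] = '\0';
    return 0;
}

#ifdef _WIN32
/* Hypothetical helper: returns 0, or the Win32 error code of the failed step.
   pass must be a writable buffer; it is wiped before returning. */
DWORD copy_as(const char *user, char *pass, const char *src, const char *dst)
{
    char server[256];
    HANDLE token = NULL;
    DWORD err = 0;
    /* NEW_CREDENTIALS does not validate the password at logon; a wrong one
       only surfaces when CopyFile authenticates to the server. */
    if (unc_server(dst, server, sizeof server) != 0) err = ERROR_BAD_PATHNAME;
    else if (!LogonUserA(user, server, pass, LOGON32_LOGON_NEW_CREDENTIALS,
                         LOGON32_PROVIDER_WINNT50, &token)) err = GetLastError();
    SecureZeroMemory(pass, strlen(pass));
    if (err) return err;

    if (!ImpersonateLoggedOnUser(token)) {
        err = GetLastError();
    } else {
        if (!CopyFileA(src, dst, TRUE)) err = GetLastError();
        if (!RevertToSelf()) {            /* thread is stuck on the other token */
            fprintf(stderr, "RevertToSelf failed: %lu\n", GetLastError());
            ExitProcess(1);               /* never continue in that state */
        }
    }
    CloseHandle(token);
    return err;
}
#endif
```

Keeping only the CopyFile call between ImpersonateLoggedOnUser and RevertToSelf limits which outbound connections can carry the alternate credentials.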
