GAHHHHHHHHHHH!
Has anyone found a simple way around this issue? We have mostly XP machines, but there are many machines that are still win2k. I wrote a really nice authentication app that checks for proper windows authentication( I am not trying to impersonate or anything, I am just trying to make sure the user is who they are supposed to be) but it uses LogonUser which is broke with win2k (ie it fails no matter what).
So whose got the workaround? This is a windows application btw....
--
--Eric Cathell, MCSA 4 1537
Forget about it
I cannot remember how many times I have answered this question. If anyone done a little bit of searching you would know that you cannot use LogonUser API function on Windows 2000 without setting the SE_TCB_NAME (act as part of the operating system). The first person to find out how to do this will completely kill all security in Windows 2000. For this reason, Microsoft would not release this information
You can manually set 'Act as Part of the Operating System' by going into CONTROL PANEL/ADMIN TOLLS/LOCAL SECURITY POLICY/LOCAL POLICIES/USER RIGHTS ASSIGNMENT, double-click 'act as part od the operating system', click ADD & then add the user(s) you want to add
Then you will be able to use LogonUser API, which will then succeed & then you have a computer that can easily be hacked & your whole system lost
Me personally would never ever set act as part of the operating system. Just forget about it - its not worth it.
I hope this helps
Crouchie1998
BA (HONS) MCP MCSE
"ECathell" <ec******@nospam.com> wrote in message news:eS**************@TK2MSFTNGP14.phx.gbl...
GAHHHHHHHHHHH!
Has anyone found a simple way around this issue? We have mostly XP machines, but there are many machines that are still win2k. I wrote a really nice authentication app that checks for proper windows authentication( I am not trying to impersonate or anything, I am just trying to make sure the user is who they are supposed to be) but it uses LogonUser which is broke with win2k (ie it fails no matter what).
So whose got the workaround? This is a windows application btw....
--
--Eric Cathell, MCSA
Fine that is all well and good, but then how do I go about using windows authentication schemes in my applications? I don't want the user to impersonate anyone, but we are a multi domain environment here with trust relationships. All I want to do is make sure an authorized person is using my program, without having to maintain a database for usernames and passwords when we already have Active Directory.
--
--Eric Cathell, MCSA
"Crouchie1998" <cr**********@spamcop.net> wrote in message news:uA******************@TK2MSFTNGP10.phx.gbl...
Forget about it
I cannot remember how many times I have answered this question. If anyone done a little bit of searching you would know that you cannot use LogonUser API function on Windows 2000 without setting the SE_TCB_NAME (act as part of the operating system). The first person to find out how to do this will completely kill all security in Windows 2000. For this reason, Microsoft would not release this information
You can manually set 'Act as Part of the Operating System' by going into CONTROL PANEL/ADMIN TOLLS/LOCAL SECURITY POLICY/LOCAL POLICIES/USER RIGHTS ASSIGNMENT, double-click 'act as part od the operating system', click ADD & then add the user(s) you want to add
Then you will be able to use LogonUser API, which will then succeed & then you have a computer that can easily be hacked & your whole system lost
Me personally would never ever set act as part of the operating system. Just forget about it - its not worth it.
I hope this helps
Crouchie1998
BA (HONS) MCP MCSE
"ECathell" <ec******@nospam.com> wrote in message news:eS**************@TK2MSFTNGP14.phx.gbl...
GAHHHHHHHHHHH!
Has anyone found a simple way around this issue? We have mostly XP machines, but there are many machines that are still win2k. I wrote a really nice authentication app that checks for proper windows authentication( I am not trying to impersonate or anything, I am just trying to make sure the user is who they are supposed to be) but it uses LogonUser which is broke with win2k (ie it fails no matter what).
So whose got the workaround? This is a windows application btw....
--
--Eric Cathell, MCSA
LogonUser will work for Windows XP, but not Windows 2000
What I suggest you do is:
Create an XML file (encrypted) holding just the username/password, which is created in the APPLICATION DATA section & on first run, allow the user to be able to change password etc.
Because you will keep this file in the APPLICATION DATA section then the other user will not be able to gain access to the file.
The above idea was originally suggested by Duncan Mackenzie (MSDN Strategic Content Advisor) & it's also implemented in an example of the 101 coding examples I think.
I have used this method on many occasions & find it simple, yet very secure. Obviously, administrators will get access to the APPLICATION DATA sections for the individual users, but its not them who you need to worry about.
I hope this has helped
Crouchie1998
BA (HONS) MCP MCSE
Thanks for the response. It still wont help my situation though. It still requires access to the user domain credentials and possibly managing them. Its sad that we went through a lot of trouble to make our resource network a domain in order to implement trusts and not have to manage passwords of the user domain, and now I still may wind up having to do so.
--
--Eric Cathell, MCSA
"Crouchie1998" <cr**********@spamcop.net> wrote in message news:uw**************@tk2msftngp13.phx.gbl...
LogonUser will work for Windows XP, but not Windows 2000
What I suggest you do is:
Create an XML file (encrypted) holding just the username/password, which is created in the APPLICATION DATA section & on first run, allow the user to be able to change password etc.
Because you will keep this file in the APPLICATION DATA section then the other user will not be able to gain access to the file.
The above idea was originally suggested by Duncan Mackenzie (MSDN Strategic Content Advisor) & it's also implemented in an example of the 101 coding examples I think.
I have used this method on many occasions & find it simple, yet very secure. Obviously, administrators will get access to the APPLICATION DATA sections for the individual users, but its not them who you need to worry about.
I hope this has helped
Crouchie1998
BA (HONS) MCP MCSE This thread has been closed and replies have been disabled. Please start a new discussion. Similar topics
by: Mike |
last post by:
Any help would be greatly appreciated.
Based on MS KB article Q248187 (HOWTO: Impersonate a User from Active
Server Pages), I developed an ActiveX DLL (using VB6.0 Enterprise
SP5), and deployed...
|
by: Nimi |
last post by:
When I run my application , the LogonUser method fails the exception is
"LogonUser failed with error code :1314".
I know the error is because of some privileges .
I am using Windows 2000 sp4. I...
|
by: Rich |
last post by:
I am running IIS6 on a Win2k3 server.
I have an ASP.Net app (C#) that a user logs into and then I use
LogonUser to validate them and log them onto the server. I have
Windows Authentication ONLY...
|
by: Zeno Lee |
last post by:
I'm trying to authenticate a user against a windows network. I want it to
work across any kind of windows network from NT 4.0 up to Windows 2003 ADS.
So far I've been using DirectoryEntry and...
|
by: Dan |
last post by:
All,
I am attempting to use the LogonUser API in an
application. However, everytime I attempt to validate an
account using this I get an error. The code is 1421 which
has a description of...
|
by: BLiTZWiNG |
last post by:
Having a few strage behaviours with this function, mainly in that when I try
to logon to another computer with a different name/pass to the current user
of the local machine, it tries to...
|
by: schaf |
last post by:
Hi NG !
I used the examples on the internet to create a Impersonate class which
allows me to log on as another user. After logged on as the new user I
could access files on a remote computer,...
|
by: Sajid |
last post by:
I use LogonUser for user authentication against AD. When I run this in XP is
works fine. But it gives me a Win32 Error 1314 (ERROR_PRIVILEGE_NOT_HELD) in
Win 2000. Any idea why and how do I solve...
|
by: nild |
last post by:
Hello
i have a strange problem. I'm using LogonUser to impersonate the user
under which my program must run. On Win XP or Server 2003 it works. But
on 2000 it doesn't. So i found out, to set...
|
by: Charles Arthur |
last post by:
How do i turn on java script on a villaon, callus and itel keypad mobile phone
|
by: emmanuelkatto |
last post by:
Hi All, I am Emmanuel katto from Uganda. I want to ask what challenges you've faced while migrating a website to cloud.
Please let me know.
Thanks!
Emmanuel
|
by: BarryA |
last post by:
What are the essential steps and strategies outlined in the Data Structures and Algorithms (DSA) roadmap for aspiring data scientists? How can individuals effectively utilize this roadmap to progress...
|
by: Hystou |
last post by:
There are some requirements for setting up RAID:
1. The motherboard and BIOS support RAID configuration.
2. The motherboard has 2 or more available SATA protocol SSD/HDD slots (including MSATA, M.2...
|
by: Hystou |
last post by:
Most computers default to English, but sometimes we require a different language, especially when relocating. Forgot to request a specific language before your computer shipped? No problem! You can...
|
by: jinu1996 |
last post by:
In today's digital age, having a compelling online presence is paramount for businesses aiming to thrive in a competitive landscape. At the heart of this digital strategy lies an intricately woven...
|
by: Hystou |
last post by:
Overview:
Windows 11 and 10 have less user interface control over operating system update behaviour than previous versions of Windows. In Windows 11 and 10, there is no way to turn off the Windows...
|
by: tracyyun |
last post by:
Dear forum friends,
With the development of smart home technology, a variety of wireless communication protocols have appeared on the market, such as Zigbee, Z-Wave, Wi-Fi, Bluetooth, etc. Each...
|
by: isladogs |
last post by:
The next Access Europe User Group meeting will be on Wednesday 1 May 2024 starting at 18:00 UK time (6PM UTC+1) and finishing by 19:30 (7.30PM).
In this session, we are pleased to welcome a new...
| |