By using this site, you agree to our updated Privacy Policy and our Terms of Use. Manage your Cookies Settings.
455,032 Members | 1,147 Online
Bytes IT Community
+ Ask a Question
Need help? Post your question and get tips & solutions from a community of 455,032 IT Pros & Developers. It's quick & easy.

LogonUser and Win2k

P: n/a
GAHHHHHHHHHHH!

Has anyone found a simple way around this issue? We have mostly XP machines, but there are many machines that are still win2k. I wrote a really nice authentication app that checks for proper windows authentication( I am not trying to impersonate or anything, I am just trying to make sure the user is who they are supposed to be) but it uses LogonUser which is broke with win2k (ie it fails no matter what).

So whose got the workaround? This is a windows application btw....

--
--Eric Cathell, MCSA
Nov 21 '05 #1
Share this Question
Share on Google+
4 Replies


P: n/a
Forget about it

I cannot remember how many times I have answered this question. If anyone done a little bit of searching you would know that you cannot use LogonUser API function on Windows 2000 without setting the SE_TCB_NAME (act as part of the operating system). The first person to find out how to do this will completely kill all security in Windows 2000. For this reason, Microsoft would not release this information

You can manually set 'Act as Part of the Operating System' by going into CONTROL PANEL/ADMIN TOLLS/LOCAL SECURITY POLICY/LOCAL POLICIES/USER RIGHTS ASSIGNMENT, double-click 'act as part od the operating system', click ADD & then add the user(s) you want to add

Then you will be able to use LogonUser API, which will then succeed & then you have a computer that can easily be hacked & your whole system lost

Me personally would never ever set act as part of the operating system. Just forget about it - its not worth it.

I hope this helps

Crouchie1998
BA (HONS) MCP MCSE
"ECathell" <ec******@nospam.com> wrote in message news:eS**************@TK2MSFTNGP14.phx.gbl...
GAHHHHHHHHHHH!

Has anyone found a simple way around this issue? We have mostly XP machines, but there are many machines that are still win2k. I wrote a really nice authentication app that checks for proper windows authentication( I am not trying to impersonate or anything, I am just trying to make sure the user is who they are supposed to be) but it uses LogonUser which is broke with win2k (ie it fails no matter what).

So whose got the workaround? This is a windows application btw....

--
--Eric Cathell, MCSA
Nov 21 '05 #2

P: n/a
Fine that is all well and good, but then how do I go about using windows authentication schemes in my applications? I don't want the user to impersonate anyone, but we are a multi domain environment here with trust relationships. All I want to do is make sure an authorized person is using my program, without having to maintain a database for usernames and passwords when we already have Active Directory.

--
--Eric Cathell, MCSA
"Crouchie1998" <cr**********@spamcop.net> wrote in message news:uA******************@TK2MSFTNGP10.phx.gbl...
Forget about it

I cannot remember how many times I have answered this question. If anyone done a little bit of searching you would know that you cannot use LogonUser API function on Windows 2000 without setting the SE_TCB_NAME (act as part of the operating system). The first person to find out how to do this will completely kill all security in Windows 2000. For this reason, Microsoft would not release this information

You can manually set 'Act as Part of the Operating System' by going into CONTROL PANEL/ADMIN TOLLS/LOCAL SECURITY POLICY/LOCAL POLICIES/USER RIGHTS ASSIGNMENT, double-click 'act as part od the operating system', click ADD & then add the user(s) you want to add

Then you will be able to use LogonUser API, which will then succeed & then you have a computer that can easily be hacked & your whole system lost

Me personally would never ever set act as part of the operating system. Just forget about it - its not worth it.

I hope this helps

Crouchie1998
BA (HONS) MCP MCSE
"ECathell" <ec******@nospam.com> wrote in message news:eS**************@TK2MSFTNGP14.phx.gbl...
GAHHHHHHHHHHH!

Has anyone found a simple way around this issue? We have mostly XP machines, but there are many machines that are still win2k. I wrote a really nice authentication app that checks for proper windows authentication( I am not trying to impersonate or anything, I am just trying to make sure the user is who they are supposed to be) but it uses LogonUser which is broke with win2k (ie it fails no matter what).

So whose got the workaround? This is a windows application btw....

--
--Eric Cathell, MCSA
Nov 21 '05 #3

P: n/a
LogonUser will work for Windows XP, but not Windows 2000

What I suggest you do is:

Create an XML file (encrypted) holding just the username/password, which is created in the APPLICATION DATA section & on first run, allow the user to be able to change password etc.

Because you will keep this file in the APPLICATION DATA section then the other user will not be able to gain access to the file.

The above idea was originally suggested by Duncan Mackenzie (MSDN Strategic Content Advisor) & it's also implemented in an example of the 101 coding examples I think.

I have used this method on many occasions & find it simple, yet very secure. Obviously, administrators will get access to the APPLICATION DATA sections for the individual users, but its not them who you need to worry about.

I hope this has helped

Crouchie1998
BA (HONS) MCP MCSE
Nov 21 '05 #4

P: n/a
Thanks for the response. It still wont help my situation though. It still requires access to the user domain credentials and possibly managing them. Its sad that we went through a lot of trouble to make our resource network a domain in order to implement trusts and not have to manage passwords of the user domain, and now I still may wind up having to do so.

--
--Eric Cathell, MCSA
"Crouchie1998" <cr**********@spamcop.net> wrote in message news:uw**************@tk2msftngp13.phx.gbl...
LogonUser will work for Windows XP, but not Windows 2000

What I suggest you do is:

Create an XML file (encrypted) holding just the username/password, which is created in the APPLICATION DATA section & on first run, allow the user to be able to change password etc.

Because you will keep this file in the APPLICATION DATA section then the other user will not be able to gain access to the file.

The above idea was originally suggested by Duncan Mackenzie (MSDN Strategic Content Advisor) & it's also implemented in an example of the 101 coding examples I think.

I have used this method on many occasions & find it simple, yet very secure. Obviously, administrators will get access to the APPLICATION DATA sections for the individual users, but its not them who you need to worry about.

I hope this has helped

Crouchie1998
BA (HONS) MCP MCSE
Nov 21 '05 #5

This discussion thread is closed

Replies have been disabled for this discussion.