Joe Mamma
Posted October 6, 2004

I can't use the simple p/invoke of LogonUser to authenticate an impersonation user in Windows 2000.

One alternative is to p/invoke CreateProcessWithLogonW to shell off a hidden cmd.exe check and terminate, checking the error code if it fails. This, though, is not the most efficient manner of authentication. More of a kludge.

I have seen some SSPI authentication code in VC6 and some in VC7 for client/server remoting impersonation. Extremely unwieldy.

Anyone have any code for doing this???

Joe Mamma
Amendment 4: The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no warrants shall issue, but upon probable cause, supported by oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.
Amendment 9: The enumeration in the Constitution, of certain rights, shall not be construed to deny or disparage others retained by the people.

*Gurus* divil
Posted October 6, 2004

I have used LogonUser to impersonate a user with success. Why do you say you cannot do this?

MVP, Visual Developer - .NET
Now you see why evil will always triumph - because good is dumb.
My free .NET Windows Forms Controls and Articles

Joe Mamma (Author)
Posted October 7, 2004

> I have used LogonUser to impersonate a user with success. Why do you say you cannot do this?

LogonUser does not work in win 2k without overriding local security policy to allow the calling principal to act as part of the operating system.

Yah, I didn't read the notes closely. Deployed to a mixed win2k/xp society and 'boo-yah' (my tester's favorite exclamation when he breaks my code).

From the SDK:

Windows 2000: The process calling LogonUser requires the SE_TCB_NAME privilege. If the calling process does not have this privilege, LogonUser fails and GetLastError returns ERROR_PRIVILEGE_NOT_HELD. In some cases, the process that calls LogonUser must also have the SE_CHANGE_NOTIFY_NAME privilege enabled; otherwise, LogonUser fails and GetLastError returns ERROR_ACCESS_DENIED. This privilege is not required for the local system account or accounts that are members of the administrators group. By default, SE_CHANGE_NOTIFY_NAME is enabled for all users, but some administrators may disable it for everyone. For more information about privileges, see Privileges.
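
The failure mode quoted from the SDK above, as an added example that is not code from any poster in this thread: a C# p/invoke wrapper around LogonUser that reports ERROR_PRIVILEGE_NOT_HELD and ERROR_ACCESS_DENIED separately from a wrong password, so a Windows 2000 caller without SE_TCB_NAME is not logged or handled as a failed logon. The names LogonCheck, LogonResult and TryLogon are hypothetical.

```csharp
using System;
using System.Runtime.InteropServices;

// Hypothetical names for this added example; only LogonUser/CloseHandle are real APIs.
public enum LogonResult { Success, BadCredentials, CallerLacksTcbPrivilege, CallerAccessDenied, OtherError }

public sealed class LogonCheck
{
    const int LOGON32_LOGON_NETWORK = 3;     // network logon type
    const int LOGON32_PROVIDER_DEFAULT = 0;
    const int ERROR_ACCESS_DENIED = 5;        // e.g. SE_CHANGE_NOTIFY_NAME disabled
    const int ERROR_PRIVILEGE_NOT_HELD = 1314; // Windows 2000 caller lacks SE_TCB_NAME
    const int ERROR_LOGON_FAILURE = 1326;     // unknown user name or bad password

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LogonUser(string user, string domain, string password,
        int logonType, int logonProvider, out IntPtr token);

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr handle);

    // Validates the credentials and classifies the failure instead of
    // collapsing every error into "authentication failed".
    public static LogonResult TryLogon(string user, string domain, string password, out int win32Error)
    {
        IntPtr token;
        bool ok = LogonUser(user, domain, password,
            LOGON32_LOGON_NETWORK, LOGON32_PROVIDER_DEFAULT, out token);
        // Read the error immediately, before any other call can overwrite it.
        win32Error = ok ? 0 : Marshal.GetLastWin32Error();
        if (ok)
        {
            CloseHandle(token); // only validating here, so release the token at once
            return LogonResult.Success;
        }
        switch (win32Error)
        {
            case ERROR_LOGON_FAILURE: return LogonResult.BadCredentials;
            case ERROR_PRIVILEGE_NOT_HELD: return LogonResult.CallerLacksTcbPrivilege;
            case ERROR_ACCESS_DENIED: return LogonResult.CallerAccessDenied;
            default: return LogonResult.OtherError;
        }
    }
}
```

Only BadCredentials says anything about the user; the two Caller* results describe the calling process's own token and belong in the deployment or configuration log, not in a failed-logon counter.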