Re: Win32 LogonUser()

From: deligentman (email@spam.com)
Date: 06/13/02


From: "deligentman" <email@spam.com>
Date: Fri, 14 Jun 2002 00:09:39 +1000


Hi group

This is my personal experience, and after doing so I read an article (sorry!
I cannot find it now).
In Win2k, if you specify IIS to control the IUserMachinename/anonymous account
and it is in the Guests group,
then the LogonUser API does not work if a web user impersonates the
IUserMachinename/anonymous user account.

To make it work, put it in a privileged group, change the password sync options
in IIS and maybe other properties for the IUserMachineName account. (Still,
the login will be treated as
a user logged on to the IIS box locally.)

If I give more power to the anonymous user then I will be opening a security
risk/hole in my site, as we all know.

thanks.
Del.

"Harout K" <haroutkat@hotmail.com> wrote in message
news:#OqYkcg4BHA.2716@tkmsftngp04...
> Hi all,
> For three days now I have been trying to use LogonUser() API to login users
> and impersonate them but I keep getting an error after the method call.
> Error Code: 1314; "A required privilege is not held by the client"; however,
> I have assigned the required SE_TCB_NAME (i.e. "Act as part of the OS")
> privilege to the calling client but it keeps complaining.
> If you have successfully used LogonUser() in any language and/or platform
> please tell me how you did it.
> Any pointers/help would greatly be appreciated!
>
> Thank you very much!!!!!!
>
>
>
> Here is the snippet of code in C++ and C# (VS 7.0)
>
> [C++]
>
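> #include <windows.h>
>
> HANDLE token;
>
> // LogonUser returns FALSE on failure; only then is GetLastError() meaningful
> BOOL ok = LogonUser("bobs", "LAPTOP", "bobs", LOGON32_LOGON_NETWORK,
>                     LOGON32_PROVIDER_DEFAULT, &token);
>
> DWORD error = ok ? ERROR_SUCCESS : GetLastError();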
>
>
>
>
> ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
>
>
> [C#]
>
> using System;
> using System.Runtime.InteropServices;
> using System.Security.Permissions;
>
> [assembly:SecurityPermissionAttribute(SecurityAction.RequestMinimum, UnmanagedCode=true)]
> public class Class1
> {
>     // SetLastError=true makes the runtime save the Win32 error right after the call
>     [DllImport("C:\\WINNT\\System32\\advapi32.dll", SetLastError=true)]
>     public static extern bool LogonUser(String lpszUsername, String lpszDomain,
>         String lpszPassword, int dwLogonType, int dwLogonProvider, out IntPtr phToken);
>
>     public static void Main(string[] args)
>     {
>         IntPtr token;
>
>         // 3 = LOGON32_LOGON_NETWORK, 0 = LOGON32_PROVIDER_DEFAULT
>         bool isLoggedin = LogonUser("bobs", "LAPTOP", "bobs", 3, 0, out token);
>         // A P/Invoke'd GetLastError() is unreliable in managed code; read the saved value
>         int error = isLoggedin ? 0 : Marshal.GetLastWin32Error();
>     }
> }
>
>
>
>


