Re: Logon API on Windows 2000 with ASP.NET 1.1

From: Joe Kaplan (MVP - ADSI) (joseph.e.kaplan_at_removethis.accenture.com)
Date: 04/17/04


Date: Sat, 17 Apr 2004 12:19:59 -0500

You really really should be using the canonical example for calling
LogonUser via P/Invoke that MS published in the Framework SDK reference:

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cpref/html/frlrfSystemSecurityPrincipalWindowsImpersonationContextClassTopic.asp?frame=true

Yours is much less robust.

Also remember, under Win2K, the current account running the LogonUser code
MUST have the "Act as part of the operating system" privilege to call
LogonUser. You state that your ASP.NET 1.0 code works and that it is
running as SYSTEM. You need to ensure that you have similar privileges for
the account executing the code in 1.1 as well.

Note that you generally don't want to be running as SYSTEM (or any account
with Act as part of the operating system), so it might be good to consider
using a different security model for what you are trying to accomplish. If
you can move to Win2K3 server, this privilege restriction is lifted, so
perhaps that is an easy path for you.

HTH,

Joe K.

"Rupreet Singh" <anonymous@discussions.microsoft.com> wrote in message
news:F33BD8F2-934D-42CA-9064-11D1904FF27B@microsoft.com...
> Hi!
> Here is the code I used for logging.
>
> [DllImport(@"C:\Windows\System32\ADVAPI32.DLL",SetLastError=true)]
> public static extern bool LogonUser(string lpszUsername, string lpszDomain, string lpszPassword, int dwLogonType, int dwLogonProvider, ref IntPtr phToken);
>
> const int LOGON32_LOGON_NETWORK = 3;
> const int LOGON32_PROVIDER_DEFAULT = 0;
>
> IntPtr token1 = IntPtr.Zero;
> bool LoggedOn = LogonUser(Username,DomainName,Password,LOGON32_LOGON_NETWORK,LOGON32_PROVIDER_DEFAULT,ref token1);
>
> But as I told you before, for Windows 2000, I always get "false" with ASP.NET 1.1 but "true" with ASP.NET 1.0 (with SYSTEM Account) with the right credentials.
>
> Thanks
> Rupreet Singh
>
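
Added example, not part of the original thread and not Microsoft's SDK sample: a LogonUser wrapper that reads the Win32 error code after a failed call, so a missing privilege (the Windows 2000 case discussed above) is not mistaken for bad credentials, and that always closes the returned token. The names `LogonCheck` and `ValidateCredentials` are hypothetical.

```csharp
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;

static class LogonCheck
{
    const int LOGON32_LOGON_NETWORK = 3;
    const int LOGON32_PROVIDER_DEFAULT = 0;
    const int ERROR_PRIVILEGE_NOT_HELD = 1314; // caller lacks a required privilege
    const int ERROR_LOGON_FAILURE = 1326;      // unknown user name or bad password

    // Resolve advapi32.dll by name: the system directory differs between installs.
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LogonUser(string lpszUsername, string lpszDomain,
        string lpszPassword, int dwLogonType, int dwLogonProvider, out IntPtr phToken);

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr hObject);

    // Returns true for valid credentials, false for bad ones; throws when the
    // call failed for a reason unrelated to the credentials themselves.
    public static bool ValidateCredentials(string user, string domain, string password)
    {
        IntPtr token = IntPtr.Zero;
        try
        {
            if (LogonUser(user, domain, password, LOGON32_LOGON_NETWORK,
                          LOGON32_PROVIDER_DEFAULT, out token))
                return true;

            int err = Marshal.GetLastWin32Error(); // read immediately after the call
            if (err == ERROR_LOGON_FAILURE)
                return false;
            if (err == ERROR_PRIVILEGE_NOT_HELD)
                throw new InvalidOperationException(
                    "LogonUser: calling account lacks a required privilege " +
                    "(on Windows 2000, \"Act as part of the operating system\").");
            throw new Win32Exception(err);
        }
        finally
        {
            if (token != IntPtr.Zero)
                CloseHandle(token); // always release the token handle
        }
    }
}
```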


