How does LogonUser API work to prevent impersonating users?
From: Brian E (brian_anon_at_hotmail.com)
Date: 08/11/04
- Next message: Danny van Kasteel: "Re: Using asymmetric encryption for large amounts of data..."
- Previous message: Valery Pryamikov: "Re: EventLogTraceListener Security Exception"
- Next in thread: Rob Teixeira [MVP]: "Re: How does LogonUser API work to prevent impersonating users?"
- Reply: Rob Teixeira [MVP]: "Re: How does LogonUser API work to prevent impersonating users?"
Date: 11 Aug 2004 05:07:44 -0700
I am trying to understand how the LogonUser API works.
I would like to utilize the credentials of the currently logged on
user as the basis for authenticating access to a client-server
application. Currently, the application only forwards the user name
of the currently logged on user.
Since we use a standard naming convention for usernames, I can easily
impersonate another user. I could install a standalone system and
create a local user account that matches the username of the
application administrator. When I start the client it forwards the
Windows username of the currently logged on user to the application.
Access is then granted.
Obviously I do not know the Windows password for the application
administrator but have been able to get access.
How does LogonUser API work to prevent this situation (i.e. creating a
similar account on another machine)?
Regards,
Brian_anon@hotmail.com
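For comparison, here is how a server would answer the question in the post by validating the supplied credentials with LogonUser instead of trusting a forwarded name; this is an added example, not code from the poster or the thread, and the class and method names are hypothetical.

```csharp
using System;
using System.Runtime.InteropServices;
using System.Security.Principal;

// Hypothetical server-side helper: the client sends user, domain and password
// and the server asks the Windows authority (domain controller or local SAM)
// to verify them rather than accepting a bare username.
static class CredentialCheck
{
    const int LOGON32_LOGON_NETWORK    = 3;   // password check only, no interactive session
    const int LOGON32_PROVIDER_DEFAULT = 0;

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LogonUser(string lpszUsername, string lpszDomain, string lpszPassword,
                                 int dwLogonType, int dwLogonProvider, out IntPtr phToken);

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr hObject);

    // Returns the SID of the authenticated account, or null when the password is wrong
    // or the account does not exist in the named domain.
    public static SecurityIdentifier Authenticate(string user, string domain, string password)
    {
        IntPtr token;
        if (!LogonUser(user, domain, password, LOGON32_LOGON_NETWORK, LOGON32_PROVIDER_DEFAULT, out token))
        {
            int err = Marshal.GetLastWin32Error();   // ERROR_LOGON_FAILURE is 1326
            Console.WriteLine("LogonUser failed: Win32 error {0}", err);
            return null;
        }
        try
        {
            // The SID comes from the authenticating authority. A look-alike local account
            // created on another machine has a different SID even though the name matches,
            // so the server should key its access decisions on this value, not on the name.
            return new WindowsIdentity(token).User;
        }
        finally
        {
            CloseHandle(token);
        }
    }

    static void Main(string[] args)
    {
        // args: user domain password (constructed test input supplied by the caller)
        SecurityIdentifier sid = Authenticate(args[0], args[1], args[2]);
        Console.WriteLine(sid == null ? "access denied" : "authenticated as SID " + sid.Value);
    }
}
```

Because the client must now transmit the password to the server, this only helps if that channel is protected; integrated Windows authentication (SSPI/Kerberos) is the usual alternative that proves the caller's identity to the server without shipping the password at all.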