Re: LogonUser
- From: "Stephane Gagne" <StephaneGagne@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Thu, 15 Dec 2005 05:52:02 -0800
Hi Joe,
Thanks for your reply.
The thing is I don't just want to confirm the user, I also want to make sure
the user has the correct password and domain. If the user or password is not
good, I want to block the connection to our application, but if a good token
is returned, we drop the token and allow the user to log into our application.
But I still don't understand why I have different results on different
servers....
Thanks.
"Joe Kaplan (MVP - ADSI)" wrote:
> If you want to verify whether a specific AD contains a user, it would
> probably be better to do an LDAP query to the DC in question.
>
> LogonUser should be used for authenticating users and generating a logon
> token. It is entirely possible for it to authenticate users from other
> domains if the correct trust relationships exist.
>
> It is not possible to call it correctly with invalid credentials and have it
> return a valid logon token though.
>
> Joe K.
>
> "Stephane Gagne" <StephaneGagne@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
> news:A2301AEE-AFE1-4555-B69F-D3C5D3CEAD34@xxxxxxxxxxxxxxxx
> > Hi Joe,
> >
> > I'm having a strange issue with LogonUser. When I use this function to
> > verify that the user effectively exists in my Active Directory, it returns a
> > true value even if the user does not exist. I have a different behavior on
> > another server but I can't find why... They are all Win2K servers and run
> > the process with the administrator user.
> >
> > Thanks for your help.
> >
> > "Joe Kaplan (MVP - ADSI)" wrote:
> >
> >> Are you on Windows 2000? Under Win2K, LogonUser requires the caller to have
> >> the TCB privilege (act as part of the operating system) which is only
> >> granted to the SYSTEM account by default.
> >>
> >> Switching to Windows Server 2003 is a great solution to this problem, but
> >> you might have to give the TCB privilege to the account in question if that
> >> is not an option. Unfortunately, this weakens the security of your app as
> >> this is a dangerous privilege to give out. Factoring this specific call
> >> into a COM object registered under COM+ with a special identity is one way
> >> to help mitigate that problem.
> >>
> >> Joe K.
> >>
> >> "***" <Richard.Giles@xxxxxxxxxxxxx> wrote in message
> >> news:2EA28A4D-4319-4F46-B071-0D4503F902BA@xxxxxxxxxxxxxxxx
> >> > I'm trying to use the LogonUser function from "advapi32.dll" as described
> >> > in the KB article "How to validate Windows user rights in a Visual Basic
> >> > .NET application" but the function returns the error message "A required
> >> > privilege is not held by the client." Please can you explain what this
> >> > means and what I need to do to get around it. Many thanks.
> >>
> >>
> >>
>
>
>
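The following is an added example, not code from anyone in this thread; it shows in PowerShell (the original question used VB.NET, but the P/Invoke is the same) the split Joe recommends: an LDAP query against a named DC to confirm the account exists in that specific domain, then LogonUser only to check the password, with the returned token closed immediately rather than kept. Because LogonUser can succeed through a trust against some other domain, the existence check is done first against the DC you actually care about. The Win32 error codes are the standard values (1326 for a bad user name or password, 1314 for the "required privilege is not held" failure seen on Win2K without SeTcbPrivilege). dc01.example.com, DC=example,DC=com and the EXAMPLE domain are placeholders, and the script assumes it runs on a domain-joined Windows host whose process identity can read the directory.

```powershell
# Added example (not from the thread). Placeholders: dc01.example.com, DC=example,DC=com, EXAMPLE.
# Assumes a domain-joined Windows host; the LDAP lookup runs under the process identity.

$sig = @'
[DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern bool LogonUser(string user, string domain, string password,
    int logonType, int logonProvider, out IntPtr token);

[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CloseHandle(IntPtr handle);
'@
$Native = Add-Type -MemberDefinition $sig -Name 'LogonApi' -Namespace 'Native' -PassThru

$LOGON32_LOGON_NETWORK    = 3     # cheapest logon type; enough to test a password
$LOGON32_PROVIDER_DEFAULT = 0
$ERROR_LOGON_FAILURE      = 1326  # unknown user name or bad password
$ERROR_PRIVILEGE_NOT_HELD = 1314  # the Win2K symptom: caller lacks SeTcbPrivilege

function Test-AccountExistsInDomain {
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,
        [Parameter(Mandatory)] [string] $DomainController,  # placeholder: dc01.example.com
        [Parameter(Mandatory)] [string] $BaseDN              # placeholder: DC=example,DC=com
    )
    # Escape RFC 4515 metacharacters so a crafted user name cannot rewrite the filter.
    $escaped = $SamAccountName -replace '\\', '\5c' -replace '\*', '\2a'
    $escaped = $escaped -replace '\(', '\28' -replace '\)', '\29' -replace "`0", '\00'
    $root = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$DomainController/$BaseDN")
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
    $searcher.Filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$escaped))"
    [void] $searcher.PropertiesToLoad.Add('distinguishedName')
    $hit = $searcher.FindOne()
    if ($null -eq $hit) { return $null }
    return [string] $hit.Properties['distinguishedName'][0]
}

function Test-DomainCredential {
    param(
        [Parameter(Mandatory)] [string] $User,
        [Parameter(Mandatory)] [string] $Domain,
        [Parameter(Mandatory)] [securestring] $Password
    )
    $bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($Password)
    try {
        $plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
        $token = [IntPtr]::Zero
        $ok = $Native::LogonUser($User, $Domain, $plain, $LOGON32_LOGON_NETWORK,
                                 $LOGON32_PROVIDER_DEFAULT, [ref] $token)
        $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
    } finally {
        [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)   # scrub the plaintext copy
    }
    # Only a yes/no answer was wanted: drop the token, never impersonate with it.
    if ($ok) { [void] $Native::CloseHandle($token) }
    $code = if ($ok) { 0 } else { $err }
    [pscustomobject]@{
        Valid       = [bool] $ok
        Win32Error  = $code
        BadPassword = (-not $ok) -and ($err -eq $ERROR_LOGON_FAILURE)
        NeedsTcb    = (-not $ok) -and ($err -eq $ERROR_PRIVILEGE_NOT_HELD)
    }
}

# Usage: prompt for the password rather than hard-coding it.
$cred = Get-Credential -Message 'Account to validate (user name only, no domain prefix)'
$dn = Test-AccountExistsInDomain -SamAccountName $cred.UserName `
        -DomainController 'dc01.example.com' -BaseDN 'DC=example,DC=com'
if (-not $dn) {
    Write-Warning 'No such account in the target domain; not calling LogonUser.'
} else {
    $r = Test-DomainCredential -User $cred.UserName -Domain 'EXAMPLE' -Password $cred.Password
    if ($r.Valid)           { "Credentials valid for $dn" }
    elseif ($r.BadPassword) { 'Bad password' }
    elseif ($r.NeedsTcb)    { 'LogonUser needs SeTcbPrivilege on this OS (the Win2K case)' }
    else                    { "LogonUser failed, Win32 error $($r.Win32Error)" }
}
```

Two design points worth noting. The LDAP check is scoped to one DC and one base DN, so a "valid" answer from LogonUser for an account that only exists in a trusted domain is rejected before the password is ever tested. And the token handle is closed on the spot; if the process later needs to run as that user, that is a separate impersonation decision, not a side effect of validating a password.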