Re: Authenticating against network server using non-domain account
- From: Dominick Baier [DevelopMentor] <dbaier@xxxxxxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Fri, 16 Dec 2005 12:25:35 -0800
if you use
LOGON32_LOGON_NEW_CREDENTIALS = 9,
in LogonUser - the credentials will only get verified if you use a network resource -
this is the same as runas /netonly
this could do what you want.
--------------------------------------- Dominick Baier - DevelopMentor http://www.leastprivilege.com
uk>> wrote in message news:e7dADQmAGHA.3352@xxxxxxxxxxxxxxxxxxxxxxxHave you tried logging in with an account local to the server that has the same username and password as the user on the remote machine and impersonating that instead? My understanding is that this "trick" will work with NTLM in a situation where you can't use domain accounts/Kerberos.
"Martin Robins" <martin dot robins at technicaldirect dot co dot uk> wrote in message news:eysELimAGHA.3184@xxxxxxxxxxxxxxxxxxxxxxx IntPtr tokenHandle = new IntPtr(0), duplicateTokenHandle = new IntPtr(0); bool result = advapi32.LogonUser(userName, domain, password, advapi32.LogonType.Interactive, advapi32.LogonProvider.Default, ref tokenHandle);
LogonType.Interactive = 2, LogonProvider.Default = 0
Sorry; error code is 1326 - "Logon failure: unknown user name or bad password" even though the details are correct (I created the account specifically).
"Willy Denoyette [MVP]" <willy.denoyette@xxxxxxxxxx> wrote in message news:OxcgIbmAGHA.4004@xxxxxxxxxxxxxxxxxxxxxxx Not accepted is a little vague isn't it? What is the return code of the LogonUser call? Some code would help also. LogonUser doesn't "log on", it retuns an access token that can be used to access the remote server, so when you specify the credentials, as valid on a remote server, this server 'security system' returns a token that can be used to access the remote server when "impersonating".
"Martin Robins" <martin dot robins at technicaldirect dot co dot
I have; it is not accepted. LogonUser will only work when specifying the local machine name or a domain name that is valid for the local machine as you are effectively logging a new user onto that machine (and of course a local user on another machine would not be able to log onto the local machine).
"Nicholas Paldino [.NET/C# MVP]" <mvp@xxxxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message news:ufuP8IlAGHA.2704@xxxxxxxxxxxxxxxxxxxxxxx Martin, Have you tried using the machine name in the domain parameter?
-- - Nicholas Paldino [.NET/C# MVP] - mvp@xxxxxxxxxxxxxxxxxxxxxxxxxxx "Martin Robins" <martin dot robins at technicaldirect dot co dot uk> wrote in message news:e9Ma45kAGHA.2788@xxxxxxxxxxxxxxxxxxxxxxx I need to access the scheduler service on a network computer in order to manipulate it remotely from .NET; I have all of the necessary code to perform the manipulation and it works - great - but I am having problems with authentication.
I have tried using LogonUser and this works fine with a domain account, however it is not possible to use this with an account that is defined only on the remote computer - it only works with local or domain accounts.
Any suggestions as to how I can authenticate my connection to the remote PC using a logon and password local to that machine?