Re: Authenticating against network server using non-domain account



Hello Joe,

If you use

LOGON32_LOGON_NEW_CREDENTIALS = 9,

in LogonUser, the credentials will only get verified if you use a network resource. This is the same as runas /netonly.

This could do what you want.

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com
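
An added example, not code from any poster in this thread, of the logon type suggested above: LogonUser with LOGON32_LOGON_NEW_CREDENTIALS and an impersonated first network access, which is the point where the remote machine actually checks the account. Assumptions: the LOGON32_PROVIDER_WINNT50 provider, WindowsIdentity.RunImpersonated (.NET Framework 4.6 or later), and placeholder host, account and UNC path arguments.

```csharp
using System;
using System.ComponentModel;
using System.IO;
using System.Runtime.InteropServices;
using System.Security.Principal;
using Microsoft.Win32.SafeHandles;

static class NetOnlyLogon
{
    const int LOGON32_LOGON_NEW_CREDENTIALS = 9; // value quoted in the reply above
    const int LOGON32_PROVIDER_WINNT50 = 3;      // provider documented for logon type 9

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LogonUser(string user, string domain, string password,
        int logonType, int logonProvider, out SafeAccessTokenHandle token);

    // Runs 'work' so that outbound network authentication uses remoteHost\user.
    // The thread's local identity is unchanged, as with runas /netonly.
    public static void RunAs(string remoteHost, string user, string password, Action work)
    {
        if (!LogonUser(user, remoteHost, password, LOGON32_LOGON_NEW_CREDENTIALS,
                       LOGON32_PROVIDER_WINNT50, out SafeAccessTokenHandle token))
            throw new Win32Exception(Marshal.GetLastWin32Error());

        // Success here does not prove the password is right: nothing has been
        // sent to the remote machine yet. A bad password surfaces inside 'work'.
        using (token)
            WindowsIdentity.RunImpersonated(token, work);
    }

    static void Main(string[] args)
    {
        // Placeholder usage (test only): NetOnlyLogon.exe HOST account password \\HOST\share
        string host = args[0], user = args[1], password = args[2], uncPath = args[3];
        try
        {
            RunAs(host, user, password, () =>
            {
                // First network access: the remote machine verifies the account here.
                foreach (string entry in Directory.GetFileSystemEntries(uncPath))
                    Console.WriteLine(entry);
            });
        }
        catch (Exception ex) when (ex is UnauthorizedAccessException || ex is IOException)
        {
            Console.Error.WriteLine("Remote machine refused the logon or the access: " + ex.Message);
        }
    }
}
```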

Have you tried logging in with an account local to the server that has
the same username and password as the user on the remote machine and
impersonating that instead?  My understanding is that this "trick"
will work with NTLM in a situation where you can't use domain
accounts/Kerberos.

Joe K.

"Martin Robins" <martin dot robins at technicaldirect dot co dot uk>
wrote in message news:eysELimAGHA.3184@xxxxxxxxxxxxxxxxxxxxxxx
IntPtr tokenHandle = new IntPtr(0), duplicateTokenHandle = new IntPtr(0);
bool result = advapi32.LogonUser(userName, domain, password,
    advapi32.LogonType.Interactive, advapi32.LogonProvider.Default, ref tokenHandle);

LogonType.Interactive = 2, LogonProvider.Default = 0

Sorry; error code is 1326 - "Logon failure: unknown user name or bad
password" even though the details are correct (I created the account
specifically).

"Willy Denoyette [MVP]" <willy.denoyette@xxxxxxxxxx> wrote in
message news:OxcgIbmAGHA.4004@xxxxxxxxxxxxxxxxxxxxxxx
Not accepted is a little vague isn't it? What is the return code of
the LogonUser call? Some code would help also.
LogonUser doesn't "log on", it returns an access token that can be
used to access the remote server, so when you specify the credentials,
as valid on a remote server, this server 'security system' returns a
token that can be used to access the remote server when
"impersonating".

Willy.

"Martin Robins" <martin dot robins at technicaldirect dot co dot uk>
wrote in message news:e7dADQmAGHA.3352@xxxxxxxxxxxxxxxxxxxxxxx
I have; it is not accepted.
LogonUser will only work when specifying the local machine name
or a domain name that is valid for the local machine as you are
effectively logging a new user onto that machine (and of course a
local user on another machine would not be able to log onto the local
machine).

Cheers.

"Nicholas Paldino [.NET/C# MVP]"
<mvp@xxxxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:ufuP8IlAGHA.2704@xxxxxxxxxxxxxxxxxxxxxxx
Martin,
Have you tried using the machine name in the domain
parameter?

--
- Nicholas Paldino [.NET/C# MVP]
- mvp@xxxxxxxxxxxxxxxxxxxxxxxxxxx
"Martin Robins" <martin dot robins at technicaldirect dot co
dot uk> wrote in message news:e9Ma45kAGHA.2788@xxxxxxxxxxxxxxxxxxxxxxx
I need to access the scheduler service on a network computer
in order to manipulate it remotely from .NET; I have all of the
necessary code to perform the manipulation and it works - great - but
I am having problems with authentication.

I have tried using LogonUser and this works fine with a
domain account, however it is not possible to use this with an account
that is defined only on the remote computer - it only works with local
or domain accounts.

Any suggestions as to how I can authenticate my connection
to the remote PC using a logon and password local to that machine?


