Authenticate a user against an untrusted domain?


I need to authenticate a user and then retrieve that user's SID and any SIDs
for groups that the user is a member of.

I can do this with trusted domains and the local machine by using the
following method:

* LogonUser to authenticate the user. This gives me back a user token if
* GetTokenInformation to get the buffer size for the user info
* GetTokenInformation again to retrieve the token info
* LookupAccountSid to get the user's SID.
* GetTokenInformation to get the TokenGroups size
* GetTokenInformation again to get the group info

Now the problem occurs when there exists an untrusted domain. LogonUser will
only authenticate against the local machine or any trusted domains known to
the domain controller.

I have tried LogonUserEx with the LOGON32_LOGON_NEW_CREDENTIALS flag, but
this does impersonation. It always returns true and doesn't authenticate
immediately. My understanding is that the logged-in user (of the machine)
simply has another token associated with it (hidden) that is used when
accessing network shares or remote resources.

So if I can't use LogonUser or LogonUserEx, what can I use?


I want a method to authenticate and then retrieve the user SID and any group

No other operations are required. I have the username, password and the
domain (and machine ip) to authenticate against.
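The procedure the post lists for the local machine and trusted domains (LogonUser, then the user SID and group SIDs from the token), as an added PowerShell example that is not the poster's code; it wraps the token in WindowsIdentity, which does the GetTokenInformation/LookupAccountSid work for you. The domain "." and the user name in the usage line are constructed, and this is the path that the post says does not work for an untrusted domain.

```powershell
# Added example: LogonUser via P/Invoke, then read the user SID and group SIDs
# from the resulting token. Covers the local machine and trusted domains only.
Add-Type -Namespace Win32 -Name Advapi -MemberDefinition @'
[DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern bool LogonUser(
    string lpszUsername, string lpszDomain, string lpszPassword,
    int dwLogonType, int dwLogonProvider, out IntPtr phToken);

[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CloseHandle(IntPtr hObject);
'@

function Get-LogonSids {
    param(
        [Parameter(Mandatory)] [string]       $UserName,
        [Parameter(Mandatory)] [string]       $Domain,    # "." = local machine
        [Parameter(Mandatory)] [securestring] $Password
    )
    $LOGON32_LOGON_NETWORK    = 3   # credential check only, no desktop needed
    $LOGON32_PROVIDER_DEFAULT = 0
    $token = [IntPtr]::Zero
    $bstr  = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($Password)
    try {
        $plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
        $ok = [Win32.Advapi]::LogonUser($UserName, $Domain, $plain,
                $LOGON32_LOGON_NETWORK, $LOGON32_PROVIDER_DEFAULT, [ref]$token)
        if (-not $ok) {
            # Surface the Win32 error (e.g. 1326 = bad user name or password)
            $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
            throw (New-Object ComponentModel.Win32Exception($err))
        }
        # WindowsIdentity duplicates the token; .User and .Groups are the
        # TokenUser / TokenGroups SIDs, .Name is the LookupAccountSid result.
        $id = New-Object Security.Principal.WindowsIdentity($token)
        try {
            [pscustomobject]@{
                User      = $id.Name
                UserSid   = $id.User.Value
                GroupSids = @($id.Groups | ForEach-Object { $_.Value })
            }
        } finally { $id.Dispose() }
    } finally {
        [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)   # scrub the plaintext copy
        if ($token -ne [IntPtr]::Zero) { [void][Win32.Advapi]::CloseHandle($token) }
    }
}

# Constructed usage: prompt for the password rather than embedding it in a script.
# Get-LogonSids -UserName 'alice' -Domain '.' -Password (Read-Host -AsSecureString 'Password')
```

A failed logon throws a Win32Exception with the underlying error code, which is the signal the post is after: LogonUser either validates the credentials or it does not, unlike the NEW_CREDENTIALS case that always returns true.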