Re: LogonUser fails across different domains

From: Drew Cooper [MSFT] (dcoop_at_online.microsoft.com)
Date: 01/29/04


Date: Wed, 28 Jan 2004 20:26:45 -0800

You shouldn't be able to log on as a user from an untrusted domain (except
as guest). And you shouldn't need to do an impersonate to access files on a
different server.
You should be able to log on as DomainA\UserA, "net use" (Or NetUseAdd or
WNetAddConnection2/3 APIs) to some other machine in DomainB as DomainB\UserB
and access files there.

Is that what you wanted or am I missing something?

I wonder if you're really meaning to ask about the Cred* APIs. . .

-- 
Drew Cooper [MSFT]
This posting is provided "AS IS" with no warranties, and confers no rights.
"Prasanna Padmanabhan" <prasannap@citrix.nospam.com.> wrote in message
news:OyyO1kh5DHA.3548@TK2MSFTNGP11.phx.gbl...
> LogonUser() fails if the user (specified as parameter) is in a domain
> different from that with which the executing process is running as.
> For example, if the process that is executing LogonUser is running as
> DomainA\UserA and if I want to LogonUser as DomainB\UserA it fails (unless
> DomainA and DomainB have some sort of trust relationship).
>
> My question is this:-
> ---------------------
>
> Can one of you gurus please tell me what the workaround for this is? That
> is, how can I get a user's token from LogonUser if the domains are
> different? My intention is to get the user's token from the LogonUser call
> and make my executing process run as that user (impersonation), and then
> use that "impersonated user" to access remote file shares (that are on a
> different domain).
>
> I did several Google searches and all of them agree that LogonUser does
> not work across different untrusted domains, but they don't offer a
> solution.
>
> Thanks a lot!
> Prasanna
>
>
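
The approach in the reply above (stay logged on as DomainA\UserA and hand DomainB\UserB credentials to WNetAddConnection2), as an added PowerShell example that is not code from this thread. The wrapper name `Invoke-WithShareCredential`, the `Demo.Mpr` type and the server/share path are assumptions chosen for illustration.

```powershell
# Added example: P/Invoke wrapper over WNetAddConnection2 / WNetCancelConnection2 (mpr.dll).
Add-Type -Namespace Demo -Name Mpr -MemberDefinition @'
[StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
public struct NETRESOURCE {
    public int dwScope, dwType, dwDisplayType, dwUsage;
    public string lpLocalName, lpRemoteName, lpComment, lpProvider;
}
[DllImport("mpr.dll", CharSet = CharSet.Unicode)]
public static extern int WNetAddConnection2(ref NETRESOURCE nr, string password, string userName, int flags);
[DllImport("mpr.dll", CharSet = CharSet.Unicode)]
public static extern int WNetCancelConnection2(string name, int flags, bool force);
'@

$RESOURCETYPE_DISK = 1   # value from winnetwk.h
$CONNECT_TEMPORARY = 4   # connection is not restored at the next logon

function Invoke-WithShareCredential {
    param(
        [Parameter(Mandatory)] [string]       $RemoteName,  # UNC path of the share
        [Parameter(Mandatory)] [pscredential] $Credential,  # e.g. DomainB\UserB
        [Parameter(Mandatory)] [scriptblock]  $Action       # work to do while connected
    )
    $nr = New-Object 'Demo.Mpr+NETRESOURCE'
    $nr.dwType       = $RESOURCETYPE_DISK
    $nr.lpRemoteName = $RemoteName     # lpLocalName left null: no drive letter is mapped

    $rc = [Demo.Mpr]::WNetAddConnection2([ref]$nr,
              $Credential.GetNetworkCredential().Password,
              $Credential.UserName, $CONNECT_TEMPORARY)
    if ($rc -ne 0) {
        # 1326 = ERROR_LOGON_FAILURE; 1219 = ERROR_SESSION_CREDENTIAL_CONFLICT
        # (this logon session already has a connection to that server as another user).
        throw [System.ComponentModel.Win32Exception]::new($rc)
    }
    try     { & $Action $RemoteName }
    finally {
        # Drop the session so the DomainB credentials do not outlive the task.
        [void][Demo.Mpr]::WNetCancelConnection2($RemoteName, 0, $true)
    }
}

# Placeholder server and share; Get-Credential keeps the password off the command line.
$cred = Get-Credential -Message 'Account in DomainB (DomainB\UserB)'
Invoke-WithShareCredential -RemoteName '\\fileserver.domainb.example\share' `
    -Credential $cred -Action { param($path) Get-ChildItem -LiteralPath $path }
```

The connection belongs to the caller's logon session, so no token for the DomainB user is created and no impersonation takes place; only the SMB session to that server is authenticated as DomainB\UserB.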

