Re: CreateProcessWithLogonW on Server 2003

From: Yu Chen [MS] (yuchen_at_online.microsoft.com)
Date: 07/13/04

Next message: Dmitriy Golubev: "Questions about GINA & Kerberos interoperability"

Previous message: Jayant Sane: "Certs added w/ CertAddCertificateContextToStore dont show up"
In reply to: Vincent Finn: "Re: CreateProcessWithLogonW on Server 2003"
Next in thread: Vincent Finn: "Re: CreateProcessWithLogonW on Server 2003"
Reply: Vincent Finn: "Re: CreateProcessWithLogonW on Server 2003"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date: Mon, 12 Jul 2004 19:14:09 -0700

When LogonUser failed, what error code did GetLastError return? I bet it's
ERROR_LOGON_TYPE_NOT_GRANTED. By default the SeBatchLogon right is not
granted to any account. If you need to use the batch logon type, you have to
grant the SeBatchLogon right to the account.

-- 
Yu Chen [MS]
This posting is provided "AS IS" with no warranties, and confers no rights.
"Vincent Finn" <1@2.com> wrote in message
news:k6b5f0hrhc4mklv513pv4sc2gn5vusuu3c@4ax.com...
> On Wed, 7 Jul 2004 16:46:42 -0700, "Yu Chen [MS]"
> <yuchen@online.microsoft.com> wrote:
>
> >That's a known issue in Windows Server 2003 - the CreateProcessWithLogonW
> >API is changed to better handle the new process' use of desktop by
utilizing
> >"Logon Sid" in the caller's token. However the local system token (under
> >which your service is running) doesn't have a "Logon sid" so the API
failed
> >when caller is local system.
> >
> >If the caller is local system, you can use LogonUser and
CreateProcessAsUser
> >to achieve the same thing.
>
> That sorted it, thanks.
>
> LogonUser only seems to work if I use 'LOGON32_LOGON_INTERACTIVE'
> rather than 'LOGON32_LOGON_BATCH'
>
> any idea why that might be?
>
> Vin

Next message: Dmitriy Golubev: "Questions about GINA & Kerberos interoperability"

Previous message: Jayant Sane: "Certs added w/ CertAddCertificateContextToStore dont show up"
In reply to: Vincent Finn: "Re: CreateProcessWithLogonW on Server 2003"
Next in thread: Vincent Finn: "Re: CreateProcessWithLogonW on Server 2003"
Reply: Vincent Finn: "Re: CreateProcessWithLogonW on Server 2003"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages

Re: How to avoid an "access denied" when setting PriorityClass
... I don't believe that "logonuser" can help with this (what's the Local System ... runs under a user account, and that user is the one assocaited with the ... Impersonate method (the documentation for the Impersonate method should have ...
(microsoft.public.dotnet.languages.csharp)
Re: Thread Unable to Impersonate (Workaround)
... Your workaround is working cause the System account has extended privileges ... ASPX page is impersonating a token that is coming from a client. ... LogonUser is a very bad API to use since it requires a cleartext password. ...
(microsoft.public.dotnet.framework.aspnet.security)
Re: Win32 LogonUser()
... > IUserMachinename/anonymous user account. ... > in IIS and may be more other properties for IUserMachineName account. ... >> For three days now I have been trying to use LogonUser() API to login ... >> lpszDomain, String lpszPassword, int dwLogonType, int dwLogonProvider, ...
(microsoft.public.dotnet.framework.aspnet.security)
Re: Win32 LogonUser()
... IUserMachinename/anonymous user account. ... in IIS and may be more other properties for IUserMachineName account. ... > For three days now I have been trying to use LogonUser() API to login ... > lpszDomain, String lpszPassword, int dwLogonType, int dwLogonProvider, out ...
(microsoft.public.dotnet.framework.aspnet.security)
Re: Win32 LogonUser()
... > IUserMachinename/anonymous user account. ... > in IIS and may be more other properties for IUserMachineName account. ... >> For three days now I have been trying to use LogonUser() API to login ... >> lpszDomain, String lpszPassword, int dwLogonType, int dwLogonProvider, ...
(microsoft.public.dotnet.framework.aspnet.security)