Re: User account management and information functions usage with trusted domains



Rhett Gong [MSFT] wrote:
> Can you use NetUserGetInfo(), NetUserGetGroups(),
> NetUserGetLocalGroups() cross-domain?

No, it returns NERR_UserNotFound, but DsGetDcName does return
correct information for the DC.

Is it even possible to make those functions work cross-domain?

As a reminder, my original question (at the start of the thread):

---

Our product is used to authenticate and authorize users running
processes and terminals on Windows servers.

When logging in a user we perform account authorization checks with
information gotten with NetUserGetInfo(), NetUserGetGroups() and
NetUserGetLocalGroups(). With trusted domains, these functions don't
seem to work, even though I'm able to log in to the Windows workstations
OK with a trusted domain account.

SJL2KD
- Windows 2000 Domain
- sjl2kd.ssh.com
- DC sjl2k.sjl2kd.ssh.com
- client machine Windows 2003 Server, sjlvpcws2003
- DNS handles both sjl2kd.ssh.com and sjl2k3d.ssh.com

SJL2K3D
- Windows 2003 Domain
- sjl2k3d.ssh.com
- forwarder to DNS in sjl2k.sjl2kd.ssh.com
- DC sjl2k3

Both domains have been set up to trust each other.

I can log in from the Windows login screen in sjlvpcws2003 with account
SJL2K3D/sjl.

When I use NetUserGetInfo(), I previously fetched the `servername' with
DsGetDcName() to get the DC to use. If I try to get the DC for SJL2K3D
in a server in SJL2K domain, I get ERROR_NO_SUCH_DOMAIN.

If, on the other hand, I use the domain controller of SJL2KD as
`servername', I only get ERROR_NO_SUCH_USER (I've tried username in
NetBIOS and DNS formats, i.e. SJL2K3D\sjl and sjl@xxxxxxxxxxxxxxx,
without success).

I need the user information structure to perform account validity
checks. Access token for the user is generated depending on
authentication method: we use LogonUser, SSPI, S4U and lastly if we
can't use the former, we use a custom authentication package to generate
the access token. I have yet to see an access token with trusted domain
logins :)
---

DsGetDcName() now works, but I get ERROR_ACCESS_DENIED from the domain controller of the trusted domain when trying to get the user info.

--
sjl@xxxxxxx
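The following is an added example, not code from the poster or from the product described in the thread. It shows the cross-domain sequence the post is trying to get working: DsGetDcName() is called with the trusted domain's own name (flat or DNS) to locate one of its DCs, and NetUserGetInfo() is then called against that DC with the bare SAM account name. Passing DOMAIN\user or user@domain as the username is what produces NERR_UserNotFound, because the username argument is the account name as stored on the server, not a qualified name. The domain and account names are the ones from the post; the function name Get-TrustedDomainUser and the P/Invoke wrapper class NetApi are this example's own.

```powershell
# Added example: locate a DC of the trusted domain and read the account with
# NetUserGetInfo level 2, then derive the validity checks a logon path needs.
$sig = @'
using System;
using System.Runtime.InteropServices;

public static class NetApi {
    [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
    public struct DOMAIN_CONTROLLER_INFO {
        public string DomainControllerName;     // "\\dcname", usable directly as servername
        public string DomainControllerAddress;
        public uint   DomainControllerAddressType;
        public Guid   DomainGuid;
        public string DomainName;
        public string DnsForestName;
        public uint   Flags;
        public string DcSiteName;
        public string ClientSiteName;
    }

    // USER_INFO_2 from lmaccess.h, field order as documented.
    [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
    public struct USER_INFO_2 {
        public string usri2_name;          public string usri2_password;
        public uint   usri2_password_age;  public uint   usri2_priv;
        public string usri2_home_dir;      public string usri2_comment;
        public uint   usri2_flags;         public string usri2_script_path;
        public uint   usri2_auth_flags;    public string usri2_full_name;
        public string usri2_usr_comment;   public string usri2_parms;
        public string usri2_workstations;  public uint   usri2_last_logon;
        public uint   usri2_last_logoff;   public uint   usri2_acct_expires;
        public uint   usri2_max_storage;   public uint   usri2_units_per_week;
        public IntPtr usri2_logon_hours;   public uint   usri2_bad_pw_count;
        public uint   usri2_num_logons;    public string usri2_logon_server;
        public uint   usri2_country_code;  public uint   usri2_code_page;
    }

    public const uint DS_DIRECTORY_SERVICE_REQUIRED = 0x00000010;
    public const uint DS_RETURN_DNS_NAME            = 0x40000000;
    public const uint UF_ACCOUNTDISABLE             = 0x0002;
    public const uint UF_LOCKOUT                    = 0x0010;
    public const uint TIMEQ_FOREVER                 = 0xFFFFFFFF;

    [DllImport("netapi32.dll", CharSet = CharSet.Unicode)]
    public static extern uint DsGetDcName(string computerName, string domainName,
        IntPtr domainGuid, string siteName, uint flags, out IntPtr dcInfo);

    [DllImport("netapi32.dll", CharSet = CharSet.Unicode)]
    public static extern uint NetUserGetInfo(string serverName, string userName,
        int level, out IntPtr bufPtr);

    [DllImport("netapi32.dll")]
    public static extern uint NetApiBufferFree(IntPtr buffer);
}
'@
Add-Type -TypeDefinition $sig

function Get-TrustedDomainUser {
    param(
        [Parameter(Mandatory)][string]$Domain,          # 'SJL2K3D' or 'sjl2k3d.ssh.com'
        [Parameter(Mandatory)][string]$SamAccountName   # bare name 'sjl', never 'SJL2K3D\sjl'
    )

    # 1. Ask the DC locator for a DC of the user's own domain. The locator walks
    #    the trust, so this works from a member of the trusting domain.
    $dcPtr = [IntPtr]::Zero
    $rc = [NetApi]::DsGetDcName($null, $Domain, [IntPtr]::Zero, $null,
        ([NetApi]::DS_DIRECTORY_SERVICE_REQUIRED -bor [NetApi]::DS_RETURN_DNS_NAME), [ref]$dcPtr)
    if ($rc -ne 0) { throw "DsGetDcName('$Domain') failed: $rc (1355 = ERROR_NO_SUCH_DOMAIN)" }
    try   { $dc = [Runtime.InteropServices.Marshal]::PtrToStructure($dcPtr, [type][NetApi+DOMAIN_CONTROLLER_INFO]) }
    finally { [void][NetApi]::NetApiBufferFree($dcPtr) }

    # 2. Query the account on that DC with its SAM account name. A qualified name
    #    here is what yields NERR_UserNotFound (2221).
    $bufPtr = [IntPtr]::Zero
    $rc = [NetApi]::NetUserGetInfo($dc.DomainControllerName, $SamAccountName, 2, [ref]$bufPtr)
    if ($rc -ne 0) { throw "NetUserGetInfo on $($dc.DomainControllerName) failed: $rc (5 = ERROR_ACCESS_DENIED, 2221 = NERR_UserNotFound)" }
    try   { $ui = [Runtime.InteropServices.Marshal]::PtrToStructure($bufPtr, [type][NetApi+USER_INFO_2]) }
    finally { [void][NetApi]::NetApiBufferFree($bufPtr) }

    # 3. Account validity: disabled, locked out, expired. acct_expires is seconds
    #    since 1970-01-01 UTC, or TIMEQ_FOREVER for "never".
    $expires = if ($ui.usri2_acct_expires -eq [NetApi]::TIMEQ_FOREVER) { $null }
               else { [DateTimeOffset]::FromUnixTimeSeconds($ui.usri2_acct_expires).UtcDateTime }
    [pscustomobject]@{
        DomainController = $dc.DomainControllerName
        Name             = $ui.usri2_name
        Disabled         = [bool]($ui.usri2_flags -band [NetApi]::UF_ACCOUNTDISABLE)
        LockedOut        = [bool]($ui.usri2_flags -band [NetApi]::UF_LOCKOUT)
        Expires          = $expires
        Expired          = ($null -ne $expires) -and ($expires -le [DateTime]::UtcNow)
        LogonServer      = $ui.usri2_logon_server
    }
}

Get-TrustedDomainUser -Domain 'SJL2K3D' -SamAccountName 'sjl'
```

One caveat for the ERROR_ACCESS_DENIED case: NetUserGetInfo() is made in the security context of the calling thread, and on an Active Directory DC the default ACL allows authenticated users (and members of the Pre-Windows 2000 Compatible Access group) to read this information. An access-denied result from the trusted domain's DC therefore means that DC did not accept the caller's context as an authenticated user of its domain; running the query while impersonating the token just obtained for the user, rather than from the service's own local context, is one way to present credentials the trusted domain recognises. The same bare-name rule applies to NetUserGetGroups() and NetUserGetLocalGroups() when they are pointed at that DC.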