Re: "LsaLogonUser" method to log a user on to the local computer using Kerberos ticket

From: DaveMo <david.mowers@xxxxxxxxx>
Date: 18 May 2007 07:44:29 -0700

On May 16, 10:58 pm, MADHUKAR ROCKER <earthlyh...@xxxxxxxxx> wrote:

Hello,

In windows we have "LogonUser" function which attempts to log a user
on to the local computer.
We specify the user with a user name and domain and authenticate the
user with a plaintext password.
If the function succeeds, you receive a handle to a token that
represents the logged-on user.
You can then use this token handle to impersonate the specified
user.

Is there any Windows API to LogonUser/impersonate user using Kerberos
ticket without providing password?
This is required for Single Sign-on feature.

I came across one Windows API "LsaLogonUser" which takes Kerberos
ticket.
But i am not sure whether this is the right API to use.

Can i use "LsaLogonUser" method to log a user on to the local computer
using Kerberos ticket?

Does anyone have sample code for "LsaLogonUser" method?

Thanks
MADHUKAR

Yes, assuming Windows 2003 or better. Google "S4U Kerberos" and you'll
find references to "Protocol Transition". This is a way to generate a
Kerb ticket for a user without their password. You use KERB_S4U_LOGON
with LsaLogonUser.

HTH,
Dave

.

Follow-Ups:
- Re: "LsaLogonUser" method to log a user on to the local computer using Kerberos ticket
  - From: MADHUKAR ROCKER

References:
- "LsaLogonUser" method to log a user on to the local computer using Kerberos ticket
  - From: MADHUKAR ROCKER

Prev by Date: RE: Programmical Ctrl alt del in Vista Home
Next by Date: RE: Finding Certificates for decryption
Previous by thread: "LsaLogonUser" method to log a user on to the local computer using Kerberos ticket
Next by thread: Re: "LsaLogonUser" method to log a user on to the local computer using Kerberos ticket
Index(es):
- Date
- Thread

Relevant Pages

Re: Windows Clients Wont Do Kerberos
... Kerberos when accessing services? ... Are the users logged on to Windows with Domain credentials? ... SSPI ticket cache. ... I have confirmed with a packet capture that the client never tries ...
(comp.protocols.kerberos)
Re: Authenticating LDAP connection with current windows users credentials?
... setup and theory behind an ldap ... The Kerberos only works with ADS right now but that is sufficient for your situation. ... when the user has logged in interactively and therefore has a valid Kerberos ticket cached in Windows logon credential cache. ... CallbackHandler callbackHandler = new KerbCallback; ...
(comp.lang.java.programmer)
Re: UserName and Kerberos tokens at the same time
... > What makes me feeling a bit strange is that the WSE 3.0 Kerberos demo also ... Are you logon the computer as a domain user when running the ... I have tried it on a Windows 2003 server as well and there I get the ...
(microsoft.public.dotnet.framework.webservices.enhancements)
Re: Avoid sending current credentials automatically over the network
... Windows has SSP's for Kerberos, NTLM, and Schannel. ... Windows will try to use the "most secure" first, ... Cenzic Hailstorm finds vulnerabilities fast. ...
(Pen-Test)
problem with 2003 krb and mit krb integration with mozilla thunderbirdon a multiple realm scenario
... I'm trying to log in on cyrus imap running on a Linux box, ... from a Windows XP Pro workstation logged on a Windows 2003 DC using a ... Log on Windows 2003 DC using my MIT Kerberos. ... On the 1st and 2nd tests I got a TGS ticket ...
(comp.protocols.kerberos)