Is it possible to authenticate a user against an untrusted domain?


I need to authenticate a user and then retrieve that user's SID and any SIDs
for groups that the user is a member of.

I can do this with trusted domains and the local machine by using the
following method:

* LogonUser to authenticate the user. This gives me back a user token if
* GetTokenInformation again to retrieve the token info
* LookupAccountSid to get the user's SID.
* GetTokenInformation again to get group info
* LookupAccountSid to get the group(s) SID.

Now the problem occurs when there exists an untrusted domain. LogonUser will
only authenticate against the local machine or any trusted domains known to
the domain controller.

I have tried LogonUserEx with the LOGON32_LOGON_NEW_CREDENTIALS flag, but
this does impersonation. It always returns true and doesn't authenticate
immediately. My understanding is that the logged-in user (of the machine)
simply has another token associated with it (hidden) that is used when
accessing network shares or remote resources.

So if I can't use LogonUser or LogonUserEx, what can I use?

No other operations are required. I have the username, password and the
domain (and machine IP) to authenticate against.
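
Added example, not part of the original post: the trusted-domain flow listed above (LogonUser, then GetTokenInformation with TokenUser) in C, reduced to the user SID; the same formatter applies to each SID in a TOKEN_GROUPS result. `sid_to_string` and `logon_user_sid` are hypothetical helper names, the Windows-only part is compiled under `_WIN32` and links against advapi32, and the sample SID bytes are constructed.

```c
#include <stdint.h>
#include <stdio.h>

/* Format a binary SID (revision, sub-authority count, 6-byte big-endian authority,
 * little-endian 32-bit sub-authorities). Returns 0, or -1 if truncated/out too small. */
int sid_to_string(const unsigned char *sid, size_t len, char *out, size_t cap)
{
    if (len < 8 || sid[1] > 15 || len < 8 + 4u * sid[1]) return -1;
    uint64_t auth = 0;
    for (int i = 2; i < 8; i++) auth = (auth << 8) | sid[i];
    int n = snprintf(out, cap, "S-%u-%llu", (unsigned)sid[0], (unsigned long long)auth);
    for (unsigned i = 0; i < sid[1]; i++) {
        if (n < 0 || (size_t)n >= cap) return -1;
        const unsigned char *p = sid + 8 + 4 * i;
        uint32_t sub = p[0] | (p[1] << 8) | (p[2] << 16) | ((uint32_t)p[3] << 24);
        n += snprintf(out + n, cap - n, "-%lu", (unsigned long)sub);
    }
    return (n < 0 || (size_t)n >= cap) ? -1 : 0;
}

#ifdef _WIN32
#include <windows.h>
/* LOGON32_LOGON_NETWORK validates the password during the call, but only for
 * the local machine and domains it trusts (the limitation the post describes). */
int logon_user_sid(const char *user, const char *domain, const char *pw,
                   char *out, size_t cap)
{
    union { TOKEN_USER tu; unsigned char raw[256]; } buf;
    HANDLE tok = NULL;
    DWORD got = 0;
    int rc = -1;
    if (!LogonUserA(user, domain, pw, LOGON32_LOGON_NETWORK,
                    LOGON32_PROVIDER_DEFAULT, &tok))
        return -1;                      /* GetLastError() gives the reason */
    if (GetTokenInformation(tok, TokenUser, &buf, sizeof buf, &got))
        rc = sid_to_string((const unsigned char *)buf.tu.User.Sid,
                           GetLengthSid(buf.tu.User.Sid), out, cap);
    CloseHandle(tok);
    return rc;
}
#endif

int main(void)
{
    /* Constructed sample: binary form of S-1-5-32-544 (BUILTIN\Administrators). */
    static const unsigned char sample[] = {1,2,0,0,0,0,0,5, 0x20,0,0,0, 0x20,2,0,0};
    char s[192];
    return sid_to_string(sample, sizeof sample, s, sizeof s) == 0 ? puts(s) == EOF : 1;
}
```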