Is it possible to authenticate a user against an untrusted domain?



Hi,

I need to authenticate a user and then retrieve that user's sid and any sids
for groups that the user is a member of.

I can do this with trusted domains and the local machine by using the
following method:

* LogonUser to authenticate the user. This gives me back a user token if
authenticated.
* GetTokenInformation again to retrieve the token info
* LookupAccountSid to get the user's sid.
* GetTokenInformation again to get group info
* LookupAccountSid to get the group(s) sid.

Now the problem occurs when there exists an untrusted domain. LogonUser will
only authenticate against the local machine or any trusted domains known to
the domain controller.

I have tried LogonUserEx with the LOGON32_LOGON_NEW_CREDENTIALS flag, but
this does impersonation. It always returns true and doesn't authenticate
immediately. My understanding is that the logged in user (of the machine)
simply has another token associated with it (hidden) that is used when
accessing network shares or remote resources.

So if I can't use LogonUser or LogonUserEx, what can I use?

No other operations are required. I have the username, password and the
domain (and machine ip) to authenticate against.

TIA.
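
The trusted-domain sequence listed in the post above, as an added C# example that is not part of the original post. It assumes a Windows host and the .NET Framework, and it reads the SIDs from the token through `WindowsIdentity` rather than calling GetTokenInformation directly; the class name `TokenSids` and the command-line layout are made up for the example.

```csharp
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;
using System.Security.Principal;

static class TokenSids // hypothetical name, not from the post
{
    const int LOGON32_LOGON_NETWORK = 3;    // validates credentials, no interactive session
    const int LOGON32_PROVIDER_DEFAULT = 0;

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LogonUser(string user, string domain, string password,
                                 int logonType, int logonProvider, out IntPtr token);

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr handle);

    static int Main(string[] args)
    {
        if (args.Length != 2)
        {
            Console.Error.WriteLine("usage: TokenSids <domain> <user>");
            return 2;
        }
        // Read the password from stdin so it never appears in the process command line.
        Console.Error.Write("Password: ");
        string password = Console.ReadLine();

        IntPtr token;
        if (!LogonUser(args[1], args[0], password, LOGON32_LOGON_NETWORK,
                       LOGON32_PROVIDER_DEFAULT, out token))
        {
            // Capture the Win32 error right away, before any other API call overwrites it.
            int err = Marshal.GetLastWin32Error();
            Console.Error.WriteLine("LogonUser failed: " + new Win32Exception(err).Message);
            return 1;
        }
        try
        {
            // WindowsIdentity duplicates the token, so the original handle is closed below.
            using (var identity = new WindowsIdentity(token))
            {
                Console.WriteLine("User SID:  " + identity.User.Value);
                foreach (IdentityReference group in identity.Groups)
                    Console.WriteLine("Group SID: " + group.Value);
            }
        }
        finally { CloseHandle(token); }
        return 0;
    }
}
```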
