Author
20 Sep 2005 5:05 PM
Dick
I'm trying to use the LogonUser function from "advapi32.dll" as described in
the KB article "How to validate Windows user rights in a Visual Basic .NET
application" but the function returns the error message "A required privilege
is not held by the client.". Please can you explain what this means and what
I need to do to get around it. Many thanks.

Author
20 Sep 2005 5:50 PM
Paul Clement
On Tue, 20 Sep 2005 10:05:05 -0700, "Dick" <Richard.Giles@nospam.nospam> wrote:

¤ I'm trying to use the LogonUser function from "advapi32.dll" as described in
¤ the KB article "How to validate Windows user rights in a Visual Basic .NET
¤ application" but the function returns the error message "A required privilege
¤ is not held by the client.". Please can you explain what this means and what
¤ I need to do to get around it. Many thanks.

Which version of Windows are you using?


Paul
~~~~
Microsoft MVP (Visual Basic)
Author
21 Sep 2005 8:47 AM
Dick
Windows 2000

Author
20 Sep 2005 5:50 PM
Joe Kaplan (MVP - ADSI)
Are you on Windows 2000?  Under Win2K, LogonUser requires the caller to have
the TCB privilege (act as part of the operating system) which is only
granted to the SYSTEM account by default.

Switching to Windows Server 2003 is a great solution to this problem, but
you might have to give the TCB privilege to the account in question if that
is not an option.  Unfortunately, this weakens the security of your app as
this is a dangerous privilege to give out.  Factoring this specific call
into a COM object registered under COM+ with a special identity is one way
to help mitigate that problem.

Joe K.

Author
21 Sep 2005 10:04 AM
Dick
Switching to W2003 or to COM+ or to any server-based solution isn't really an
option because the program is CPU intensive and therefore runs on 'n' number
of W2K clients depending upon daily demand.

And to be clear, I don't know that solving the LogonUser issue will fix my
underlying problem anyway. Perhaps I should explain...

I need to copy files to a network location which is not accessible by the
logged on user's account. The location can be reached from Windows by typing
in its UNC path and entering the user name and password of an account that
does have access. i.e. Start>Run>"\\10.216.0.1\NameOfShare">OK and then in
the "Enter Network Password" dialog Connect As="AuthorisedUsersName" and
Password="AuthorisedUsersPassword">OK. All I want to do is make this
connection programmatically and avoid the need for the user to enter the
details of the authorised account.

Hope you can help!

Author
21 Sep 2005 3:00 PM
Joe Kaplan (MVP - ADSI)
Ah, I see.  LogonUser would probably work, but you will be restricted from
using that on 2K.  I'm not exactly sure how Windows does this, but there is
probably an API that you can use.  You might look at WMI to see if it offers
a wrapper or one of the Net* APIs.  At worst you could shell out to the Net
Use command.

Note that a good hacker could probably recover the credentials you will be
using to make this connection pretty easily since it is running on their
machine, so be careful about how secure this needs to be.

Joe K.

Author
22 Sep 2005 7:22 PM
Dominick Baier [DevelopMentor]
Hello Joe,

A good one?? You mean these extremely talented guys who know how to run Reflector??
:)

Man, don't store passwords in your binaries...

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com
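
The connection discussed above (reaching a share with another account's credentials) can be made from .NET through the WNet API in mpr.dll. This is an added example, not code from any poster in the thread; the module and function names are illustrative assumptions, and it takes the password at run time instead of embedding it in the binary, in line with the warnings above.

```vbnet
Imports System
Imports System.ComponentModel
Imports System.IO
Imports System.Runtime.InteropServices

' Added illustration: ShareConnection and CopyToShare are hypothetical names.
Module ShareConnection
    Private Const RESOURCETYPE_DISK As Integer = 1
    Private Const NO_ERROR As Integer = 0

    <StructLayout(LayoutKind.Sequential, CharSet:=CharSet.Unicode)> _
    Private Structure NETRESOURCE
        Public dwScope As Integer
        Public dwType As Integer
        Public dwDisplayType As Integer
        Public dwUsage As Integer
        Public lpLocalName As String
        Public lpRemoteName As String
        Public lpComment As String
        Public lpProvider As String
    End Structure

    ' WNet functions return the Win32 error code directly
    ' (they do not report it through GetLastError).
    <DllImport("mpr.dll", CharSet:=CharSet.Unicode)> _
    Private Function WNetAddConnection2(ByRef lpNetResource As NETRESOURCE, _
                                        ByVal lpPassword As String, _
                                        ByVal lpUserName As String, _
                                        ByVal dwFlags As Integer) As Integer
    End Function

    <DllImport("mpr.dll", CharSet:=CharSet.Unicode)> _
    Private Function WNetCancelConnection2(ByVal lpName As String, _
                                           ByVal dwFlags As Integer, _
                                           ByVal fForce As Boolean) As Integer
    End Function

    ' Connects to the share as the given account, copies one file,
    ' and always drops the connection again so the credentialed
    ' session does not outlive the copy.
    Public Sub CopyToShare(ByVal share As String, ByVal user As String, _
                           ByVal password As String, ByVal sourceFile As String)
        Dim res As New NETRESOURCE()
        res.dwType = RESOURCETYPE_DISK
        res.lpLocalName = Nothing       ' deviceless: no drive letter is mapped
        res.lpRemoteName = share
        res.lpProvider = Nothing        ' let Windows pick the network provider

        ' dwFlags = 0: the connection is not remembered across logons.
        ' Error 1219 here means this logon session already has a connection
        ' to the same server under different credentials.
        Dim rc As Integer = WNetAddConnection2(res, password, user, 0)
        If rc <> NO_ERROR Then
            Throw New Win32Exception(rc)
        End If

        Try
            Dim target As String = Path.Combine(share, Path.GetFileName(sourceFile))
            File.Copy(sourceFile, target)   ' fails if the target already exists
        Finally
            WNetCancelConnection2(share, 0, True)
        End Try
    End Sub

    Sub Main(ByVal args As String())
        If args.Length <> 3 Then
            Console.Error.WriteLine("usage: ShareConnection \\server\share DOMAIN\user file")
            Environment.ExitCode = 2
            Return
        End If

        ' The password is read from the operator, never compiled in.
        ' Console.ReadLine echoes the input; mask it in a real tool.
        Console.Write("Password for " & args(1) & ": ")
        Dim password As String = Console.ReadLine()

        CopyToShare(args(0), args(1), password, args(2))
        Console.WriteLine("Copied.")
    End Sub
End Module
```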

Author
14 Dec 2005 6:27 PM
Stephane Gagne
Hi Joe,

I'm having a strange issue with LogonUser.  When I use this function to
verify that the user effectively exists in my Active Directory, it returns a
true value even if the user does not exist.  I have a different behavior on
another server but I can't find why...  They are all Win2K servers and ran
the process with the administrator user.

Thanks for your help.

Author
14 Dec 2005 7:25 PM
Joe Kaplan (MVP - ADSI)
If you want to verify whether a specific AD contains a user, it would
probably be better to do an LDAP query to the DC in question.

LogonUser should be used for authenticating users and generating a logon
token.  It is entirely possible for it to authenticate users from other
domains if the correct trust relationships exist.

It is not possible to call it correctly with invalid credentials and have it
return a valid logon token though.

Joe K.

Author
15 Dec 2005 1:52 PM
Stephane Gagne
Hi Joe,

Thanks for your reply.

The thing is I don't just want to confirm the user, I also want to make sure
the user has the good password and domain.  If the user or password is not
good, I want to block the connection to our application but if a good token
is returned, we drop the token and allow the user to log in to our application.

But I still don't understand why I have different results on different
servers....


Thanks.

Author
15 Dec 2005 5:26 PM
Joe Kaplan (MVP - ADSI)
Hi Stephane,

Why don't you show us a code sample and point out where the trouble is?

Also, Microsoft has a great sample on doing p/invoke of LogonUser in the
.NET Framework SDK in the documentation for the WindowsImpersonationContext
class.  If you aren't using that code, you probably should be.

Joe K.

Author
15 Dec 2005 8:07 PM
Stephane Gagne
Here's the code:

' Win32 API declarations (VB6). phToken is passed ByRef (the VB6 default),
' so LogonUser can write the token handle into it.
Private Declare Function LogonUser Lib "Advapi32" Alias "LogonUserA" ( _
    ByVal lpszUsername As String, ByVal lpszDomain As String, _
    ByVal lpszPassword As String, ByVal dwLogonType As Long, _
    ByVal dwLogonProvider As Long, phToken As Long) As Long
Private Declare Function CloseHandle Lib "kernel32" ( _
    ByVal hObject As Long) As Long
Private Declare Function FormatMessage Lib "kernel32" Alias "FormatMessageA" ( _
    ByVal dwFlags As Long, lpSource As Any, ByVal dwMessageId As Long, _
    ByVal dwLanguageId As Long, ByVal lpBuffer As String, ByVal nSize As Long, _
    Arguments As Long) As Long

Private Const FORMAT_MESSAGE_FROM_SYSTEM = &H1000
Private Const LOGON32_PROVIDER_DEFAULT = 0&
Private Const LOGON32_PROVIDER_WINNT35 = 1&
Private Const LOGON32_LOGON_INTERACTIVE = 2&
Private Const LOGON32_LOGON_NETWORK = 3&
Private Const LOGON32_LOGON_BATCH = 4&
Private Const LOGON32_LOGON_SERVICE = 5

Private Sub Command1_Click()

   On Error GoTo ProcError
   Dim lngToken As Long
   Dim lngLogonResult As Long
   Dim lngErrNo As Long
   Dim strErrMsg As String
   Dim lngErrMsgSize As Long

   ' Attempt a network logon with the values typed into the form
   lngToken = 0
   lngLogonResult = LogonUser(User.Text, _
                              Domain.Text, _
                              Pwd.Text, _
                              LOGON32_LOGON_NETWORK, _
                              LOGON32_PROVIDER_DEFAULT, _
                              lngToken)
   If lngLogonResult = 0 Then
      ' Read the Win32 error straight after the failed call
      lngErrNo = Err.LastDllError
      strErrMsg = Space(256)
      ' FormatMessage returns the message length as a Long
      lngErrMsgSize = FormatMessage(FORMAT_MESSAGE_FROM_SYSTEM, _
                                    0, _
                                    lngErrNo, _
                                    0, _
                                    strErrMsg, _
                                    256, _
                                    0)
      ' Strip the NUL padding and the trailing CR/LF from the message
      Dim ErrMsgDom As String
      ErrMsgDom = Trim(Replace(strErrMsg, CStr(Chr(0)), ""))
      ErrMsgDom = Trim(Replace(ErrMsgDom, CStr(Chr(13)), ""))
      ' Domain.Text replaces the undeclared strDomain, which was always empty
      ErrMsgDom = Trim(Replace(ErrMsgDom, CStr(Chr(10)), "")) & _
                  " Domain(" & Domain.Text & ")"
      MsgBox ErrMsgDom
   Else
      MsgBox "User logon Ok!"
   End If

EndProc:
   ' Release the logon token if one was returned
   If lngToken <> 0 Then
      CloseHandle lngToken
   End If

   Exit Sub

ProcError:
   MsgBox "Function error: " & Err.Description
   Resume EndProc

End Sub

Author
15 Dec 2005 8:55 PM
Joe Kaplan (MVP - ADSI)
Yes, I suggest you use Microsoft's reference implementation instead.

For example, you should be getting the token as an output parameter or use
an IntPtr.  You should also be closing the handle when you are done.  It is
better to use the Marshal class to get the last error, etc.

Joe K.
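
The pattern recommended above (token returned through an IntPtr output parameter, last error read through the Marshal class, handle always closed) looks like this in VB.NET. This is an added example, not Microsoft's SDK sample and not code from any poster; the module and function names are illustrative assumptions.

```vbnet
Imports System
Imports System.ComponentModel
Imports System.Runtime.InteropServices

' Added illustration: LogonUserCheck and ValidateCredentials are hypothetical names.
Module LogonUserCheck
    Private Const LOGON32_LOGON_NETWORK As Integer = 3
    Private Const LOGON32_PROVIDER_DEFAULT As Integer = 0
    Private Const ERROR_PRIVILEGE_NOT_HELD As Integer = 1314
    Private Const ERROR_LOGON_FAILURE As Integer = 1326

    ' SetLastError:=True makes the runtime capture GetLastError right after
    ' the call, so Marshal.GetLastWin32Error returns the real failure code.
    <DllImport("advapi32.dll", SetLastError:=True, CharSet:=CharSet.Unicode)> _
    Private Function LogonUser(ByVal lpszUsername As String, _
                               ByVal lpszDomain As String, _
                               ByVal lpszPassword As String, _
                               ByVal dwLogonType As Integer, _
                               ByVal dwLogonProvider As Integer, _
                               ByRef phToken As IntPtr) As Boolean
    End Function

    <DllImport("kernel32.dll", SetLastError:=True)> _
    Private Function CloseHandle(ByVal hObject As IntPtr) As Boolean
    End Function

    ' Returns True only when LogonUser succeeds, False for a bad user name
    ' or password. Any other failure is raised, so a caller cannot mistake
    ' a broken call for a verdict on the credentials; treat an exception
    ' as "deny".
    Public Function ValidateCredentials(ByVal user As String, _
                                        ByVal domain As String, _
                                        ByVal password As String) As Boolean
        Dim token As IntPtr = IntPtr.Zero
        Try
            If LogonUser(user, domain, password, _
                         LOGON32_LOGON_NETWORK, _
                         LOGON32_PROVIDER_DEFAULT, token) Then
                Return True
            End If

            ' Must be read before any other API call overwrites it.
            Dim lastError As Integer = Marshal.GetLastWin32Error()
            Select Case lastError
                Case ERROR_LOGON_FAILURE
                    Return False
                Case ERROR_PRIVILEGE_NOT_HELD
                    ' The error from the start of this thread: on Windows 2000
                    ' the caller needs "Act as part of the operating system".
                    Throw New Win32Exception(lastError, _
                        "LogonUser: a required privilege is not held by the " & _
                        "client (TCB privilege on Windows 2000).")
                Case Else
                    Throw New Win32Exception(lastError)
            End Select
        Finally
            ' The token is only needed as proof of logon here; release it
            ' on every path, including the exception paths.
            If Not token.Equals(IntPtr.Zero) Then
                CloseHandle(token)
            End If
        End Try
    End Function

    Sub Main(ByVal args As String())
        If args.Length <> 2 Then
            Console.Error.WriteLine("usage: LogonUserCheck user domain")
            Environment.ExitCode = 2
            Return
        End If

        ' Console.ReadLine echoes the input; mask it in a real tool.
        Console.Write("Password: ")
        Dim password As String = Console.ReadLine()

        Try
            If ValidateCredentials(args(0), args(1), password) Then
                Console.WriteLine("Credentials accepted.")
            Else
                Console.WriteLine("Logon failure: unknown user name or bad password.")
                Environment.ExitCode = 1
            End If
        Catch ex As Win32Exception
            Console.Error.WriteLine("LogonUser failed ({0}): {1}", _
                                    ex.NativeErrorCode, ex.Message)
            Environment.ExitCode = 1
        End Try
    End Sub
End Module
```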

Author
15 Dec 2005 9:15 PM
Stephane Gagne
Can you give me a link and is it something supported in Visual Studio 6?

Thanks.

Author
15 Dec 2005 10:45 PM
Joe Kaplan (MVP - ADSI)
Here is the sample I was referring to:

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cpref/html/frlrfSystemSecurityPrincipalWindowsImpersonationContextClassTopic.asp?frame=true

I'm not sure I understand why a Visual Studio 6 sample is relevant to a
discussion on a .NET newsgroup though.

Joe K.
