LogonUser using LOGON32_LOGON_NEW_CREDENTIALS works against remote untrusted domain machine

Asked 26/5, 2010 at 20:6 Answered 10/2, 2016 at 23:52

So between the two machines, there is no trust - they are in different domains.

I've successfully connected to the remote machine using LogonUser API using logon type, LOGON32_LOGON_NEW_CREDENTIALS. I am able to retrieve the content of a directory using the UNC share, and create a file stream to "download" the file. So far so good.

The only issue is that it seems, LogonUser fails unless there is an already open session. Let me clarify that.

I found that the ASP.NET MVC page was not working this morning, specifically the page that retrieves the file list from this remote machine using LogonUser. I look at the log and I see in the stacktrace, System.IO.__Error.WinIOError above Directory.GetFiles call. I then remoted into the web server and tried to open the remote folder in the explorer using the same login/password used by the web site. It went through and I could see the files. I opened up the command prompt, type in net use, and I see that there is an open connection to the remote machine. Then I went back to the page and suddenly the page is working again.

So, at this point, I am not exactly sure if the LogonUser is working as expected or not. If the call requires that a network connection opened first by other means, then this is certainly not satisfactory.

Does anyone know what may be happening or suggest a workaround?

Radiophone answered 26/5, 2010 at 20:6 Comment(2)

Are you also using ImpersonateLoggedOnUser after the LogonUser call? – Jordan 8/11, 2012 at 2:7

See [here][1] for a possible explanation... [1]: https://mcmap.net/q/765696/-getting-the-current-username-when-impersonated – Jordan 8/11, 2012 at 2:9

I am not sure that I understand why you use LogonUser. This function help you if you want to do some job on the local machine with another user credentials, but it helps not to establish a remote connection to another computer.

If you want to get some information from the remote computer independent on existing trust between to the computer you should use WNet or Net (Network Management) functions to establish a new connection to the remote computer. So you should use WNetAddConnection2 (see http://msdn.microsoft.com/en-us/library/aa385413%28VS.85%29.aspx) or NetUseAdd (http://msdn.microsoft.com/en-us/library/aa370645%28VS.85%29.aspx) functions. This function will makes remote login on the destination computer and establish a new session (exact what net use \\computer\share /u:domain\user password do). You can don't map a new connection to a local drive. To do so you should fill lpLocalName with NULL in the struct NETRESOURCE. As a lpUsername and lpPassword you should give any values which understand the destination computer. You can also use ipc$ as a destination share name, then you just establish a session to the computer and nothing more. After that you can use any other functions to access the remote share, directory or files. To close the session you should use WNetCancelConnection2 or NetUseDel.

Unwise answered 26/5, 2010 at 21:45 Comment(4)

Thanks. Actually I've been looking at WNetAddConnection2 and have a working implementation. The only concern is, since this is an ASP.NET app (read: long-running), will creating this network connection (aka net use) have any adverse effects? Can you think of one? – Radiophone 27/5, 2010 at 14:59

Oh, also, any idea why LogonUser works in certain conditions I stated in my original question? – Radiophone 27/5, 2010 at 15:11

I suppose that your ASP.NET MVC application used a session which have established somebody else. – Unwise 27/5, 2010 at 15:23

I don't see that your application are long running. You can open a new session to the server (second computer) every time when you need it and close after all work is done. If another session from the same user account (ASP.NET application pool account) already exist, this will be shared. If you don't close a connection for a long time, it will be must be automatically reestablished so you don't have to do anything. The same effect you have if you make a connection to a server and don't transfer any data for a long time. So I am waiting no problem. – Unwise 27/5, 2010 at 15:30

-1

This is how you LogonUser to a remote computer. Make sure that you're using LOGON32_LOGON_NEW_CREDENTIALS, LOGON32_PROVIDER_WINNT50. Then impersonate the token. You should be able to do a lot of remote things this way without WNetAddConnection2. WNetAddConnection2 is not very good because the connection can be destroyed by a lot of things. LogonUser will also make the appropriate connection when needed by several api calls.

PXERR impersonate_user(LPCWSTR lpszUserName, LPCWSTR lpszDomain, LPCWSTR lpszPassword)
{
    HANDLE token;

    if(!LogonUserW(lpszUserName, lpszDomain, lpszPassword, LOGON32_LOGON_NEW_CREDENTIALS, LOGON32_PROVIDER_WINNT50, &token))
    {
        return PXERR_IMPERSONATION_FAILURE;
    }

    if(!ImpersonateLoggedOnUser(token))
    {
        CloseHandle(token);
        RevertToSelf();
        return PXERR_IMPERSONATION_FAILURE;
    }

    CloseHandle(token);

    return PXERR_SUCCESS;
}

Maiduguri answered 10/2, 2016 at 23:52 Comment(1)

You can't use LogonUser to connect to a remote computer. "The LogonUser function attempts to log a user on to the local computer. The local computer is the computer from which LogonUser was called. You cannot use LogonUser to log on to a remote computer." learn.microsoft.com/en-us/windows/win32/api/winbase/… – Jess 18/7 at 8:39

Recommended topics

Hot tags