Why doesn't LogonUser(...) work for domain accounts?

I've been trying to use LogonUser(...) to get an access token for a user account, as in this MSDN sample.

// Call LogonUser to obtain a handle to an access token.
bool returnValue = LogonUser(userName, domainName, Console.ReadLine(),
    LOGON32_LOGON_INTERACTIVE, LOGON32_PROVIDER_DEFAULT,
    out safeTokenHandle);

When I run the sample (with Administrator privileges) it works fine when given a domain of "." and a local user account name and password, but no matter what I do I get error code 1326 (Logon failure: unknown user name or bad password) if I try to use a domain account. I get the same result if I enter garbage for the domain, which makes me wonder if it's actually contacting the DC at all.

What could be stopping this from working?

Mandeville answered 20/9, 2011 at 16:53 Comment(7)
That could be due to a bunch of things unfortunately. Is the machine connected to the domain? Is the domain user allowed to log onto that machine? Are DNS settings configured correctly? (I did see a Citrix article that suggested that this could be an issue.) The following article has some info on what is happening when you enter garbage for the domain: groups.google.com/group/… (Disease)
Have you validated that this works without the Console.ReadLine() call (e.g. supplying a password as a string directly)? (Pashalik)
It makes no difference where the password comes from - it's a string when it gets passed to LogonUser. (Mandeville)
To check that the connection to the domain is OK, try logging on interactively as the domain user. Have you double-checked that you are passing the correct domain name? Have you tried the fully-qualified domain name? (Stratopause)
I guess it could be due to a missing SE_TCB_NAME privilege. You can test (if domain policy allows) by adding the domain account to 'act as part of the operating system' in 'local security policy' - 'local policies' - 'user rights'. (Speller)
The first thing I would try is to log on using the domain user name and password to make sure your provided username and password can really log on first. (Dreamworld)
Thanks for all of the suggestions - there are plenty of pits to fall into with this stuff, none of them the Pit of Success! (Mandeville)

In my case the issue, similar to the question asker's, was that the account I was trying to authenticate as was in a domain that my current machine did not belong to. Unlike the original poster, my machine should not and could not be part of this other domain. I wanted the login to perform an action on a resource in this domain, though.

The answer was the following:

bool success = LogonUser(
                userName,
                domain,
                password,
                (int)LOGON32_LOGON_NEW_CREDENTIALS, // 9: clone the caller's token; the password is NOT verified here
                (int)LOGON32_PROVIDER_DEFAULT,      // 0: Negotiate (LOGON32_PROVIDER_WINNT50) on Windows 2000 and later, the only provider that supports logon type 9
                out userToken);

with the following constants defined:

public const int LOGON32_LOGON_NEW_CREDENTIALS = 9;
public const int LOGON32_PROVIDER_DEFAULT = 0;

Hopefully this will help others who are lost in a similar situation.

Edit: As mentioned in the comments below, this logon type allows the caller to clone its current token and specify new credentials for outbound connections. The new logon session has the same local identifier but uses different credentials for other network connections. As a result, "success" will return true even if the password is bad. You will need an additional check beyond "success" to confirm that the credentials are actually good.

This was not a concern in my initial use case, as we used the current network user's credential in another function to pull the plaintext password from secure storage. So it would never have been wrong unless there was an inconsistency between that system and Active Directory, in which case we had bigger problems.

Nippy answered 29/8, 2017 at 19:1 Comment(2)
This will return success = 1 even if the password is invalid. (Cabal)
Per the answer to this question (#35339156), "The credentials that you provided are only used for outbound connections. When you attempt such connections, the credentials will be checked at that point and you can expect failure then." So that is expected behavior, and you will need to do additional checking to see if the credential is useful. (Nippy)
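Putting the question's error 1326 and this answer's caveat together: the following is an added C# example, not code from any of the posts above. It shows how a caller can tell a wrong password apart from "this machine cannot reach, or does not trust, that domain" by reading the Win32 error after a LOGON32_LOGON_NETWORK attempt, and how to turn a LOGON32_LOGON_NEW_CREDENTIALS token into a real credential check by using it for an outbound SMB connection, since that logon type succeeds for any password. It assumes .NET Framework 4.6 or later (or .NET) on Windows for SafeAccessTokenHandle and WindowsIdentity.RunImpersonated; the dcHostName parameter and the choice of the SYSVOL share as the probe target are this example's own assumptions.

```csharp
using System;
using System.IO;
using System.Runtime.InteropServices;
using System.Security.Principal;
using Microsoft.Win32.SafeHandles;

// Added example (not from the original posts): distinguish "bad password" from
// "this host is not joined to / cannot reach the domain", and never treat a
// LOGON32_LOGON_NEW_CREDENTIALS success as proof that a password is correct.
static class DomainLogonCheck
{
    const int LOGON32_LOGON_NETWORK         = 3;  // pure validation; needs no "log on locally" right
    const int LOGON32_LOGON_NEW_CREDENTIALS = 9;  // clone the caller's token; creds used only outbound
    const int LOGON32_PROVIDER_WINNT50      = 3;  // Negotiate; required for logon type 9, accepts UPNs

    // Win32 error codes LogonUser reports through GetLastError (values from winerror.h).
    const int ERROR_NO_LOGON_SERVERS             = 1311;
    const int ERROR_LOGON_FAILURE                = 1326;
    const int ERROR_ACCOUNT_RESTRICTION          = 1327;
    const int ERROR_NO_SUCH_DOMAIN               = 1355;
    const int ERROR_LOGON_TYPE_NOT_GRANTED       = 1385;
    const int ERROR_TRUSTED_DOMAIN_FAILURE       = 1788;
    const int ERROR_TRUSTED_RELATIONSHIP_FAILURE = 1789;

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LogonUser(string lpszUsername, string lpszDomain, string lpszPassword,
                                 int dwLogonType, int dwLogonProvider, out SafeAccessTokenHandle phToken);

    public enum Outcome { Valid, BadCredentials, DomainUnreachable, TrustBroken, AccountRestricted, Other }

    // Path 1: this machine is joined to (or trusts) the account's domain. A NETWORK logon
    // makes the LSA authenticate against a DC, so success really means the password is
    // right. For a UPN such as user@corp.example pass domain = null, as the API requires.
    public static Outcome ValidateNetworkLogon(string user, string domain, string password, out int win32Error)
    {
        win32Error = 0;
        if (LogonUser(user, domain, password, LOGON32_LOGON_NETWORK, LOGON32_PROVIDER_WINNT50,
                      out SafeAccessTokenHandle token))
        {
            token.Dispose();                     // only the verdict was wanted, not the token
            return Outcome.Valid;
        }
        win32Error = Marshal.GetLastWin32Error();
        switch (win32Error)
        {
            // 1326 also shows up when a non-joined host resolves the name against its
            // local SAM instead of a DC, which is what the original question observed.
            case ERROR_LOGON_FAILURE:                return Outcome.BadCredentials;
            case ERROR_NO_SUCH_DOMAIN:
            case ERROR_NO_LOGON_SERVERS:             return Outcome.DomainUnreachable;
            case ERROR_TRUSTED_DOMAIN_FAILURE:
            case ERROR_TRUSTED_RELATIONSHIP_FAILURE: return Outcome.TrustBroken;
            case ERROR_ACCOUNT_RESTRICTION:                                   // policy, not the password
            case ERROR_LOGON_TYPE_NOT_GRANTED:       return Outcome.AccountRestricted;
            default:                                 return Outcome.Other;
        }
    }

    // Path 2: this machine is NOT joined to the account's domain. LogonUser with
    // LOGON32_LOGON_NEW_CREDENTIALS never contacts a DC and succeeds for any password,
    // so the only real test is to use the token for an outbound connection. Here we
    // impersonate it and list the SYSVOL share of a DC (assumption: dcHostName is a
    // reachable domain controller and this host has no existing SMB session to it,
    // because an existing session would be reused instead of the new credentials).
    public static Outcome ValidateViaOutboundConnection(string user, string domain, string password, string dcHostName)
    {
        if (!LogonUser(user, domain, password, LOGON32_LOGON_NEW_CREDENTIALS, LOGON32_PROVIDER_WINNT50,
                       out SafeAccessTokenHandle token))
            return Outcome.Other;                // only malformed input fails here, never a wrong password

        using (token)
        {
            try
            {
                WindowsIdentity.RunImpersonated(token, () =>
                    new DirectoryInfo(@"\\" + dcHostName + @"\SYSVOL").GetFileSystemInfos());
                return Outcome.Valid;            // the server accepted a session with these credentials
            }
            catch (UnauthorizedAccessException)
            {
                return Outcome.AccountRestricted; // session set up (password right) but share read denied
            }
            catch (IOException ex)
            {
                // The low word of HResult carries the Win32 error: 1326 for a rejected logon,
                // anything else (53 = bad network path, 1203 = no network provider, ...) is connectivity.
                return (ex.HResult & 0xFFFF) == ERROR_LOGON_FAILURE ? Outcome.BadCredentials
                                                                     : Outcome.DomainUnreachable;
            }
        }
    }

    // Usage: DomainLogonCheck.exe <user> <domain> <dcHostName>; the password is read from the
    // console so it never lands in a shell history or process command line.
    static void Main(string[] args)
    {
        Console.Write("Password: ");
        string password = Console.ReadLine();

        Outcome r = ValidateNetworkLogon(args[0], args[1], password, out int err);
        Console.WriteLine($"NETWORK logon: {r} (Win32 error {err})");

        if (r == Outcome.DomainUnreachable || r == Outcome.TrustBroken)
            Console.WriteLine("NEW_CREDENTIALS + SMB probe: " +
                              ValidateViaOutboundConnection(args[0], args[1], password, args[2]));
    }
}
```

The NETWORK path is the one to reach for when the host is domain-joined: it is a genuine authentication, it does not need the account to hold "log on locally", and the error code tells you whether the failure was the password or the plumbing. The NEW_CREDENTIALS path only ever proves something at the moment the token is used, so a service that wants to "check a password" with it must perform, and inspect the result of, an outbound call under impersonation; the return value of LogonUser itself carries no information about the credentials.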

In my case it was the fact that, although I was logged in to my computer as a domain user, my computer was not itself part of the domain. Once added to the domain the sample started to work.

Mandeville answered 21/9, 2011 at 9:53 Comment(1)
How do you log in to your computer as a domain user when it is not joined to a domain? (Iaria)

Use DOMAIN\LOGIN with an empty domain name for that case...

Butyrin answered 20/9, 2011 at 17:1 Comment(1)
I get the same error for both DOMAIN\USERNAME and USERNAME@DOMAIN with a null domain name passed to LogonUser. (Mandeville)
