LogonUser returns true for a wrong password

1

4
bool bRet = LogonUser(strUserName, L"", strPassword, LOGON32_LOGON_TYPE_NEW_CREDENTIALS, LOGON32_PROVIDER_WINNT50, &phToken);

bRet always returns true even if I enter a wrong password when there is no domain. Is there any workaround, so that it returns true if I enter a valid password and false for a wrong password when there is no domain?

Depression answered 11/2, 2016 at 11:54 Comment(1)
Yes, it is a valid token. - Depression
10

I assume that by LOGON32_LOGON_TYPE_NEW_CREDENTIALS you actually mean LOGON32_LOGON_NEW_CREDENTIALS. In which case the behaviour is exactly as would be expected. The documentation for that flag says:

This logon type allows the caller to clone its current token and specify new credentials for outbound connections. The new logon session has the same local identifier but uses different credentials for other network connections.

For local connections, the token that is returned is a clone of the current token. The credentials that you provided are only used for outbound connections. When you attempt such connections, the credentials will be checked at that point and you can expect failure then.

Oxyhydrogen answered 11/2, 2016 at 13:56 Comment(0)
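An added example, not part of the original question or answer: to have the password checked at call time, use a logon type that authenticates, such as LOGON32_LOGON_NETWORK, with "." as the domain for local accounts. The function names are hypothetical, and the non-Windows branch is a constructed stand-in that only models the behaviour described above so the code builds anywhere.

```cpp
#include <string>
#ifdef _WIN32
#include <windows.h>
#pragma comment(lib, "advapi32.lib")
#else
// Constructed stand-in (assumption) so the example builds off Windows. It models
// only the behaviour discussed here: NEW_CREDENTIALS never checks the password,
// NETWORK does. The account "alice" / "correct-horse" is made up.
typedef void* HANDLE; typedef int BOOL; typedef unsigned long DWORD;
const DWORD LOGON32_LOGON_NETWORK = 3, LOGON32_LOGON_NEW_CREDENTIALS = 9,
            LOGON32_PROVIDER_DEFAULT = 0, LOGON32_PROVIDER_WINNT50 = 3,
            ERROR_LOGON_FAILURE = 1326;
static DWORD g_lastError = 0;
static DWORD GetLastError() { return g_lastError; }
static BOOL CloseHandle(HANDLE) { return 1; }
static BOOL LogonUserW(const wchar_t* user, const wchar_t*, const wchar_t* pw,
                       DWORD type, DWORD, HANDLE* token) {
    bool ok = type == LOGON32_LOGON_NEW_CREDENTIALS ||
              (std::wstring(user) == L"alice" && std::wstring(pw) == L"correct-horse");
    g_lastError = ok ? 0 : ERROR_LOGON_FAILURE;
    static int dummy; *token = ok ? &dummy : nullptr;
    return ok;
}
#endif

// Returns true only if the password is accepted at the time of the call.
// "." as the domain selects the local machine's account database (no domain).
bool ValidateLocalPassword(const std::wstring& user, const std::wstring& password,
                           DWORD* error = nullptr) {
    HANDLE token = nullptr;
    BOOL ok = LogonUserW(user.c_str(), L".", password.c_str(),
                         LOGON32_LOGON_NETWORK, LOGON32_PROVIDER_DEFAULT, &token);
    if (error) *error = ok ? 0 : GetLastError();  // ERROR_LOGON_FAILURE on bad creds
    if (ok) CloseHandle(token);                   // token was only needed as proof
    return ok != 0;
}

// The call from the question: succeeds whatever the password is, because the
// credentials are kept for outbound connections and not checked here.
bool NewCredentialsLogon(const std::wstring& user, const std::wstring& password) {
    HANDLE token = nullptr;
    BOOL ok = LogonUserW(user.c_str(), L"", password.c_str(),
                         LOGON32_LOGON_NEW_CREDENTIALS, LOGON32_PROVIDER_WINNT50, &token);
    if (ok) CloseHandle(token);
    return ok != 0;
}
```

Check the returned error code rather than the boolean alone: a failure other than ERROR_LOGON_FAILURE, such as an account restriction or a missing network logon right, does not mean the password was wrong.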
