LogonUser
I'm trying to use the LogonUser function from "advapi32.dll" as described in the KB article "How to validate Windows user rights in a Visual Basic .NET application" but the function returns the error message "A required privilege is not held by the client.". Please can you explain what this means and what I need to do to get around it. Many thanks.

On Tue, 20 Sep 2005 10:05:05 -0700, "Dick" <Richard.Giles@nospam.nospam> wrote:

¤ I'm trying to use the LogonUser function from "advapi32.dll" as described in
¤ the KB article "How to validate Windows user rights in a Visual Basic .NET
¤ application" but the function returns the error message "A required privilege
¤ is not held by the client.". Please can you explain what this means and what
¤ I need to do to get around it. Many thanks.

Which version of Windows are you using?

Paul
~~~~

Are you on Windows 2000? Under Win2K, LogonUser requires the caller to have the TCB privilege (act as part of the operating system) which is only granted to the SYSTEM account by default.

Switching to Windows Server 2003 is a great solution to this problem, but you might have to give the TCB privilege to the account in question if that is not an option. Unfortunately, this weakens the security of your app as this is a dangerous privilege to give out. Factoring this specific call into a COM object registered under COM+ with a special identity is one way to help mitigate that problem.

Joe K.

"Dick" <Richard.Giles@nospam.nospam> wrote in message news:2EA28A4D-4319-4F46-B071-0D4503F902BA@microsoft.com...
> I'm trying to use the LogonUser function from "advapi32.dll" as described in the KB article "How to validate Windows user rights in a Visual Basic .NET application" but the function returns the error message "A required privilege is not held by the client.". Please can you explain what this means and what I need to do to get around it. Many thanks.

Windows 2000

"Paul Clement" wrote:
> Which version of Windows are you using?
>
> Paul
> ~~~~
> Microsoft MVP (Visual Basic)

Switching to W2003 or to COM+ or to any server-based solution isn't really an option because the program is CPU intensive and therefore runs on 'n' number of W2K clients depending upon daily demand.

And to be clear, I don't know that solving the LogonUser issue will fix my underlying problem anyway. Perhaps I should explain...

I need to copy files to a network location which is not accessible by the logged on user's account. The location can be reached from Windows by typing in its UNC path and entering the user name and password of an account that does have access, i.e. Start>Run>"\\10.216.0.1\NameOfShare">OK and then in the "Enter Network Password" dialog Connect As="AuthorisedUsersName" and Password="AuthorisedUsersPassword">OK. All I want to do is make this connection programmatically and avoid the need for the user to enter the details of the authorised account.

Hope you can help!

"Joe Kaplan (MVP - ADSI)" wrote:
> Switching to Windows Server 2003 is a great solution to this problem, but you might have to give the TCB privilege to the account in question if that is not an option. Unfortunately, this weakens the security of your app as this is a dangerous privilege to give out. Factoring this specific call into a COM object registered under COM+ with a special identity is one way to help mitigate that problem.

Ah, I see. LogonUser would probably work, but you will be restricted from using that on 2K. I'm not exactly sure how Windows does this, but there is probably an API that you can use. You might look at WMI to see if it offers a wrapper or one of the Net* APIs. At worst you could shell out to the Net Use command.

Note that a good hacker could probably recover the credentials you will be using to make this connection pretty easily since it is running on their machine, so be careful about how secure this needs to be.

Joe K.

"Dick" <Richard.Giles@nospam.nospam> wrote in message news:161D1021-3403-45AC-9C42-E4E2CAFA7637@microsoft.com...
> I need to copy files to a network location which is not accessible by the logged on user's account. The location can be reached from Windows by typing in its UNC path and entering the user name and password of an account that does have access, i.e. Start>Run>"\\10.216.0.1\NameOfShare">OK and then in the "Enter Network Password" dialog Connect As="AuthorisedUsersName" and Password="AuthorisedUsersPassword">OK. All I want to do is make this connection programmatically and avoid the need for the user to enter the details of the authorised account.

Hello Joe,

a good one?? you mean these extremely talented guys who know how to run reflector?? :)

man, don't store passwords in your binaries...

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com

> Note that a good hacker could probably recover the credentials you will be using to make this connection pretty easily since it is running on their machine, so be careful about how secure this needs to be.
>
> Joe K.

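
An added example, not part of any post in this thread: one way to make the connection Dick describes without LogonUser is WNetAddConnection2 from mpr.dll (an API the thread does not name), with the password prompted for at run time rather than compiled into the binary, which is the point Dominick makes. The class and method names (`ShareCopy`, `CopyToShare`, `ReadPassword`) are hypothetical.

```vbnet
Imports System
Imports System.ComponentModel
Imports System.IO
Imports System.Runtime.InteropServices
Imports System.Text

Public NotInheritable Class ShareCopy
    Private Const RESOURCETYPE_DISK As Integer = 1
    Private Const NO_ERROR As Integer = 0

    ' Managed layout of the Win32 NETRESOURCE structure.
    <StructLayout(LayoutKind.Sequential, CharSet:=CharSet.Unicode)> _
    Private Structure NETRESOURCE
        Public dwScope As Integer
        Public dwType As Integer
        Public dwDisplayType As Integer
        Public dwUsage As Integer
        Public lpLocalName As String
        Public lpRemoteName As String
        Public lpComment As String
        Public lpProvider As String
    End Structure

    ' Both functions return a Win32 error code directly (0 = success).
    <DllImport("mpr.dll", CharSet:=CharSet.Unicode)> _
    Private Shared Function WNetAddConnection2(ByRef lpNetResource As NETRESOURCE, _
            ByVal lpPassword As String, ByVal lpUserName As String, _
            ByVal dwFlags As Integer) As Integer
    End Function

    <DllImport("mpr.dll", CharSet:=CharSet.Unicode)> _
    Private Shared Function WNetCancelConnection2(ByVal lpName As String, _
            ByVal dwFlags As Integer, ByVal fForce As Boolean) As Integer
    End Function

    ' Connects to the share as userName, copies one file, then disconnects.
    Public Shared Sub CopyToShare(ByVal uncShare As String, ByVal userName As String, _
                                  ByVal password As String, ByVal localFile As String)
        Dim res As New NETRESOURCE()
        res.dwType = RESOURCETYPE_DISK
        res.lpRemoteName = uncShare   ' lpLocalName stays Nothing: no drive letter is mapped

        Dim rc As Integer = WNetAddConnection2(res, password, userName, 0)
        If rc <> NO_ERROR Then Throw New Win32Exception(rc)
        Try
            File.Copy(localFile, Path.Combine(uncShare, Path.GetFileName(localFile)), True)
        Finally
            ' Drop the connection so the alternate credentials do not stay
            ' available to the rest of the logon session.
            WNetCancelConnection2(uncShare, 0, True)
        End Try
    End Sub

    ' Reads a password from the console without echoing it.
    Private Shared Function ReadPassword() As String
        Dim sb As New StringBuilder()
        Do
            Dim key As ConsoleKeyInfo = Console.ReadKey(True)
            If key.Key = ConsoleKey.Enter Then Exit Do
            If key.Key = ConsoleKey.Backspace Then
                If sb.Length > 0 Then sb.Length -= 1
            Else
                sb.Append(key.KeyChar)
            End If
        Loop
        Console.WriteLine()
        Return sb.ToString()
    End Function

    Public Shared Sub Main(ByVal args As String())
        If args.Length <> 3 Then
            Console.WriteLine("usage: ShareCopy \\server\share user localFile")
            Return
        End If
        Console.Write("Password for " & args(1) & ": ")
        CopyToShare(args(0), args(1), ReadPassword(), args(2))
    End Sub
End Class
```
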
Hi Joe,

I'm having a strange issue with LogonUser. When I use this function to verify that the user effectively exists in my active directory, it returns a true value even if the user does not exist. I have a different behavior on another server but I can't find why... They are all win2k servers and ran the process with the administrator user.

Thanks for your help.

"Joe Kaplan (MVP - ADSI)" wrote:
> Are you on Windows 2000? Under Win2K, LogonUser requires the caller to have the TCB privilege (act as part of the operating system) which is only granted to the SYSTEM account by default.

If you want to verify whether a specific AD contains a user, it would probably be better to do an LDAP query to the DC in question.

LogonUser should be used for authenticating users and generating a logon token. It is entirely possible for it to authenticate users from other domains if the correct trust relationships exist.

It is not possible to call it correctly with invalid credentials and have it return a valid logon token though.

Joe K.

"Stephane Gagne" <StephaneGagne@discussions.microsoft.com> wrote in message news:A2301AEE-AFE1-4555-B69F-D3C5D3CEAD34@microsoft.com...
> Hi Joe,
>
> I'm having a strange issue with LogonUser. When I use this function to verify that the user effectively exists in my active directory, it returns a true value even if the user does not exist. I have a different behavior on another server but I can't find why... They are all win2k servers and ran the process with the administrator user.
>
> Thanks for your help.

Hi Joe,

Thanks for your reply.

The thing is I don't just want to confirm the user, I also want to make sure the user has the good password and domain. If the user or password is not good, I want to block the connection to our application but if a good token is returned, we drop the token and allow the user to log in our application.

But I still don't understand why I have different results on different servers....

Thanks.

"Joe Kaplan (MVP - ADSI)" wrote:
> If you want to verify whether a specific AD contains a user, it would probably be better to do an LDAP query to the DC in question.
>
> LogonUser should be used for authenticating users and generating a logon token. It is entirely possible for it to authenticate users from other domains if the correct trust relationships exist.
>
> It is not possible to call it correctly with invalid credentials and have it return a valid logon token though.

Hi Stephane,

Why don't you show us a code sample and point out where the trouble is?

Also, Microsoft has a great sample on doing p/invoke of LogonUser in the .NET Framework SDK in the documentation for the WindowsImpersonationContext class. If you aren't using that code, you probably should be.

Joe K.

"Stephane Gagne" <StephaneGagne@discussions.microsoft.com> wrote in message news:E2847404-1E5B-44A6-AF64-32985DED4336@microsoft.com...
> The thing is I don't just want to confirm the user, I also want to make sure the user has the good password and domain. If the user or password is not good, I want to block the connection to our application but if a good token is returned, we drop the token and allow the user to log in our application.
>
> But I still don't understand why I have different results on different servers....

Here's the code:

    Private Declare Function LogonUser Lib "Advapi32" Alias "LogonUserA" _
        (ByVal lpszUsername As String, ByVal lpszDomain As String, _
         ByVal lpszPassword As String, ByVal dwLogonType As Long, _
         ByVal dwLogonProvider As Long, phToken As Long) As Long
    Private Declare Function CloseHandle Lib "kernel32" (ByVal hObject As Long) As Long
    Private Declare Function FormatMessage Lib "kernel32" Alias "FormatMessageA" _
        (ByVal dwFlags As Long, lpSource As Any, ByVal dwMessageId As Long, _
         ByVal dwLanguageId As Long, ByVal lpBuffer As String, _
         ByVal nSize As Long, Arguments As Long) As Long

    Private Const FORMAT_MESSAGE_FROM_SYSTEM = &H1000
    Private Const LOGON32_PROVIDER_DEFAULT = 0&
    Private Const LOGON32_PROVIDER_WINNT35 = 1&
    Private Const LOGON32_LOGON_INTERACTIVE = 2&
    Private Const LOGON32_LOGON_NETWORK = 3&
    Private Const LOGON32_LOGON_BATCH = 4&
    Private Const LOGON32_LOGON_SERVICE = 5

    Private Sub Command1_Click()

        On Error GoTo ProcError
        Dim lngToken As Long
        Dim lngLogonResult As Long
        Dim lngErrNo As Long
        Dim strErrMsg As String
        Dim lngErrMsgSize As Long

        ' Network logon with the values typed into the form
        lngToken = 0
        lngLogonResult = LogonUser(User.Text, _
                                   Domain.Text, _
                                   Pwd.Text, _
                                   LOGON32_LOGON_NETWORK, _
                                   LOGON32_PROVIDER_DEFAULT, _
                                   lngToken)
        If lngLogonResult = 0 Then
            ' Failure: turn the Win32 error code into its system message
            lngErrNo = Err.LastDllError
            strErrMsg = Space(256)
            lngErrMsgSize = CStr(FormatMessage(FORMAT_MESSAGE_FROM_SYSTEM, _
                                               0, _
                                               lngErrNo, _
                                               0, _
                                               strErrMsg, _
                                               256, _
                                               0))
            Dim ErrMsgDom As String
            ErrMsgDom = Trim(Replace(strErrMsg, CStr(Chr(0)), ""))
            ErrMsgDom = Trim(Replace(ErrMsgDom, CStr(Chr(13)), ""))
            ErrMsgDom = Trim(Replace(ErrMsgDom, CStr(Chr(10)), "")) & " Domain(" & Domain.Text & ")"
            MsgBox ErrMsgDom
        Else
            MsgBox "User logon Ok!"
        End If

    EndProc:
        ' Release the logon token if one was returned
        If lngToken <> 0 Then
            CloseHandle lngToken
        End If

        Exit Sub

    ProcError:
        MsgBox "Function error: " & Err.Description
        Resume EndProc

    End Sub

"Joe Kaplan (MVP - ADSI)" wrote:
> Why don't you show us a code sample and point out where the trouble is?

Can you give me a link and is it something supported in Visual Studio 6 ?

Thanks.

"Joe Kaplan (MVP - ADSI)" wrote:
> Yes, I suggest you use Microsoft's reference implementation instead.

Yes, I suggest you use Microsoft's reference implementation instead.

For example, you should be getting the token as an output parameter or use an IntPtr. You should also be closing the handle when you are done. It is better to use the Marshal class to get the last error, etc.

Joe K.

"Stephane Gagne" <StephaneGagne@discussions.microsoft.com> wrote in message news:A0E3BDFA-D094-4E94-A73C-622A1215BEEB@microsoft.com...
> Here's the code:

Here is the sample I was referring to:

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cpref/html/frlrfSystemSecurityPrincipalWindowsImpersonationContextClassTopic.asp?frame=true

I'm not sure I understand why a Visual Studio 6 sample is relevant to a discussion on a .NET newsgroup though.

Joe K.

"Stephane Gagne" <StephaneGagne@discussions.microsoft.com> wrote in message news:F64EDBC5-1917-49A5-A726-9BD0EEE251B2@microsoft.com...
> Can you give me a link and is it something supported in Visual Studio 6 ?
>
> Thanks.

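
An added VB.NET example, not code from the thread or from the MSDN sample linked above: a LogonUser P/Invoke that follows the points Joe lists (token returned through a ByRef IntPtr, handle always closed, last error read through the Marshal class) and tells apart the two failures this thread runs into. The class, enum and method names (`CredentialCheck`, `Result`, `Validate`, `Explain`) are hypothetical.

```vbnet
Imports System
Imports System.ComponentModel
Imports System.Runtime.InteropServices

Public NotInheritable Class CredentialCheck
    Private Const LOGON32_LOGON_NETWORK As Integer = 3
    Private Const LOGON32_PROVIDER_DEFAULT As Integer = 0

    ' Win32 error codes relevant to the thread.
    Private Const ERROR_PRIVILEGE_NOT_HELD As Integer = 1314 ' "A required privilege is not held by the client."
    Private Const ERROR_LOGON_FAILURE As Integer = 1326      ' unknown user name or bad password

    Public Enum Result
        Valid
        BadCredentials
        CallerLacksPrivilege
        OtherError
    End Enum

    ' SetLastError:=True makes the runtime capture GetLastError() right
    ' after the call, so Marshal.GetLastWin32Error() returns it reliably.
    <DllImport("advapi32.dll", SetLastError:=True, CharSet:=CharSet.Unicode)> _
    Private Shared Function LogonUser(ByVal lpszUsername As String, _
            ByVal lpszDomain As String, ByVal lpszPassword As String, _
            ByVal dwLogonType As Integer, ByVal dwLogonProvider As Integer, _
            ByRef phToken As IntPtr) As Boolean
    End Function

    <DllImport("kernel32.dll", SetLastError:=True)> _
    Private Shared Function CloseHandle(ByVal hObject As IntPtr) As Boolean
    End Function

    ' Checks a user name, domain and password. The token is only needed
    ' as proof of a successful logon, so it is closed before returning.
    Public Shared Function Validate(ByVal user As String, ByVal domain As String, _
            ByVal password As String, ByRef win32Error As Integer) As Result
        Dim token As IntPtr = IntPtr.Zero
        win32Error = 0
        Try
            If LogonUser(user, domain, password, LOGON32_LOGON_NETWORK, _
                         LOGON32_PROVIDER_DEFAULT, token) Then
                Return Result.Valid
            End If

            ' Read the error before making any other native call.
            win32Error = Marshal.GetLastWin32Error()
            Select Case win32Error
                Case ERROR_LOGON_FAILURE
                    Return Result.BadCredentials
                Case ERROR_PRIVILEGE_NOT_HELD
                    ' The calling account lacks the TCB privilege (the
                    ' Windows 2000 case discussed above). This says nothing
                    ' about whether the supplied credentials are valid.
                    Return Result.CallerLacksPrivilege
                Case Else
                    Return Result.OtherError
            End Select
        Finally
            If Not token.Equals(IntPtr.Zero) Then CloseHandle(token)
        End Try
    End Function

    ' Text for a log entry; do not include the password in it.
    Public Shared Function Explain(ByVal outcome As Result, ByVal win32Error As Integer) As String
        If outcome = Result.Valid Then Return "Credentials accepted."
        Return outcome.ToString() & " (" & win32Error.ToString() & "): " & _
               New Win32Exception(win32Error).Message
    End Function
End Class
```

Only `Result.Valid` should let the user in: treating `CallerLacksPrivilege` or `OtherError` as anything other than a refusal turns a configuration problem into an authentication bypass.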