
inetserver asp components : LogonUser() Works Under NT4.0, Fails Under Win2K


Mike
11/12/2003 5:29:24 PM
Any help would be greatly appreciated.

Based on MS KB article Q248187 (HOWTO: Impersonate a User from Active
Server Pages), I developed an ActiveX DLL (using VB6.0 Enterprise
SP5), and deployed to a corporate web site under NT Server 4.0 SP6a
/IIS4.0, expressly to retrieve Office documents contained on the
server's DASD, but outside the "view" of the web site, which uses
home-grown ASP session security. Works great!

However, migrating to Windows 2000 Server SP4/IIS5.1, the LogonUser()
function returns 0 (fails), and GetLastError() function also returns
0, making it impossible to debug!

More details available on request.

Egbert Nierop (MVP for IIS)
12/27/2003 9:15:14 AM

Is that privilege the KB mentions, "Act as part of the operating
system", given to the IWAM user account?
Note that the code shown in the KB is incomplete; basically it works but it is
not robust enough :)

It should look like

' Module-level declarations the post leaves out: UserSec is the poster's
' wrapper object around the advapi32/kernel32 calls; usrHandle,
' usrHandlePrevious, blnLoggedOn and oVarDict (a Scripting.Dictionary that
' holds the session state) are class-level members. The constants below are
' the standard Win32 values.
Private Const API_FALSE As Long = 0
Private Const TOKEN_IMPERSONATE As Long = &H4
Private Const ERROR_NO_TOKEN As Long = 1008
Private Const LOGON32_LOGON_NETWORK As Long = 3
Private Const LOGON32_PROVIDER_WINNT50 As Long = 3
Private Const E_INVALIDARG As Long = &H80070057

' varUserUPN MUST contain a UPN (email-style address) for an LDAP database
Public Function LogonUser(ByRef varUserUPN As Variant, _
                          ByRef varPassword As Variant) As Boolean
    Dim er As Long
    Dim blnRevertDone As Boolean
    Const ERROR_LOGON_FAILURE = 1326

    If VarType(varUserUPN) <> vbString Then
        er = E_INVALIDARG
        GoTo exiterr2
    End If

    ' If we were already logged on, log off first; otherwise we would leak a
    ' handle. This check is a 'fool proof' test in case someone forgets to
    ' program a LogOff statement.
    Internal_LogOf

    ' Get the current security context (for instance IUSR_xxxx) so that it can
    ' be restored later: the thread token if there is one, else the process
    ' token.
    If UserSec.OpenThreadToken(GetCurrentThread(), TOKEN_IMPERSONATE, _
                               API_FALSE, usrHandlePrevious) = API_FALSE Then
        If GetLastError = ERROR_NO_TOKEN Then
            If UserSec.OpenProcessToken(GetCurrentProcess, TOKEN_IMPERSONATE, _
                                        usrHandlePrevious) = API_FALSE Then
                GoTo ExitErr
            End If
        Else
            GoTo ExitErr
        End If
    End If

    ' Jump back to the process identity to be able to call LogonUser;
    ' otherwise we would have insufficient rights to call this function.
    ' WRONG assertion: RevertToSelf won't get to TCB if the web site runs
    ' out of process, therefore an admin should give IWAM_xxx the
    ' 'act as part of the OS' right to be able to check a login account.
    If RevertToSelf = 0 Then
        GoTo ExitErr
    End If
    blnRevertDone = True

    ' The IWAM_xxx account must have the 'act as part of the OS' right to
    ' call this function!
    If UserSec.LogonUser(varUserUPN, ByVal 0&, varPassword, _
                         LOGON32_LOGON_NETWORK, LOGON32_PROVIDER_WINNT50, _
                         usrHandle) = 0 Then
        ' There are too many error codes to tell bad logins apart (account
        ' expired, locked out etc); the caller gets the raw Win32 code.
        GoTo ExitErr
    End If

    If UserSec.ImpersonateLoggedOnUser(usrHandle) = 0 Then
        GoTo ExitErr
    End If

    blnLoggedOn = True
    LogonUser = blnLoggedOn

    oVarDict.Item("___lgd") = blnLoggedOn
    ' Remember the credentials to log on again at the client's other
    ' protected ASP pages. Note that this keeps the clear-text password in
    ' the session store for as long as the session lives.
    oVarDict.Item("___usr") = varUserUPN
    oVarDict.Item("___pwd") = varPassword
    Exit Function

ExitErr:
    er = GetLastError
    ' Release whatever was acquired before the failure: the posted version
    ' leaked usrHandle when ImpersonateLoggedOnUser failed and leaked
    ' usrHandlePrevious when RevertToSelf failed.
    If usrHandle Then
        CloseHandle usrHandle
        usrHandle = 0
    End If
    If usrHandlePrevious Then
        ' Only re-impersonate if we actually reverted; close the handle
        ' either way.
        If blnRevertDone Then UserSec.ImpersonateLoggedOnUser usrHandlePrevious
        CloseHandle usrHandlePrevious
        usrHandlePrevious = 0
    End If
exiterr2:
    If er Then RaiseError 0, er
End Function

' If the cache is on then we must delete an element from the cache array,
' but this host can't close the handles for the other hosts; our garbage
' collector should do this...
Public Function LogOff() As Boolean
    Internal_LogOf
    oVarDict.Remove "___usr"
    oVarDict.Remove "___pwd"
    oVarDict.Remove "___lgd"
    If usrHandle Then
        CloseHandle usrHandle
        usrHandle = 0
    End If
    LogOff = True
End Function

Private Function Internal_LogOf() As Boolean
    Dim er As Long
    If usrHandle = 0 Then Exit Function
    Internal_LogOf = True

    ' A failed CloseHandle is remembered but must not skip the restore of
    ' the original context below.
    If CloseHandle(usrHandle) = 0 Then er = GetLastError
    usrHandle = 0

    ' Get our original context back! If we would not do that there would be
    ' a security hole since the thread keeps running in the NT AUTHORITY
    ' context.
    If usrHandlePrevious Then
        If UserSec.ImpersonateLoggedOnUser(usrHandlePrevious) = 0 Then
            If er = 0 Then er = GetLastError
        End If
        If CloseHandle(usrHandlePrevious) = 0 Then
            If er = 0 Then er = GetLastError
        End If
        usrHandlePrevious = 0
    End If

    If er Then
        Internal_LogOf = False
        RaiseError 0, er
    End If
End Function
--
compatible web farm Session replacement for Asp and Asp.Net
http://www.nieropwebconsult.nl/asp_session_manager.htm
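The following is an added example, my own VB6 module rather than Egbert's code or the Q248187 sample, showing how a component can find out why LogonUser() failed instead of the bare 0 that Mike describes. It reads Err.LastDllError on the statement right after the Declare call (VB6 stores the Win32 error of the last Declare call there; a separate GetLastError Declare frequently reads 0 because the runtime itself calls Win32 in between), maps the common codes to a server-log message, and releases the token and impersonation on every path. The function names TryLogon, DescribeLogonError and ReadFileAsUser are made up for this example; the Declare statements, constants and error codes are the documented Win32 ones. On Windows 2000 a process without "Act as part of the operating system" (SeTcbPrivilege) gets ERROR_PRIVILEGE_NOT_HELD (1314) from LogonUser, which is how the code tells the Win2K configuration problem from a bad password.

```vb
' Added example (not the poster's code): capture the real Win32 error from
' LogonUser() and clean up the token on every path.
Option Explicit

Private Declare Function LogonUser Lib "advapi32.dll" Alias "LogonUserA" ( _
    ByVal lpszUsername As String, ByVal lpszDomain As String, _
    ByVal lpszPassword As String, ByVal dwLogonType As Long, _
    ByVal dwLogonProvider As Long, ByRef phToken As Long) As Long
Private Declare Function ImpersonateLoggedOnUser Lib "advapi32.dll" ( _
    ByVal hToken As Long) As Long
Private Declare Function RevertToSelf Lib "advapi32.dll" () As Long
Private Declare Function CloseHandle Lib "kernel32" (ByVal hObject As Long) As Long

Private Const LOGON32_LOGON_NETWORK As Long = 3
Private Const LOGON32_PROVIDER_WINNT50 As Long = 3

' Win32 error codes LogonUser commonly reports (winerror.h values)
Private Const ERROR_PRIVILEGE_NOT_HELD As Long = 1314
Private Const ERROR_LOGON_FAILURE As Long = 1326
Private Const ERROR_PASSWORD_EXPIRED As Long = 1330
Private Const ERROR_ACCOUNT_DISABLED As Long = 1331
Private Const ERROR_LOGON_TYPE_NOT_GRANTED As Long = 1385
Private Const ERROR_ACCOUNT_EXPIRED As Long = 1793
Private Const ERROR_ACCOUNT_LOCKED_OUT As Long = 1909

' Hypothetical helper: returns the token handle, or 0 with win32Err set.
' Err.LastDllError is read on the very next statement, before anything else
' in the runtime can overwrite it.
Public Function TryLogon(ByVal userUPN As String, ByVal password As String, _
                         ByRef win32Err As Long) As Long
    Dim hToken As Long
    win32Err = 0
    ' vbNullString passes a NULL domain pointer, which is what a UPN
    ' (user@domain) logon with LOGON32_PROVIDER_WINNT50 expects
    If LogonUser(userUPN, vbNullString, password, LOGON32_LOGON_NETWORK, _
                 LOGON32_PROVIDER_WINNT50, hToken) = 0 Then
        win32Err = Err.LastDllError
        TryLogon = 0
    Else
        TryLogon = hToken
    End If
End Function

' Hypothetical helper: text for the server log only. The browser should get
' one generic "logon failed" message so the page does not reveal which
' accounts exist, are disabled or are locked out.
Public Function DescribeLogonError(ByVal win32Err As Long) As String
    Select Case win32Err
        Case ERROR_PRIVILEGE_NOT_HELD
            ' Windows 2000: the calling process needs SeTcbPrivilege, so this
            ' is a configuration problem, not a wrong password
            DescribeLogonError = "1314: process lacks SeTcbPrivilege " & _
                "(grant 'Act as part of the operating system' to the IWAM identity)"
        Case ERROR_LOGON_FAILURE
            DescribeLogonError = "1326: unknown user name or bad password"
        Case ERROR_PASSWORD_EXPIRED
            DescribeLogonError = "1330: password expired"
        Case ERROR_ACCOUNT_DISABLED
            DescribeLogonError = "1331: account disabled"
        Case ERROR_LOGON_TYPE_NOT_GRANTED
            DescribeLogonError = "1385: network logon not granted to this account"
        Case ERROR_ACCOUNT_EXPIRED
            DescribeLogonError = "1793: account expired"
        Case ERROR_ACCOUNT_LOCKED_OUT
            DescribeLogonError = "1909: account locked out"
        Case Else
            DescribeLogonError = CStr(win32Err) & ": other Win32 error"
    End Select
End Function

' Hypothetical helper: impersonate for one file lookup, then revert and close
' the token on every path so no request leaves the thread running as the
' caller. path is whatever document the ASP page wants to serve.
Public Function ReadFileAsUser(ByVal userUPN As String, ByVal password As String, _
                               ByVal path As String, ByRef logLine As String) As Boolean
    Dim hToken As Long, win32Err As Long, found As Boolean
    hToken = TryLogon(userUPN, password, win32Err)
    If hToken = 0 Then
        logLine = "LogonUser failed, " & DescribeLogonError(win32Err)
        Exit Function
    End If
    If ImpersonateLoggedOnUser(hToken) = 0 Then
        logLine = "ImpersonateLoggedOnUser failed, error " & Err.LastDllError
    Else
        ' The file system access check now runs against the impersonated user
        found = (Dir$(path) <> "")
        logLine = "impersonated " & userUPN & ", file visible: " & found
        RevertToSelf              ' back to the process (or IUSR) context
    End If
    CloseHandle hToken            ' never leak the logon token
    ReadFileAsUser = found
End Function
```

The ASP page calls ReadFileAsUser and writes logLine to the server log (for instance with Response.AppendToLog) while returning the same generic failure text to the browser whatever the reason was; the error categories stay on the server side where the administrator can see a 1314 and fix the privilege instead of chasing a password problem.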