LogonUser alternative for Win2000???

Joe Mamma

I can't use the simple p/invoke of LogonUser to authenticate an impersonation user in Windows 2000.

One alternative is to p/invoke CreateProcessWithLogonW to shell off a hidden cmd.exe, check and terminate, checking the error code if it fails. This, though, is not the most efficient manner of authentication. More of a kludge.

I have seen some SSPI authentication code in VC6 and some in VC7 for client/server remoting impersonation. Extremely unwieldy.

Anyone have any code for doing this???
 
I have used LogonUser to impersonate a user with success. Why do you say you cannot do this?
 
divil said:
I have used LogonUser to impersonate a user with success. Why do you say you cannot do this?
LogonUser does not work in win 2k without overriding local security policy to allow the calling principal to act as part of the operating system.

Yah, I didn't read the notes closely. Deployed to a mixed win2k/xp society and boo-yah (my tester's favorite exclamation when he breaks my code).

From the SDK:

Windows 2000: The process calling LogonUser requires the SE_TCB_NAME privilege. If the calling process does not have this privilege, LogonUser fails and GetLastError returns ERROR_PRIVILEGE_NOT_HELD. In some cases, the process that calls LogonUser must also have the SE_CHANGE_NOTIFY_NAME privilege enabled; otherwise, LogonUser fails and GetLastError returns ERROR_ACCESS_DENIED. This privilege is not required for the local system account or accounts that are members of the administrators group. By default, SE_CHANGE_NOTIFY_NAME is enabled for all users, but some administrators may disable it for everyone. For more information about privileges, see Privileges.
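
An added example, not code posted in the thread: a C# P/Invoke wrapper for LogonUser that keeps the two privilege errors described in the SDK note separate from an actual bad password, so a missing SE_TCB_NAME on Windows 2000 is not reported as a failed login. The class and method names are hypothetical, and the choice of the network logon type is an assumption; the numeric constants are the standard Win32 values.

```csharp
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;

static class LogonCheck   // hypothetical name, not from the thread
{
    const int LOGON32_LOGON_NETWORK = 3;
    const int LOGON32_PROVIDER_DEFAULT = 0;
    const int ERROR_ACCESS_DENIED = 5;
    const int ERROR_PRIVILEGE_NOT_HELD = 1314;
    const int ERROR_LOGON_FAILURE = 1326;

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LogonUser(string user, string domain, string password,
        int logonType, int logonProvider, out IntPtr token);

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr handle);

    // Returns true for accepted credentials and false for a bad user name or
    // password. Throws when the call itself could not be made, so a privilege
    // problem on the caller's side is never mistaken for a bad password.
    public static bool TryValidate(string user, string domain, string password)
    {
        IntPtr token;
        if (LogonUser(user, domain, password, LOGON32_LOGON_NETWORK,
                      LOGON32_PROVIDER_DEFAULT, out token))
        {
            CloseHandle(token);   // the token is only proof of logon here; do not leak it
            return true;
        }
        int err = Marshal.GetLastWin32Error();
        switch (err)
        {
            case ERROR_LOGON_FAILURE:
                return false;
            case ERROR_PRIVILEGE_NOT_HELD:
                throw new InvalidOperationException(
                    "LogonUser needs SE_TCB_NAME on Windows 2000 (error 1314).");
            case ERROR_ACCESS_DENIED:
                throw new InvalidOperationException(
                    "LogonUser denied; SE_CHANGE_NOTIFY_NAME may be disabled (error 5).");
            default:
                throw new Win32Exception(err);   // disabled account, expired password, etc.
        }
    }
}
```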
 