LogonUser Lib "advapi32.dll" strange on non domain cpu when local exists?

Thread starter: PCzzz (Guest)
Hi, not sure of the correct place to post..

I'm attempting a Login Form for a WinForms app and it needs to only allow domain users in a certain group.
On using the API LogonUser from advapi32.dll either I'm not getting the flags right or something else weird is happening.

When used on a domain computer the parameters of login type (INTERACTIVE, NETWORK, BATCH, NEW_CREDENTIALS) all appear to work fine.

When used on a Workgroup computer, e.g. in workgroup "WORKGROUP" on the same network as the domain but not joined to the domain, it doesn't work in any combination I try. It also has a glitch (though I believe this is a policy or something) that if the account you use, e.g. MyDomain\User1, exists as MyComputer\User1, it returns MyComputer\User1 regardless of specifying the Domain in the call as "MyDomain".
This computer can communicate with the domain shares etc. as I can copy and interact with them, therefore I would expect to be able to log in to the domain if available. It might seem strange to attempt this, but basically it's due to support contract issues.

Here's some code:


Imports System.Security.Principal

Public Class WinSecurity

    ' VB Declare statements set SetLastError, so Err.LastDllError holds the Win32 error after a failed call.
    Private Declare Auto Function LogonUser Lib "advapi32.dll" ( _
        ByVal lpszUsername As String, _
        ByVal lpszDomain As String, _
        ByVal lpszPassword As String, _
        ByVal dwLogonType As Integer, _
        ByVal dwLogonProvider As Integer, _
        ByRef phToken As IntPtr) As Boolean

    Private Declare Auto Function CloseHandle Lib "kernel32.dll" (ByVal handle As IntPtr) As Boolean

    ' Declared as Integer to match the DWORD parameters of LogonUser (the originals were Long).
    Public Const LOGON32_LOGON_INTERACTIVE As Integer = 2
    Public Const LOGON32_LOGON_NETWORK As Integer = 3
    Public Const LOGON32_LOGON_BATCH As Integer = 4
    Public Const LOGON32_LOGON_SERVICE As Integer = 5
    Public Const LOGON32_LOGON_CLEARTEXT As Integer = 8
    Public Const LOGON32_LOGON_NEW_CREDENTIALS As Integer = 9

    Public Const LOGON32_PROVIDER_DEFAULT As Integer = 0
    Public Const LOGON32_PROVIDER_WINNT50 As Integer = 3
    Public Const LOGON32_PROVIDER_WINNT40 As Integer = 2
    Public Const LOGON32_PROVIDER_WINNT35 As Integer = 1

    ' Returns the WindowsIdentity for the logged-on user, or Nothing when the logon fails.
    Public Shared Function checkUserLogin(ByVal LoginCode As String, ByVal Password As String, ByVal Domain As String, ByVal Login As Integer, ByVal Provider As Integer) As WindowsIdentity
        Dim token As IntPtr = IntPtr.Zero
        ' Pass the requested logon type and provider through. The original always called with
        ' LOGON32_LOGON_NETWORK / LOGON32_PROVIDER_DEFAULT, so the "method" in the log did not
        ' reflect what was actually tried. Test the Boolean result rather than the token value.
        If LogonUser(LoginCode, Domain, Password, Login, Provider, token) Then
            ' WindowsIdentity duplicates the token, so the original handle can be closed afterwards.
            Dim newId As New WindowsIdentity(token)
            Track.LogDEBUG(String.Format("Attempto PASS: {0}, Auth: {1}, method: {2}, Provider: {3}", newId.Name, newId.Token, Login, Provider))
            CloseHandle(token)
            Return newId
        Else
            Track.LogDEBUG(String.Format("Attempto FAIL: {0}, Auth: {1}, method: {2}, Provider: {3}", LoginCode, Domain, Login, Provider))
            Return Nothing
        End If
    End Function
End Class

' Calling code

Dim sDomain As String = "MyDomain"
WinSecurity.checkUserLogin(txtUserName.Text, txtPassword.Text, sDomain, WinSecurity.LOGON32_LOGON_INTERACTIVE, WinSecurity.LOGON32_PROVIDER_DEFAULT)
WinSecurity.checkUserLogin(txtUserName.Text, txtPassword.Text, sDomain, WinSecurity.LOGON32_LOGON_NETWORK, WinSecurity.LOGON32_PROVIDER_DEFAULT)
WinSecurity.checkUserLogin(txtUserName.Text, txtPassword.Text, sDomain, WinSecurity.LOGON32_LOGON_BATCH, WinSecurity.LOGON32_PROVIDER_DEFAULT)
WinSecurity.checkUserLogin(txtUserName.Text, txtPassword.Text, sDomain, WinSecurity.LOGON32_LOGON_NEW_CREDENTIALS, WinSecurity.LOGON32_PROVIDER_DEFAULT)
WinSecurity.checkUserLogin(txtUserName.Text, txtPassword.Text, sDomain, WinSecurity.LOGON32_LOGON_INTERACTIVE, WinSecurity.LOGON32_PROVIDER_DEFAULT)



Note: I have changed the names for privacy reasons.

My Results on the WorkGroup Computer - Local User Active:

Attempto PASS: MyComputer\User1, Auth: 1088, method: 2, Provider: 0
Attempto PASS: MyComputer\User1, Auth: 1100, method: 3, Provider: 0
Attempto PASS: MyComputer\User1, Auth: 1060, method: 4, Provider: 0
Attempto PASS: MyComputer\User1, Auth: 1108, method: 9, Provider: 0
Attempto PASS: MyComputer\User1, Auth: 1076, method: 2, Provider: 0

Results on WorkGroup Computer - Local User Disabled/doesn't exist:

Attempto FAIL: User1, Auth: MyDomain, method: 2, Provider: 0
Attempto FAIL: User1, Auth: MyDomain, method: 3, Provider: 0
Attempto FAIL: User1, Auth: MyDomain, method: 4, Provider: 0
Attempto FAIL: User1, Auth: MyDomain, method: 9, Provider: 0
Attempto FAIL: User1, Auth: MyDomain, method: 2, Provider: 0

Results on Domain Computer

Attempto PASS: MyDomain\User1, Auth: 1340, method: 2, Provider: 0
Attempto PASS: MyDomain\User1, Auth: 1724, method: 3, Provider: 0
Attempto PASS: MyDomain\User1, Auth: 1736, method: 4, Provider: 0
Attempto PASS: MyDomain\User1, Auth: 1648, method: 9, Provider: 0
Attempto PASS: MyDomain\User1, Auth: 1744, method: 2, Provider: 0

Please let me know if this is by design or I'm missing something.
Obviously I don't have a Trust set up to this computer, but I'm assuming this should still work if I can browse to network shares?

Cheers
Paul
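An added example, not the poster's code, showing the check the post's requirement ("only allow domain users in a certain group") actually needs: after LogonUser succeeds it verifies that the returned identity's authority is the requested domain rather than a same-named local account, and then tests group membership with WindowsPrincipal.IsInRole. The group name and the IsDomainGroupMember/reason names are assumptions; the post names neither.

```vb
Imports System.Security.Principal
Imports System.Runtime.InteropServices

Public Class DomainGroupCheck
    <DllImport("advapi32.dll", SetLastError:=True, CharSet:=CharSet.Unicode)> _
    Private Shared Function LogonUser(ByVal lpszUsername As String, ByVal lpszDomain As String, _
            ByVal lpszPassword As String, ByVal dwLogonType As Integer, ByVal dwLogonProvider As Integer, _
            ByRef phToken As IntPtr) As Boolean
    End Function

    <DllImport("kernel32.dll", SetLastError:=True)> _
    Private Shared Function CloseHandle(ByVal hObject As IntPtr) As Boolean
    End Function

    Private Const LOGON32_LOGON_NETWORK As Integer = 3
    Private Const LOGON32_PROVIDER_DEFAULT As Integer = 0

    ' Returns True only if the credentials were accepted, the resulting identity belongs to the
    ' requested domain (not a same-named local account) and it is a member of groupName.
    ' groupName is a placeholder; the original post does not name the group it checks.
    Public Shared Function IsDomainGroupMember(ByVal userName As String, ByVal password As String, _
            ByVal domain As String, ByVal groupName As String, ByRef reason As String) As Boolean
        Dim token As IntPtr = IntPtr.Zero
        If Not LogonUser(userName, domain, password, LOGON32_LOGON_NETWORK, LOGON32_PROVIDER_DEFAULT, token) Then
            reason = "LogonUser failed, Win32 error " & Marshal.GetLastWin32Error()
            Return False
        End If
        Try
            Dim id As New WindowsIdentity(token)
            ' id.Name is "AUTHORITY\user". As the post observes, a local account with the same name
            ' wins, and the authority then comes back as the machine name; compare it with the
            ' domain that was asked for before trusting the logon.
            Dim authority As String = id.Name.Split("\"c)(0)
            If Not String.Equals(authority, domain, StringComparison.OrdinalIgnoreCase) Then
                reason = "Authenticated as " & id.Name & ", not a " & domain & " account"
                Return False
            End If
            Dim principal As New WindowsPrincipal(id)
            If Not principal.IsInRole(domain & "\" & groupName) Then
                reason = id.Name & " is not a member of " & domain & "\" & groupName
                Return False
            End If
            reason = "OK"
            Return True
        Finally
            CloseHandle(token)
        End Try
    End Function
End Class
```

The authority comparison is what turns the "MyComputer\User1" result in the post from a silent pass into a logged refusal.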
