How to use LogonUser in C++ ?

Hello,

I’m trying to write a c++ program in where I want to check whether a given
username and password exists in the network.
If the user exists in the Windows and the password is correct then I have to
return a positive value, if the user exists but the password is not correct
then I have to return a negative value.
I know that I can use LogonUser to check this, but until now I haven’t
succeeded to do this correctly.
Can someone explain me all the steps I have to perform or maybe give me an
example on how to do this ?

Thank you


You are currently subscribed to ntdev as: $subst(‘Recip.EmailAddr’)
To unsubscribe send a blank email to leave-ntdev-$subst(‘Recip.MemberIDChar’)@lists.osr.com

> I know that I can use LogonUser to check this, but until now I haven’t

Yes, the only documented way.

succeeded to do this correctly.

Your code must run under account having “Act as part of operating system”
privilege.
Otherwise, LogonUser will not work.

Max


You are currently subscribed to ntdev as: $subst(‘Recip.EmailAddr’)
To unsubscribe send a blank email to leave-ntdev-$subst(‘Recip.MemberIDChar’)@lists.osr.com

This is my code so far, but it doesn’t seem to work. Anyone know what I am
doing wrong ? I act as a part of the operating system.

int main(int argc, char* argv)
{
AnsiString loUser;
AnsiString loPasw;
bool result;
loUser=AnsiString(argv[1]);
loPasw=AnsiString(argv[2]);

LPSTR lpszUsername=loUser.c_str();
LPSTR lpszDomain=NULL;
LPSTR lpszPassword=loPasw.c_str();
DWORD dwLogonType=LOGON32_LOGON_INTERACTIVE;
DWORD dwLogonProvider=LOGON32_PROVIDER_DEFAULT;
PHANDLE phToken;

result=LogonUser(lpszUsername, lpszDomain, lpszPassword, dwLogonType,
dwLogonProvider, phToken);
if (result==0)
{
cout << “niet ok”;
}
else
{
cout << “ok”;
//cout << result;
}

string test;
cin >> test;
return 0;
}


You are currently subscribed to ntdev as: $subst(‘Recip.EmailAddr’)
To unsubscribe send a blank email to leave-ntdev-$subst(‘Recip.MemberIDChar’)@lists.osr.com

First of all, I think your code is fine. Assuming it’s not a bonehead error
like typing in the wrong username or password, this should work. If there’s
a problem, it’s probably with the privilege level of the account that you
are using to run the LogonUser API, and/or the account you are trying to
login to itself.

The program that runs this code must be running on a thread which already
has the “Act as Part of the Operating System” privilege. By default, this
privilege is granted to just one Account - the SYSTEM account (no, the
Administrator account doesn’t get this privilege by default). This means
that your process must be running as the special NT SYSTEM account. The most
common way to do that is to run your process as an NT service. Unless you
take special action to do otherwise, an NT Service will run under the local
machine’s SYSTEM account.

An easier alternative than creating a great big service is to just grant the
“act as part of the OS” privilege to your interactive login account (the
account that you’re running this program from, not the one that you’re
trying to login to) using USRMGR (NT4), or “Local Security Policy” (Win2k).
Be sure to log off and then log on again before you try this code.
Privileges are looked up at logon time and then cached by your Local
Security Authority (LSA) and so when you grant it, the LSA doens’t realize
you have it until you force it to go look by logging in again. (I wasted 2
hours on that one).

Also, since your logon type is LOGON32_LOGON_INTERACTIVE, the account which
you’re attempting to log on programmatically must have the “Logon
Interactively” privilege. If you instead use the LOGON32_LOGON_NETWORK logon
type, then the right privilege to grant is “Logon as a Service”.

To adjust security privileges on Win2k do: Start | Settings | Control Panel
| Administrative Tools | Local Security Policy | Security Settings | Local
Policies | User Rights Assignment

Find the “Log On Locally” privilege and open that up. Make sure the account
you’re trying to login programmatically is included in a group that’s in
this list.

Note that Win2k has a way for a Domain Admin to “override” whatever
privilege you’d like to assign, with whatever privilege that they prefer
(this is the “effective policy setting” column in that dialog box). So if
your dev machine participates in a domain, you’ll probably need to spend
some time getting to know your Admin, or setting up your own little private
domain (which is what I did).

I’ve been studying Keith Brown’s “Programming Windows Security” book and if
you don’t have a copy, run out right now and get one. It’s the best
reference on how this crap works that I’ve found.

ERX

PS: Here is code which I know successfully works. It’s not that different
from your code which leads me to believe that you simply need to adjust
privileges and use the right account names / passwords. I explicitly
specified the Domain Name, and I used the WINNT40 logon provider, but I
really don’t think these are the problem.

TCHAR * tstrUserName = “MyAccountName” ;
TCHAR * tstrDomain = “MYDOMAIN” ;
TCHAR * tstrPassword = “whatever” ;
DWORD dwLogonType = LOGON32_LOGON_NETWORK ;
DWORD dwLogonProvider = LOGON32_PROVIDER_WINNT40 ;
HANDLE hToken = NULL ;

if (!LogonUser (tstrUserName, tstrDomain, tstrPassword, dwLogonType,
dwLogonProvider, &hToken)) {
// nonzero is failure, so let’s see what went wrong
DWORD dwErr = GetLastError () ;
}

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com]On Behalf Of
xxxxx@adtechno.be
Sent: Wednesday, June 06, 2001 12:00 AM
To: NT Developers Interest List
Subject: [ntdev] Re: How to use LogonUser in C++ ?

This is my code so far, but it doesn’t seem to work. Anyone
know what I am
doing wrong ? I act as a part of the operating system.

int main(int argc, char* argv)
{
AnsiString loUser;
AnsiString loPasw;
bool result;
loUser=AnsiString(argv[1]);
loPasw=AnsiString(argv[2]);

LPSTR lpszUsername=loUser.c_str();
LPSTR lpszDomain=NULL;
LPSTR lpszPassword=loPasw.c_str();
DWORD dwLogonType=LOGON32_LOGON_INTERACTIVE;
DWORD dwLogonProvider=LOGON32_PROVIDER_DEFAULT;
PHANDLE phToken;

result=LogonUser(lpszUsername, lpszDomain,
lpszPassword, dwLogonType,
dwLogonProvider, phToken);
if (result==0)
{
cout << “niet ok”;
}
else
{
cout << “ok”;
//cout << result;
}

string test;
cin >> test;
return 0;
}


You are currently subscribed to ntdev as: xxxxx@spinnakernet.com
To unsubscribe send a blank email to leave-ntdev-$subst(‘Recip.MemberIDChar’)@lists.osr.com


You are currently subscribed to ntdev as: $subst(‘Recip.EmailAddr’)
To unsubscribe send a blank email to leave-ntdev-$subst(‘Recip.MemberIDChar’)@lists.osr.com

Thank you very much for your help!
I followed all the steps and it works now!

Thanks
Lina Romanelli


You are currently subscribed to ntdev as: $subst(‘Recip.EmailAddr’)
To unsubscribe send a blank email to leave-ntdev-$subst(‘Recip.MemberIDChar’)@lists.osr.com