Using LogonUser with a LOCAL ACCOUNT which belongs to a remote machine.

Using LogonUser with a LOCAL ACCOUNT which belongs to a remote machine.: Posted by Pascal on June 4th, 2004; Hello everyone,

I need to authenticate to a stand alone remote machine using a local
account. My plan was simple:

1. / Call LogonUser with credentials of the local account from the
remote machine (i.e.: Administrator) and get a token handle.
2. / Call ImpersonateLoggedOnUser with the token to have my thread
authenticated.
3. / Do what I have to do with the remote machine.

This seemed simple enough, but ... as usual ... when you think you are
going to spend 5 minutes doing something it becomes a 2 days ordeal.
Here is the problem:

I can't seem to be able to use LogonUser with credentials which belong
to a remote local account database. If my machine has an identical
local account/password as the remote machine, it works (even though I
still impersonate as my machine's local account), but I can't use
credential of an account if I don't have the same on my machine.

For instance, I am trying to authenticate to remote machine called:
MAC01. MAC01 has a local account called ADMIN01, and my machine
doesn't have that account locally.

I have tried the following:

LogonUser( "MAC01\ADMIN01", // Username
"MAC01", // Domain (Authority)
"LePassword", // Password
LOGON32_LOGON_NETWORK_CLEARTEXT,
LOGON32_PROVIDER_DEFAULT)

LogonUser( "ADMIN01",
"MAC01",
"LePassword",
LOGON32_LOGON_NETWORK_CLEARTEXT,
LOGON32_PROVIDER_DEFAULT)

LogonUser( "MAC01\ADMIN01",
"",
"LePassword",
LOGON32_LOGON_NETWORK_CLEARTEXT,
LOGON32_PROVIDER_DEFAULT)

LogonUser( "MAC01\ADMIN01",
NULL,
"LePassword",
LOGON32_LOGON_NETWORK_CLEARTEXT,
LOGON32_PROVIDER_DEFAULT)

They all fail with "Logon failure: unknown user name or bad
password.".

Now, Win2K/WinXP do not have that problem. If you try to open a remote
machine's share which requires credentials, you can enter any local
account you wish and it works as expected. I understand I can use the
WNetAddConnection2 with an IPC$ share to do the same thing, but this
has a lot of draw backs (the entire system gets authenticated for one,
ERROR_ALREADY_ASSIGNED for two). So I would rather limit my
impersonation to a single thread or process.

What I am missing?
Thank you.; Posted by Alex Fedotov on June 5th, 2004; Pascal wrote:

This will not work. You cannot create a token for an account on another
machine.

What you can do is to call LogonUser with LOGON32_LOGON_NEW_CREDENTIALS flag
to create a new logon session (and a token) for the current local account.
That will allow you to use WNetAddConnection2 with an IPC$ share while
avoiding conflicts with other connections already open to this machine.

-- Alex Fedotov

Similar Posts

Cannot see local printers on remote machine (Working Remotely) by Bill
Add Remote User Account To Local Group in a Workgroup (Networking) by MATT
Can I make a local XP account a domain account ? (Microsoft Windows) by Nick
re:read does anyone know what isp this belongs to you know the pop3 account i think i thought it belonged to bt ? i dont if your know please reply back here (Computers & Technology) by Colin Robinson
LogonUser and remote change of password? (Development Resources) by Sten Westerback

Internet Office and Resources