MAPI and Windows Authentication (was: Re: MAPI and XP SP2 problems)

From: Hugh J. Hitch*** (info_at_NO_SPAMwebdimensions.org)
Date: 12/15/04


Date: Tue, 14 Dec 2004 23:39:50 -0500

Hi Dmitry,

I wrote

>> we are trying to do exchange server over the
>> internet, so the machine that is trying to connect is not in the
>> domain as it were, but a user somewhere on the internet who uses dns to
>> resolve to the exchange server. So in fact no, the code is not running
>> within the credentials, unless they've been able somehow to create an
>> account on our exchange domain which has the exact same login and password
>> as the user on their local client machine. therefore... I would really
>> like to find out how to do the authentication programmatically.

you replied

>> Exchange provider uses the current process credentials. You can
>> impersonate that user using LogonUser/ImpersonateLoggedOnUser
>> functions first.

So I am trying to figure out why you suggested that as a solution. Can you
please clarify?

the only thing I can figure out is that you sort of assumed that there is a
user on the local machine that matches a user on the server. That is not
necessarily the case, but I am able to obtain the username and password for
the exchange computer account because their info is saved in our database,
and I can download that info (or any other username/login combination I
want) into my program which runs on the client machine (the user's local
computer). The user's machine does not belong to the domain... they are
basically remote internet users.. for example, they can logon to OWA with
the username and password from our exchange server account -- but that
login/pswd are not related to any account on their local machine, unless
they purposely chose the same username and password when they created their
account on our server -- but there's no guarantee that that's the case. In
fact in most cases, there will not be a corresponding account on the user's
machine that matches an account on the server. They just have the username
and password from our server account and must authenticate somehow. That's
why I have to figure out how to authenticate to the server programmatically,
so I can call MAPI functions and not get a log in screen again and again. I
don't care how to do it -- I could use credentials for an administrative
account on the server, the username and password from the user's exchange
account, whatever.

You see what happens is - my program downloads into the user's web browser
as an ActiveX control... creates a profile, then adds an MSEMS service, then
configures the service with our server's name and the user's chosen
mailbox name which already exists on the server, then it calls
Session->SetDefaultStore to make the exchange account the default message
store, to leave all the mail on the server so they can connect from multiple
clients.

Remember we are doing this over the internet, not over a LAN where the
computer is logged onto the LAN domain. If I run the program on a computer
on which the interactive user has the same username and password as an
account on the exchange server, the program runs with no problem and no
forced authentication. If I run the program on a computer where the
interactive user's username and password do not correspond to any privileged
account on the exchange server, a login dialog pops up at
ConfigureMsgService and again at SetDefaultStore -- even though they are
both called from within the same thread, the same function even. I need to
figure out a way to get rid of the logins and just do it automatically
(programmatically.) Will really, really appreciate any assistance with this.

thanks,
Hugh

"Dmitry Streblechenko (MVP)" <dmitry@dimastr.com> wrote in message
news:eflpGBh4EHA.2964@TK2MSFTNGP15.phx.gbl...
> LogonUser does not log to a remote computer - it allows you to log on
> locally as either a local user or as a domain user. Obviously it knows
> nothing about local users on other machines, but Exchange needs a domain
> user anyway.
> These functions do not provide access to any other computers, they just
> create a user token that can be used later (e.g. by the Exchange provider
> that picks up the process identity) to prove that you are really that user.
>
> Dmitry Streblechenko (MVP)
> http://www.dimastr.com/
> OutlookSpy - Outlook, CDO
> and MAPI Developer Tool
>
>
> "Hugh J. Hitch***" <info@NO_SPAMwebdimensions.org> wrote in message
> news:EMWdnbWsjIcrdCPcRVn-2g@speakeasy.net...
> > Hi Dmitry,
> >
> > thanks so much for this idea... I am having problems with it though...
> > calling LogonUser I am not having any success... and MSDN says the
> > following -- "You cannot use LogonUser to log on to a remote computer".
> > unfortunately this is what I am trying to do... do I have to create a user
> > on the local machine that matches the user on the server, then impersonate
> > the local user I've created? it's a bit confusing...
> >
> > can you provide some sample code or point me in the direction of how exactly
> > to use these functions to get access to the server? thanks so much.
> >
> > h
> >
> > "Dmitry Streblechenko (MVP)" <dmitry@dimastr.com> wrote in message
> > news:#1KnvNT4EHA.2676@TK2MSFTNGP12.phx.gbl...
> > > Exchange provider uses the current process credentials. You can impersonate
> > > that user using LogonUser/ImpersonateLoggedOnUser functions first.
> > >
> > > Dmitry Streblechenko (MVP)
> > > http://www.dimastr.com/
> > > OutlookSpy - Outlook, CDO
> > > and MAPI Developer Tool
> > >
> > >
> > > "Hugh J. Hitch***" <info@NO_SPAMwebdimensions.org> wrote in message
> > > news:dsidnYt3wLmbIiHcRVn-uQ@speakeasy.net...
> > > > well see the thing is, that we are trying to do exchange server over the
> > > > internet, so the machine that is trying to connect is not in the domain
> > > > as it were, but a user somewhere on the internet who uses dns to resolve to
> > > > the exchange server. So in fact no, the code is not running within the
> > > > credentials, unless they've been able somehow to create an account on our
> > > > exchange domain which has the exact same login and password as the user on
> > > > their local client machine. therefore... I would really like to find out how
> > > > to do the authentication programmatically.
> > > >
> > > > thanks Dmitry :)
> > > >
> > > > "Dmitry Streblechenko (MVP)" <dmitry@dimastr.com> wrote in message
> > > > news:edLFoP72EHA.1396@tk2msftngp13.phx.gbl...
> > > > > Is your code running using the same user credentials as the user whose
> > > > > mailbox you are trying to open?
> > > > >
> > > > > Dmitry Streblechenko (MVP)
> > > > > http://www.dimastr.com/
> > > > > OutlookSpy - Outlook, CDO
> > > > > and MAPI Developer Tool
> > > > >
> > > > >
> > > > > "Hugh J. Hitch***" <info@NO_SPAMwebdimensions.org> wrote in
message
> > > > > news:AuednTnJMJZi-incRVn-qA@speakeasy.net...
> > > > > > Hi all,
> > > > > >
> > > > > > > I am finding that my MAPI program which manipulates profiles has problems
> > > > > > > when it runs on XP SP2... specifically, it continues to throw up the login
> > > > > > > screen every time I try to run certain functions, specifically
> > > > > > > ConfigureMsgService() will not work without throwing up the login screen. I
> > > > > > > must enter the correct login and password or else the function fails. This
> > > > > > > does not occur on any system other than Windows XP w/ SP2.
> > > > > > >
> > > > > > > example:
> > > > > > >
> > > > > > > 1) I create a profile using IProfAdmin->CreateProfile() (works fine.)
> > > > > > > 2) I add a MSEMS service by using IMsgSvcAdmin->CreateMsgService(). works
> > > > > > > fine.
> > > > > > > 3) I attempt to configure the service with PR_PROFILE_UNRESOLVED_SERVER and
> > > > > > > PR_PROFILE_UNRESOLVED_NAME -- it throws up the login screen and requires
> > > > > > > that I login.
> > > > > > >
> > > > > > > does anyone know why this happens or why to get around it? I've tried using
> > > > > > > other code provided in the Platform SDK for logging onto a server
> > > > > > > programmatically -- it uses LDAP -- I am able to log on programmatically with
> > > > > > > this process, within the same procedure happening in the above example --
> > > > > > > but it does not affect things, I am still asked for a login & password when
> > > > > > > calling ConfigureMsgService(). Is there another way to log onto the server
> > > > > > > programmatically so I am fully authorised?
> > > > > > >
> > > > > > > by the way I am using the XP SP2 platform SDK to build the code that is
> > > > > > > supposed to run on SP2.
> > > > > > >
> > > > > > > thanks very much in advance for any assistance
> > > > > >
> > > > > > Hugh
> > > > > > hjh at webdimensions dot org
> > > > > >
> > > > > >
> > > > > >
> > > > >
> > > > >
> > > >
> > > >
> > >
> > >
> >
> >
>
>