Re: MAPI and Windows Authentication (was: Re: MAPI and XP SP2 problems)

From: Hugh J. Hitch*** (info_at_NO_SPAMwebdimensions.org)
Date: 01/03/05


Date: Sun, 2 Jan 2005 20:37:10 -0500

Hello Dmitri,

I tried using LogonUser/ImpersonateLoggedOnUser for this... what happens is
that you are dealing with a profile under a particular user's computer
account, then when you switch to the other user, the profiles from the first
user disappear and therefore you can no longer operate on them.

I actually have solved this problem by configuring the server with a VPN,
then programmatically logging onto the VPN using the credentials of the
desired Exchange Server user. Works like a charm!

best,
Hugh

"Dmitry Streblechenko (MVP)" <dmitry@dimastr.com> wrote in message
news:#6eg5Qt4EHA.3388@TK2MSFTNGP15.phx.gbl...
> The reason I suggested using impersonation is because this is the only way
> to get rid of the logon dialog - when Exchange provider connects to the
> server, it queries the current process identity to figure out whether it
> matches the Windows user associated with the mailbox that you are trying to
> connect to or if the user has an explicit permission to access that mailbox.
> If not, it pops up the logon dialog.
> If you use LogonUser/ImpersonateLoggedOnUser, you can pretend to be the
> owner of that mailbox. The user to be impersonated does not have to belong
> to the same domain as the currently logged on user, but obviously the
> computer must be able to connect to that domain to verify the login. You
> might have a problem with the local permissions if the domain user is not
> listed in the local users list. You should be able to add the remote domain
> user to the list of the local users programmatically.
> Exchange provider was designed to be used on the domain network, so you are
> really stretching its capabilities. Did you try to use WebDAV? It looks like
> a perfect fit for what you are trying to do.
>
> Dmitry Streblechenko (MVP)
> http://www.dimastr.com/
> OutlookSpy - Outlook, CDO
> and MAPI Developer Tool
>
>
> "Hugh J. Hitch***" <info@NO_SPAMwebdimensions.org> wrote in message
> news:3JKdnYclg46HXSLcRVn-jQ@speakeasy.net...
> > Hi Dmitry,
> >
> > I wrote
> >
> > >> we are trying to do exchange server over the
> > >> internet, so the machine that is trying to connect is not in the
> > >> domain as it were, but a user somewhere on the internet who uses dns to
> > >> resolve to the exchange server. So in fact no, the code is not running
> > >> within the credentials, unless they've been able somehow to create an
> > >> account on our exchange domain which has the exact same login and
> > >> password as the user on their local client machine. therefore... I would
> > >> really like to find out how to do the authentication programmatically.
> >
> > you replied
> >
> > >> Exchange provider uses the current process credentials. You can
> > >> impersonate that user using LogonUser/ImpersonateLoggedOnUser
> > >> functions first.
> >
> > So I am trying to figure out why you suggested that as a solution. Can you
> > please clarify?
> >
> > the only thing I can figure out is that you sort of assumed that there is
> > a user on the local machine that matches a user on the server. That is not
> > necessarily the case, but I am able to obtain the username and password
> > for the exchange computer account because their info is saved in our
> > database, and I can download that info (or any other username/login
> > combination I want) into my program which runs on the client machine (the
> > user's local computer). The user's machine does not belong to the
> > domain... they are basically remote internet users.. for example, they can
> > logon to OWA with the username and password from our exchange server
> > account -- but that login/pswd are not related to any account on their
> > local machine, unless they purposely chose the same username and password
> > when they created their account on our server -- but there's no guarantee
> > that that's the case. In fact in most cases, there will not be a
> > corresponding account on the user's machine that matches an account on the
> > server. They just have the username and password from our server account
> > and must authenticate somehow. That's why I have to figure out how to
> > authenticate to the server programmatically, so I can call MAPI functions
> > and not get a log in screen again and again. I don't care how to do it --
> > I could use credentials for an administrative account on the server, the
> > username and password from the user's exchange account, whatever.
> >
> > You see what happens is - my program downloads into the user's web browser
> > as an activeX control... creates a profile, then adds an MEMS service,
> > then configures the service with our server's name and the user's chosen
> > mailboxname which already exists on the server, then it calls
> > Session->SetDefaultStore to make the exchange account the default message
> > store, to leave all the mail on the server so they can connect from
> > multiple clients.
> >
> > Remember we are doing this over the internet, not over a LAN where the
> > computer is logged onto the LAN domain. If I run the program on a computer
> > on which the interactive user has the same username and password as an
> > account on the exchange server, the program runs with no problem and no
> > forced authentication. If I run the program on a computer where the
> > interactive user's username and password do not correspond to any
> > privileged account on the exchange server, a login dialog pops up at
> > ConfigureMsgService and again at SetDefaultStore -- even though they are
> > both called from within the same thread, the same function even. I need to
> > figure out a way to get rid of the logins and just do it automatically
> > (programmatically.) Will really, really appreciate any assistance with
> > this.
> >
> > thanks,
> > Hugh
> >
> >
> > "Dmitry Streblechenko (MVP)" <dmitry@dimastr.com> wrote in message
> > news:eflpGBh4EHA.2964@TK2MSFTNGP15.phx.gbl...
> > > LogonUser does not log to a remote computer - it allows you to log on
> > > locally as either a local user or as a domain user. Obviously it knows
> > > nothing about local users on other machines, but Exchange needs a domain
> > > user anyway.
> > > These functions do not provide access to any other computers, they just
> > > create a user token that can be used later (e.g. by the Exchange
> > > provider that picks up the process identity) to prove that you are
> > > really that user.
> > >
> > > Dmitry Streblechenko (MVP)
> > > http://www.dimastr.com/
> > > OutlookSpy - Outlook, CDO
> > > and MAPI Developer Tool
> > >
> > >
> > > "Hugh J. Hitch***" <info@NO_SPAMwebdimensions.org> wrote in message
> > > news:EMWdnbWsjIcrdCPcRVn-2g@speakeasy.net...
> > > > Hi Dmitry,
> > > >
> > > > thanks so much for this idea... I am having problems with it
> > > > though... calling LogonUser I am not having any success... and MSDN
> > > > says the following -- "You cannot use LogonUser to log on to a remote
> > > > computer". unfortunately this is what I am trying to do... do I have
> > > > to create a user on the local machine that matches the user on the
> > > > server, then impersonate the local user I've created? it's a bit
> > > > confusing...
> > > >
> > > > can you provide some sample code or point me in the direction of how
> > > > exactly to use these functions to get access to the server? thanks so
> > > > much.
> > > >
> > > > h
> > > >
> > > > "Dmitry Streblechenko (MVP)" <dmitry@dimastr.com> wrote in message
> > > > news:#1KnvNT4EHA.2676@TK2MSFTNGP12.phx.gbl...
> > > > > Exchange provider uses the current process credentials. You can
> > > > > impersonate that user using LogonUser/ImpersonateLoggedOnUser
> > > > > functions first.
> > > > >
> > > > > Dmitry Streblechenko (MVP)
> > > > > http://www.dimastr.com/
> > > > > OutlookSpy - Outlook, CDO
> > > > > and MAPI Developer Tool
> > > > >
> > > > >
> > > > > "Hugh J. Hitch***" <info@NO_SPAMwebdimensions.org> wrote in message
> > > > > news:dsidnYt3wLmbIiHcRVn-uQ@speakeasy.net...
> > > > > > well see the thing is, that we are trying to do exchange server
> > > > > > over the internet, so the machine that is trying to connect is not
> > > > > > in the domain as it were, but a user somewhere on the internet who
> > > > > > uses dns to resolve to the exchange server. So in fact no, the
> > > > > > code is not running within the credentials, unless they've been
> > > > > > able somehow to create an account on our exchange domain which has
> > > > > > the exact same login and password as the user on their local
> > > > > > client machine. therefore... I would really like to find out how
> > > > > > to do the authentication programmatically.
> > > > > >
> > > > > > thanks Dmitry :)
> > > > > >
> > > > > > "Dmitry Streblechenko (MVP)" <dmitry@dimastr.com> wrote in message
> > > > > > news:edLFoP72EHA.1396@tk2msftngp13.phx.gbl...
> > > > > > > Is your code running using the same user credentials as the user
> > > > > > > whose mailbox you are trying to open?
> > > > > > >
> > > > > > > Dmitry Streblechenko (MVP)
> > > > > > > http://www.dimastr.com/
> > > > > > > OutlookSpy - Outlook, CDO
> > > > > > > and MAPI Developer Tool
> > > > > > >
> > > > > > >
> > > > > > > "Hugh J. Hitch***" <info@NO_SPAMwebdimensions.org> wrote in message
> > > > > > > news:AuednTnJMJZi-incRVn-qA@speakeasy.net...
> > > > > > > > Hi all,
> > > > > > > >
> > > > > > > > I am finding that my MAPI program which manipulates profiles
> > > > > > > > has problems when it runs on XP SP2... specifically, it
> > > > > > > > continues to throw up the login screen every time I try to run
> > > > > > > > certain functions, specifically ConfigureMsgService() will not
> > > > > > > > work without throwing up the login screen. I must enter the
> > > > > > > > correct login and password or else the function fails. This
> > > > > > > > does not occur on any system other than Windows XP w/ SP2.
> > > > > > > >
> > > > > > > > example:
> > > > > > > >
> > > > > > > > 1) I create a profile using IProfAdmin->CreateProfile() (works
> > > > > > > > fine.)
> > > > > > > > 2) I add a MSEMS service by using
> > > > > > > > IMsgSvcAdmin->CreateMsgService(). works fine.
> > > > > > > > 3) I attempt to configure the service with
> > > > > > > > PR_PROFILE_UNRESOLVED_SERVER and PR_PROFILE_UNRESOLVED_NAME --
> > > > > > > > it throws up the login screen and requires that I login.
> > > > > > > >
> > > > > > > > does anyone know why this happens or how to get around it?
> > > > > > > > I've tried using other code provided in the Platform SDK for
> > > > > > > > logging onto a server programmatically -- it uses LDAP -- I am
> > > > > > > > able to log on programmatically with this process, within the
> > > > > > > > same procedure happening in the above example -- but it does
> > > > > > > > not affect things, I am still asked for a login & password
> > > > > > > > when calling ConfigureMsgService(). Is there another way to
> > > > > > > > log onto the server programmatically so I am fully authorised?
> > > > > > > >
> > > > > > > > by the way I am using the XP SP2 platform SDK to build the
> > > > > > > > code that is supposed to run on SP2.
> > > > > > > >
> > > > > > > > thanks very much in advance for any assistance
> > > > > > > >
> > > > > > > > Hugh
> > > > > > > > hjh at webdimensions dot org
> > > > > > > >
> > > > > > > >
> > > > > > > >
> > > > > > >
> > > > > > >
> > > > > >
> > > > > >
> > > > >
> > > > >
> > > >
> > > >
> > >
> > >
> >
> >
>
>
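
The LogonUser/ImpersonateLoggedOnUser sequence discussed in this thread, as an added example that is not code from any of the posters: it checks every return value, never runs the work unless impersonation succeeded, and always reverts and closes the token. `split_account`, `run_impersonated` and `work_fn` are hypothetical names, the interactive logon type is an assumption, and the Win32 part compiles only on Windows.

```c
/* Added example (not from the thread). Win32 part builds on Windows only. */
#include <string.h>

/* Split a down-level name (DOMAIN, backslash, user) in place. A UPN
 * ("user@domain") stays whole with *domain = NULL, as LogonUser requires;
 * a bare name gets domain "." (local account database only).
 * Returns 0, or -1 when the user or domain part is empty. */
int split_account(char *buf, const char **domain, const char **user)
{
    char *sep = strchr(buf, '\\');
    if (sep) {
        *sep = '\0';
        *domain = buf;
        *user = sep + 1;
    } else {
        *domain = strchr(buf, '@') ? NULL : ".";
        *user = buf;
    }
    return (**user && (!*domain || **domain)) ? 0 : -1;
}

#ifdef _WIN32
#include <windows.h>

typedef int (*work_fn)(void *ctx);  /* hypothetical callback, e.g. MAPI calls */

/* Runs work() as the given account. Returns its result, or -1 if the logon
 * or the impersonation failed (work() is then never called). */
int run_impersonated(char *account, const char *password, work_fn work, void *ctx)
{
    const char *domain, *user;
    HANDLE token = NULL;
    int rc = -1;

    if (split_account(account, &domain, &user) != 0)
        return -1;
    /* Logon type is an assumption; the thread does not name one. */
    if (!LogonUserA(user, domain, password, LOGON32_LOGON_INTERACTIVE,
                    LOGON32_PROVIDER_DEFAULT, &token))
        return -1;
    if (ImpersonateLoggedOnUser(token)) {
        rc = work(ctx);              /* runs with the token's identity */
        if (!RevertToSelf())         /* still impersonating: do not go on */
            ExitProcess(1);
    }
    CloseHandle(token);
    return rc;
}
#endif
```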