Re: Using LoginUser for Authentication

From: Scott Allen (bitmask_at_[nospam)
Date: 03/15/04


Date: Sun, 14 Mar 2004 20:46:47 -0500

This is sort of a problem on windows 2000, because LogonUser only
works if you have SeTcbPrivilege set or are running as SYSTEM - both
options unfortunately bad from a security standpoint. The good news is
in XP and Windows 2003 you don't need the higher privilege level -
but it doesn't sound like this helps you any.

There is a workaround using an SSPI handshake. I know Keith Brown has
some C++ code to do this on the developmentor.com website.
Unfortunately, the logon session you start will not have any network
credentials for the user - so I'm not sure this will work for you
either.

What you might consider is using SSPI to authenticate the user's
credentials, and once you see the user can be authenticated then you
can impersonate another domain account from web.config (specify a
username and password) and let these credentials give you the
authorization to copy files across the network.

Let me know if you could use some more details or URLs. HTH,

--
Scott
http://www.OdeToCode.com
On Sun, 14 Mar 2004 13:26:59 -0800, "Dan"
<anonymous@discussions.microsoft.com> wrote:
>We are writing a component in VB.net that is supposed to
>authenticate a predetermined user (using the user name,
>password and domain) and then copy a file to a file share
>(using a mapped drive or UNC path).
>
>This component will be called from an IIS process (either 
>IIS 4, 5 or 6).
>
>The general code structure is as follows:
>
>Call RevertToSelf()
>Call LogonUser() to obtain a token
>Call ImpersonateLoggedOnUser()
>Copy the file over
>.....
>
>Sounds pretty simple, right?
>
>We have the most difficult time getting past LogonUser(). 
>We invariably get an error 1314: "A required privilege is 
>not held by the client".
>
>We get this error even though we attempt to run the 
>program as a standalone executable outside of IIS and 
>using Administrator user accounts. 
>
>One solution we saw was to provide "Act as part of the OS 
>privileges" to the user account in question. Even if this 
>works, we cannot do that for security reasons.
>
>Does anyone have any idea what we could be doing wrong?
>
>Thanks in advance for any assistance.
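The RevertToSelf / LogonUser / ImpersonateLoggedOnUser / copy sequence Dan describes, written out as an added VB.NET example (not code from either poster), with the Win32 error from LogonUser surfaced so that 1314 is reported as the privilege problem Scott explains. The account name, domain, password and file paths are placeholders to be supplied by the caller.

```vb
' Added example, not from the thread: impersonated file copy with explicit
' error reporting for the LogonUser failure discussed above.
Imports System
Imports System.IO
Imports System.ComponentModel
Imports System.Runtime.InteropServices
Imports System.Security.Principal

Public Class ImpersonatedCopy
    ' Interactive logon caches credentials, so the impersonating thread can
    ' reach a remote share; a LOGON32_LOGON_NETWORK (3) token cannot.
    Private Const LOGON32_LOGON_INTERACTIVE As Integer = 2
    Private Const LOGON32_PROVIDER_DEFAULT As Integer = 0
    Private Const ERROR_PRIVILEGE_NOT_HELD As Integer = 1314

    <DllImport("advapi32.dll", SetLastError:=True, CharSet:=CharSet.Unicode)> _
    Private Shared Function LogonUser(ByVal lpszUsername As String, _
        ByVal lpszDomain As String, ByVal lpszPassword As String, _
        ByVal dwLogonType As Integer, ByVal dwLogonProvider As Integer, _
        ByRef phToken As IntPtr) As Boolean
    End Function

    <DllImport("advapi32.dll", SetLastError:=True)> _
    Private Shared Function RevertToSelf() As Boolean
    End Function

    <DllImport("kernel32.dll", SetLastError:=True)> _
    Private Shared Function CloseHandle(ByVal hObject As IntPtr) As Boolean
    End Function

    ' user/domain/password/source/destination are caller-supplied placeholders.
    Public Shared Sub CopyAs(ByVal user As String, ByVal domain As String, _
        ByVal password As String, ByVal source As String, ByVal destination As String)
        ' Drop any IIS impersonation so LogonUser runs under the process identity.
        If Not RevertToSelf() Then Throw New Win32Exception(Marshal.GetLastWin32Error())

        Dim token As IntPtr = IntPtr.Zero
        If Not LogonUser(user, domain, password, LOGON32_LOGON_INTERACTIVE, _
                         LOGON32_PROVIDER_DEFAULT, token) Then
            Dim err As Integer = Marshal.GetLastWin32Error()
            If err = ERROR_PRIVILEGE_NOT_HELD Then
                ' Windows 2000: the calling process lacks SeTcbPrivilege.
                Throw New Win32Exception(err, "LogonUser requires SeTcbPrivilege on this OS.")
            End If
            Throw New Win32Exception(err)
        End If

        Dim ctx As WindowsImpersonationContext = Nothing
        Try
            ' WindowsIdentity.Impersonate calls ImpersonateLoggedOnUser on the token.
            ctx = WindowsIdentity.Impersonate(token)
            File.Copy(source, destination, True)
        Finally
            If Not ctx Is Nothing Then ctx.Undo()   ' back to the process identity
            CloseHandle(token)                      ' never leak the logon token
        End Try
    End Sub
End Class
```

The Undo and CloseHandle in the Finally block matter as much as the happy path: a token left open or a thread left impersonating keeps the predetermined account's privileges alive for whatever IIS runs on that thread next.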

