Re: Copy files in network with authentication ??

Tamas,
Inline.
Willy.

"Tamas Demjen" <tdemjen@xxxxxxxxx> wrote in message
news:us41%23QisFHA.2492@xxxxxxxxxxxxxxxxxxxxxxx
> Willy Denoyette [MVP] wrote:
>> The purpose of LogonUser is to obtain an access token specifying the
>> credentials of a valid local or domain (remote) account. If you specify a
>> remote user's credentials, the token obtained can be used to impersonate
>> the current thread and access the remote resource. Now, if you use non
>> local user credentials, accesses to local FS objects will fail (unless
>> the remote user is a shadow account of a local account), this can be
>> solved by:
>> - specifying a domain user when calling LogonUser and granting this
>> domain account access to the local FS resources, or,
>> - by specifying LOGON32_LOGON_NEW_CREDENTIALS as dwLogonType (W2K2 or
>> higher).
>>
>> Willy.
>
> Thanks Willy, this seems to be solving a 2-year-old problem to me. The
> following works nicely:
>
> HANDLE token;
> if(LogonUser(
>         "Tamas", "\\\\RemoteComputer",
>         "password",
>         LOGON32_LOGON_NEW_CREDENTIALS,
>         LOGON32_PROVIDER_DEFAULT,
>         &token))
> {
>     if(ImpersonateLoggedOnUser(token))
>     {
>         CopyFile("c:\\0.txt", "\\\\RemoteComputer\\Share\\0.txt", TRUE);
>         RevertToSelf();
>     }
>     CloseHandle(token);
> }
>
> Does the LOGON32_LOGON_NEW_CREDENTIALS flag require the server to be W2k+,
> or the client (local) computer only?
>

The computer calling LogonUser() needs W2K or higher (that is, all OS that
run Kerberos security providers).

> I also tried this:
> BOOL res = LogonUser(
>         "Tamas@RemoteComputer", NULL,
>         "password",
>         LOGON32_LOGON_NETWORK,
>         LOGON32_PROVIDER_DEFAULT,
>         &token);
>
> and res was TRUE and the token was valid, but after the
> ImpersonateLoggedOnUser call the remote FS was not accessible. Note that
> RemoteComputer is not a true domain, it's just another computer in a
> workgroup. I guess if I knew how to add access to the FS, that would work
> too. <sigh> I'd spent days without success before.
>

This is by design, the logon type LOGON32_LOGON_NETWORK returns an access
token that has NO network access.

> Anyway, LOGON32_LOGON_NEW_CREDENTIALS does the trick, but only on W2k+.
>
Yep, no need to map shares to local drives anymore, or to impersonate domain
accounts to access SQL server, just create a logon session with "split
identity" and you can access the server while keeping your local access token
to access local resources.

> Tom

