Authenticating against network server using non-domain account

Martin Robins · Dec 16, 2005

I need to access the scheduler service on a network computer in order to manipulate it remotely from .NET; I have all of the necessary code to perform the manipulation and it works - great - but I am having problems with authentication.

I have tried using LogonUser and this works fine with a domain account, however it is not possible to use this with an account that is defined only on the remote computer - it only works with local or domain accounts.

Any suggestions as to how I can authenticate my connection to the remote PC using a logon and password local to that machine?

Nicholas Paldino [.NET/C# MVP] · Dec 16, 2005

Martin,

Have you tried using the machine name in the domain parameter?

--
- Nicholas Paldino [.NET/C# MVP]
- (e-mail address removed)
"Martin Robins" <martin dot robins at technicaldirect dot co dot uk> wrote in message I need to access the scheduler service on a network computer in order to manipulate it remotely from .NET; I have all of the necessary code to perform the manipulation and it works - great - but I am having problems with authentication.

I have tried using LogonUser and this works fine with a domain account, however it is not possible to use this with an account that is defined only on the remote computer - it only works with local or domain accounts.

Any suggestions as to how I can authenticate my connection to the remote PC using a logon and password local to that machine?

Martin Robins · Dec 16, 2005

I have; it is not accepted.

LogonUser will only work when specifying the local machine name or a domain name that is valid for the local machine as you are effectively logging a new user onto that machine (and of course a local user on another machine would not be able to log onto the local machine).

Cheers.

Martin,

Have you tried using the machine name in the domain parameter?

--
- Nicholas Paldino [.NET/C# MVP]
- (e-mail address removed)
"Martin Robins" <martin dot robins at technicaldirect dot co dot uk> wrote in message I need to access the scheduler service on a network computer in order to manipulate it remotely from .NET; I have all of the necessary code to perform the manipulation and it works - great - but I am having problems with authentication.

I have tried using LogonUser and this works fine with a domain account, however it is not possible to use this with an account that is defined only on the remote computer - it only works with local or domain accounts.

Any suggestions as to how I can authenticate my connection to the remote PC using a logon and password local to that machine?

Guest · Dec 16, 2005

P.S. I've looked at
WebConfigurationManager.GetWebApplication("system.net/mailSettings");

But I can never get that to return anything and the only example I can find
with it being used is with ConnectionStrings.

I would have thought this would have worked.

SmtpSection smtpSec =
WebConfigurationManager.GetWebApplicationSection("mailSettings") as
SmtpSection;

Debug.WriteLine(smtpSect.Network.UserName);

But smtpSec is always null

Willy Denoyette [MVP] · Dec 16, 2005

Not accepted is a little vague isn't it? What is the return code of the LogonUser call? Some code would help also.
LogonUser doesn't "log on", it retuns an access token that can be used to access the remote server, so when you specify the credentials, as valid on a remote server, this server 'security system' returns a token that can be used to access the remote server when "impersonating".

Willy.

"Martin Robins" <martin dot robins at technicaldirect dot co dot uk> wrote in message I have; it is not accepted.

LogonUser will only work when specifying the local machine name or a domain name that is valid for the local machine as you are effectively logging a new user onto that machine (and of course a local user on another machine would not be able to log onto the local machine).

Cheers.

Martin,

Have you tried using the machine name in the domain parameter?

--
- Nicholas Paldino [.NET/C# MVP]
- (e-mail address removed)
"Martin Robins" <martin dot robins at technicaldirect dot co dot uk> wrote in message I need to access the scheduler service on a network computer in order to manipulate it remotely from .NET; I have all of the necessary code to perform the manipulation and it works - great - but I am having problems with authentication.

I have tried using LogonUser and this works fine with a domain account, however it is not possible to use this with an account that is defined only on the remote computer - it only works with local or domain accounts.

Any suggestions as to how I can authenticate my connection to the remote PC using a logon and password local to that machine?

Martin Robins · Dec 16, 2005

IntPtr tokenHandle = new IntPtr(0), duplicateTokenHandle = new IntPtr(0);

bool result = advapi32.LogonUser(userName, domain, password, advapi32.LogonType.Interactive, advapi32.LogonProvider.Default, ref tokenHandle);

LogonType.Interactive = 2, LogonProvider.Default = 0

Sorry; error code is 1326 - "Logon failure: unknown user name or bad password" even though the details are correct (I created the account specifically).

Not accepted is a little vague isn't it? What is the return code of the LogonUser call? Some code would help also.
LogonUser doesn't "log on", it retuns an access token that can be used to access the remote server, so when you specify the credentials, as valid on a remote server, this server 'security system' returns a token that can be used to access the remote server when "impersonating".

Willy.

"Martin Robins" <martin dot robins at technicaldirect dot co dot uk> wrote in message I have; it is not accepted.

LogonUser will only work when specifying the local machine name or a domain name that is valid for the local machine as you are effectively logging a new user onto that machine (and of course a local user on another machine would not be able to log onto the local machine).

Cheers.

Martin,

Have you tried using the machine name in the domain parameter?

--
- Nicholas Paldino [.NET/C# MVP]
- (e-mail address removed)
"Martin Robins" <martin dot robins at technicaldirect dot co dot uk> wrote in message I need to access the scheduler service on a network computer in order to manipulate it remotely from .NET; I have all of the necessary code to perform the manipulation and it works - great - but I am having problems with authentication.

I have tried using LogonUser and this works fine with a domain account, however it is not possible to use this with an account that is defined only on the remote computer - it only works with local or domain accounts.

Any suggestions as to how I can authenticate my connection to the remote PC using a logon and password local to that machine?

Joe Kaplan \(MVP - ADSI\) · Dec 16, 2005

Have you tried logging in with an account local to the server that has the same username and password as the user on the remote machine and impersonating that instead? My understanding is that this "trick" will work with NTLM in a situation where you can't use domain accounts/Kerberos.

Joe K.

"Martin Robins" <martin dot robins at technicaldirect dot co dot uk> wrote in message IntPtr tokenHandle = new IntPtr(0), duplicateTokenHandle = new IntPtr(0);

bool result = advapi32.LogonUser(userName, domain, password, advapi32.LogonType.Interactive, advapi32.LogonProvider.Default, ref tokenHandle);

LogonType.Interactive = 2, LogonProvider.Default = 0

Sorry; error code is 1326 - "Logon failure: unknown user name or bad password" even though the details are correct (I created the account specifically).

Not accepted is a little vague isn't it? What is the return code of the LogonUser call? Some code would help also.
LogonUser doesn't "log on", it retuns an access token that can be used to access the remote server, so when you specify the credentials, as valid on a remote server, this server 'security system' returns a token that can be used to access the remote server when "impersonating".

Willy.

"Martin Robins" <martin dot robins at technicaldirect dot co dot uk> wrote in message I have; it is not accepted.

LogonUser will only work when specifying the local machine name or a domain name that is valid for the local machine as you are effectively logging a new user onto that machine (and of course a local user on another machine would not be able to log onto the local machine).

Cheers.

Martin,

Have you tried using the machine name in the domain parameter?

--
- Nicholas Paldino [.NET/C# MVP]
- (e-mail address removed)
"Martin Robins" <martin dot robins at technicaldirect dot co dot uk> wrote in message I need to access the scheduler service on a network computer in order to manipulate it remotely from .NET; I have all of the necessary code to perform the manipulation and it works - great - but I am having problems with authentication.

I have tried using LogonUser and this works fine with a domain account, however it is not possible to use this with an account that is defined only on the remote computer - it only works with local or domain accounts.

Any suggestions as to how I can authenticate my connection to the remote PC using a logon and password local to that machine?

Willy Denoyette [MVP] · Dec 16, 2005

No, interactive will not work. you need to call LogonUser with LOGON32_LOGON_NEW_CREDENTIALS, this logon type returns an access token that will get used to access the network resource while cloning the access token of the current logon user and use this one to access local resources.
Note that this requires W2K or higher.

Willy.

"Martin Robins" <martin dot robins at technicaldirect dot co dot uk> wrote in message IntPtr tokenHandle = new IntPtr(0), duplicateTokenHandle = new IntPtr(0);

bool result = advapi32.LogonUser(userName, domain, password, advapi32.LogonType.Interactive, advapi32.LogonProvider.Default, ref tokenHandle);

LogonType.Interactive = 2, LogonProvider.Default = 0

Sorry; error code is 1326 - "Logon failure: unknown user name or bad password" even though the details are correct (I created the account specifically).

Not accepted is a little vague isn't it? What is the return code of the LogonUser call? Some code would help also.
LogonUser doesn't "log on", it retuns an access token that can be used to access the remote server, so when you specify the credentials, as valid on a remote server, this server 'security system' returns a token that can be used to access the remote server when "impersonating".

Willy.

"Martin Robins" <martin dot robins at technicaldirect dot co dot uk> wrote in message I have; it is not accepted.

LogonUser will only work when specifying the local machine name or a domain name that is valid for the local machine as you are effectively logging a new user onto that machine (and of course a local user on another machine would not be able to log onto the local machine).

Cheers.

Martin,

Have you tried using the machine name in the domain parameter?

--
- Nicholas Paldino [.NET/C# MVP]
- (e-mail address removed)
"Martin Robins" <martin dot robins at technicaldirect dot co dot uk> wrote in message I need to access the scheduler service on a network computer in order to manipulate it remotely from .NET; I have all of the necessary code to perform the manipulation and it works - great - but I am having problems with authentication.

I have tried using LogonUser and this works fine with a domain account, however it is not possible to use this with an account that is defined only on the remote computer - it only works with local or domain accounts.

Any suggestions as to how I can authenticate my connection to the remote PC using a logon and password local to that machine?

Willy Denoyette [MVP] · Dec 16, 2005

Joe,

This should do as well, but is not needed on W2K or higher (needs the kerberos provider). Much better is to use "split token identity", as provided by using LOGON32_LOGON_NEW_CREDENTIALS as logontype.

Willy.

Have you tried logging in with an account local to the server that has the same username and password as the user on the remote machine and impersonating that instead? My understanding is that this "trick" will work with NTLM in a situation where you can't use domain accounts/Kerberos.

Joe K.

"Martin Robins" <martin dot robins at technicaldirect dot co dot uk> wrote in message IntPtr tokenHandle = new IntPtr(0), duplicateTokenHandle = new IntPtr(0);

bool result = advapi32.LogonUser(userName, domain, password, advapi32.LogonType.Interactive, advapi32.LogonProvider.Default, ref tokenHandle);

LogonType.Interactive = 2, LogonProvider.Default = 0

Sorry; error code is 1326 - "Logon failure: unknown user name or bad password" even though the details are correct (I created the account specifically).

Not accepted is a little vague isn't it? What is the return code of the LogonUser call? Some code would help also.
LogonUser doesn't "log on", it retuns an access token that can be used to access the remote server, so when you specify the credentials, as valid on a remote server, this server 'security system' returns a token that can be used to access the remote server when "impersonating".

Willy.

"Martin Robins" <martin dot robins at technicaldirect dot co dot uk> wrote in message I have; it is not accepted.

LogonUser will only work when specifying the local machine name or a domain name that is valid for the local machine as you are effectively logging a new user onto that machine (and of course a local user on another machine would not be able to log onto the local machine).

Cheers.

Martin,

Have you tried using the machine name in the domain parameter?

--
- Nicholas Paldino [.NET/C# MVP]
- (e-mail address removed)
"Martin Robins" <martin dot robins at technicaldirect dot co dot uk> wrote in message I need to access the scheduler service on a network computer in order to manipulate it remotely from .NET; I have all of the necessary code to perform the manipulation and it works - great - but I am having problems with authentication.

I have tried using LogonUser and this works fine with a domain account, however it is not possible to use this with an account that is defined only on the remote computer - it only works with local or domain accounts.

Any suggestions as to how I can authenticate my connection to the remote PC using a logon and password local to that machine?

Joe Kaplan \(MVP - ADSI\) · Dec 16, 2005

Neato, thanks.

I'm still learning what all those flags do.

Joe K.

Joe,

This should do as well, but is not needed on W2K or higher (needs the kerberos provider). Much better is to use "split token identity", as provided by using LOGON32_LOGON_NEW_CREDENTIALS as logontype.

Willy.

Martin Robins · Dec 19, 2005

Thanks very much; that does exactly what I wanted.
No, interactive will not work. you need to call LogonUser with LOGON32_LOGON_NEW_CREDENTIALS, this logon type returns an access token that will get used to access the network resource while cloning the access token of the current logon user and use this one to access local resources.
Note that this requires W2K or higher.

Willy.

"Martin Robins" <martin dot robins at technicaldirect dot co dot uk> wrote in message IntPtr tokenHandle = new IntPtr(0), duplicateTokenHandle = new IntPtr(0);

bool result = advapi32.LogonUser(userName, domain, password, advapi32.LogonType.Interactive, advapi32.LogonProvider.Default, ref tokenHandle);

LogonType.Interactive = 2, LogonProvider.Default = 0

Sorry; error code is 1326 - "Logon failure: unknown user name or bad password" even though the details are correct (I created the account specifically).

Not accepted is a little vague isn't it? What is the return code of the LogonUser call? Some code would help also.
LogonUser doesn't "log on", it retuns an access token that can be used to access the remote server, so when you specify the credentials, as valid on a remote server, this server 'security system' returns a token that can be used to access the remote server when "impersonating".

Willy.

"Martin Robins" <martin dot robins at technicaldirect dot co dot uk> wrote in message I have; it is not accepted.

LogonUser will only work when specifying the local machine name or a domain name that is valid for the local machine as you are effectively logging a new user onto that machine (and of course a local user on another machine would not be able to log onto the local machine).

Cheers.

Martin,

Have you tried using the machine name in the domain parameter?

--
- Nicholas Paldino [.NET/C# MVP]
- (e-mail address removed)
"Martin Robins" <martin dot robins at technicaldirect dot co dot uk> wrote in message I need to access the scheduler service on a network computer in order to manipulate it remotely from .NET; I have all of the necessary code to perform the manipulation and it works - great - but I am having problems with authentication.

I have tried using LogonUser and this works fine with a domain account, however it is not possible to use this with an account that is defined only on the remote computer - it only works with local or domain accounts.

Any suggestions as to how I can authenticate my connection to the remote PC using a logon and password local to that machine?

Active Directory: Authenticating	6	May 18, 2009
LogonUser to remote machine fails with error 1326	4	Mar 24, 2009
Authenticating domain users	1	Mar 1, 2005
ActiveDirectory Authenticating WinForms	1	Sep 2, 2008
Impersonation for accessing network resources?	8	Dec 14, 2005
Cannot Logon to Domain	1	Feb 7, 2007
Failed Logon Events [Event ID 4625; Logon Type 8; Procss Name: w3wp; Process: Advapi]	1	Feb 29, 2012
LogonUser works only after installing SQL Server 2000	6	Dec 27, 2006

Authenticating against network server using non-domain account

Martin Robins

Nicholas Paldino [.NET/C# MVP]

Martin Robins

Guest

Willy Denoyette [MVP]

Martin Robins

Joe Kaplan \(MVP - ADSI\)

Willy Denoyette [MVP]

Willy Denoyette [MVP]

Joe Kaplan \(MVP - ADSI\)

Martin Robins

Ask a Question

Similar Threads