How to pass NT password?


James

I successfully pass username, domain and password via this function (taken
from MSDN):

Private Declare Auto Function LogonUser Lib "advapi32.dll" ( _
    ByVal lpszUsername As [String], ByVal lpszDomain As [String], _
    ByVal lpszPassword As [String], ByVal dwLogonType As Integer, _
    ByVal dwLogonProvider As Integer, ByRef phToken As IntPtr) As Boolean

' Logon type and provider values from winbase.h
Private Const LOGON32_LOGON_INTERACTIVE As Integer = 2
Private Const LOGON32_PROVIDER_DEFAULT As Integer = 0

' Receives the primary token of the logged-on user on success
Dim tokenHandle As IntPtr = IntPtr.Zero
Dim returnValue As Boolean = LogonUser(username, domain, pwd, _
    LOGON32_LOGON_INTERACTIVE, LOGON32_PROVIDER_DEFAULT, tokenHandle)

The above assumes that in the application, the user will be required to enter
username, domain and password via the keyboard.

However, I do NOT want the application to ASK the user for the username, domain
and password. Instead the application should use the current user context,
since users have already logged on to an operating system, e.g. XP.

I can extract the username and domain using the WindowsIdentity.Name property,
which gives it as domain\nt id, and then I pass them to the above function as
username and domain.

How do I extract the password? I know the password cannot be seen, but at least
what can I do to pass the current password arguments into the above function,
LogonUser?
 

Micky

James said:
How do I extract the password? I know the password cannot be seen, but at least
what can I do to pass the current password arguments into the above function,
LogonUser?

The user is already logged on, so why would you want them to logon to
your program using the self same credentials? Your program should
simply run in user context (indeed, it should be tested on an account
with the minimum credentials required to operate). If your program
requires elevated privileges then the USER must provide the required
credentials, NOT your program. Bypassing the built-in security (such
as it is) is not an option if you want your application to remain compliant.
 

Mattias Sjögren

James,
Private Declare Auto Function LogonUser Lib "advapi32.dll" (ByVal
lpszUsername As [String], _

You don't need to escape String with square brackets.

However, I do NOT want the application to ASK the user for the username, domain
and password. Instead the application should use the current user context,
since users have already logged on to an operating system, e.g. XP.

Can't you just open the existing token then?

How do i extract password ?

You can't do that. Imagine the security problem if you could.


Mattias
 

James

Perhaps I will explain more.

I run this service monitor application as a thread. Put as an example:

a) I log on to XP and run the service locally on the xp1 local machine.
b) My application will read a list of machines from a file, e.g. xp1, xp2, xp3, etc.
c) The service application will generate thread pools every x seconds and
reach out to other machines having similar services and check whether they are
started.
d) If not started on machine xp2 or xp3, it will attempt to start them on the
remote machines.
e) To start a service on remote machines, it needs to impersonate. Thus I used
the function LogonUser described below.
f) The LogonUser function requires username, domain and password. I can
extract username and domain, but I want the password which I logged on with on
xp1 to impersonate on xp2 or xp3 to start the xp2 or xp3 services.

Hope this explains why I want to pass my "password" on to other machines to
impersonate.

You see, all MSDN documentation expects the user to enter username, domain and
password to impersonate. I can do it in my application, but because it is
running as a service, it should NOT ask the user for a password.

Micky said:

The user is already logged on, so why would you want them to logon to
your program using the self same credentials? Your program should
simply run in user context (indeed, it should be tested on an account
with the minimum credentials required to operate). If your program
requires elevated privileges then the USER must provide the required
credentials, NOT your program. Bypassing the built-in security (such
as it is) is not an option if you want your application to remain
compliant.
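The monitoring loop in steps a) to f) above, combined with Mattias's suggestion to use the existing token rather than LogonUser, as an added example that is not code from the original thread: the monitor checks the named service on every listed machine and starts it under the identity the process already runs as, so no password is handled anywhere. The file path C:\svcmon\machines.txt, the service name MyMonitoredService and the 60 second poll interval are assumptions.

```vbnet
' Added example, not from the original thread. Assumed names are marked.
Imports System
Imports System.Collections.Generic
Imports System.IO
Imports System.Security.Principal
Imports System.ServiceProcess
Imports System.Threading

Module RemoteServiceMonitor

    ' Assumption: one machine name per line, e.g. xp1, xp2, xp3.
    Private Const MachineListPath As String = "C:\svcmon\machines.txt"
    ' Assumption: the service name (not the display name) to watch.
    Private Const WatchedService As String = "MyMonitoredService"
    Private Const PollSeconds As Integer = 60

    Sub Main()
        ' Every SCM call below is made with this account's existing token;
        ' it needs start rights on the remote service and nothing more.
        Console.WriteLine("Monitoring as " & WindowsIdentity.GetCurrent().Name)

        Do
            For Each machine As String In ReadMachines(MachineListPath)
                ' One pool thread per machine, so an unreachable host
                ' does not stall the others.
                ThreadPool.QueueUserWorkItem(AddressOf EnsureRunning, machine)
            Next
            Thread.Sleep(PollSeconds * 1000)
        Loop
    End Sub

    ' Read the machine list, skipping blank lines.
    Private Function ReadMachines(ByVal path As String) As List(Of String)
        Dim machines As New List(Of String)
        For Each line As String In File.ReadAllLines(path)
            Dim name As String = line.Trim()
            If name.Length > 0 Then machines.Add(name)
        Next
        Return machines
    End Function

    ' Check one machine and start the service if it is stopped.
    Private Sub EnsureRunning(ByVal state As Object)
        Dim machine As String = CStr(state)
        Try
            ' ServiceController opens the remote SCM with the caller's own
            ' token: this is the "open the existing token" route, with no
            ' LogonUser and no password anywhere in the process.
            Using sc As New ServiceController(WatchedService, machine)
                If sc.Status = ServiceControllerStatus.Stopped Then
                    Console.WriteLine(machine & ": stopped, starting")
                    sc.Start()
                    sc.WaitForStatus(ServiceControllerStatus.Running, _
                                     TimeSpan.FromSeconds(30))
                End If
                Console.WriteLine(machine & ": " & sc.Status.ToString())
            End Using
        Catch ex As System.ServiceProcess.TimeoutException
            Console.WriteLine(machine & ": did not reach Running in time")
        Catch ex As InvalidOperationException
            ' Unreachable host, unknown service, or access denied. Access
            ' denied means the monitor's account lacks rights on the remote
            ' service; the fix is to grant them, not to collect a password.
            Console.WriteLine(machine & ": " & ex.Message)
        End Try
    End Sub

End Module
```

Start() against a remote machine succeeds only if the account the monitor runs as holds SERVICE_START on that service on the target (members of the target's local Administrators group have it by default). An access-denied InvalidOperationException here is therefore a rights problem on the remote side, to be fixed by granting the right to the monitor's account, not by asking the user for credentials.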
 

Micky

James said:

You see, all MSDN documentation expects the user to enter username, domain and password to impersonate. I can do it in my
application, but because it is running as a service, it should NOT ask the user for a password.

You didn't mention anything about a service in your OP. That's a different
breed of canine altogether.

Services can have their own credentials. You simply create an account for
your service, with the required credentials, as a post-installation process.
So long as the account exists on the local machine, the service can login.
And provided the credentials are sufficient to control remote machine
services, that's all you need.

For security, the password should be generated randomly (so even you--
the developer--won't know what it is). The password should then be
encrypted and cached in the local machine registry. Remember to use
SecureZeroMemory to clear the password from memory. If the
password should become corrupt, the service administrator should
be given the means to delete the old account and create a new one
in its place.

Once that's done, only the service itself will know its own password,
and only service administrators should be able to run the service itself.

That's the only way to do it without asking the user to supply a
password. A password would only be required if the service is run
under impersonation (with Run As...).

The only other way to do it is to ask the user to enter the impersonation
credentials one time only and immediately cache the details in encrypted
form. However that poses a severe security breach, since any user can
then run the service using elevated credentials. A big no-no!
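The post-installation step described in the reply above, as an added example that is not part of the original thread: it creates a dedicated local account with a password drawn from the CSPRNG, points the service at that account through WMI, and then lets the password go. The account name svcmon, the service name ServiceMonitor, the password alphabet and the 32 character length are assumptions. The installer caches the password nowhere: once the service is configured the SCM holds it as an LSA secret, and nothing else needs it.

```vbnet
' Added example, not from the original thread. Assumed names are marked.
Imports System
Imports System.DirectoryServices
Imports System.Management
Imports System.Security.Cryptography
Imports System.Text

Module ServiceAccountSetup

    Private Const AccountName As String = "svcmon"          ' assumption
    Private Const ServiceName As String = "ServiceMonitor"  ' assumption
    Private Const PasswordLength As Integer = 32            ' assumption

    Sub Main()
        Dim password As String = RandomPassword(PasswordLength)
        CreateLocalAccount(AccountName, password)
        Dim rc As UInteger = SetServiceAccount(ServiceName, ".\" & AccountName, password)
        If rc <> 0 Then
            Throw New InvalidOperationException("Win32_Service.Change failed with code " & rc)
        End If
        ' The SCM now holds the password; it is not written anywhere else,
        ' so neither the developer nor the administrator ever learns it.
        Console.WriteLine("Service " & ServiceName & " now runs as .\" & AccountName)
    End Sub

    ' Build a password from CSPRNG bytes. Bytes at or above the largest
    ' multiple of the alphabet size are rejected to avoid modulo bias.
    Private Function RandomPassword(ByVal length As Integer) As String
        Const alphabet As String = _
            "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!#%&*+-=?@"
        Dim limit As Integer = 256 - (256 Mod alphabet.Length)
        Dim sb As New StringBuilder(length)
        Dim buf(0) As Byte
        Dim rng As New RNGCryptoServiceProvider()
        While sb.Length < length
            rng.GetBytes(buf)
            If buf(0) < limit Then sb.Append(alphabet(buf(0) Mod alphabet.Length))
        End While
        Return sb.ToString()
    End Function

    ' Create the local account through the WinNT ADSI provider and mark
    ' its password as non-expiring, since no human is around to rotate it.
    Private Sub CreateLocalAccount(ByVal name As String, ByVal password As String)
        Using machine As New DirectoryEntry("WinNT://" & Environment.MachineName & ",computer")
            Dim user As DirectoryEntry = machine.Children.Add(name, "user")
            user.Invoke("SetPassword", password)
            user.Invoke("Put", "Description", "Service account for " & ServiceName)
            user.CommitChanges()
            ' ADS_UF_DONT_EXPIRE_PASSWD = &H10000
            Dim flags As Integer = CInt(user.Properties("UserFlags").Value)
            user.Properties("UserFlags").Value = flags Or &H10000
            user.CommitChanges()
        End Using
    End Sub

    ' Point the service at the new account with Win32_Service.Change.
    ' Nothing leaves the other configuration parameters untouched.
    Private Function SetServiceAccount(ByVal service As String, _
                                       ByVal startName As String, _
                                       ByVal password As String) As UInteger
        Using svc As New ManagementObject("Win32_Service.Name='" & service & "'")
            Dim args As Object() = {Nothing, Nothing, Nothing, Nothing, Nothing, Nothing, _
                                    startName, password, Nothing, Nothing, Nothing}
            Return CUInt(svc.InvokeMethod("Change", args))
        End Using
    End Function

End Module
```

Run this elevated, since it creates a user and reconfigures a service. Before starting the service, confirm the new account holds the "Log on as a service" right: reconfiguring the account through WMI or sc.exe does not grant it the way the Services console does, and a missing right shows up as logon failure (error 1069) at service start. Because the password is never displayed or stored, recovering from a corrupt or lost account means deleting it and rerunning this step, which is the recovery path the reply above calls for.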
 
