Impersonation Question

[Ryan]

I have 2 machines on the same lan. Neither one is on a domain. Lets call
them computer1 and computer2.

Computer1 has a user/password called Computer1User /Computer1Password


Using the LogonUser API in advapi32.dll, is it possible for computer2 to
impersonate the local user in computer1?

I am calling something like the following from computer2, which always
fails.

LogonUser("Computer1User", "Computer1", "Computer1Password",
LOGON32_LOGON_INTERACTIVE, LOGON32_PROVIDER_DEFAULT, token)



Any Ideas? Is what I am asking even possible?

Thanks

 

[PlatinumBay]

Ryan,

See if these links explain what you are looking for. The concept in .NET is
called impersonation, and it involves using the System.Security.Principle
namespace and the WindowsIdentity class.

http://weblogs.asp.net/ralfw/archive/2003/11/24/39479.aspx
http://vbnotebook.jfrankcarr.com/vbnb_impersonation.htm
http://samples.gotdotnet.com/quickstart/howto/doc/security/WindowsIdentityCheck.aspx

Hope this helps,


Steve

 

[Steven Cheng[MSFT]]

Hi Ryan,

For LogonUser API, it can only take the following kind of accounts as input:

**a local account of the local machine

**a domain account of the domain this machine belong to

You can not call logonUser API against a local account on another remote
machine.

for your scenario, if the two machines are not in the same windows
domain(can not use domain account), you still have the following options:

1. create two duplicated account(with identical username, password ) on
both machines. Thus, you can call LogonUser api against
"computer1\username" on computer1, and when you access computer2, it will
autoamtically map your security context to "computer2\username" account

2. If what you want to access remotely is only NTFS fileshare, you can
create a mapped drive on computer1(linked to a share folder on computer2),
thus, you can provide the credential info(of an account on computer2) in
the mapped drive setting.

How do you think?

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead



==================================================

Get notification to my posts through email? Please refer to
http://msdn.microsoft.com/subscriptions/managednewsgroups/default.aspx#notif
ications.



Note: The MSDN Managed Newsgroup support offering is for non-urgent issues
where an initial response from the community or a Microsoft Support
Engineer within 1 business day is acceptable. Please note that each follow
up response may take approximately 2 business days as the support
professional working with you may need further investigation to reach the
most efficient resolution. The offering is not appropriate for situations
that require urgent, real-time or phone-based interactions or complex
project analysis and dump analysis issues. Issues of this nature are best
handled working with a dedicated Microsoft Support Engineer by contacting
Microsoft Customer Support Services (CSS) at
http://msdn.microsoft.com/subscriptions/support/default.aspx.

==================================================


This posting is provided "AS IS" with no warranties, and confers no rights.

 

[Ryan]

Thanks Steven,
I had a feeling that was what you were going to say. Thanks for the info.

-Ryan