Logging in to different domain using LogonUser API
Calling LogonUser before a Winforms application starts running. So if the credentials are correct the application starts and if they are wrong the application won't start. So this is working fine with the user credentials for the domain my system belongs to. I was trying to make this work for a different user in a different domain by entering username in the format domain\username or username@domain. But it's not working. Please suggest the right way to implement this.
Windows API - Win32
-
RLWA32 45,396 Reputation points
2024-03-20T09:53:55.0233333+00:00 When the call to LogonUser fails what does GetLastError() return? Also, the docs say "If you use the user principal name (UPN) format, User@DNSDomainName, the lpszDomain parameter must be NULL". Have you done this? Are you properly constructing the UPN formatted username?
-
Bhattacharjee, Aditya 0 Reputation points
2024-03-20T10:24:22.1733333+00:00 GetLastWin32Error() returns wrong username or password.
-
Bhattacharjee, Aditya 0 Reputation points
2024-03-20T10:25:55.7766667+00:00 GetLastWin32Error() returns wrong username or password
-
Bhattacharjee, Aditya 0 Reputation points
2024-03-20T10:30:53.4366667+00:00
```csharp
using System;
using System.Runtime.InteropServices;
using System.Security.Principal;
using System.Security.Permissions;
using Microsoft.Win32.SafeHandles;
using System.Runtime.ConstrainedExecution;
using System.Security;

namespace WinFormsApp1
{
    internal static class Program
    {
        // Define the Windows LogonUser and CloseHandle functions.
        [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
        internal static extern bool LogonUser(String username, String domain, string password,
            int logonType, int logonProvider, ref IntPtr token);

        [DllImport("kernel32.dll", CharSet = CharSet.Auto)]
        public extern static bool CloseHandle(IntPtr handle);

        // Define the required LogonUser enumerations.
        const int LOGON32_PROVIDER_DEFAULT = 0;
        const int LOGON32_LOGON_INTERACTIVE = 2;

        [STAThread]
        static void Main()
        {
            Console.Write("Please enter your domain: ");
            string domain = "";

            // Ask the user for a user name.
            Console.Write("Please enter your user name: ");
            string username = "[email protected]";

            // Ask the user for a password.
            Console.Write("Please enter your password: ");
            string passWord = "Password";

            IntPtr tokenHandle = IntPtr.Zero;
            IntPtr passwordPtr = IntPtr.Zero;
            bool returnValue = false;
            int error = 0;

            returnValue = LogonUser(username, null, passWord, LOGON32_LOGON_INTERACTIVE,
                LOGON32_PROVIDER_DEFAULT, ref tokenHandle);
            if (!returnValue && tokenHandle == IntPtr.Zero)
            {
                error = Marshal.GetLastWin32Error();
            }

            // Only close the token if LogonUser actually returned one.
            if (tokenHandle != IntPtr.Zero)
            {
                CloseHandle(tokenHandle);
            }

            // Throw an exception if an error occurred.
            if (error != 0)
            {
                throw new System.ComponentModel.Win32Exception(error);
            }

            ApplicationConfiguration.Initialize();
            Application.Run(new Form1());
        }
    }
}
```
-
RLWA32 45,396 Reputation points
2024-03-20T10:32:15.9933333+00:00 Assuming that you provide the correct password does LogonUser fail if you provide the username and domain separately in the lpszUsername and lpszDomain arguments?
Is it a correct assumption that the domain that your system belongs to and the other domain have the necessary relationship for LogonUser to succeed?
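The documentation rule quoted earlier in the thread (a UPN-format name requires a NULL lpszDomain) and the alternative of passing user name and domain separately, as an added C# example that is not part of the thread or any participant's code. `CredentialCheck`, `SplitAccountName` and `Validate` are hypothetical names, and treating a bare name as belonging to the caller's own domain is an assumption.

```csharp
#nullable disable
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;
using Microsoft.Win32.SafeHandles;

internal static class CredentialCheck   // hypothetical helper, not from the thread
{
    private const int LOGON32_LOGON_INTERACTIVE = 2;
    private const int LOGON32_PROVIDER_DEFAULT = 0;

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    private static extern bool LogonUser(string username, string domain, string password,
        int logonType, int logonProvider, out SafeAccessTokenHandle token);

    // Map what the user typed to the (lpszUsername, lpszDomain) pair LogonUser expects.
    internal static (string User, string Domain) SplitAccountName(string input)
    {
        int slash = input.IndexOf('\\');
        if (slash > 0 && slash < input.Length - 1)   // DOMAIN\user
            return (input.Substring(slash + 1), input.Substring(0, slash));
        if (input.Contains("@"))                      // user@DNSDomainName (UPN)
            return (input, null);                     // domain must be NULL for a UPN
        return (input, Environment.UserDomainName);   // assumption: bare name = caller's domain
    }

    // Returns 0 when the credentials are accepted, otherwise the Win32 error code.
    internal static int Validate(string account, string password)
    {
        var (user, domain) = SplitAccountName(account);
        bool ok = LogonUser(user, domain, password, LOGON32_LOGON_INTERACTIVE,
                            LOGON32_PROVIDER_DEFAULT, out SafeAccessTokenHandle token);
        int error = ok ? 0 : Marshal.GetLastWin32Error();   // read right after the call
        token?.Dispose();                             // closes the token handle if one was returned
        return error;
    }

    private static int Main(string[] args)
    {
        if (args.Length != 1) { Console.Error.WriteLine("usage: CredentialCheck <account>"); return 2; }
        Console.Write("Password: ");                  // sample only: input is echoed, not masked
        int error = Validate(args[0], Console.ReadLine());
        if (error == 0) { Console.WriteLine("Credentials accepted."); return 0; }
        // 1326 = ERROR_LOGON_FAILURE, 1311 = ERROR_NO_LOGON_SERVERS,
        // 1788/1789 = trust relationship failures: report the code, not only the text.
        Console.Error.WriteLine($"LogonUser failed: {error} ({new Win32Exception(error).Message})");
        return 1;
    }
}
```

Reporting the numeric code separates a wrong password (1326) from a domain that cannot be reached or is not trusted (1311, 1788, 1789), which is the distinction the trust-relationship question above turns on.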
-
Bhattacharjee, Aditya 0 Reputation points
2024-03-20T11:04:30.4066667+00:00 Hey, I got a mail saying you replied half an hour back. But when I open this page to see your comment it's not visible
-
Bhattacharjee, Aditya 0 Reputation points
2024-03-20T11:07:21.9833333+00:00 Hi, it's visible after my previous comment. Yes, it fails when I provide username and domain separately. And no, I don't know how to set up the necessary relationship between the domains. Please guide me. Thanks
-
Xiaopo Yang - MSFT 12,726 Reputation points • Microsoft Vendor
2024-03-21T07:30:21.98+00:00 From my viewpoint, the LogonUser function cannot log a domain user on to the local computer which doesn't belong to that domain. How to log a user belonging to any one domain on to a local computer?
-
RLWA32 45,396 Reputation points
2024-03-21T07:51:20.8566667+00:00 I'm not a networking/Active Directory expert. However, my comment about domain relationships comes from How trust relationships work for forests in Active Directory.
The first paragraph says "Active Directory Domain Services (AD DS) provides security across multiple domains or forests through domain and forest trust relationships. Before authentication can occur across trusts, Windows must first check if the domain being requested by a user, computer, or service has a trust relationship with the domain of the requesting account."
-
Xiaopo Yang - MSFT 12,726 Reputation points • Microsoft Vendor
2024-03-27T05:36:43.8633333+00:00 @Bhattacharjee, Aditya, you may open an incident at https://developer.microsoft.com/en-us/windows/support/?tabs=Contact-us about this issue for a definite response.
-
Prem Jha 45 Reputation points
2024-09-27T08:28:42.1066667+00:00 @RLWA32 I am getting an error message with the message "Error: Error API =LogonUser, error code = 1326, message = the user name or password is incorrect.", while calling LogonUser Win32 API Function call even after passing the correct password which we used for the logging in to the new user.
In this case we created a new user and then tried installing the Windows Application using that new user created under but same Domain which belongs to Administrators group. We are facing this issue for the main production Windows machine present in cloud but on the Test machine of vcenter we do not get this error.
What could be the issue there? Can there be an issue with the code as I simply called the below line of code for LogonUser function for credentials check. Or do I need to make some configuration changes at the Windows machine to make it work for the new user created.
Could you please help me out what could have possibly gone wrong?
-
Prem Jha 45 Reputation points
2024-09-27T08:29:38.45+00:00 @RLWA32 I tried creating a new question but somehow it again and again removes the content due to some code of conduct for strange reasons.
-
RLWA32 45,396 Reputation points
2024-09-27T09:03:41.16+00:00 I tried creating a new question but somehow it again and again removes the content due to some code of conduct for strange reasons.
@Prem Jha, The Q&A site has had an ongoing problem with improper automatic deletion of user posts by filters. If your Questions, Comments or Answers have been automatically deleted for "Code of Conduct" violations you should report this using the Microsoft Q&A tag. For example, see https://learn.microsoft.com/en-us/answers/questions/2079228/this-content-has-been-deleted-due-to-a-violation-o
-
Prem Jha 45 Reputation points
2024-09-27T09:13:24.5533333+00:00 @RLWA32 My question is visible now. Below is the link can you please check and go through it once.
https://learn.microsoft.com/en-us/answers/questions/2081852/logonuser-win32-api-function-gives-error-of-incorr
-
RLWA32 45,396 Reputation points
2024-09-27T10:24:24.2833333+00:00 @Prem Jha, I read your question and based on the description of the problem this does not appear to me to be a Windows API issue. There may be differences between your test environment and the environment of the server where LogonUser rejects the credentials. I suggest you add additional tags to your question as appropriate (e.g., Windows Server, Windows Server 2016, Windows Network, Active Directory, etc.) so that a broader audience views your question.
-
Prem Jha 45 Reputation points
2024-09-27T10:26:59.9666667+00:00 Ok I will add the suggested tags for making it visible to broader audience. Thanks!