Logon failure 1326 when using CreateDirectory from domain computer

Question

Tuesday, September 24, 2019 2:04 PM

I have a CPP program to create a folder inside a shared folder on a server. The program uses the ImpersonateLoggedOnUser function to impersonate a user who has both folder and share permissions to the shared folder. The folder gets created when the executable file is run from the server where the shared folder is located, but when trying to run it from another domain computer, the process fails with error code 1326 (Logon failure: The username or password is incorrect). Tried a lot of suggestions, including synchronizing the time on both computers, but it didn't work.

All replies (21)

Wednesday, September 25, 2019 8:02 AM

Hello,

Thank you for posting here.

If the issue still exists, could you please provide a simple demo or some key code? We'll reproduce your issue on our side and try to find a solution to resolve it.

Best Regards,

Suarez Zhou


Wednesday, September 25, 2019 1:37 PM

Thank you for your reply. I have included the code that I use below: 

#include <windows.h>
#include <objbase.h>   // CoInitialize / CoUninitialize (link with ole32.lib)
#include <stdio.h>

// NOTE: the wide-character calls below (wprintf/wscanf with %ls and %ws) only match
// the TCHAR buffers in a Unicode build, where TCHAR is wchar_t.

// Obtains a token for the given account and impersonates it on the calling thread.
BOOL impersonation(LPTSTR userName,LPTSTR domainName,LPTSTR password)
{
    BOOL val = TRUE;
    HANDLE lTokenHandle = NULL;
    if(userName!=NULL){
        wprintf(L"Impersonating as userName: %ws  domainName: %ws\n",userName,domainName);
        val = LogonUser(userName,domainName,password,LOGON32_LOGON_NEW_CREDENTIALS,LOGON32_PROVIDER_WINNT50,&lTokenHandle);
        if(val){
            val = ImpersonateLoggedOnUser(lTokenHandle);
            if(!val){
                printf("Error occurred while impersonating :%lx\n",GetLastError());
            }
            // The thread keeps its impersonation token after the handle is closed.
            CloseHandle(lTokenHandle);
        }
        else{
            printf("Error while using LogonUser :%lx\n",GetLastError());
        }
    }
    return val;
}
int main(){
    CoInitialize(NULL);
    DWORD hr;
    wchar_t strPath[100];
    TCHAR strPass[30];
    TCHAR strUser[30];
    TCHAR strDomain[30];
    LPTSTR password = strPass;
    LPTSTR user = strUser;
    LPTSTR domain = strDomain;
    LPWSTR path = strPath;
    // Field widths keep each input inside its buffer (size minus the terminator).
    printf("Enter the Username: ");
    wscanf(L"%29ls",user);
    printf("Enter the password: ");
    wscanf(L"%29ls",password);
    printf("Enter the domain: ");
    wscanf(L"%29ls",domain);
    printf("Enter the folder path: ");
    wscanf(L"%99ls",path);
    BOOL imp = impersonation(user,domain,password);
    if(imp)
        printf("Impersonation successful\n");
    else
        printf("Impersonation failed\n");

    printf("DirectoryName is %ws\n",path);

    // If impersonation failed, this call still runs under the caller's own identity.
    BOOL ret = CreateDirectoryW(path,  NULL);

    if(ret){
        printf("Directory Created Successfully\n");
    }
    else{
        hr =  GetLastError();
        printf("Error in CreateDirectory,Code %lu\n",hr);
    }
    // Drop the impersonation token before leaving.
    if(imp)
        RevertToSelf();
    CoUninitialize();
    return 0;
}

And path was specified in the format: \servername\share\folder


Wednesday, September 25, 2019 4:44 PM

If you logon to the domain computer as the target user can you successfully call CreateDirectoryW (i.e., without impersonation) to create the folder on the server ?


Thursday, September 26, 2019 3:38 AM

Yes, that is true. When the impersonate part was removed the Directory got created successfully. But still wanted to know why impersonate doesn't work. 


Thursday, September 26, 2019 9:22 AM

Out of curiosity, please try this test -

Use LOGON32_LOGON_INTERACTIVE in the call to LogonUser instead of LOGON32_LOGON_NEW_CREDENTIALS.

Then does the CreateDirectoryW call succeed when impersonating?


Thursday, September 26, 2019 9:38 AM

Also, are you certain that you are authenticating in the same way when calling LogonUser compared to logging on interactively as the target user?

In other words, is it possible that LogonUser is authenticating as a local user and not as the domain user that has access to the share?


Thursday, September 26, 2019 1:48 PM

The impersonate fails in this case with the error code 1326 (Username and password is incorrect)


Thursday, September 26, 2019 1:53 PM

As far as my understanding goes, LogonUser returns a handle that represents the user and ImpersonateLoggedOnUser helps impersonate that user's security context. So the security context should be that of the domain user since the user has no separate local context in Active Directory.


Thursday, September 26, 2019 1:54 PM

The impersonate fails in this case with the error code 1326 (Username and password is incorrect)

You mean that ImpersonateLoggedOnUser fails?


Thursday, September 26, 2019 2:38 PM

Please clarify -- when calling LogonUser with LOGON32_LOGON_INTERACTIVE did the call fail with error code 1326?


Thursday, September 26, 2019 6:22 PM

When LogonUser is called with LOGON32_LOGON_NEW_CREDENTIALS it returns a token that is a clone of the current token.  And, it does not authenticate the credential information (i.e., username, password) at the time of the call.  That information would be authenticated at the time of an outgoing network call by the server receiving the call.

You can call LogonUser with LOGON32_LOGON_NEW_CREDENTIALS and invalid username/password information and the call will succeed and return a token.  Impersonation with that token will succeed.  However, the invalid username/password will cause errors when an outgoing network call results in the invalid credentials being used for authentication.
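
The deferred validation described in the reply above, as an added example (not code from the thread or from Microsoft). `triage` and `create_dir_as` are hypothetical helpers: the first maps the LogonUser error and the later CreateDirectory error to the stage that actually failed, using the codes quoted in this thread, and the second runs the Win32 sequence and stops if impersonation fails instead of continuing as the caller.

```c
/* Added example, not from the thread; the Win32 part needs a Windows build. */
#ifdef _WIN32
#include <windows.h>
#else /* SDK constant values, so the triage logic also builds off Windows */
typedef unsigned long DWORD;
#define ERROR_SUCCESS 0UL
#define ERROR_ACCESS_DENIED 5UL
#define ERROR_LOGON_FAILURE 1326UL
#define ERROR_LOGON_TYPE_NOT_GRANTED 1385UL
#define LOGON32_LOGON_NEW_CREDENTIALS 9UL
#endif

typedef enum { V_OK, V_LOGON_BAD_CREDS, V_LOGON_TYPE_DENIED,
               V_SERVER_BAD_CREDS, V_ACCESS_DENIED, V_OTHER } verdict;

/* Hypothetical helper: map the LogonUser error and the file-operation error to a stage. */
verdict triage(DWORD logon_type, DWORD logon_err, DWORD op_err) {
    if (logon_err == ERROR_LOGON_TYPE_NOT_GRANTED) return V_LOGON_TYPE_DENIED;
    if (logon_err == ERROR_LOGON_FAILURE) return V_LOGON_BAD_CREDS;
    if (logon_err != ERROR_SUCCESS) return V_OTHER;
    if (op_err == ERROR_SUCCESS) return V_OK;
    /* NEW_CREDENTIALS is not validated locally, so 1326 here is the server's. */
    if (op_err == ERROR_LOGON_FAILURE && logon_type == LOGON32_LOGON_NEW_CREDENTIALS)
        return V_SERVER_BAD_CREDS;
    return op_err == ERROR_ACCESS_DENIED ? V_ACCESS_DENIED : V_OTHER;
}

#ifdef _WIN32
/* Hypothetical helper: log on, impersonate, create the UNC directory, revert. */
verdict create_dir_as(const wchar_t *user, const wchar_t *domain,
                      const wchar_t *password, const wchar_t *unc_path) {
    HANDLE tok = NULL;
    DWORD op_err = ERROR_SUCCESS;
    if (!LogonUserW(user, domain, password, LOGON32_LOGON_NEW_CREDENTIALS,
                    LOGON32_PROVIDER_WINNT50, &tok))
        return triage(LOGON32_LOGON_NEW_CREDENTIALS, GetLastError(), 0);
    if (!ImpersonateLoggedOnUser(tok)) {
        CloseHandle(tok);
        return V_OTHER; /* fail closed: never touch the share as the caller */
    }
    if (!CreateDirectoryW(unc_path, NULL)) op_err = GetLastError();
    RevertToSelf();
    CloseHandle(tok);
    return triage(LOGON32_LOGON_NEW_CREDENTIALS, ERROR_SUCCESS, op_err);
}
#endif

/* The thread's symptom: LogonUser succeeded, the directory call returned 1326. */
int main(void) { return triage(LOGON32_LOGON_NEW_CREDENTIALS, ERROR_SUCCESS, ERROR_LOGON_FAILURE) == V_SERVER_BAD_CREDS ? 0 : 1; }
```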


Friday, September 27, 2019 1:28 AM

Hello,

I think it works. I simulated his environment. The program returned error 1326 before the parameter was changed, and it worked after the change.

Best Regards,

Suarez Zhou


Friday, September 27, 2019 3:46 AM

Once I changed the parameter to LOGON32_LOGON_INTERACTIVE, the LogonUser call failed with error 1326 (52e). 

But the directory got created anyway because I had logged in as the user with permission to the share.

I am sure that there is no issue with the credentials since the same works at other parts of the program such as with ADsOpenObject() call. This call binds to the same server where I am trying to create the directory folder (and with the same credentials).  

Just curious as to why CreateDirectory fails with LOGON32_LOGON_NEW_CREDENTIALS. Are there some GPO rights that I need to assign to this user?

(The LogonUser failure with LOGON32_LOGON_INTERACTIVE could be because the user does not have SE_INTERACTIVE_LOGON_NAME account right assigned and not because the credentials were wrong. The particular user is a member of the Admin Group)

 


Friday, September 27, 2019 9:05 AM

Then try this test -

Logon to the domain computer as a user that does NOT have permission to the share or the folder.

Call LogonUser with LOGON32_LOGON_BATCH for the Admin group user.  I assume that the Admin group user account still has the SE_BATCH_LOGON_NAME right.

Does this fail with error 1326?

Update --

BTW, when I call LogonUser with LOGON32_LOGON_INTERACTIVE for an Admin group member without SE_INTERACTIVE_LOGON_NAME the error code returned for the logon failure is 1385 (Logon failure: the user has not been granted the requested logon type at this computer.)

LogonUser succeeds for the same user for batch logon.


Friday, September 27, 2019 11:21 AM

Still getting 1326 for LogonUser but the CreateDirectory now fails with error code 5 (Access Denied)


Friday, September 27, 2019 11:36 AM

Still getting 1326 for LogonUser but the CreateDirectory now fails with error code 5 (Access Denied)

Well, as far as I can tell LogonUser doesn't like the parameters being passed to it.

In what format are you specifying the username and the domain?  Show an example of the text being used.


Friday, September 27, 2019 1:18 PM

For username I tried all 'name' , '[email protected]' and 'domain\name' formats.

The domain was given in the form - abc.com


Friday, September 27, 2019 1:24 PM

For username I tried both 'name'  and '[email protected]' format.

The domain was given in the form - abc.com

Try calling LogonUser and pass lpszUsername as [email protected] and pass lpszDomain as NULL


Friday, September 27, 2019 1:47 PM

Try calling LogonUser and pass lpszUsername as [email protected] and pass lpszDomain as NULL

Still fails with same error code 52e


Friday, September 27, 2019 1:50 PM

I've run out of guesses.  I cannot reproduce your problem on my own system.


Friday, September 27, 2019 5:14 PM

Last guess -- are you building for Unicode or MBCS?  If you are building for MBCS the posted code will compile but produce erroneous results.