Logon API on Windows 2000 with ASP.NET 1.1

Discussion in 'ASP .Net Security' started by Rupreet Singh, Apr 16, 2004.

  1. Hi Everyone
    I’m working Windows 2000 Professional with IIS 5.0 and Framework 1.1.
    In my current project, I had to use Windows Authentication. The problem is that even if I use right credentials, the LogonUser Function (P/Invoke) always return false. But if I uninstall ASP.NET 1.1 and then try to log on using LogonUser Function, it returns true for right credentials (with ASP.NET 1.0) . Also If I use the same code (with ASP.NET 1.1) on Windows XP machine or Windows 2003 Server machine, it works fine. It’s just giving me problem on Windows 2000 Professional with ASP.NET 1.1. For testing, I also changed the machine.config file and set the “username†as “SYSTEM†but the problem persists.

    Can any one tell me the reason for this and the workaround for this

    Thanks
    Rupreet Singh
     
    Rupreet Singh, Apr 16, 2004
    #1
    1. Advertising

  2. Rupreet Singh

    jzhu Guest

    It's due to how to use LogonUser correctly. The API needs "Act as part of operating system" privilege on W2K, but not on XP and Win2003. This explains why you succeed on the two later OSs. For the other behavior, ASP.NET work process is tightened under 1.1 so that it no long runs under the System account. The new ASPNET account doesn't have the privilege, so LogonUser will fail.

    To solve you problem, if you have to call LogonUser, configure ASP.NET with an account that has the privilege, or run it with an account that can do what you are trying to do with the LogonUser account. Delegation can also be explored. There are many articles on how to set up ASP.NET.
     
    jzhu, Apr 16, 2004
    #2
    1. Advertising

  3. Hi!
    Thanks for your reply
    I have already tried with that. I had given ASPNET account high privilege and also added it to "act as part of Operating System", but i still not able to log on. I also tried with setting username="DomainName/DomainAdminUsername" password="DomainAdminPassword" in machine.config , but still i could not log on. Also i gave permission to IUser and IWAM User high previlige ..but all in vain.

    Any more pointers on it would be appreciated.

    Thanks in Advance

    Rupreet Sing
     
    Rupreet Singh, Apr 16, 2004
    #3
  4. Perhaps is the logon type you are using. If you show the code that has this
    problem it might help.

    --
    Hernan de Lahitte
    Lagash Systems S.A.
    http://weblogs.asp.net/hernandl


    This posting is provided "AS IS" with no warranties, and confers no rights.

    "Rupreet Singh" <> wrote in message
    news:...
    > Hi!
    > Thanks for your reply.
    > I have already tried with that. I had given ASPNET account high

    privilege and also added it to "act as part of Operating System", but i
    still not able to log on. I also tried with setting
    username="DomainName/DomainAdminUsername" password="DomainAdminPassword" in
    machine.config , but still i could not log on. Also i gave permission to
    IUser and IWAM User high previlige ..but all in vain.
    >
    > Any more pointers on it would be appreciated.
    >
    > Thanks in Advance.
    >
    > Rupreet Singh
    >
    >
     
    Hernan de Lahitte, Apr 16, 2004
    #4
  5. Hi
    Here is the code i used for logging.

    [DllImport(@"C:\Windows\System32\ADVAPI32.DLL",SetLastError=true)
    public static extern bool LogonUser(string lpszUsername, string lpszDomain, string lpszPassword, int dwLogonType, int dwLogonProvider, ref IntPtr phToken);

    const int LOGON32_LOGON_NETWORK = 3
    const int LOGON32_PROVIDER_DEFAULT = 0

    IntPtr token1 = IntPtr.Zero
    bool LoggedOn = LogonUser(Username,DomainName,Password,LOGON32_LOGON_NETWORK,LOGON32_PROVIDER_DEFAULT,ref token1)

    But as i told you before, for Windows 2000, i always get "false" with ASP.NET 1.1 but "true" with ASP.NET 1.0 (with SYSTEM Account) with the right credentials

    Thank
    Rupreet Sing
     
    Rupreet Singh, Apr 17, 2004
    #5
  6. You really really should be using the canonical example for calling
    LogonUser via P/Invoke that MS published in the Framework SDK reference:

    http://msdn.microsoft.com/library/d...ImpersonationContextClassTopic.asp?frame=true

    Your's is much less robust.

    Also remember, under Win2K, the current account running the LogonUser code
    MUST have the "Act as part of the operating system" privilege to call
    LogonUser. You state that your ASP.NET 1.0 code works and that it is
    running as SYSTEM. You need to ensure that you have similar privileges for
    the account executing the code in 1.1 as well.

    Note that you generally don't want to be running as SYSTEM (or any account
    with Act as part of the operating system), so it might be good to consider
    using a different security model for what you are trying to accomplish. If
    you can more to Win2K3 server, this privilege restriction is lifted, so
    perhaps that is an easy path for you.

    HTH,

    Joe K.

    "Rupreet Singh" <> wrote in message
    news:...
    > Hi!
    > Here is the code i used for logging.
    >
    > [DllImport(@"C:\Windows\System32\ADVAPI32.DLL",SetLastError=true)]
    > public static extern bool LogonUser(string lpszUsername, string

    lpszDomain, string lpszPassword, int dwLogonType, int dwLogonProvider, ref
    IntPtr phToken);
    >
    > const int LOGON32_LOGON_NETWORK = 3;
    > const int LOGON32_PROVIDER_DEFAULT = 0;
    >
    > IntPtr token1 = IntPtr.Zero;
    > bool LoggedOn =

    LogonUser(Username,DomainName,Password,LOGON32_LOGON_NETWORK,LOGON32_PROVIDE
    R_DEFAULT,ref token1);
    >
    > But as i told you before, for Windows 2000, i always get "false" with

    ASP.NET 1.1 but "true" with ASP.NET 1.0 (with SYSTEM Account) with the right
    credentials.
    >
    > Thanks
    > Rupreet Singh
    >
     
    Joe Kaplan \(MVP - ADSI\), Apr 17, 2004
    #6
  7. Rupreet Singh

    jzhu Guest

    Try to find more info
    1. Right before you call LogonUser, call User.Identity.Name to dump the curent user to see what's the account you are under
    2. Right after you get a false, call Marshal.GetLastWin32Error() to get the error code
     
    jzhu, Apr 17, 2004
    #7
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. Mark
    Replies:
    0
    Views:
    1,119
  2. Guest
    Replies:
    2
    Views:
    930
    dave wanta
    Jul 11, 2003
  3. C Did
    Replies:
    3
    Views:
    4,009
    Chris Lithgow
    Jun 20, 2006
  4. Kjell Kristiansson
    Replies:
    0
    Views:
    306
    Kjell Kristiansson
    Nov 30, 2005
  5. Ben Ong
    Replies:
    0
    Views:
    142
    Ben Ong
    Feb 1, 2005
Loading...

Share This Page