Logon API on Windows 2000 with ASP.NET 1.1

[Rupreet Singh]

Hi Everyone
I’m working Windows 2000 Professional with IIS 5.0 and Framework 1.1.
In my current project, I had to use Windows Authentication. The problem is that even if I use right credentials, the LogonUser Function (P/Invoke) always return false. But if I uninstall ASP.NET 1.1 and then try to log on using LogonUser Function, it returns true for right credentials (with ASP.NET 1.0) . Also If I use the same code (with ASP.NET 1.1) on Windows XP machine or Windows 2003 Server machine, it works fine. It’s just giving me problem on Windows 2000 Professional with ASP.NET 1.1. For testing, I also changed the machine.config file and set the “username†as “SYSTEM†but the problem persists.

Can any one tell me the reason for this and the workaround for this

Thanks
Rupreet Singh

 

[jzhu]

It's due to how to use LogonUser correctly. The API needs "Act as part of operating system" privilege on W2K, but not on XP and Win2003. This explains why you succeed on the two later OSs. For the other behavior, ASP.NET work process is tightened under 1.1 so that it no long runs under the System account. The new ASPNET account doesn't have the privilege, so LogonUser will fail.

To solve you problem, if you have to call LogonUser, configure ASP.NET with an account that has the privilege, or run it with an account that can do what you are trying to do with the LogonUser account. Delegation can also be explored. There are many articles on how to set up ASP.NET.

 

[Rupreet Singh]

Hi!
Thanks for your reply
I have already tried with that. I had given ASPNET account high privilege and also added it to "act as part of Operating System", but i still not able to log on. I also tried with setting username="DomainName/DomainAdminUsername" password="DomainAdminPassword" in machine.config , but still i could not log on. Also i gave permission to IUser and IWAM User high previlige ..but all in vain.

Any more pointers on it would be appreciated.

Thanks in Advance

Rupreet Sing

 

[Hernan de Lahitte]

Perhaps is the logon type you are using. If you show the code that has this
problem it might help.

--
Hernan de Lahitte
Lagash Systems S.A.
http://weblogs.asp.net/hernandl


This posting is provided "AS IS" with no warranties, and confers no rights.

Hi!
Thanks for your reply.
I have already tried with that. I had given ASPNET account high

privilege and also added it to "act as part of Operating System", but i
still not able to log on. I also tried with setting
username="DomainName/DomainAdminUsername" password="DomainAdminPassword" in
machine.config , but still i could not log on. Also i gave permission to
IUser and IWAM User high previlige ..but all in vain.

 

[Rupreet Singh]

Hi
Here is the code i used for logging.

[DllImport(@"C:\Windows\System32\ADVAPI32.DLL",SetLastError=true)
public static extern bool LogonUser(string lpszUsername, string lpszDomain, string lpszPassword, int dwLogonType, int dwLogonProvider, ref IntPtr phToken);

const int LOGON32_LOGON_NETWORK = 3
const int LOGON32_PROVIDER_DEFAULT = 0

IntPtr token1 = IntPtr.Zero
bool LoggedOn = LogonUser(Username,DomainName,Password,LOGON32_LOGON_NETWORK,LOGON32_PROVIDER_DEFAULT,ref token1)

But as i told you before, for Windows 2000, i always get "false" with ASP.NET 1.1 but "true" with ASP.NET 1.0 (with SYSTEM Account) with the right credentials

Thank
Rupreet Sing

 

[Joe Kaplan \(MVP - ADSI\)]

You really really should be using the canonical example for calling
LogonUser via P/Invoke that MS published in the Framework SDK reference:

http://msdn.microsoft.com/library/d...ImpersonationContextClassTopic.asp?frame=true

Your's is much less robust.

Also remember, under Win2K, the current account running the LogonUser code
MUST have the "Act as part of the operating system" privilege to call
LogonUser. You state that your ASP.NET 1.0 code works and that it is
running as SYSTEM. You need to ensure that you have similar privileges for
the account executing the code in 1.1 as well.

Note that you generally don't want to be running as SYSTEM (or any account
with Act as part of the operating system), so it might be good to consider
using a different security model for what you are trying to accomplish. If
you can more to Win2K3 server, this privilege restriction is lifted, so
perhaps that is an easy path for you.

HTH,

Joe K.

Hi!
Here is the code i used for logging.

[DllImport(@"C:\Windows\System32\ADVAPI32.DLL",SetLastError=true)]
public static extern bool LogonUser(string lpszUsername, string

lpszDomain, string lpszPassword, int dwLogonType, int dwLogonProvider, ref
IntPtr phToken);

const int LOGON32_LOGON_NETWORK = 3;
const int LOGON32_PROVIDER_DEFAULT = 0;

IntPtr token1 = IntPtr.Zero;
bool LoggedOn =

LogonUser(Username,DomainName,Password,LOGON32_LOGON_NETWORK,LOGON32_PROVIDE
R_DEFAULT,ref token1);

But as i told you before, for Windows 2000, i always get "false" with

ASP.NET 1.1 but "true" with ASP.NET 1.0 (with SYSTEM Account) with the right
credentials.

 

[jzhu]

Try to find more info
1. Right before you call LogonUser, call User.Identity.Name to dump the curent user to see what's the account you are under
2. Right after you get a false, call Marshal.GetLastWin32Error() to get the error code