Logon API on Windows 2000 with ASP.NET 1.1

 
 
Rupreet Singh
 
      04-16-2004
Hi Everyone
I’m working on Windows 2000 Professional with IIS 5.0 and Framework 1.1.
In my current project, I had to use Windows Authentication. The problem is that even if I use the right credentials, the LogonUser function (P/Invoke) always returns false. But if I uninstall ASP.NET 1.1 and then try to log on using the LogonUser function, it returns true for the right credentials (with ASP.NET 1.0). Also, if I use the same code (with ASP.NET 1.1) on a Windows XP machine or a Windows 2003 Server machine, it works fine. It’s only giving me a problem on Windows 2000 Professional with ASP.NET 1.1. For testing, I also changed the machine.config file and set the “username” as “SYSTEM”, but the problem persists.

Can anyone tell me the reason for this and the workaround for this?

Thanks
Rupreet Singh
 
 
 
 
 
jzhu
 
      04-16-2004
It's due to how to use LogonUser correctly. The API needs the "Act as part of operating system" privilege on W2K, but not on XP and Win2003. This explains why you succeed on the two later OSs. For the other behavior, the ASP.NET work process is tightened under 1.1 so that it no longer runs under the System account. The new ASPNET account doesn't have the privilege, so LogonUser will fail.

To solve your problem, if you have to call LogonUser, configure ASP.NET with an account that has the privilege, or run it with an account that can do what you are trying to do with the LogonUser account. Delegation can also be explored. There are many articles on how to set up ASP.NET.
 
 
 
 
 
Rupreet Singh
 
      04-16-2004
Hi!
Thanks for your reply
I have already tried that. I had given the ASPNET account high privilege and also added it to "act as part of Operating System", but I am still not able to log on. I also tried setting username="DomainName/DomainAdminUsername" password="DomainAdminPassword" in machine.config, but still I could not log on. Also I gave permission to IUser and IWAM User high privilege, but all in vain.

Any more pointers on it would be appreciated.

Thanks in Advance

Rupreet Singh


 
 
Hernan de Lahitte
 
      04-16-2004
Perhaps it is the logon type you are using. If you show the code that has this
problem it might help.

--
Hernan de Lahitte
Lagash Systems S.A.
http://weblogs.asp.net/hernandl


This posting is provided "AS IS" with no warranties, and confers no rights.

"Rupreet Singh" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> Hi!
> Thanks for your reply.
> I have already tried with that. I had given ASPNET account high
> privilege and also added it to "act as part of Operating System", but i
> still not able to log on. I also tried with setting
> username="DomainName/DomainAdminUsername" password="DomainAdminPassword" in
> machine.config , but still i could not log on. Also i gave permission to
> IUser and IWAM User high privilege ..but all in vain.
>
> Any more pointers on it would be appreciated.
>
> Thanks in Advance.
>
> Rupreet Singh
>
>



 
 
Rupreet Singh
 
      04-17-2004
Hi
Here is the code I used for logging.

[DllImport(@"C:\Windows\System32\ADVAPI32.DLL", SetLastError=true)]
public static extern bool LogonUser(string lpszUsername, string lpszDomain, string lpszPassword, int dwLogonType, int dwLogonProvider, ref IntPtr phToken);

const int LOGON32_LOGON_NETWORK = 3;
const int LOGON32_PROVIDER_DEFAULT = 0;

IntPtr token1 = IntPtr.Zero;
bool LoggedOn = LogonUser(Username, DomainName, Password, LOGON32_LOGON_NETWORK, LOGON32_PROVIDER_DEFAULT, ref token1);

But as I told you before, for Windows 2000, I always get "false" with ASP.NET 1.1 but "true" with ASP.NET 1.0 (with SYSTEM Account) with the right credentials.

Thanks
Rupreet Singh

 
 
Joe Kaplan (MVP - ADSI)
 
      04-17-2004
You really really should be using the canonical example for calling
LogonUser via P/Invoke that MS published in the Framework SDK reference:

http://msdn.microsoft.com/library/de...asp?frame=true

Yours is much less robust.

Also remember, under Win2K, the current account running the LogonUser code
MUST have the "Act as part of the operating system" privilege to call
LogonUser. You state that your ASP.NET 1.0 code works and that it is
running as SYSTEM. You need to ensure that you have similar privileges for
the account executing the code in 1.1 as well.

Note that you generally don't want to be running as SYSTEM (or any account
with Act as part of the operating system), so it might be good to consider
using a different security model for what you are trying to accomplish. If
you can move to Win2K3 server, this privilege restriction is lifted, so
perhaps that is an easy path for you.

HTH,

Joe K.

"Rupreet Singh" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> Hi!
> Here is the code i used for logging.
>
> [DllImport(@"C:\Windows\System32\ADVAPI32.DLL",SetLastError=true)]
> public static extern bool LogonUser(string lpszUsername, string
> lpszDomain, string lpszPassword, int dwLogonType, int dwLogonProvider, ref
> IntPtr phToken);
>
> const int LOGON32_LOGON_NETWORK = 3;
> const int LOGON32_PROVIDER_DEFAULT = 0;
>
> IntPtr token1 = IntPtr.Zero;
> bool LoggedOn =
> LogonUser(Username,DomainName,Password,LOGON32_LOGON_NETWORK,LOGON32_PROVIDER_DEFAULT,ref token1);
>
> But as i told you before, for Windows 2000, i always get "false" with
> ASP.NET 1.1 but "true" with ASP.NET 1.0 (with SYSTEM Account) with the right
> credentials.
>
> Thanks
> Rupreet Singh
>



 
 
jzhu
 
      04-17-2004
Try to find more info:
1. Right before you call LogonUser, call User.Identity.Name to dump the current user to see what's the account you are under.
2. Right after you get a false, call Marshal.GetLastWin32Error() to get the error code.
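
An added example, not part of the original thread or any poster's code: one way to capture the calling account and the Win32 error around a LogonUser call. It reports the account with WindowsIdentity.GetCurrent(), which names the identity the thread runs as (User.Identity.Name in ASP.NET names the authenticated request user); the class and method names are assumptions.

```csharp
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;
using System.Security.Principal;

// Added diagnostic sketch; class, method and argument names are assumptions.
public static class LogonDiagnostics
{
    const int LOGON32_LOGON_NETWORK = 3;
    const int LOGON32_PROVIDER_DEFAULT = 0;
    const int ERROR_PRIVILEGE_NOT_HELD = 1314; // caller lacks a required privilege
    const int ERROR_LOGON_FAILURE = 1326;      // unknown user name or bad password

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LogonUser(string lpszUsername, string lpszDomain,
        string lpszPassword, int dwLogonType, int dwLogonProvider, out IntPtr phToken);

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr hObject);

    // Returns a one-line diagnosis for a trace log; the password is never logged.
    public static string Diagnose(string user, string domain, string password)
    {
        // Account the calling thread runs as (process or impersonated identity).
        string caller = WindowsIdentity.GetCurrent().Name;
        IntPtr token = IntPtr.Zero;
        bool ok = LogonUser(user, domain, password,
            LOGON32_LOGON_NETWORK, LOGON32_PROVIDER_DEFAULT, out token);
        // Read the error immediately; later calls can overwrite it.
        int err = ok ? 0 : Marshal.GetLastWin32Error();
        try
        {
            if (ok) return caller + ": LogonUser succeeded";
            string msg = new Win32Exception(err).Message;
            if (err == ERROR_PRIVILEGE_NOT_HELD)
                return caller + ": error 1314, caller lacks a required privilege (" + msg + ")";
            if (err == ERROR_LOGON_FAILURE)
                return caller + ": error 1326, credentials rejected (" + msg + ")";
            return caller + ": error " + err + " (" + msg + ")";
        }
        finally
        {
            if (token != IntPtr.Zero) CloseHandle(token); // do not leak the logon token
        }
    }
}
```

Error 1314 points at the privilege of the account running the code, while 1326 points at the credentials passed in, which separates the two explanations raised in this thread.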


 