Using LogonUser() only to Validate Credentials

We are developing an application with an internal user accounts system, but would like to be able to use credentials from Active Directory and/or Windows accounts. To that end we store the User SID in a field in the application's users table. Our login mechanism functions like this:

  • Prompt user for domain, login, password
  • Call LogonUser(logon, domain, password, logon_type, logon_provider, &hToken)
  • If successful, get User SID from hToken
  • Close hToken
  • Search our application's database for a user with the given SID; if found, we are considered logged in to that account.

The problem that has come up is this: we have been using LOGON32_LOGON_NETWORK for the logon_type, but we have now run into some security configurations where "Access this computer from the network" is denied, meaning the Network logon type is prohibited.

My question is what logon type should we be using for this situation? Interactive? We are not actually using the Logon token for anything other than extracting the user's SID. Our application has its own internal groups and permissions; we do not use Windows groups or permissions in any way. From the perspective of Windows and the domain controller, all we are doing is logging on and quickly logging off.

Or are we looking at this in a completely wrong way, and we should be using some other login method entirely?

Thanks

smead asked Oct 31 '22 09:10


1 Answer

I also have been surprised to find out that LogonUser() with the LOGON32_LOGON_NETWORK type fails when the user right "Access this computer from the network" is not granted to Everyone on the local computer.

I use the following workaround:

  • First try LogonUser() with the LOGON32_LOGON_NETWORK type.
  • If it fails with error ERROR_LOGON_TYPE_NOT_GRANTED, call LogonUser() with the LOGON32_LOGON_NEW_CREDENTIALS type and the LOGON32_PROVIDER_WINNT50 logon provider.
Jusid answered Nov 15 '22 05:11
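As an added example (not code from the question or the answer), the validate-and-extract flow described above in PowerShell via P/Invoke: LogonUser with LOGON32_LOGON_NETWORK by default, the SID read from the returned token, the handle closed, and the ERROR_LOGON_TYPE_NOT_GRANTED case that the answer's workaround is built around reported separately from a bad password. The wrapper type Win32.Logon and the function name Get-ValidatedUserSid are assumptions.

```powershell
Add-Type -Namespace Win32 -Name Logon -MemberDefinition @'
[DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern bool LogonUser(string user, string domain, string password,
    int logonType, int logonProvider, out IntPtr token);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CloseHandle(IntPtr handle);
'@

# Logon type / provider values from winbase.h; 1385 is ERROR_LOGON_TYPE_NOT_GRANTED.
$LOGON32_LOGON_INTERACTIVE    = 2
$LOGON32_LOGON_NETWORK        = 3
$LOGON32_PROVIDER_DEFAULT     = 0
$ERROR_LOGON_TYPE_NOT_GRANTED = 1385

# Assumed helper name: validates the credential and returns the account SID as a string.
function Get-ValidatedUserSid {
    param(
        [Parameter(Mandatory)][string]$Domain,
        [Parameter(Mandatory)][string]$User,
        [Parameter(Mandatory)][string]$Password,
        [int]$LogonType = $LOGON32_LOGON_NETWORK
    )
    $token = [IntPtr]::Zero
    $ok = [Win32.Logon]::LogonUser($User, $Domain, $Password, $LogonType,
                                   $LOGON32_PROVIDER_DEFAULT, [ref]$token)
    if (-not $ok) {
        $err = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()
        if ($err -eq $ERROR_LOGON_TYPE_NOT_GRANTED) {
            # The password may well be right; the account lacks the logon right on this host.
            throw "Logon type $LogonType is not granted to $Domain\$User here (error 1385)"
        }
        throw "LogonUser failed for $Domain\$User (Win32 error $err)"
    }
    try {
        # Only the SID is read from the token; nothing is impersonated.
        $identity = New-Object System.Security.Principal.WindowsIdentity($token)
        $sid = $identity.User.Value
        $identity.Dispose()
        return $sid
    } finally {
        [void][Win32.Logon]::CloseHandle($token)
    }
}

# Usage: prompt for the credential rather than hard-coding it.
$cred = Get-Credential -Message 'Account to validate (DOMAIN\user)'
$net  = $cred.GetNetworkCredential()
$sid  = Get-ValidatedUserSid -Domain $net.Domain -User $net.UserName -Password $net.Password
"Validated SID: $sid"
```

The SID must come from a token produced by a logon type that actually verifies the password: LOGON32_LOGON_NEW_CREDENTIALS does not check the credentials against the domain and returns a clone of the calling process's token, so a SID read from it identifies the caller, not the user being validated. Treat error 1385 as a configuration signal (the account lacks the right for that logon type on this host) rather than as a failed password check.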