We are developing an application with an internal user accounts system, but would like to be able to use credentials from Active Directory and/or Windows accounts. To that end we store the User SID in a field in the application's users table. Our login mechanism functions like this:
The problem that has come up is this: we have been using LOGON32_LOGON_NETWORK for the logon_type, but we have now run into some security configurations where "Access this computer from the network" is denied, meaning the Network logon type is prohibited.
My question is what logon type should we be using for this situation? Interactive? We are not actually using the Logon token for anything other than extracting the user's SID. Our application has its own internal groups and permissions; we do not use Windows groups or permissions in any way. From the perspective of Windows and the domain controller, all we are doing is logging on and quickly logging off.
Or are we looking at this in a completely wrong way, and we should be using some other login method entirely?
Thanks
I also have been surprised to find out that the LogonUser() with the LOGON32_LOGON_NETWORK type fails when user right "Access this computer from the network" is not granted for Everyone on local computer.
I use the following workaround:
1. Call LogonUser() with the LOGON32_LOGON_NETWORK type.
2. If it fails with ERROR_LOGON_TYPE_NOT_GRANTED, call LogonUser() with the LOGON32_LOGON_NEW_CREDENTIALS type and the LOGON32_PROVIDER_WINNT50 logon provider.
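Added example, not code from the question or the answer: a C# diagnostic that makes the two LogonUser() calls discussed above and prints the SID carried by each returned token. It relies on the documented Windows behaviour that LOGON32_LOGON_NEW_CREDENTIALS clones the caller's token and keeps the supplied credentials for outbound connections only, so a successful fallback call is not a password check; the class and helper names are illustrative.

```csharp
using System;
using System.Runtime.InteropServices;
using System.Security.Principal;

static class LogonSidCheck   // illustrative name, not from the page
{
    const int LOGON32_LOGON_NETWORK = 3, LOGON32_LOGON_NEW_CREDENTIALS = 9;
    const int LOGON32_PROVIDER_DEFAULT = 0, LOGON32_PROVIDER_WINNT50 = 3;
    const int ERROR_LOGON_TYPE_NOT_GRANTED = 1385;

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LogonUser(string user, string domain, string password,
                                 int logonType, int logonProvider, out IntPtr token);

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr handle);

    // Returns the SID string of the token LogonUser hands back, or null on failure;
    // lastError receives the Win32 error code (0 on success).
    static string SidFromLogon(string user, string domain, string password,
                               int type, int provider, out int lastError)
    {
        lastError = 0;
        if (!LogonUser(user, domain, password, type, provider, out IntPtr token))
        {
            lastError = Marshal.GetLastWin32Error();
            return null;
        }
        try { using (var id = new WindowsIdentity(token)) return id.User.Value; }
        finally { CloseHandle(token); }
    }

    static void Main(string[] args)   // usage: LogonSidCheck <user> <domain>
    {
        Console.Write("Password: ");
        string password = Console.ReadLine();
        string processSid = WindowsIdentity.GetCurrent().User.Value;
        string sid = SidFromLogon(args[0], args[1], password,
                                  LOGON32_LOGON_NETWORK, LOGON32_PROVIDER_DEFAULT, out int err);
        Console.WriteLine(sid != null ? $"NETWORK logon: credentials verified, SID {sid}"
                                      : $"NETWORK logon failed, Win32 error {err}");
        if (err != ERROR_LOGON_TYPE_NOT_GRANTED) return;

        // Fallback from the answer: this call does not validate the password.
        sid = SidFromLogon(args[0], args[1], password,
                           LOGON32_LOGON_NEW_CREDENTIALS, LOGON32_PROVIDER_WINNT50, out err);
        Console.WriteLine($"NEW_CREDENTIALS token SID {sid}, process SID {processSid}");
        Console.WriteLine(sid == processSid
            ? "Token is a clone of the caller's token: not proof of the supplied password."
            : "Token SID differs from the process SID.");
    }
}
```

Run it on a machine where the network logon right is denied and enter a wrong password: if the second call still returns a token whose SID matches the process SID, the application must not store or trust that SID as the user's.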