Impersonation for accessing network resources?

Hi

I have a small WinForms app that needs to copy files from a shared drive on
a network. If I connect to the mapped drive using Explorer, a password dialog
pops up and I have to provide credentials with permission to access this
resource on the machine where it's hosted. This is once for each desktop
logon session (i.e. after every reboot). If I do this, my app can access the
network resource fine, but otherwise fails with permission errors.

As my app runs when Windows starts, I don't want to first connect to the
mapped drive each and every time.

I've found some C# code that allows me to impersonate a
domain/account/password context, but it won't work in the scenario I want. I
know the code works because it allows me to impersonate local accounts, just
not access the network resource. When run, the following error occurs:

"Error No: 1326 - Error: Logon failure: unknown user name or bad password."

However, I know the domain/account/password are all correct.

The code is based on Win32 API's LogonUser. Am I barking up the wrong tree?

Thanks

Ben
 
If you call LogonUser you should specify the credentials of a valid user
that has appropriate privileges to access the remote server.


Willy.
 
Basically I've been using [domain]\Administrator and [password] the same as
I enter when I try to access the mapped drive from explorer. However it
works in explorer but not my app. However, if I first connect using
Explorer, I then don't need to use LogonUser. Strange!

Ben
 
Beware "domain\\Administrator" or @"domain\administrator" not
"domain\administrator".

Once you have a connected network session it remains valid for the whole
logon session, that is why you should create a session from your domain
logon (through a logon script) or from a batch file that runs when a user
logs on locally instead of impersonating in user applications.

Willy.

 
Hi Willy,

The domain, account and password are all entered via a Form and not
hard-coded. I've tried passing all three to LogonUser as separate
parameters, to no avail. I've also tried leaving the domain param empty (not
null though) and concatenating domain and account together and passing them
in the Account param.

Really starting to frustrate me now.

Ben

 
I understand your frustration, but you need to make sure that
- the user account string you pass to LogonUser() has the correct syntax,
that is, it should contain the accountname "accountname" or the
"account@domainname" in UPN format
- the domain name must refer to your account domain if the user name is NOT
in UPN format, else it must be null or . for local user accounts or the
remote machine name for non local/non domain accounts.
So in your case the call could look like:

LogonUser("Administrator", "YourDomainName", "YourAdminsPwd",...);

Willy.
 
Hi Willy,

Does LogonUser log in the specified user into the local system only, or can
it be used to specify credentials when accessing a network resource? I've
tried everything you've suggested and it's occurred to me that I'm trying to
provide credentials for the administrator account of the SERVER where my
files are located. I'm worried I might actually be trying to log on to my
local machine using credentials it knows nothing about.

Ben
 
Found it!!

First of all, I was assuming that LogonUser returned 0 (zero) on success,
wrongly. Secondly, I changed my code to use LOGON32_LOGON_NEW_CREDENTIALS
instead of LOGON32_LOGON_NETWORK, and it works a treat.

Thanks for your help Willy.

Ben
 
You should not use LOGON32_LOGON_NETWORK to obtain an access token to access
remote server resources when impersonating; this type of logon token has no
network access.
LOGON32_LOGON_NEW_CREDENTIALS (w2k and up) uses the supplied credentials to
access the remote server, while using your current logon token to access
local resources.

Willy.
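
The fix reached in this thread, as an added C# example (not code posted by either participant): LogonUser is called with LOGON32_LOGON_NEW_CREDENTIALS, its result is treated as a BOOL where non-zero means success, and the copy runs under the returned token. The server name FILESRV, the account svc_copy and both file paths are hypothetical; WindowsIdentity.RunImpersonated needs .NET Framework 4.6 or later.

```csharp
using System;
using System.ComponentModel;
using System.IO;
using System.Runtime.InteropServices;
using System.Security.Principal;
using Microsoft.Win32.SafeHandles;

static class ShareCopy
{
    // Values from winbase.h.
    const int LOGON32_LOGON_NEW_CREDENTIALS = 9; // credentials used for outbound network access only
    const int LOGON32_PROVIDER_WINNT50 = 3;      // the provider this logon type requires

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LogonUser(string user, string domain, string password,
        int logonType, int logonProvider, out SafeAccessTokenHandle token);

    // Copies one file from a share, using alternate credentials for the network hop.
    public static void CopyFromShare(string user, string domain, string password,
                                     string remoteFile, string localFile)
    {
        // LogonUser returns a BOOL: non-zero (true) is success, zero is failure.
        if (!LogonUser(user, domain, password, LOGON32_LOGON_NEW_CREDENTIALS,
                       LOGON32_PROVIDER_WINNT50, out SafeAccessTokenHandle token))
        {
            // Surfaces the Win32 code, e.g. 1326 (ERROR_LOGON_FAILURE).
            throw new Win32Exception(Marshal.GetLastWin32Error());
        }

        using (token)
        {
            // NEW_CREDENTIALS does not validate the password at this point; a wrong
            // one shows up as an access error when the share is first touched.
            WindowsIdentity.RunImpersonated(token,
                () => File.Copy(remoteFile, localFile, overwrite: true));
        }
    }

    static void Main()
    {
        Console.Write("Password: ");
        string password = Console.ReadLine();
        // Hypothetical names: a server-local account with read access to the share
        // is enough for a copy; the server name is passed as the domain.
        CopyFromShare("svc_copy", "FILESRV", password,
                      @"\\FILESRV\data\report.csv", @"C:\Temp\report.csv");
    }
}
```

Local file access inside RunImpersonated still happens as the current logon user, so the destination path only needs to be writable by the account running the app.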
 