Windows Login Authentication

Nick

Platform: Visual Studio 2003
Language: C#
NOTES:
1. Application will need to run on Windows 2000, Windows 2003, Windows
XP
2. Client machines will be standalone NOT part of a domain.
3. I don't want to depend on having Active Directory installed

Problem Description:
When my application starts, it checks if the current windows user
belongs to a group. If he/she does belong to the group it allows them
to run it. If he/she does NOT belong to the group, it prompts them to
log in as another user that will belong to that group. I having trouble
authenticating the windows login and password. I reasearched this issue
for quite some time but no luck. These are some of my attempts to solve
the problem:
1. Using the LogonUser () function. This call will not work under
Windows 2000 unless you
make a change to the security policy. Not good for me!
2. Using the DirectoryEntry in DirectoryServices namespace. I created
an instance of the
DirectoryEntry class and passed the path, name, login, password and
authenticationtype.
Tried to bind to the Native object with "Object native =
deDirEntry.NativeObject;" but it did
not work. I used the following value for path: "WinNT://" +
Environment.MachineName

NOTE: If I could do this with managed code that would be great.

Thanks in Advance
 
You should probably write your own custom authentication if you're not
part of a domain. Basically you want Integrated Authentication but
you're not integrated to anything.
 
This is an administrative issue: if a user is logged on to Windows using his
logon credentials, he should be a member of the right group. If he's not a
member of the right group, you should ask him to log off and log on to
Windows using the correct credentials; you should never authenticate in code.

Willy.

 
I appreciate everyone's input but I still have to do it. (Per
management). Could someone show me how to do it?

Thanks in Advance
 

You don't really get it: by calling "LogonUser" you simply validate the
specified user's credentials, but that doesn't mean that your application
(thread) runs as the user specified in the LogonUser call. To do so you need
to impersonate the new logon token obtained by LogonUser.
But that's not all: the environment and profile loaded and attached to the
application are still those of the initial logon user (the one who started
the application). That means that the application will fail if it relies on
the presence of the "impersonating user's" profile.
If the latter is no issue, you should search MSDN; it contains a sample of
how to impersonate a user.

Willy.
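
What Willy describes above, written out as an added example (this is not code from the thread or from any of its posters): the launching user's membership is checked from the process token; if that fails, the typed credentials are validated with LogonUser, the required group is then checked on the new token (so the prompt cannot be satisfied by just any valid local account), and the token is impersonated on the calling thread only. The group name AppUsers, the console prompt, and the "." domain shorthand for local accounts are assumptions made for the example. As Willy says, Windows 2000 requires the TCB privilege for LogonUser, and no profile is loaded for the impersonated account.

```csharp
using System;
using System.Runtime.InteropServices;
using System.Security.Principal;

// Added example, not from the original thread. Validates a second set of local
// Windows credentials with LogonUser, checks the resulting token against the
// required local group, and impersonates it on this thread. "AppUsers" is an
// assumed group name.
public class LocalLogonCheck
{
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LogonUser(string lpszUsername, string lpszDomain,
        string lpszPassword, int dwLogonType, int dwLogonProvider, out IntPtr phToken);

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr hObject);

    const int LOGON32_LOGON_INTERACTIVE = 2;
    const int LOGON32_PROVIDER_DEFAULT  = 0;
    const int ERROR_LOGON_FAILURE       = 1326; // the same error the ADSI bind reports as 0x8007052E

    // Role string for a local group is "MACHINE\Group" (group name assumed).
    static string RequiredGroup
    {
        get { return Environment.MachineName + @"\AppUsers"; }
    }

    // Step 1: does the user who launched the application already qualify?
    public static bool CurrentUserIsMember()
    {
        WindowsPrincipal p = new WindowsPrincipal(WindowsIdentity.GetCurrent());
        return p.IsInRole(RequiredGroup);
    }

    // Step 2: validate the typed credentials against the local SAM and check the
    // membership of THAT account from its own token. Returns the token (caller
    // must CloseHandle it) or IntPtr.Zero with a reason.
    public static IntPtr LogonMember(string user, string password, out string failure)
    {
        IntPtr token;
        failure = null;
        // "." = local machine accounts. LOGON32_LOGON_INTERACTIVE applies the same
        // account policy as the winlogon prompt (disabled, locked out, hours).
        // On Windows 2000 the calling process needs SeTcbPrivilege for this call.
        if (!LogonUser(user, ".", password, LOGON32_LOGON_INTERACTIVE,
                       LOGON32_PROVIDER_DEFAULT, out token))
        {
            int err = Marshal.GetLastWin32Error();
            failure = (err == ERROR_LOGON_FAILURE)
                ? "unknown user name or bad password"
                : "logon refused, Win32 error " + err;
            return IntPtr.Zero;
        }
        // A valid password is not enough: the prompted account must be in the group.
        WindowsPrincipal other = new WindowsPrincipal(new WindowsIdentity(token));
        if (!other.IsInRole(RequiredGroup))
        {
            CloseHandle(token);
            failure = "credentials valid, but the account is not in " + RequiredGroup;
            return IntPtr.Zero;
        }
        return token;
    }

    public static void Main()
    {
        if (CurrentUserIsMember()) { RunApp(); return; }

        // Console input stands in for the login dialog in this example.
        Console.Write("User name: "); string u  = Console.ReadLine();
        Console.Write("Password: ");  string pw = Console.ReadLine();

        string why;
        IntPtr token = LogonMember(u, pw, out why);
        if (token == IntPtr.Zero) { Console.WriteLine("Access denied: " + why); return; }
        try
        {
            // Only this thread runs as the other account, and only until Undo();
            // the process keeps the launching user's environment and profile.
            WindowsImpersonationContext ctx = WindowsIdentity.Impersonate(token);
            try { RunApp(); }
            finally { ctx.Undo(); }
        }
        finally { CloseHandle(token); }
    }

    static void RunApp()
    {
        Console.WriteLine("Running as " + WindowsIdentity.GetCurrent().Name);
    }
}
```

Two things worth keeping in mind when adapting this: the impersonation covers the calling thread only, so worker threads and child processes still carry the launching user's logon, and the group check is made against the token that LogonUser returned rather than against whatever name was typed, which is what prevents a member of some other group from getting past the prompt with their own valid password.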
 
Hello Willy,

First of all, I would like to thank you for taking the time to respond
to my question. Here is some additional information that may help you
understand where I am coming from:
When a logged-on user double-clicks on the application icon, the
application checks if the user belongs to that special group. If he/she
does NOT, then we need to prompt for a Windows user login and password
that does belong to that group. If he/she belongs to that special group,
then there is no need to prompt for login and password. It's just a
convenience so the user does NOT need to log off and log back in as that
user. The application does NOT care about any environment or profile
information.
As for LogonUser, my understanding is that there is some security issue
with Windows 2000 and I don't want to enforce any policy changes on the
user's machine.

Thanks Again
 
| Hello Willy,
|
| First of all, I would like to thank you for taking the time to respond
| to my question. Here is some additional information that may help you
| understand where I am coming from:
| When a logged-on user double-clicks on the application icon, the
| application checks if the user belongs to that special group. If he/she
| does NOT, then we need to prompt for
| a Windows user login and password that does belong to that group.

Note that this way the "user" pretends he is someone else, but the
application still runs as the initial logon user, using the initial
security token, environment and profile. Hope that's clear.


| If he/she belongs to that special group then no need to prompt for login
| and password. It's just a convenience so the user does NOT need to log
| off and log back in as that user. The application does NOT care about
| any environment or profile information.
| As for the LogonUser, my understanding is that there is some security
| issue with Windows 2000 and I don't want to enforce any policy changes
| on the user's machine.
|

True, W2K needs the TCB privilege in order to call LogonUser. Another option
is to use DirectoryServices; something like this may do.

....
using System;
using System.DirectoryServices;
using System.Runtime.InteropServices;
....
// Binding with explicit credentials makes the WinNT provider authenticate
// them; reading any property (Guid here) forces the bind. "sixfour" is the
// machine name and "keviin" the password in this sample.
try
{
    using (DirectoryEntry AD = new DirectoryEntry("WinNT://sixfour,computer",
               "administrator", "keviin", AuthenticationTypes.Secure))
    {
        object no = AD.Guid;
    }
}
catch (Exception ex)
{
    int hr = Marshal.GetHRForException(ex);
    if (hr == -2147023570) // 0x8007052E = ERROR_LOGON_FAILURE (Win32 error 1326)
        Console.WriteLine("Logon failure");
}

Willy.
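
The same check carried through entirely with the WinNT ADSI provider, as an added example rather than the snippet from the post above: the bind with explicit credentials validates the password, the Win32 code is pulled out of the COMException HRESULT (0x8007052E is ERROR_LOGON_FAILURE, 1326), and IADsGroup.IsMember on the local group object confirms that the validated account actually belongs to the required group. The group name AppUsers and the console prompt are assumptions. Unlike the LogonUser route, this yields no token: once the checks pass, the process is still running as the user who launched it, which is the point Willy keeps making.

```csharp
using System;
using System.DirectoryServices;
using System.Runtime.InteropServices;

// Added example, not from the original thread. Validates local-account
// credentials through the WinNT ADSI provider and then asks the local group
// object whether that account is a member. "AppUsers" is an assumed group name.
public class WinNtCredentialCheck
{
    const int ERROR_LOGON_FAILURE    = 1326; // HRESULT 0x8007052E
    const int ERROR_PASSWORD_EXPIRED = 1330; // HRESULT 0x80070532
    const int ERROR_ACCOUNT_DISABLED = 1331; // HRESULT 0x80070533

    // Returns null when the credentials are accepted, otherwise a reason.
    // Binding with explicit credentials forces the provider to authenticate
    // them; reading a property (Guid) is what triggers the bind.
    public static string ValidateCredentials(string user, string password)
    {
        string machine = Environment.MachineName;
        try
        {
            using (DirectoryEntry computer = new DirectoryEntry(
                       "WinNT://" + machine + ",computer", user, password,
                       AuthenticationTypes.Secure))
            {
                Guid ignored = computer.Guid; // forces the bind
            }
            return null;
        }
        catch (COMException ex)
        {
            // For a FACILITY_WIN32 HRESULT the low 16 bits are the Win32 error code.
            int win32 = ex.ErrorCode & 0xFFFF;
            switch (win32)
            {
                case ERROR_LOGON_FAILURE:    return "unknown user name or bad password";
                case ERROR_PASSWORD_EXPIRED: return "password expired";
                case ERROR_ACCOUNT_DISABLED: return "account disabled";
                default:                     return "logon refused, Win32 error " + win32;
            }
        }
    }

    // Membership check via IADsGroup.IsMember on the local group object. This
    // runs as the launching user, who can read local group membership by default.
    public static bool IsLocalGroupMember(string user, string group)
    {
        string machine = Environment.MachineName;
        using (DirectoryEntry g = new DirectoryEntry(
                   "WinNT://" + machine + "/" + group + ",group"))
        {
            object[] member = new object[] { "WinNT://" + machine + "/" + user + ",user" };
            return (bool)g.Invoke("IsMember", member);
        }
    }

    public static void Main()
    {
        // Console input stands in for the login dialog in this example.
        Console.Write("User name: "); string u  = Console.ReadLine();
        Console.Write("Password: ");  string pw = Console.ReadLine();

        string reason = ValidateCredentials(u, pw);
        if (reason != null) { Console.WriteLine("Access denied: " + reason); return; }
        if (!IsLocalGroupMember(u, "AppUsers"))
        {
            Console.WriteLine("Access denied: " + u + " is not a member of AppUsers");
            return;
        }
        // Password verified and group confirmed, but nothing about the security
        // context has changed: the process still runs as the launching user.
        Console.WriteLine("OK: continuing as " + Environment.UserName);
    }
}
```

Because the bind only proves the password, the group lookup is a separate step; skipping it would let any local account with a valid password through, which is the same gap the LogonUser variant closes by checking the group on the returned token.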
 