LogonUser Failure error 1314

    Question

  • using System;
    using System.Runtime.InteropServices;
    using System.Security.Permissions;
    using System.Security.Principal;
    using System.DirectoryServices;

    private const int LOGON32_LOGON_INTERACTIVE = 2;
    private const int LOGON32_PROVIDER_DEFAULT = 0;

    // LogonUser lives in advapi32.dll; SetLastError = true is what lets
    // Marshal.GetLastWin32Error() read the failure code (1314 here) after a false return.
    [DllImport("advapi32.dll", CharSet = CharSet.Auto, SetLastError = true)]
    public static extern bool LogonUser(string lpszUserName, string lpszDomain, string lpszPassword,
        int dwLogonType, int dwLogonProvider, ref IntPtr phToken);

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr handle);

    // Returns 1 when the credentials are accepted, 0 otherwise.
    public static int CheckCorrectUser(string strUserName, string strUserDomain, string strUserPass)
    {
        IntPtr logtoken = IntPtr.Zero;
        WindowsImpersonationContext impersonatedUser = null;
        int iReturn = 0;

        try
        {
            // Call LogonUser to obtain a handle to an access token.
            bool result = LogonUser(strUserName, strUserDomain, strUserPass,
                LOGON32_LOGON_INTERACTIVE, LOGON32_PROVIDER_DEFAULT, ref logtoken);
            if (result)
            {
                WindowsIdentity id = new WindowsIdentity(logtoken);

                // Begin impersonation
                impersonatedUser = id.Impersonate();
                // Log the new identity
                string UN = WindowsIdentity.GetCurrent().Name;
                iReturn = 1;
            }
            else
            {
                // Win32 error code from LogonUser, e.g. 1314 = ERROR_PRIVILEGE_NOT_HELD
                string sErr = Marshal.GetLastWin32Error().ToString();
                iReturn = 0;
            }
        }
        catch
        {
            // Prevent any exceptions that occur while the thread is
            // impersonating from propagating
        }
        finally
        {
            // Stop impersonation and revert to the process identity
            if (impersonatedUser != null)
                impersonatedUser.Undo();
            // Free the token
            if (logtoken != IntPtr.Zero)
                CloseHandle(logtoken);
        }
        return iReturn;
    }

    I am working in C# now and stuck on a login page. This is an ASP.NET page where I am using advapi32.dll to validate the user ID, password and domain. This DLL supplies a method LogonUser which takes user ID, password and domain name; though I am giving a valid user ID and password it always returns zero, which means login failed. Now I want to know: to use this DLL do I need to do some settings? Or do I need some rights settings? If so, what are those settings? Please let me know. This deals with Active Directory. If I try Marshal.GetLastError it returns 1314 - ERROR_PRIVILEGE_NOT_HELD: A required privilege is not held by the client. According to this I granted all rights to all users under Local Security Policy. Still it is giving me the same error. Can anybody tell me what else I have to do to solve this problem? Somewhere I am missing some setting, because it works fine for one of my friends here. It deals with Active Directory; my operating system is Windows 2000 and VS 1.1.
     
    Thanks
    Prasanna V.
    Tuesday, November 29, 2005 10:23 AM

Answers

  • The first thing you should do is go back into your security policy and reset your security settings.  It is never a good idea to give everyone all rights.  If you wanted to do that then there would be no reason for authentication anyway.  When you need to test security settings I'd recommend creating a special user or group account and then fiddle with the settings of the group or user.  Then when you're done you can delete the user or group and not worry about a security hole.

    The problem you are running into is a common one and revolves around the myth that being able to have a right means that you do have the right.  This is not entirely true.  Being able to have a user right doesn't give you that right.  The SE_TCB_NAME right must be held in order to call LogonUser.  This is the right that says you can act as part of the OS.  This right is a powerful right to have and should only be given to the account that needs it.  Depending on the directory security of your site you should give this right to the appropriate account.  Note that in XP and above I believe this privilege is no longer needed.

    Once a user has a right you need to enable the right for the user by calling AdjustTokenPrivileges.  You should probably do this before each call to LogonUser (and probably remove it after the call).  I would recommend using something like Process Explorer (http://www.sysinternals.com) or something to evaluate the security rights of the site while it is running to verify it has the rights you expect.  You can verify whether the account running the site has the right enabled before the call to determine if this is the problem.

    Refer to the following article for more information.
    http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnpag2/html/paght000023.asp

    Michael Taylor - 11/29/05
    Tuesday, November 29, 2005 12:39 PM
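The following is an added example (not code from this thread or from the poster) of the approach the answer above describes: enable SeTcbPrivilege on the process token only for the duration of the LogonUser call, put it back the way it was afterwards, and turn the Win32 error into a log message that tells a misconfigured server apart from a bad password. It assumes the account the site runs under has already been granted "Act as part of the operating system" in Local Security Policy, which is the Windows 2000 requirement; on Windows XP SP2 / Server 2003 and later LogonUser no longer needs that privilege, so the enable step simply reporting "not held" is harmless there. It also uses LOGON32_LOGON_NETWORK instead of LOGON32_LOGON_INTERACTIVE, because a network logon validates the credentials without requiring the "Log on locally" right on the web server (a missing "Log on locally" right shows up as error 1385, not 1314). The class and method names are the example's own.

```csharp
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;

// Added example, not code from the thread. Enables SeTcbPrivilege on the process token
// just for the LogonUser call, restores its previous state afterwards, and maps the
// Win32 error to a server-log message. Assumes the site's account has already been
// granted "Act as part of the operating system" (needed on Windows 2000 only).
public static class PrivilegedLogon
{
    private const int LOGON32_LOGON_NETWORK = 3;     // no "Log on locally" right needed
    private const int LOGON32_PROVIDER_DEFAULT = 0;
    private const uint TOKEN_ADJUST_PRIVILEGES = 0x0020, TOKEN_QUERY = 0x0008;
    private const uint SE_PRIVILEGE_ENABLED = 0x0002;
    private const string SE_TCB_NAME = "SeTcbPrivilege";
    private const int ERROR_SUCCESS = 0, ERROR_NOT_ALL_ASSIGNED = 1300,
        ERROR_PRIVILEGE_NOT_HELD = 1314, ERROR_LOGON_FAILURE = 1326, ERROR_LOGON_TYPE_NOT_GRANTED = 1385;

    [StructLayout(LayoutKind.Sequential)] private struct LUID { public uint LowPart; public int HighPart; }
    // TOKEN_PRIVILEGES with its one-element LUID_AND_ATTRIBUTES array flattened (16 bytes).
    [StructLayout(LayoutKind.Sequential)]
    private struct TOKEN_PRIVILEGES { public uint PrivilegeCount; public LUID Luid; public uint Attributes; }

    [DllImport("kernel32.dll")] private static extern IntPtr GetCurrentProcess();
    [DllImport("kernel32.dll", SetLastError = true)] private static extern bool CloseHandle(IntPtr h);
    [DllImport("advapi32.dll", SetLastError = true)]
    private static extern bool OpenProcessToken(IntPtr process, uint access, out IntPtr token);
    [DllImport("advapi32.dll", CharSet = CharSet.Auto, SetLastError = true)]
    private static extern bool LookupPrivilegeValue(string system, string name, out LUID luid);
    [DllImport("advapi32.dll", SetLastError = true)]
    private static extern bool AdjustTokenPrivileges(IntPtr token, bool disableAll, ref TOKEN_PRIVILEGES newState,
        uint bufferLength, ref TOKEN_PRIVILEGES previousState, out uint returnLength);
    [DllImport("advapi32.dll", CharSet = CharSet.Auto, SetLastError = true)]
    private static extern bool LogonUser(string user, string domain, string password, int logonType,
        int provider, out IntPtr token);

    // Enables or disables SeTcbPrivilege on the process token. Returns false when the privilege
    // is not assigned to the account at all: AdjustTokenPrivileges then returns TRUE but sets
    // ERROR_NOT_ALL_ASSIGNED. wasEnabled reports whether it was already enabled before the call.
    private static bool SetTcbPrivilege(bool enable, out bool wasEnabled)
    {
        IntPtr token = IntPtr.Zero;
        wasEnabled = false;
        try
        {
            if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, out token))
                throw new Win32Exception();
            TOKEN_PRIVILEGES wanted = new TOKEN_PRIVILEGES(), previous = new TOKEN_PRIVILEGES();
            wanted.PrivilegeCount = 1;
            wanted.Attributes = enable ? SE_PRIVILEGE_ENABLED : 0;
            if (!LookupPrivilegeValue(null, SE_TCB_NAME, out wanted.Luid))
                throw new Win32Exception();
            uint returned;
            if (!AdjustTokenPrivileges(token, false, ref wanted, (uint)Marshal.SizeOf(typeof(TOKEN_PRIVILEGES)),
                    ref previous, out returned))
                throw new Win32Exception();
            if (Marshal.GetLastWin32Error() == ERROR_NOT_ALL_ASSIGNED)
                return false;                        // the right was never granted to this account
            wasEnabled = previous.PrivilegeCount > 0 && (previous.Attributes & SE_PRIVILEGE_ENABLED) != 0;
            return true;
        }
        finally
        {
            if (token != IntPtr.Zero) CloseHandle(token);
        }
    }

    // Validates a credential set without impersonating. The diagnostic belongs in the server
    // log, not on the login page: it tells a bad password apart from a misconfigured server.
    public static bool ValidateCredentials(string user, string domain, string password, out string diagnostic)
    {
        IntPtr logonToken = IntPtr.Zero;
        bool wasEnabled; bool held = SetTcbPrivilege(true, out wasEnabled);
        try
        {
            bool ok = LogonUser(user, domain, password, LOGON32_LOGON_NETWORK, LOGON32_PROVIDER_DEFAULT, out logonToken);
            int err = ok ? ERROR_SUCCESS : Marshal.GetLastWin32Error();
            diagnostic = Describe(err, held);
            return ok;
        }
        finally
        {
            if (logonToken != IntPtr.Zero) CloseHandle(logonToken);
            // Hold the privilege only for the call; leave it alone if it was enabled before we started.
            if (held && !wasEnabled) { bool ignored; SetTcbPrivilege(false, out ignored); }
        }
    }

    private static string Describe(int err, bool tcbHeld)
    {
        switch (err)
        {
            case ERROR_SUCCESS: return "credentials accepted";
            case ERROR_PRIVILEGE_NOT_HELD:
                return tcbHeld ? "1314 with SeTcbPrivilege enabled: some other privilege is missing"
                               : "1314: SeTcbPrivilege is not granted to the account this process runs as";
            case ERROR_LOGON_FAILURE: return "1326: unknown user name or bad password";
            case ERROR_LOGON_TYPE_NOT_GRANTED: return "1385: this logon type is not allowed for the account on this machine";
            default: return err + ": " + new Win32Exception(err).Message;
        }
    }
}
```

Calling `PrivilegedLogon.ValidateCredentials(user, domain, password, out why)` from the page and writing `why` to the application log gives the check the answer recommends: if it reports that SeTcbPrivilege is not granted to the process account, the fix is a single user right for that one account (the ASP.NET worker process identity, or the application pool identity on IIS 6), not "all rights to all users".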

All replies

  • Don't use LogonUser, instead use the code from this article:
    http://support.microsoft.com/kb/180548

    LogonUser has a problem in Windows 2K where it requires a permission that you can only set (but not add).

    In case the link goes bad, the function you're looking for is:
    BOOL WINAPI SSPLogonUser(LPTSTR szDomain, LPTSTR szUser, LPTSTR szPassword)

    Thanks,
    Brian R. Bondy
    http://www.brianbondy.com


    Tuesday, February 20, 2007 5:04 AM