LogonUser Lib “advapi32.dll” strange on non domain cpu when local account exists?

Question

In attempting a Login Form for a VB.NET WinForms app and it needs to only allow domain users in a certain group. On using the API LogonUser for advapi32.dll either I'm not getting the flags right or something else unknown is happening.

For Interest, I've known for years that using Local users with the same username and password on multiple computers allowed simple user management without the need of a full domain in sharing files between (ie: at home) There is probably a policy on the computer to turn this off - please note if you know it??

When used on a domain computer the paramaters of login type (INTERACTIVE,NETWORK,BATCH,NEW_CREDENTIALS) all appear to work fine.

When used on a Workgroup computer eg: in workgroup "WORKGROUP" on the same network as the domain but isn't on the domain, it doesn't work in any combination I try. If the account you use eg: MyDomain\\User1 exists as MyComputer\\User1 it returns MyComputer\\User1 regardless of specifying the Domain in the Call as "MyDomain". This computer can communicate with the domain shares (by logging in) - therefore I would expect to able to login to the domain simply just for a login screen if available. This isn't for impersonation reasons at all, just to prove who you are regardless of being on a Work Domain PC or BYOD.

Heres some code:

Public Class WinSecurity

    Private Declare Auto Function LogonUser Lib "advapi32.dll" (
    ByVal lpszUsername As String,
    ByVal lpszDomain As String,
    ByVal lpszPassword As String,
    ByVal dwLogonType As Integer,
    ByVal dwLogonProvider As Integer,
    ByRef phToken As IntPtr) As Boolean

    Private Declare Auto Function CloseHandle Lib "kernel32.dll" (ByVal handle As IntPtr) As Boolean

    Public Const LOGON32_LOGON_INTERACTIVE As Long = 2
    Public Const LOGON32_LOGON_NETWORK As Long = 3
    Public Const LOGON32_LOGON_BATCH As Long = 4
    Public Const LOGON32_LOGON_SERVICE As Long = 5
    Public Const LOGON32_LOGON_CLEARTEXT As Long = 8
    Public Const LOGON32_LOGON_NEW_CREDENTIALS As Long = 9

    Public Const LOGON32_PROVIDER_DEFAULT As Long = 0
    Public Const LOGON32_PROVIDER_WINNT50 As Long = 3
    Public Const LOGON32_PROVIDER_WINNT40 As Long = 2
    Public Const LOGON32_PROVIDER_WINNT35 As Long = 1

    Public Shared Function checkUserLogin(ByVal LoginCode As String, ByVal Password As String, ByVal Domain As String, Login As integer, Provider As integer) As WindowsIdentity
        Dim token As IntPtr
        LogonUser(LoginCode, Domain, Password, Login, Provider, token)
        If (token.ToInt32 > 0) Then
            Dim newId As New WindowsIdentity(token)
            Track.LogDEBUG(String.Format("Attempto PASS: {0}, Auth: {1}, method: {2}, Provider: {3}", newId.Name, newId.Token, Login, Provider))
            CloseHandle(token)
        Else
            Track.LogDEBUG(String.Format("Attempto FAIL: {0}, Auth: {1}, method: {2}, Provider: {3}", LoginCode, Domain, Login, Provider))
        End If

    End Function
End Class

''Calling Code
dim sDomain as string = "MyDomain"
WinSecurity.checkUserLogin(txtUserName.Text, txtPassword.Text, sDomain, WinSecurity.LOGON32_LOGON_INTERACTIVE, WinSecurity.LOGON32_PROVIDER_DEFAULT)
WinSecurity.checkUserLogin(txtUserName.Text, txtPassword.Text, sDomain, WinSecurity.LOGON32_LOGON_NETWORK, WinSecurity.LOGON32_PROVIDER_DEFAULT)
WinSecurity.checkUserLogin(txtUserName.Text, txtPassword.Text, sDomain, WinSecurity.LOGON32_LOGON_BATCH, WinSecurity.LOGON32_PROVIDER_DEFAULT)
WinSecurity.checkUserLogin(txtUserName.Text, txtPassword.Text, sDomain, WinSecurity.LOGON32_LOGON_NEW_CREDENTIALS, WinSecurity.LOGON32_PROVIDER_DEFAULT)
WinSecurity.checkUserLogin(txtUserName.Text, txtPassword.Text, sDomain, WinSecurity.LOGON32_LOGON_INTERACTIVE, WinSecurity.LOGON32_PROVIDER_DEFAULT)

Note: Test WorkGroup Computer is running "Windows Server 2012 RC2" but assuming same result for a Win10, etc not on domain.

My Results on the WorkGroup Computer - Local User Active:

Attempto PASS: MyComputer\User1, Auth: 1088, method: 2, Provider: 0
Attempto PASS: MyComputer\User1, Auth: 1100, method: 3, Provider: 0
Attempto PASS: MyComputer\User1, Auth: 1060, method: 4, Provider: 0
Attempto PASS: MyComputer\LoggedOnUser, Auth: 1108, method: 9, Provider: 0
Attempto PASS: MyComputer\User1, Auth: 1076, method: 2, Provider: 0

Results on WorkGroup Computer - Local User Disabled/doesn't exits:

Attempto FAIL: User1, Auth: MyDomain, method: 2, Provider: 0
Attempto FAIL: User1, Auth: MyDomain, method: 3, Provider: 0
Attempto FAIL: User1, Auth: MyDomain, method: 4, Provider: 0
Attempto FAIL: User1, Auth: MyDomain, method: 9, Provider: 0
Attempto FAIL: User1, Auth: MyDomain, method: 2, Provider: 0

Results on Domain Computer:

Attempto PASS: MyDomain\User1, Auth: 1340, method: 2, Provider: 0
Attempto PASS: MyDomain\User1, Auth: 1724, method: 3, Provider: 0
Attempto PASS: MyDomain\User1, Auth: 1736, method: 4, Provider: 0
Attempto PASS: MyDomain\User1, Auth: 1648, method: 9, Provider: 0
Attempto PASS: MyDomain\User1, Auth: 1744, method: 2, Provider: 0

Obviously I don't have a Trust setup to this Computer, but I'm assuming something like this should still work if I can browse to network shares?

Answer 1

guess I'll have to use the directoryservices method instead.

Validate a username and password against Active Directory?

https://social.msdn.microsoft.com/Forums/vstudio/en-US/3c825b3a-824b-4a43-9424-8afa2e875b3a/logonuser-lib-quotadvapi32dllquot-strange-on-non-domain-cpu-when-local-exists?forum=vbgeneral#3c825b3a-824b-4a43-9424-8afa2e875b3a