
LogonUser API doesn't work correctly with Domain from Workstation

For testing I have set up a simple domain and added some users. I have Win10 workstation(s) NOT joined to that domain as well. I can access the DC from the workstations with no issues by supplying a domain username and password to see file shares through Windows Explorer. I can even use LDAP from vb.net to authenticate DC accounts.

I am trying to use the LOGONUSER API (all flavors tried) in an attempt to validate a domain account (local accounts validate OK) from a workstation NOT joined to that domain. Whatever flag/combo I use, it always returns false (failed logon). The only time I get a success is when I use the flag NEW_CREDENTIALS, but that supposedly returns a true value by default even with invalid credentials. Apparently, from reading other posts related to using the LogonUser API from a workstation computer to a domain controller, nobody can seem to get it to work. I have even tried it on our corp. domains with no luck. However, the program I wrote (borrowed/tried code from several sources) works fine if I put it on any computer already joined to the domain, and it will even authenticate across domains that have a full trust between them. It just will not work from a non-domain workstation to a domain. What needs to be done to make this work? I can't find any official documents that say it won't work, which would be great if I could find that they exist. Thanks for your time.

    Imports System.Runtime.InteropServices

    ' P/Invoke declaration for LogonUser; SetLastError lets Marshal.GetLastWin32Error() report why it failed.
    <DllImport("advapi32.dll", SetLastError:=True)> _
    Private Shared Function LogonUser(ByVal lpszUsername As String, ByVal lpszDomain As String, ByVal lpszPassword As String,
                                      ByVal dwLogonType As LogonType, ByVal dwLogonProvider As LogonProvider, ByRef phToken As IntPtr) As Boolean
    End Function

    ' Needed to release the token handle that LogonUser returns on success.
    <DllImport("kernel32.dll", SetLastError:=True)> _
    Private Shared Function CloseHandle(ByVal hObject As IntPtr) As Boolean
    End Function

    Enum LogonType As Integer
        LOGON32_LOGON_INTERACTIVE = 2
        LOGON32_LOGON_NETWORK = 3
        LOGON32_LOGON_BATCH = 4
        LOGON32_LOGON_SERVICE = 5
        LOGON32_LOGON_UNLOCK = 7
        LOGON32_LOGON_NETWORK_CLEARTEXT = 8
        LOGON32_LOGON_NEW_CREDENTIALS = 9
    End Enum

    Enum LogonProvider As Integer
        LOGON32_PROVIDER_DEFAULT = 0
        LOGON32_PROVIDER_WINNT35 = 1
        LOGON32_PROVIDER_WINNT40 = 2
        LOGON32_PROVIDER_WINNT50 = 3
    End Enum

    Public Sub TryLogon()
        Dim token As IntPtr = IntPtr.Zero
        Dim username As String = "myuser"
        Dim domain As String = "mydomain.local"
        Dim password As String = "password"
        Dim retVal As Boolean = LogonUser(username, domain, password, LogonType.LOGON32_LOGON_NETWORK, LogonProvider.LOGON32_PROVIDER_DEFAULT, token)
        If retVal Then
            ' Only a yes/no answer is wanted here, so release the token right away instead of leaking the handle.
            CloseHandle(token)
        Else
            Dim errMsg = New System.ComponentModel.Win32Exception(Marshal.GetLastWin32Error()).Message
            MsgBox(errMsg, MsgBoxStyle.Critical, "Logon")
        End If
    End Sub

LogonUser() requires that the current user has the "Act as a part of the operating system" privilege. By default, it's granted to no one, not even the administrators.

EDIT: before LogonUser, you need to call AdjustTokenPrivileges() - add the SE_TCB_NAME privilege to the current user.

EDIT: I'll have to check, but I don't think LogonUser was meant for authenticating users from untrusted authorities (e.g. domains that the current machine is not on).

Consider creating a dummy share on one of the domain machines (maybe the domain controller), and calling WNetAddConnection2() against it.

I solved my problem on Windows 10 (1607) that was not connected to the domain by:

- using "." as domain
- LOGON32_LOGON_INTERACTIVE
- LOGON32_PROVIDER_DEFAULT

Just to let you know.

The following post put me on track: LogonUser() not authenticating user for invalid domain when computer is not on a domain
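Both approaches on this page, the first answer's "connect to a share" check and the second answer's LogonUser call with "." as the domain and an interactive logon, put together as an added VB.NET example. This is not code from the question or from either answer. The module name, the share path ("\\dc01.mydomain.local\authcheck") and the sample credentials are constructed placeholders; the P/Invoke declarations follow the documented Win32 signatures of LogonUser, CloseHandle, WNetAddConnection2 and WNetCancelConnection2. Each function returns only a yes/no result plus the Win32 error text, releases the token or connection immediately, and never uses LOGON32_LOGON_NEW_CREDENTIALS, since that flag (as the question notes) returns success without validating the password.

```vbnet
Imports System.ComponentModel
Imports System.Runtime.InteropServices

' Added example; not code from the question or the answers on this page.
Public Module DomainCredentialCheck

    ' Values from the question's enums; only the ones the working answer used are needed here.
    Private Const LOGON32_LOGON_INTERACTIVE As Integer = 2
    Private Const LOGON32_PROVIDER_DEFAULT As Integer = 0
    Private Const RESOURCETYPE_DISK As Integer = 1
    Private Const NO_ERROR As Integer = 0

    <DllImport("advapi32.dll", CharSet:=CharSet.Unicode, SetLastError:=True)>
    Private Function LogonUser(lpszUsername As String, lpszDomain As String, lpszPassword As String,
                               dwLogonType As Integer, dwLogonProvider As Integer,
                               ByRef phToken As IntPtr) As Boolean
    End Function

    <DllImport("kernel32.dll", SetLastError:=True)>
    Private Function CloseHandle(hObject As IntPtr) As Boolean
    End Function

    ' NETRESOURCE layout as documented for WNetAddConnection2.
    <StructLayout(LayoutKind.Sequential, CharSet:=CharSet.Unicode)>
    Private Structure NETRESOURCE
        Public dwScope As Integer
        Public dwType As Integer
        Public dwDisplayType As Integer
        Public dwUsage As Integer
        Public lpLocalName As String
        Public lpRemoteName As String
        Public lpComment As String
        Public lpProvider As String
    End Structure

    <DllImport("mpr.dll", CharSet:=CharSet.Unicode)>
    Private Function WNetAddConnection2(ByRef lpNetResource As NETRESOURCE, lpPassword As String,
                                        lpUserName As String, dwFlags As Integer) As Integer
    End Function

    <DllImport("mpr.dll", CharSet:=CharSet.Unicode)>
    Private Function WNetCancelConnection2(lpName As String, dwFlags As Integer, fForce As Boolean) As Integer
    End Function

    ' Second answer's settings: domain "." with an interactive logon through the default provider.
    ' Returns True only when LSA actually issues a token; the token is closed at once because
    ' the caller wants a credential check, not an impersonation context.
    Public Function ValidateWithLogonUser(userName As String, password As String,
                                          ByRef failureReason As String) As Boolean
        Dim token As IntPtr = IntPtr.Zero
        Dim ok As Boolean = LogonUser(userName, ".", password,
                                      LOGON32_LOGON_INTERACTIVE, LOGON32_PROVIDER_DEFAULT, token)
        If ok Then
            CloseHandle(token)
            failureReason = Nothing
            Return True
        End If
        ' The error code distinguishes a bad password from policy failures (disabled account, logon hours, ...).
        Dim code As Integer = Marshal.GetLastWin32Error()
        failureReason = String.Format("{0} (Win32 error {1})", New Win32Exception(code).Message, code)
        Return False
    End Function

    ' First answer's suggestion: authenticate by connecting to a share on a domain machine.
    ' sharePath is a placeholder such as "\\dc01.mydomain.local\authcheck"; domainUser is "DOMAIN\user".
    Public Function ValidateWithShare(sharePath As String, domainUser As String, password As String,
                                      ByRef failureReason As String) As Boolean
        Dim res As New NETRESOURCE With {.dwType = RESOURCETYPE_DISK, .lpRemoteName = sharePath}
        Dim rc As Integer = WNetAddConnection2(res, password, domainUser, 0)
        If rc <> NO_ERROR Then
            failureReason = String.Format("{0} (Win32 error {1})", New Win32Exception(rc).Message, rc)
            Return False
        End If
        ' Tear the connection down immediately; the goal was the credential check, not a mapped share.
        WNetCancelConnection2(sharePath, 0, True)
        failureReason = Nothing
        Return True
    End Function

    Sub Main()
        Dim reason As String = Nothing
        ' Constructed sample values; replace with real ones when running against your own lab domain.
        If ValidateWithLogonUser("myuser", "password", reason) Then
            Console.WriteLine("LogonUser: credentials accepted")
        Else
            Console.WriteLine("LogonUser: " & reason)
        End If
        If ValidateWithShare("\\dc01.mydomain.local\authcheck", "mydomain\myuser", "password", reason) Then
            Console.WriteLine("Share: credentials accepted")
        Else
            Console.WriteLine("Share: " & reason)
        End If
    End Sub

End Module
```

The share-based check only proves the DC accepted the credentials for SMB access, so the account used should have no more rights than reading an empty share; the LogonUser path, when it succeeds, yields a token that should be closed (as above) or impersonated deliberately, never left open.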
