Platform SDK: Access Control

LogonUser

The LogonUser function attempts to log a user on to the local computer, that is, to the computer from which LogonUser was called. You cannot use LogonUser to log on to a remote computer. You specify the user with a user name and domain, and authenticate the user with a clear-text password. If the function succeeds, you receive a handle to a token that represents the logged-on user. You can then use this token handle to impersonate the specified user, or in most cases, to create a process running in the context of the specified user.

BOOL LogonUser(
  LPTSTR lpszUsername,    // user name
  LPTSTR lpszDomain,      // domain or server
  LPTSTR lpszPassword,    // password
  DWORD dwLogonType,      // type of logon operation
  DWORD dwLogonProvider,  // logon provider
  PHANDLE phToken         // receive tokens handle
);

Parameters

lpszUsername
[in] Pointer to a null-terminated string that specifies the user name. This is the name of the user account to log on to.
lpszDomain
[in] Pointer to a null-terminated string that specifies the name of the domain or server whose account database contains the lpszUserName account. LogonUser asks the domain controller or server to search for and validate the account. If this parameter is ".", LogonUser validates the account using only the local account database.

Windows 2000: If this parameter is NULL, LogonUser attempts to validate the account using the local account database. If LogonUser cannot find the account in the local account database, its trusted domains search their account databases until a match is found. Note that if the security provider is LOGON32_PROVIDER_WINNT50, this parameter cannot be NULL unless you specify the user name in UPN format.

lpszPassword
[in] Pointer to a null-terminated string that specifies the clear-text password for the user account specified by lpszUsername.
dwLogonType
[in] Specifies the type of logon operation to perform. This parameter can be one of the following values.
Value Meaning
LOGON32_LOGON_BATCH This logon type is intended for batch servers, where processes may be executing on behalf of a user without their direct intervention; or for higher performance servers that process many clear-text authentication attempts at a time, such as mail or web servers. LogonUser does not cache credentials for this logon type.
LOGON32_LOGON_INTERACTIVE This logon type is intended for users who will be interactively using the machine, such as a user being logged on by a terminal server, remote shell, or similar process. This logon type has the additional expense of caching logon information for disconnected operation, and is therefore inappropriate for some client/server applications, such as a mail server.
LOGON32_LOGON_NETWORK This logon type is intended for high performance servers to authenticate clear text passwords. LogonUser does not cache credentials for this logon type.
LOGON32_LOGON_NETWORK_CLEARTEXT Windows 2000: This logon type preserves the name and password in the authentication packages, allowing the server to make connections to other network servers while impersonating the client. This allows a server to accept clear text credentials from a client, call LogonUser, verify that the user can access the system across the network, and still communicate with other servers.
LOGON32_LOGON_NEW_CREDENTIALS Windows 2000: This logon type allows the caller to clone its current token and specify new credentials for outbound connections. The new logon session has the same local identify, but uses different credentials for other network connections.

This logon type is supported only by the LOGON32_PROVIDER_WINNT50 logon provider.

LOGON32_LOGON_SERVICE Indicates a service-type logon. The account provided must have the service privilege enabled.
LOGON32_LOGON_UNLOCK This logon type is intended for GINA DLLs logging on users who will be interactively using the machine. This logon type allows a unique audit record to be generated that shows when the workstation was unlocked.

dwLogonProvider
[in] Specifies the logon provider. This parameter can be one of the following values.
Value Meaning
LOGON32_PROVIDER_DEFAULT Use the standard logon provider for the system. This is the recommended value for the dwLogonProvider parameter. It provides maximum compatibility with current and future releases of Windows NT/Windows 2000.

If you do not specify a domain name, you must specify the user name in UPN format, or the default security provider is NTLM.

LOGON32_PROVIDER_WINNT50 Windows 2000: Use the Windows 2000 logon provider.
LOGON32_PROVIDER_WINNT40 Use the Windows NT 4.0 logon provider.
LOGON32_PROVIDER_WINNT35 Use the Windows NT 3.5 logon provider.

phToken
[out] Pointer to a HANDLE variable that receives a handle to a token that represents the specified user.

You can use the returned handle in calls to the ImpersonateLoggedOnUser function.

In most cases, the returned handle is a primary token that you can use in calls to the CreateProcessAsUser function. However, if you specify the LOGON32_LOGON_NETWORK flag, LogonUser returns an impersonation token that you cannot use in CreateProcessAsUser unless you call DuplicateTokenEx to convert it to a primary token.

When you no longer need this handle, close it by calling the CloseHandle function.

Return Values

If the function succeeds, the return value is nonzero.

If the function fails, the return value is zero. To get extended error information, call GetLastError.

Remarks

The LOGON32_LOGON_NETWORK logon type is the fastest, but there are two limitations. First, the function returns an impersonation token, not a primary token. You cannot use this token directly in the CreateProcessAsUser function. However, you can call the DuplicateTokenEx function to convert the token to a primary token, and then use it in CreateProcessAsUser. Second, if you convert the token to a primary token and use it in CreateProcessAsUser to start a process, the new process will not be able to access other network resources, such as remote servers or printers, through the redirector.

The process that calls LogonUser must have the SE_TCB_NAME privilege. The privilege does not need to be enabled. The LogonUser function enables the privilege as necessary. If the calling process does not have this privilege, LogonUser fails and GetLastError returns ERROR_PRIVILEGE_NOT_HELD.

In some cases, the process that calls LogonUser must also have the SE_CHANGE_NOTIFY_NAME privilege enabled; otherwise, LogonUser fails and GetLastError returns ERROR_ACCESS_DENIED. This privilege is not required for the local system account or accounts that are members of the administrators group. By default, SE_CHANGE_NOTIFY_NAME is enabled for all users, but some administrators may disable it for everyone. For more information about privileges, see Privileges.

The account being logged on, that is, the account specified by lpszUsername, must have the necessary account rights. For example, to log on a user with the LOGON32_LOGON_INTERACTIVE flag, the user (or a group to which the user belongs) must have the SE_INTERACTIVE_LOGON_NAME account right. For a list of the account rights that affect the various logon operations, see Account Rights.

A user is considered logged on as long as at least one token exists. If you call CreateProcessAsUser and then close the token, the system considers the user as still logged on until the process (and all child processes) have ended.

If the LogonUser call is successful, the system notifies network providers that the logon occurred by calling the provider's NPLogonNotify entry-point function.

Requirements

  Windows NT/2000: Requires Windows NT 3.51 or later.
  Header: Declared in Winbase.h; include Windows.h.
  Library: Use Advapi32.lib.
  Unicode: Implemented as Unicode and ANSI versions on Windows NT/2000.

See Also

Client/Server Access Control Overview, Client/Server Access Control Functions, CreateProcessAsUser, ImpersonateLoggedOnUser