4

I am trying to use this code to logon to a restricted network share (with windows server 2012 on the head node) from my local machine (windows 8.1), and I can't seem to get it to work.

Both machines are on the same domain (verified), the account I am using is an adminstrator on my local machine, and the account I am trying to impersonate has admin rights on the machine hosting the share. I can mount the share using the credentials just fine.

But when I run this line of code:

bool returnValue = LogonUser(userName, domainName, password, LOGON32_LOGON_INTERACTIVE, LOGON32_PROVIDER_DEFAULT, out safeTokenHandle);

I get the following error: The trust relationship between this workstation and the primary domain failed NativeErrorCode 1798.

This seems to occur regardless of what credentials I use- it happens if I use my own (which I know are good!).

I can't seem to find a solution for this- the docs I find are for a different use case (I think), and involve removing a machine (which one?) from the domain and rejoining.

Any suggestions on how to debug this? Solutions? Suggestions?

Community
  • 1
  • 1
Nicros
  • 5,031
  • 12
  • 57
  • 101
  • Hi, Can u access a share or resource on the target machine with RUNAS using an account that has rights on the target ? and they have the same FQDN and the SPN is the same in AD? – fuzzybear Jul 07 '14 at 23:35
  • @saj Yep and yep. I'm thinking it doesn't have anything really to do with the machine I'm trying to access- just trying to retrieve that token fails with several known good credentials. – Nicros Jul 07 '14 at 23:38

1 Answers1

4

So I found the answer. LOGON32_LOGON_INTERACTIVE is not right. LOGON32_LOGON_NEW_CREDENTIALS is what to use.

On this page they describe what the variables are, but not the values. You need to actually go look at the #define in winbase.h (I found a version here) that shows the values for those variables. In this case, you need to use a logon type value of 9 instead of 2. In C# land, it's just a bit more work, but... it works :)

Nicros
  • 5,031
  • 12
  • 57
  • 101
  • Sincere thanks for this, since it's the only way I can get my (just under) 800 regression and unit tests to run under Windows 8.1. I wonder how long it will take the Microsoft (air quotes) security experts (end air quotes) to scream about "security holes!" and stop us from using this. As a developer I'm really getting sick and tired of MS kicking me in the nuts every other week... – jerhewet Mar 27 '15 at 21:58
  • you rock! thanks my CI server was down because of this. – Mihai Jul 31 '15 at 09:19