0

Trying to use LogonUser() function under a service running as Local System. Has been successful in trying to authenticate users. However, when a user is in the the Protected Users group, the function fails.

HANDLE hToken = NULL;
BOOL bSuccess = LogonUser(username, domain, password, LOGON32_LOGON_NETWORK, LOGON32_PROVIDER_DEFAULT, &hToken);
if (hToken != NULL) CloseHandle(hToken);

Calling GetLastError() results in an error code of 1327. If the user is removed from the Protected Users group, then the API call succeeds.

Reading up on some of the documentation for the Protected Users group, it looks like I need to use a different method than LogonUser(). The Protected Users group is a builtin Windows security group that is more restrictive than regular domain users for security reasons. Anybody know a Windows API that would work for authentication of a user in the Protected Users group?

Joseph Willcoxson
  • 5,853
  • 1
  • 15
  • 29
  • Tried something other than LOGON32_LOGON_NETWORK? – Anders Mar 29 '22 at 01:40
  • According to the [Doc](https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/how-to-configure-protected-accounts): Members of the Protected Users group must be able to authenticate by using [Kerberos](https://learn.microsoft.com/en-us/windows-server/security/kerberos/kerberos-authentication-overview) with Advanced Encryption Standards (AES). – Jeaninez - MSFT Mar 29 '22 at 02:44

1 Answers1

0

Actually this API does work for Protected Users. The issue I had was that I was calling the API with the domain being an empty string, e.g. "". It was being called from C#...

For regular domain users, calling LogonUser with the domain being "", authenticated them just fine. However, for users in the Protected Users group, it would fail with Last Error being 1327. However, if I put the domain name in the domain parameter, it works. No need for Kerberos Authentication or anything like that.

Joseph Willcoxson
  • 5,853
  • 1
  • 15
  • 29