NT domain authentication for WinVNC?
the wikster
wik "at" rabidpenguin.org
Sun, 11 Jul 1999 22:18:46 +0000
I tried the LogonUser() function and it seemed to be limited to programs
which had a specific security token already. If I recall correctly, it
gave me an error with not having all of the correct security "privileges"
to do the logon operation. I would prefer to use this function and throw
away the logon token which it returns, but that's conditional on finding
out how to get it to work. :) I'm going to play around with it some more.

As far as the password history and "user not allowed to change password",
I think I have those errors squared away, though I'd appreciate it if
somebody could double check that.

Currently I check membership with NetUserGetInfo() and allow only
administrators and users (not guests) to authenticate. With the right
registry key, only administrators may authenticate (I think I named it
HKEY_LOCAL_USER\SOFTWARE\ORL\WinVNC3\AllowAdminsOnly as DWORD). As long
as you don't ask for certain "levels" of information, any program can use
this function.
-- Jared Smolens
/''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''\
| Jared Smolens Electrical and Computer Engineering |
| www.rabidpenguin.org Carnegie Mellon University |
| jsmolens+ "at" andrew.cmu.edu Pittsburgh, PA |
| "Counting in binary is just like decimal if you're all thumbs" |
\,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,/
On Sun, 11 Jul 1999, James Nelson wrote:
> OK, first, let me say I am much impressed, and very appreciative of all the
> responses.
>
> This patch sounds great---I'll be testing it out tomorrow. As for what API
> to use for authentication: The problems I would see in using the change
> password function would be limited to domains where password policies might
> be fairly strict. A policy that requires password uniqueness is one example.
> Another call you could try is LogonUser. It should return a false value if
> the username/password/domain troika failed.
>
> As an adjunct to this (based on another response), you could check a local
> (or global) group for access rights, say with NetUserGetGroups. I found one
> example here:
>
> http://mvps.org/win32/network/nugg.cpp
>
> Not sure what security context a process has to be in to call this. And
> there are probably more elegant ways of checking group membership for a
> user.
>
> Thanks,
>
> James Nelson...
---------------------------------------------------------------------
The VNC mailing list - see http://www.uk.research.att.com/vnc/intouch.html
---------------------------------------------------------------------