NT Authentication Oops..
the wikster
wik "at" rabidpenguin.org
Wed, 14 Jul 1999 16:05:18 +0000
On Wed, 14 Jul 1999, Alex Nicolaou wrote:
> "Carroll, Patrick S" wrote:
> Ok, this makes sense for some environments. In this case, though, you'd
> imagine that the VNC client would try to authenticate with your existing
> credentials and if that failed *the client* would call LogonUser to
> allow you to log into the foreign domain. As I understand the patch,
> the client is transmitting the domain/user/password trio in plaintext to
> the server so that the server can call LogonUser, which doesn't seem to
> be the right way to go about it.
>
> alex

Yes, this is currently how I am doing the authentication. This is a known
problem with authenticating non-local accounts right now, which has to do
with the NetUserGetInfo function calls that I make. Once I do a
NetGetDCInfo and get the domain controller, it should work properly.

If you wanted to use the Impersonate* functions, you need to get a HANDLE
from calling LogonUser first. :) Somewhere, you have to compare username,
password and domain information against something and make sure the VNC
server has a non-forgeable notification of a successful authentication
(assuming it happened client-side).

You are also assuming that the client can authenticate with the primary
domain controller or server machine, which may not be the case.

Jared Smolens
/''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''\
| Jared Smolens Electrical and Computer Engineering |
| www.rabidpenguin.org Carnegie Mellon University |
| jsmolens+ "at" andrew.cmu.edu Pittsburgh, PA |
| "Counting in binary is just like decimal if you're all thumbs" |
\,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,/
---------------------------------------------------------------------
The VNC mailing list - see http://www.uk.research.att.com/vnc/intouch.html
---------------------------------------------------------------------