Discussion:
LogonUser
(too old to reply)
Gabi
2004-06-28 10:14:01 UTC
Permalink
Hi all,
im trying to use LogonUser as:

SuFail = LogonUser("39664",
"domainname",
"passwd",
LOGON32_LOGON_INTERACTIVE,
LOGON32_PROVIDER_DEFAULT,
&HToken);

all the time i got the following error 0x522
"A required privilege is not held by the client."

im logging to myself and im sure i have all the privalage.

what can be the reason???
if you have your example ill be glad to see it.

Thanks
Arnaud Debaene
2004-06-28 11:49:17 UTC
Permalink
Post by Gabi
Hi all,
SuFail = LogonUser("39664",
"domainname",
"passwd",
LOGON32_LOGON_INTERACTIVE,
LOGON32_PROVIDER_DEFAULT,
&HToken);
all the time i got the following error 0x522
"A required privilege is not held by the client."
im logging to myself and im sure i have all the privalage.
what can be the reason???
From MSDN documentation on LogonUser :
Windows 2000: The process calling LogonUser requires the SE_TCB_NAME
privilege. If the calling process does not have this privilege, LogonUser
fails and GetLastError returns ERROR_PRIVILEGE_NOT_HELD.

Arnaud
MVP - VC
Gabi
2004-06-28 12:31:01 UTC
Permalink
Hello Arnaud,
Thanks for you answer.
this is really my problem how can i change a privilage to
my calling process.(programically )

Thanks
Post by Arnaud Debaene
Post by Gabi
Hi all,
SuFail = LogonUser("39664",
"domainname",
"passwd",
LOGON32_LOGON_INTERACTIVE,
LOGON32_PROVIDER_DEFAULT,
&HToken);
all the time i got the following error 0x522
"A required privilege is not held by the client."
im logging to myself and im sure i have all the privalage.
what can be the reason???
Windows 2000: The process calling LogonUser requires the SE_TCB_NAME
privilege. If the calling process does not have this privilege, LogonUser
fails and GetLastError returns ERROR_PRIVILEGE_NOT_HELD.
Arnaud
MVP - VC
CheckAbdoul
2004-06-28 14:00:08 UTC
Permalink
Take a look at the SetCurrentPrivilege() function mentioned in the
following link

http://win32.mvps.org/processes/rb.c
--
Cheers
Check Abdoul [VC++ MVP]
-----------------------------------
Post by Gabi
Hello Arnaud,
Thanks for you answer.
this is really my problem how can i change a privilage to
my calling process.(programically )
Thanks
Post by Arnaud Debaene
Post by Gabi
Hi all,
SuFail = LogonUser("39664",
"domainname",
"passwd",
LOGON32_LOGON_INTERACTIVE,
LOGON32_PROVIDER_DEFAULT,
&HToken);
all the time i got the following error 0x522
"A required privilege is not held by the client."
im logging to myself and im sure i have all the privalage.
what can be the reason???
Windows 2000: The process calling LogonUser requires the SE_TCB_NAME
privilege. If the calling process does not have this privilege, LogonUser
fails and GetLastError returns ERROR_PRIVILEGE_NOT_HELD.
Arnaud
MVP - VC
Arnaud Debaene
2004-06-28 14:15:49 UTC
Permalink
Post by Gabi
Hello Arnaud,
Thanks for you answer.
this is really my problem how can i change a privilage to
my calling process.(programically )
Have you looked at the documentation I quoted? There is an hyperlink to a
"Privileges" page where everything is explained. See AdjustTokenPrivileges,
PrivilegeCheck; etc...

Arnaud
MVP - VC
William DePalo [MVP VC++]
2004-06-29 05:04:51 UTC
Permalink
Post by Gabi
Thanks for you answer.
this is really my problem how can i change a privilage to
my calling process.(programically )
The answer depends on what you want to do. Short answer: chances are that
you can not grant yourself a privilege that you don't hold.

Note that in Win32, privileges are associated with "principals", i.e. users.
Threads run in the context of principals. A thread can do what the
associated principal can do. This is different than in some other
environments where (access) checks are made based on stretches of code which
are secured or not. In Win32, it is the user context, not the code which is
all important,

Note that a principal may hold a privilege or not. Note too, that privileges
would be damned near meaningless if every principal could grant itself a
privilege which it does not hold.

In addition, as an extra sanity (my word) check, though NOT security check,
sometimes you will find that privileges are granted but not enabled. Some
Win32 functions not only check that a privilege is granted but ALSO check
that they are enabled. Where they are granted but not enabled, some
functions fail.

In this case you are at perfect liberty to enable a disabled privilege which
has been granted to you. But in general, you can't just grant yourself new
privileges. The user accounts that can do that are usually few and far
between. Where they are not, the administrator is asleep at the wheel. :-)

You, are your system administrator, will have to determine whether the user
in whose context you run LogonUser() has the SE_TCB_NAME privilege.

Usually, it is the LocalSystem account that can do LogonUser() "out of the
box". Services (which by the way must be installed by administrators) by
default run as LocalSystem. It is often a good idea to limit calls to
LogonUser() to services running as LocalSystem. If you can't do that you
might want to read this link for an alternate solution to the same problem:

http://support.microsoft.com/?id=180548

Regards,
Will

P.S. Please post follow-up in the kernel group
Gabi
2004-06-29 07:33:01 UTC
Permalink
Wiiliam,
someone recommend me to use the pview.exe application.
i saw on the pview on Token-->process-->privileges
i dont have the option to put "SeTcbPrivilege" (SE_TCS_NAME).
is that mean i havn't activate it or i have to make another step that i missed???

Thanks for advance
Gabi
Post by William DePalo [MVP VC++]
Post by Gabi
Thanks for you answer.
this is really my problem how can i change a privilage to
my calling process.(programically )
The answer depends on what you want to do. Short answer: chances are that
you can not grant yourself a privilege that you don't hold.
Note that in Win32, privileges are associated with "principals", i.e. users.
Threads run in the context of principals. A thread can do what the
associated principal can do. This is different than in some other
environments where (access) checks are made based on stretches of code which
are secured or not. In Win32, it is the user context, not the code which is
all important,
Note that a principal may hold a privilege or not. Note too, that privileges
would be damned near meaningless if every principal could grant itself a
privilege which it does not hold.
In addition, as an extra sanity (my word) check, though NOT security check,
sometimes you will find that privileges are granted but not enabled. Some
Win32 functions not only check that a privilege is granted but ALSO check
that they are enabled. Where they are granted but not enabled, some
functions fail.
In this case you are at perfect liberty to enable a disabled privilege which
has been granted to you. But in general, you can't just grant yourself new
privileges. The user accounts that can do that are usually few and far
between. Where they are not, the administrator is asleep at the wheel. :-)
You, are your system administrator, will have to determine whether the user
in whose context you run LogonUser() has the SE_TCB_NAME privilege.
Usually, it is the LocalSystem account that can do LogonUser() "out of the
box". Services (which by the way must be installed by administrators) by
default run as LocalSystem. It is often a good idea to limit calls to
LogonUser() to services running as LocalSystem. If you can't do that you
http://support.microsoft.com/?id=180548
Regards,
Will
P.S. Please post follow-up in the kernel group
Gabi
2004-06-29 07:51:02 UTC
Permalink
by the way
on win xp i dont have any problem to LogonUser()
and im working on win2K

Thanks
Post by Gabi
Wiiliam,
someone recommend me to use the pview.exe application.
i saw on the pview on Token-->process-->privileges
i dont have the option to put "SeTcbPrivilege" (SE_TCS_NAME).
is that mean i havn't activate it or i have to make another step that i missed???
Thanks for advance
Gabi
Post by William DePalo [MVP VC++]
Post by Gabi
Thanks for you answer.
this is really my problem how can i change a privilage to
my calling process.(programically )
The answer depends on what you want to do. Short answer: chances are that
you can not grant yourself a privilege that you don't hold.
Note that in Win32, privileges are associated with "principals", i.e. users.
Threads run in the context of principals. A thread can do what the
associated principal can do. This is different than in some other
environments where (access) checks are made based on stretches of code which
are secured or not. In Win32, it is the user context, not the code which is
all important,
Note that a principal may hold a privilege or not. Note too, that privileges
would be damned near meaningless if every principal could grant itself a
privilege which it does not hold.
In addition, as an extra sanity (my word) check, though NOT security check,
sometimes you will find that privileges are granted but not enabled. Some
Win32 functions not only check that a privilege is granted but ALSO check
that they are enabled. Where they are granted but not enabled, some
functions fail.
In this case you are at perfect liberty to enable a disabled privilege which
has been granted to you. But in general, you can't just grant yourself new
privileges. The user accounts that can do that are usually few and far
between. Where they are not, the administrator is asleep at the wheel. :-)
You, are your system administrator, will have to determine whether the user
in whose context you run LogonUser() has the SE_TCB_NAME privilege.
Usually, it is the LocalSystem account that can do LogonUser() "out of the
box". Services (which by the way must be installed by administrators) by
default run as LocalSystem. It is often a good idea to limit calls to
LogonUser() to services running as LocalSystem. If you can't do that you
http://support.microsoft.com/?id=180548
Regards,
Will
P.S. Please post follow-up in the kernel group
William DePalo [MVP VC++]
2004-06-29 16:14:55 UTC
Permalink
Post by Gabi
i dont have the option to put "SeTcbPrivilege" (SE_TCS_NAME).
As well you should not. If you were able to give yourself every privilege
under the sun then what kind of security would there be?

Did you follow the link that I posted?

Regards,
Will
Gabi
2004-06-30 05:11:01 UTC
Permalink
Hello william,
i found my problem .
and the problem was that i add myself under administartor and
logonuser working smooth.
Thanks allot
Post by William DePalo [MVP VC++]
Post by Gabi
i dont have the option to put "SeTcbPrivilege" (SE_TCS_NAME).
As well you should not. If you were able to give yourself every privilege
under the sun then what kind of security would there be?
Did you follow the link that I posted?
Regards,
Will
Arnaud Debaene
2004-06-28 15:52:02 UTC
Permalink
Post by Gabi
Hi all,
if (!OpenProcessToken(GetCurrentProcess(),
TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken))
cout << "OpenProcessToken failed." << endl;
GG = SetPrivilege(
hToken, // access token handle
lpszPrivilege, // name of privilege to enable/disable
bEnablePrivilege // to enable or disable privilege
) ;
What is this "SetPrivilege"? It is not part of the Win32 API. What is the
value of lpszPriviliege?
Post by Gabi
where can find those privilages on my machine.
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/security/security/authorization_constants.asp +
LookupPrivilegeValues.

Arnaud
MVP - VC
Gabi
2004-06-29 05:41:01 UTC
Permalink
Hello ARnaud

main(...)
{
if (!OpenProcessToken(GetCurrentProcess(),
TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken))
cout << "OpenProcessToken failed." << endl;

GG = SetPrivilege(
hToken, // access token handle
lpszPrivilege, // name of privilege to enable/disable
bEnablePrivilege // to enable or disable privilege
) ;

SuFail = LogonUser("39664",
"domain",
"passwd",
LOGON32_LOGON_INTERACTIVE,
LOGON32_PROVIDER_DEFAULT,
&HToken);
}

SetPrivilege(HANDLE hToken,
LPCTSTR lpszPrivilege,
BOOL bEnablePrivilege )
{
TOKEN_PRIVILEGES tp;
LUID luid;

if ( !LookupPrivilegeValue(
NULL, // lookup privilege on local system
lpszPrivilege, // privilege to lookup
&luid ) ) // receives LUID of privilege
{
printf("LookupPrivilegeValue error: %u\n", GetLastError() );
return FALSE;
}

tp.PrivilegeCount = 1;
tp.Privileges[0].Luid = luid;
if (bEnablePrivilege)
tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
else
tp.Privileges[0].Attributes = 0;

// Enable the privilege or disable all privileges.

if ( !AdjustTokenPrivileges(
hToken,
FALSE,
&tp,
sizeof(TOKEN_PRIVILEGES),
(PTOKEN_PRIVILEGES) NULL,
(PDWORD) NULL) )
{
printf("AdjustTokenPrivileges error: %u\n", GetLastError() );
return FALSE;
}

return TRUE;
}

*******************
And evrything working fine until im calling LogonUser(...)
than im always fail and get the ususal error
"A required privilege is not held by the client. "

what im missing???
sorry that i botter you
thanks
Post by Arnaud Debaene
Post by Gabi
Hi all,
if (!OpenProcessToken(GetCurrentProcess(),
TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken))
cout << "OpenProcessToken failed." << endl;
GG = SetPrivilege(
hToken, // access token handle
lpszPrivilege, // name of privilege to enable/disable
bEnablePrivilege // to enable or disable privilege
) ;
What is this "SetPrivilege"? It is not part of the Win32 API. What is the
value of lpszPriviliege?
Post by Gabi
where can find those privilages on my machine.
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/security/security/authorization_constants.asp +
LookupPrivilegeValues.
Arnaud
MVP - VC
Arnaud Debaene
2004-06-29 09:01:13 UTC
Permalink
Post by Gabi
Hello ARnaud
main(...)
{
if (!OpenProcessToken(GetCurrentProcess(),
TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken))
cout << "OpenProcessToken failed." << endl;
GG = SetPrivilege(
hToken, // access token handle
lpszPrivilege, // name of privilege to enable/disable
bEnablePrivilege // to enable or disable privilege
) ;
You still haven't said us what is the value of lpszPrivilege

As Will has explained, you may not have the SE_TCB_NAME privilege on the
acount under which your code run. In such a case, only the administrator can
grant you this privilege (using LsaAddAccountRights and co), but it is a bad
idea for security reasons.
Why do you need LogonUser exaclty? An alternative may be to call LogonUser
with dwLogonType=LOGON32_LOGON_NETWORK, which doesn't require SE_TCB_NAME.

Arnaud
MVP - VC
Gabi
2004-06-29 09:23:01 UTC
Permalink
sorry

GG = SetPrivilege(hToken, // access token handle
SE_TCB_NAME, // name of privilege to enable/disable
bEnablePrivilege // to enable or disable privilege
) ;

and i receive pszPrivilege = SetTcbPrivilege
Post by Arnaud Debaene
Post by Gabi
Hello ARnaud
main(...)
{
if (!OpenProcessToken(GetCurrentProcess(),
TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken))
cout << "OpenProcessToken failed." << endl;
GG = SetPrivilege(
hToken, // access token handle
lpszPrivilege, // name of privilege to enable/disable
bEnablePrivilege // to enable or disable privilege
) ;
You still haven't said us what is the value of lpszPrivilege
As Will has explained, you may not have the SE_TCB_NAME privilege on the
acount under which your code run. In such a case, only the administrator can
grant you this privilege (using LsaAddAccountRights and co), but it is a bad
idea for security reasons.
Why do you need LogonUser exaclty? An alternative may be to call LogonUser
with dwLogonType=LOGON32_LOGON_NETWORK, which doesn't require SE_TCB_NAME.
Arnaud
MVP - VC
Continue reading on narkive:
Loading...