Introduction
Sometimes you may want an application to verify a user's user name and password on the network or on the local machine. This is a more elegant way to handle authentication than using application-defined credentials.
Background
On Windows XP, the existing LogonUser Windows API might do just fine, but on WinNT and Win2K, your process must have the SE_TCB_NAME privilege set. To a large extent, the CCredentials class only dresses up the C code provided in KB 180548 in a more OOP style.
As a quick application for this class, I've created an AutoLogon program that sets the proper Registry entries to suppress the logon prompt after a reboot. The trick is to set the proper credentials, and the authentication process makes sure that a typo won't keep you from achieving the desired result. The code uses COM conventions and styles, but CCredentials is still a regular class.
Using the code
You need to create an instance of the class, set the domain name, user name and password, and then check the authentication result by calling CCredentials::get_IsNTAuthenticatedUser.
    CCredentials NTCrd;
    VARIANT_BOOL vbAuthenticated = VARIANT_FALSE;

    // Supply the credentials to be verified.
    NTCrd.put_NTDomain(CComBSTR(Domain));
    NTCrd.put_NTUserName(CComBSTR(UserName));
    NTCrd.put_NTPassword(CComBSTR(Password));

    // Treat both a failed call and a negative result as "not authenticated".
    if (FAILED(NTCrd.get_IsNTAuthenticatedUser(&vbAuthenticated)) ||
        vbAuthenticated == VARIANT_FALSE)
    {
        if (MessageBox(hDlg,
                "This user cannot be authenticated!\nDo you want to continue anyway?",
                "User Authentication Failed", MB_ICONERROR | MB_YESNO) == IDNO)
        {
            // User chose No: abort the operation here.
        }
    }
get_IsNTAuthenticatedUser uses APIs found in security.dll/secur32.dll that acquire, initialize, and complete the authentication for the server and the client. For more information on this topic, consult MSDN.
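The same client-and-server handshake inside one process, as an added example that is not the article's or the CCredentials class's own code: it uses .NET's NegotiateStream over a loopback socket instead of calling secur32.dll directly, and it also rejects a logon that was mapped to Guest. The names SspiLoopbackCheck and Validate are hypothetical.

```csharp
using System;
using System.IO;
using System.Net;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Authentication;
using System.Security.Principal;

static class SspiLoopbackCheck   // hypothetical name, not part of CCredentials
{
    // True only if the credentials complete a Negotiate (NTLM/Kerberos) handshake
    // against this machine and the resulting logon is not Guest or anonymous.
    public static bool Validate(string domain, string user, string password)
    {
        var listener = new TcpListener(IPAddress.Loopback, 0);   // port 0: OS picks one
        listener.Start();
        try
        {
            int port = ((IPEndPoint)listener.LocalEndpoint).Port;
            using (var clientTcp = new TcpClient())
            {
                clientTcp.Connect(IPAddress.Loopback, port);
                using (var serverTcp = listener.AcceptTcpClient())
                using (var server = new NegotiateStream(serverTcp.GetStream()))
                using (var client = new NegotiateStream(clientTcp.GetStream()))
                {
                    // Server half accepts tokens in the background while the
                    // client half drives the exchange with the supplied credentials.
                    IAsyncResult pending = server.BeginAuthenticateAsServer(null, null);
                    client.AuthenticateAsClient(new NetworkCredential(user, password, domain), "");
                    server.EndAuthenticateAsServer(pending);
                    var id = server.RemoteIdentity as WindowsIdentity;
                    // A handshake can succeed yet map the caller to Guest; reject that.
                    return server.IsAuthenticated && id != null && !id.IsGuest && !id.IsAnonymous;
                }
            }
        }
        catch (AuthenticationException) { return false; }   // authentication failed
        catch (IOException) { return false; }               // peer aborted the exchange
        finally { listener.Stop(); }
    }

    static void Main(string[] args)   // usage: SspiLoopbackCheck DOMAIN user
    {
        Console.Write("Password: ");
        bool ok = Validate(args[0], args[1], Console.ReadLine());
        Console.WriteLine(ok ? "authenticated" : "NOT authenticated");
    }
}
```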
Points of Interest
On a WinXP machine, make sure that the ForceGuest Registry value is set to 1 in the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa Registry key.
Decebal Mihailescu is a software engineer with interest in .Net, C# and C++.