LogonUser + LOGON32_LOGON_NEW_CREDENTIALS, What is this flag used for?

A new flag was introduced in Windows Vista for LogonUser(): LOGON32_LOGON_NEW_CREDENTIALS.

https://msdn.microsoft.com/en-us/library/windows/desktop/aa378184(v=vs.85).aspx

The remarks say the following for this flag:

"This logon type allows the caller to clone its current token and specify new credentials for outbound connections. The new logon session has the same local identifier but uses different credentials for other network connections."

Why was this flag introduced and what is it used for?

A common scenario in Windows is needing to access secured resources on a remote system as a different user through impersonation. Some APIs you may call to access a remote Windows system include:

  • RegConnectRegistry()
  • OpenSCManager()
  • WTSOpenServer()

Impersonation becomes especially important when you are accessing a server that has no trust relationship with your system, because you cannot change the permissions on the remote secured resource to grant your own user access.

In the past, this was done by supplying alternate credentials to the IPC$ share with WNetAddConnection2(). There is an old KB article that provides background information on IPC$:

https://support.microsoft.com/en-us/kb/3034016

The IPC$ approach stopped working in Windows Vista for certain scenarios, but many developers are still unaware of the change.

Because of these limitations and the scenarios where IPC$ no longer works, Windows Vista introduced the LOGON32_LOGON_NEW_CREDENTIALS flag for LogonUser() to address the weaknesses of this common scenario.

The flag works like this: when you impersonate with a token created this way, the supplied credentials are used only for connections to remote systems; locally you keep the identity of the process. The remote system uses those credentials to build a token for the connection. Because the credentials are presented directly to the remote system, no trust relationship is required, so you can access the remote system as a different user without any trust.
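The following script is an added example, not code from the original post: it calls LogonUser() with LOGON32_LOGON_NEW_CREDENTIALS, impersonates the resulting token, and uses it for a remote registry connection (RegistryKey.OpenRemoteBaseKey is the .NET wrapper over RegConnectRegistry(), one of the APIs listed above). The server name is a placeholder, the credentials are assumed to be entered as DOMAIN\user, and the script is assumed to run on a single thread so the impersonated thread token applies to the .NET call.

```powershell
# Added example: alternate credentials for remote access only, via LOGON32_LOGON_NEW_CREDENTIALS.
$Server = 'REMOTE-SERVER'   # placeholder; replace with a real host name
$Cred   = Get-Credential -Message 'Credentials valid on the remote system (DOMAIN\user)'

Add-Type -Namespace Win32 -Name Logon -MemberDefinition @'
[DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern bool LogonUser(string user, string domain, string password,
    int logonType, int logonProvider, out IntPtr token);
[DllImport("advapi32.dll", SetLastError = true)]
public static extern bool ImpersonateLoggedOnUser(IntPtr token);
[DllImport("advapi32.dll", SetLastError = true)]
public static extern bool RevertToSelf();
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CloseHandle(IntPtr handle);
'@

$LOGON32_LOGON_NEW_CREDENTIALS = 9   # value from winbase.h
$LOGON32_PROVIDER_WINNT50      = 3   # the only provider that supports this logon type

$nc     = $Cred.GetNetworkCredential()
$domain = if ($nc.Domain) { $nc.Domain } else { $null }   # null domain => UPN form
$token  = [IntPtr]::Zero
$ok = [Win32.Logon]::LogonUser($nc.UserName, $domain, $nc.Password,
        $LOGON32_LOGON_NEW_CREDENTIALS, $LOGON32_PROVIDER_WINNT50, [ref]$token)
if (-not $ok) {
    $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
    throw "LogonUser failed: $([ComponentModel.Win32Exception]::new($err).Message)"
}

try {
    "Before impersonation : $([Security.Principal.WindowsIdentity]::GetCurrent().Name)"
    if (-not [Win32.Logon]::ImpersonateLoggedOnUser($token)) { throw 'ImpersonateLoggedOnUser failed' }

    # Same local identifier: the cloned token still carries the caller's own SID.
    "During impersonation : $([Security.Principal.WindowsIdentity]::GetCurrent().Name)"

    # Outbound connection: the remote side authenticates the new credentials, not the local ones.
    $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $Server)
    $key  = $hklm.OpenSubKey('SOFTWARE\Microsoft\Windows NT\CurrentVersion')
    "Remote ProductName   : $($key.GetValue('ProductName'))"
    $key.Close(); $hklm.Close()
}
finally {
    [void][Win32.Logon]::RevertToSelf()       # always drop the impersonation
    [void][Win32.Logon]::CloseHandle($token)  # and release the token handle
}
```

The two identity lines print the same account name, which is the point of the flag: the local token is unchanged while the remote registry connection is authenticated with the supplied credentials.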

I hope this post gives you some insight into the LOGON32_LOGON_NEW_CREDENTIALS flag.

Thanks,

Frank

Follow us on Twitter, www.twitter.com/WindowsSDK.