Accessing resources between non-trusted domains

microsoft.public.windows.server.security - Supporting MS Windows network? Read here before it's too late! 

Subject Author Date Accessing resources between non-trusted domains dnebeker 09-12-2006  Re: Accessing resources between non-trusted domain... Patrick Sterank... 09-12-2006  Re: Accessing resources between non-trusted domain... dne 09-12-2006  Re: Accessing resources between non-trusted domain... Patrick Sterank... 09-12-2006  Re: Accessing resources between non-trusted domain... dne 09-13-2006

Posted by dnebeker on September 12, 2006, 9:53 am Please log in for more thread options I'm trying to get my head around this but am having trouble (if you can suggest good Google keywords, I'll be happy to go search further). I have machine1 in domainA. It needs to read the event log of machine2 in domainB. There is no trust relationship between the domains. I've figured out that I could have two local machine accounts on the two machines that have identical username and passwords, and this seems to work. However, I'd like to some how have machine1 impersonate a user in domainB and make the request. I thought I could use the LogonUser and ImpersonateUser API's, but LogonUser won't work since machine1 doesn't know about domainB users. I was about to give up hope, but someone showed me that from machine1 they can use Explorer and open a UNC path to machine2. They get prompted for credentials, enter a domainB account, and get in. How did that work??? What APIs were involved? Thanks for any hints you can send my way. Posted by Patrick Steranka on September 12, 2006, 12:00 pm Please log in for more thread options You can use: Step 1: Login to domain 1, and open cmd prompt. Step 2: Logon to domain 2 as an "admin" (as follows) net use \domain2\host-on-you-want-to-access /user:DOMAIN2\administrator # NOTE: You'll be prompted to enter a password here. If you wanted you # could put the password on the above line Step 3: Now that your authenticated on the remote machine, you'll be able to access it's event log. I believe. HTH, Patrick dnebeker@nospam.nospam says... show/hide quoted text > I'm trying to get my head around this but am having trouble (if you can > suggest good Google keywords, I'll be happy to go search further). > > I have machine1 in domainA. It needs to read the event log of machine2 in > domainB. There is no trust relationship between the domains. I've figured > out that I could have two local machine accounts on the two machines that > have identical username and passwords, and this seems to work. > > However, I'd like to some how have machine1 impersonate a user in domainB > and make the request. I thought I could use the LogonUser and > ImpersonateUser API's, but LogonUser won't work since machine1 doesn't know > about domainB users. > > I was about to give up hope, but someone showed me that from machine1 they > can use Explorer and open a UNC path to machine2. They get prompted for > credentials, enter a domainB account, and get in. How did that work??? What > APIs were involved? > > Thanks for any hints you can send my way. > > > Posted by dnebeker on September 12, 2006, 2:43 pm Please log in for more thread options Thanks Patrick. So it definitely works. Does anyone have any idea how this is happening under the covers (ie, what API calls enable this)? I need to write a program that can get to server2. I can accept credentials from the user for domainB, but I'm not sure how to use them (LogonUser doesn't seem to work). Thanks for any ideas. "Patrick Steranka" wrote: show/hide quoted text > You can use: > > Step 1: Login to domain 1, and open cmd prompt. > Step 2: Logon to domain 2 as an "admin" (as follows) > > net use \domain2\host-on-you-want-to-access /user:DOMAIN2\administrator > # NOTE: You'll be prompted to enter a password here. If you wanted you > # could put the password on the above line > > Step 3: Now that your authenticated on the remote machine, you'll be able > to access it's event log. I believe. > > HTH, > Patrick > > dnebeker@nospam.nospam says... show/hide quoted text > > I'm trying to get my head around this but am having trouble (if you can > > suggest good Google keywords, I'll be happy to go search further). > > > > I have machine1 in domainA. It needs to read the event log of machine2 in > > domainB. There is no trust relationship between the domains. I've figured > > out that I could have two local machine accounts on the two machines that > > have identical username and passwords, and this seems to work. > > > > However, I'd like to some how have machine1 impersonate a user in domainB > > and make the request. I thought I could use the LogonUser and > > ImpersonateUser API's, but LogonUser won't work since machine1 doesn't know > > about domainB users. > > > > I was about to give up hope, but someone showed me that from machine1 they > > can use Explorer and open a UNC path to machine2. They get prompted for > > credentials, enter a domainB account, and get in. How did that work??? What show/hide quoted text > > APIs were involved? > > > > Thanks for any hints you can send my way. > > > > > > > Posted by Patrick Steranka on September 12, 2006, 4:35 pm Please log in for more thread options There a few different APIs depending on what level your coming from: (1) COM, (2) .NET, (3) C++/Operating System I believe they all end up calling the OS calls. There's a book called "Programming Windows Security" by Keith Brown (See http://www.amazon.com/Programming-Windows-Security-Keith-Brown/dp/0201604426/sr=1-1/qid=1158092967/ref=pd_bbs_ 1/103-6512632-1471008?ie=UTF8&s=books) (NOTE: URL may have wrapped) that contains a wealth of information. Pg 95 in the book has a section titled Creating new Logon Sessions that probably has what you need. It refers to LogonUser (See URL http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secauthn/security/logonuser.asp) (NOTE: URL may have wrapped) I haven't ever done this but I've read about it. HTH, and good luck with it, Patrick dnebeker@nospam.nospam says... show/hide quoted text > Thanks Patrick. So it definitely works. > > Does anyone have any idea how this is happening under the covers (ie, what > API calls enable this)? I need to write a program that can get to server2. > I can accept credentials from the user for domainB, but I'm not sure how to > use them (LogonUser doesn't seem to work). > > Thanks for any ideas. > > "Patrick Steranka" wrote: > > > You can use: > > > > Step 1: Login to domain 1, and open cmd prompt. > > Step 2: Logon to domain 2 as an "admin" (as follows) > > > > net use \domain2\host-on-you-want-to-access /user:DOMAIN2\administrator > > # NOTE: You'll be prompted to enter a password here. If you wanted you > > # could put the password on the above line > > > > Step 3: Now that your authenticated on the remote machine, you'll be able > > to access it's event log. I believe. > > > > HTH, > > Patrick > > > > dnebeker@nospam.nospam says... show/hide quoted text > > > I'm trying to get my head around this but am having trouble (if you can > > > suggest good Google keywords, I'll be happy to go search further). > > > > > > I have machine1 in domainA. It needs to read the event log of machine2 in > > > domainB. There is no trust relationship between the domains. I've figured show/hide quoted text > > > out that I could have two local machine accounts on the two machines that > > > have identical username and passwords, and this seems to work. > > > > > > However, I'd like to some how have machine1 impersonate a user in domainB > > > and make the request. I thought I could use the LogonUser and > > > ImpersonateUser API's, but LogonUser won't work since machine1 doesn't know show/hide quoted text > > > about domainB users. > > > > > > I was about to give up hope, but someone showed me that from machine1 they > > > can use Explorer and open a UNC path to machine2. They get prompted for > > > credentials, enter a domainB account, and get in. How did that work??? What show/hide quoted text > > > APIs were involved? > > > > > > Thanks for any hints you can send my way. > > > > > > > > > > > > Posted by dnebeker on September 13, 2006, 9:58 am Please log in for more thread options I'll post the answer for any that come after: WNetAddConnection2 (as simple as that!) "Patrick Steranka" wrote: show/hide quoted text > There a few different APIs depending on what level your coming from: > (1) COM, (2) .NET, (3) C++/Operating System > > I believe they all end up calling the OS calls. There's a book called > "Programming Windows Security" by Keith Brown > > (See http://www.amazon.com/Programming-Windows-Security-Keith-Brown/dp/0201604426/sr=1-1/qid=1158092967/ref=pd_bbs_ show/hide quoted text > 1/103-6512632-1471008?ie=UTF8&s=books) > (NOTE: URL may have wrapped) > > that contains a wealth of information. Pg 95 in the book has a section titled > Creating new Logon Sessions that probably has what you need. > It refers to LogonUser > > (See URL http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secauthn/security/logonuser.asp) show/hide quoted text > (NOTE: URL may have wrapped) > > I haven't ever done this but I've read about it. > > HTH, and good luck with it, > Patrick > > dnebeker@nospam.nospam says... show/hide quoted text > > Thanks Patrick. So it definitely works. > > > > Does anyone have any idea how this is happening under the covers (ie, what > > API calls enable this)? I need to write a program that can get to server2. show/hide quoted text > > I can accept credentials from the user for domainB, but I'm not sure how to > > use them (LogonUser doesn't seem to work). > > > > Thanks for any ideas. > > > > "Patrick Steranka" wrote: > > > > > You can use: > > > > > > Step 1: Login to domain 1, and open cmd prompt. > > > Step 2: Logon to domain 2 as an "admin" (as follows) > > > > > > net use \domain2\host-on-you-want-to-access /user:DOMAIN2\administrator show/hide quoted text > > > # NOTE: You'll be prompted to enter a password here. If you wanted you > > > # could put the password on the above line > > > > > > Step 3: Now that your authenticated on the remote machine, you'll be able > > > to access it's event log. I believe. > > > > > > HTH, > > > Patrick > > > > > > dnebeker@nospam.nospam says... show/hide quoted text > > > > I'm trying to get my head around this but am having trouble (if you can > > > > suggest good Google keywords, I'll be happy to go search further). > > > > > > > > I have machine1 in domainA. It needs to read the event log of machine2 in show/hide quoted text > > > > domainB. There is no trust relationship between the domains. I've figured show/hide quoted text > > > > out that I could have two local machine accounts on the two machines that show/hide quoted text > > > > have identical username and passwords, and this seems to work. > > > > > > > > However, I'd like to some how have machine1 impersonate a user in domainB show/hide quoted text > > > > and make the request. I thought I could use the LogonUser and > > > > ImpersonateUser API's, but LogonUser won't work since machine1 doesn't know show/hide quoted text > > > > about domainB users. > > > > > > > > I was about to give up hope, but someone showed me that from machine1 they show/hide quoted text > > > > can use Explorer and open a UNC path to machine2. They get prompted for > > > > credentials, enter a domainB account, and get in. How did that work??? What show/hide quoted text > > > > APIs were involved? > > > > > > > > Thanks for any hints you can send my way. > > > > > > > > > > > > > > > > > > Similar Threads Posted ABE not hiding resources April 23, 2006, 7:35 am What is set different so that on some PCs I can see the shared resources and others not? December 23, 2009, 11:10 am Cannot access Resources from a Win98 ClientPC June 28, 2005, 4:53 pm Find Huge MCSE resources... June 26, 2007, 6:40 am Authenticated users can't access domain resources... June 21, 2005, 10:05 am Global Groups and What Resources they Give access to December 3, 2008, 4:00 pm Authentication Across Domains using IIS July 29, 2005, 6:47 am Net send over different domains November 21, 2008, 7:50 am authenticating users from different domains January 19, 2006, 6:35 pm Questions about using IPsec across domains February 25, 2008, 5:47 pm