microsoft.public.windows.server.security - Supporting MS Windows network? Read here before it's too late!
Posted by dnebeker on September 12, 2006, 9:53 am
I'm trying to get my head around this but am having trouble (if you can
suggest good Google keywords, I'll be happy to go search further).
I have machine1 in domainA. It needs to read the event log of machine2 in
domainB. There is no trust relationship between the domains. I've figured
out that I could have two local machine accounts on the two machines that
have identical username and passwords, and this seems to work.
However, I'd like to somehow have machine1 impersonate a user in domainB
and make the request. I thought I could use the LogonUser and
ImpersonateUser APIs, but LogonUser won't work since machine1 doesn't know
about domainB users.
I was about to give up hope, but someone showed me that from machine1 they
can use Explorer and open a UNC path to machine2. They get prompted for
credentials, enter a domainB account, and get in. How did that work??? What
APIs were involved?
Thanks for any hints you can send my way.
Posted by Patrick Steranka on September 12, 2006, 12:00 pm
You can use:
Step 1: Login to domain 1, and open cmd prompt.
Step 2: Logon to domain 2 as an "admin" (as follows)
net use \\domain2\host-on-you-want-to-access /user:DOMAIN2\administrator
# NOTE: You'll be prompted to enter a password here. If you wanted you
# could put the password on the above line
Step 3: Now that you're authenticated on the remote machine, you'll be able
to access its event log. I believe.
HTH,
Patrick
dnebeker@nospam.nospam says...
> I'm trying to get my head around this but am having trouble (if you can
> suggest good Google keywords, I'll be happy to go search further).
>
> I have machine1 in domainA. It needs to read the event log of machine2 in
> domainB. There is no trust relationship between the domains. I've figured
> out that I could have two local machine accounts on the two machines that
> have identical username and passwords, and this seems to work.
>
> However, I'd like to somehow have machine1 impersonate a user in domainB
> and make the request. I thought I could use the LogonUser and
> ImpersonateUser APIs, but LogonUser won't work since machine1 doesn't know
> about domainB users.
>
> I was about to give up hope, but someone showed me that from machine1 they
> can use Explorer and open a UNC path to machine2. They get prompted for
> credentials, enter a domainB account, and get in. How did that work??? What
> APIs were involved?
>
> Thanks for any hints you can send my way.
>
>
>
Posted by dnebeker on September 12, 2006, 2:43 pm
Thanks Patrick. So it definitely works.
Does anyone have any idea how this is happening under the covers (i.e., what
API calls enable this)? I need to write a program that can get to server2.
I can accept credentials from the user for domainB, but I'm not sure how to
use them (LogonUser doesn't seem to work).
Thanks for any ideas.
"Patrick Steranka" wrote:
> You can use:
>
> Step 1: Login to domain 1, and open cmd prompt.
> Step 2: Logon to domain 2 as an "admin" (as follows)
>
> net use \\domain2\host-on-you-want-to-access /user:DOMAIN2\administrator
> # NOTE: You'll be prompted to enter a password here. If you wanted you
> # could put the password on the above line
>
> Step 3: Now that you're authenticated on the remote machine, you'll be able
> to access its event log. I believe.
>
> HTH,
> Patrick
>
>
dnebeker@nospam.nospam says...
> > I'm trying to get my head around this but am having trouble (if you can
> > suggest good Google keywords, I'll be happy to go search further).
> >
> > I have machine1 in domainA. It needs to read the event log of machine2 in
> > domainB. There is no trust relationship between the domains. I've figured
> > out that I could have two local machine accounts on the two machines that
> > have identical username and passwords, and this seems to work.
> >
> > However, I'd like to somehow have machine1 impersonate a user in domainB
> > and make the request. I thought I could use the LogonUser and
> > ImpersonateUser APIs, but LogonUser won't work since machine1 doesn't know
> > about domainB users.
> >
> > I was about to give up hope, but someone showed me that from machine1 they
> > can use Explorer and open a UNC path to machine2. They get prompted for
> > credentials, enter a domainB account, and get in. How did that work??? What
> > APIs were involved?
> >
> > Thanks for any hints you can send my way.
> >
> >
> >
>
Posted by Patrick Steranka on September 12, 2006, 4:35 pm
There are a few different APIs depending on what level you're coming from:
(1) COM, (2) .NET, (3) C++/Operating System
I believe they all end up calling the OS calls. There's a book called
"Programming Windows Security" by Keith Brown
(See Amazon.com product link, shortened; URL may have wrapped)
that contains a wealth of information. Pg 95 in the book has a section titled
Creating new Logon Sessions that probably has what you need.
It refers to LogonUser
(See URL
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secauthn/security/logonuser.asp)
(NOTE: URL may have wrapped)
I haven't ever done this but I've read about it.
HTH, and good luck with it,
Patrick
dnebeker@nospam.nospam says...
> Thanks Patrick. So it definitely works.
>
> Does anyone have any idea how this is happening under the covers (i.e., what
> API calls enable this)? I need to write a program that can get to server2.
> I can accept credentials from the user for domainB, but I'm not sure how to
> use them (LogonUser doesn't seem to work).
>
> Thanks for any ideas.
>
> "Patrick Steranka" wrote:
>
> > You can use:
> >
> > Step 1: Login to domain 1, and open cmd prompt.
> > Step 2: Logon to domain 2 as an "admin" (as follows)
> >
> > net use \\domain2\host-on-you-want-to-access /user:DOMAIN2\administrator
> > # NOTE: You'll be prompted to enter a password here. If you wanted you
> > # could put the password on the above line
> >
> > Step 3: Now that you're authenticated on the remote machine, you'll be able
> > to access its event log. I believe.
> >
> > HTH,
> > Patrick
> >
> >
dnebeker@nospam.nospam says...
> > > I'm trying to get my head around this but am having trouble (if you can
> > > suggest good Google keywords, I'll be happy to go search further).
> > >
> > > I have machine1 in domainA. It needs to read the event log of machine2 in
> > > domainB. There is no trust relationship between the domains. I've figured
> > > out that I could have two local machine accounts on the two machines that
> > > have identical username and passwords, and this seems to work.
> > >
> > > However, I'd like to somehow have machine1 impersonate a user in domainB
> > > and make the request. I thought I could use the LogonUser and
> > > ImpersonateUser APIs, but LogonUser won't work since machine1 doesn't know
> > > about domainB users.
> > >
> > > I was about to give up hope, but someone showed me that from machine1 they
> > > can use Explorer and open a UNC path to machine2. They get prompted for
> > > credentials, enter a domainB account, and get in. How did that work??? What
> > > APIs were involved?
> > >
> > > Thanks for any hints you can send my way.
> > >
> > >
> > >
> >
>
Posted by dnebeker on September 13, 2006, 9:58 am
I'll post the answer for any that come after: WNetAddConnection2 (as simple
as that!)
"Patrick Steranka" wrote:
> > I can accept credentials from the user for domainB, but I'm not sure how to
> > use them (LogonUser doesn't seem to work).
> >
> > Thanks for any ideas.
> >
> > "Patrick Steranka" wrote:
> >
> > > You can use:
> > >
> > > Step 1: Login to domain 1, and open cmd prompt.
> > > Step 2: Logon to domain 2 as an "admin" (as follows)
> > >
> > > net use \\domain2\host-on-you-want-to-access /user:DOMAIN2\administrator
> > > # NOTE: You'll be prompted to enter a password here. If you wanted you
> > > # could put the password on the above line
> > >
> > > Step 3: Now that you're authenticated on the remote machine, you'll be able
> > > to access its event log. I believe.
> > >
> > > HTH,
> > > Patrick
> > >
> > >
dnebeker@nospam.nospam says...
> > > > I'm trying to get my head around this but am having trouble (if you can
> > > > suggest good Google keywords, I'll be happy to go search further).
> > > >
> > > > I have machine1 in domainA. It needs to read the event log of machine2 in
> > > > domainB. There is no trust relationship between the domains. I've figured
> > > > out that I could have two local machine accounts on the two machines that
> > > > have identical username and passwords, and this seems to work.
> > > >
> > > > However, I'd like to somehow have machine1 impersonate a user in domainB
> > > > and make the request. I thought I could use the LogonUser and
> > > > ImpersonateUser APIs, but LogonUser won't work since machine1 doesn't know
> > > > about domainB users.
> > > >
> > > > I was about to give up hope, but someone showed me that from machine1 they
> > > > can use Explorer and open a UNC path to machine2. They get prompted for
> > > > credentials, enter a domainB account, and get in. How did that work??? What
> > > > APIs were involved?
> > > >
> > > > Thanks for any hints you can send my way.
> > > >
> > > >
> > > >
> > >
> >
>
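The approach dnebeker settled on, as an added PowerShell example that is not code from the thread: WNetAddConnection2 (called through P/Invoke) authenticates machine1 to machine2 with a domainB account over SMB, the event log is then read over that authenticated session, and the session is torn down afterwards. The host name, the credential prompt and the Mpr wrapper class are assumptions.

```powershell
# Added example (not from the thread): authenticate to the domainB host with
# WNetAddConnection2, read its event log over that session, then disconnect.
$target = 'machine2'   # placeholder: the domainB machine to read from
$cred   = Get-Credential -Message 'Enter a domainB account as DOMAINB\user'

# Minimal P/Invoke wrapper for the mpr.dll calls (assumed helper, not an OS type).
Add-Type -TypeDefinition @'
using System;
using System.Runtime.InteropServices;
public class Mpr {
    [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
    public class NetResource {
        public int dwScope; public int dwType; public int dwDisplayType; public int dwUsage;
        public string lpLocalName; public string lpRemoteName; public string lpComment; public string lpProvider;
    }
    [DllImport("mpr.dll", CharSet = CharSet.Unicode)]
    public static extern int WNetAddConnection2(NetResource nr, string password, string user, int flags);
    [DllImport("mpr.dll", CharSet = CharSet.Unicode)]
    public static extern int WNetCancelConnection2(string name, int flags, bool force);
}
'@

$nr = New-Object -TypeName 'Mpr+NetResource'
$nr.dwType       = 0                          # RESOURCETYPE_ANY
$nr.lpRemoteName = '\\' + $target + '\IPC$'   # IPC$: an authenticated session, no drive letter

# Flags = 0: the connection is not persisted to the user's profile.
$rc = [Mpr]::WNetAddConnection2($nr, $cred.GetNetworkCredential().Password, $cred.UserName, 0)
if ($rc -ne 0) {
    # 1326 = ERROR_LOGON_FAILURE; 1219 = ERROR_SESSION_CREDENTIAL_CONFLICT, i.e. a
    # session to the same host already exists under different credentials.
    throw "WNetAddConnection2 failed: Win32 error $rc"
}
try {
    # Get-EventLog uses the legacy event-log RPC interface (OpenEventLog over the
    # \pipe\eventlog named pipe), so it rides the SMB session just established.
    Get-EventLog -ComputerName $target -LogName Security -Newest 10 |
        Select-Object TimeGenerated, EntryType, InstanceId, Source
}
finally {
    # Drop the session so the domainB credentials are not left in use from this logon.
    [void][Mpr]::WNetCancelConnection2($nr.lpRemoteName, 0, $true)
}
```

On machine2 this shows up as a network logon (event 4624, logon type 3) for the domainB account originating from machine1, which is the record to audit. Newer PowerShell also offers Get-WinEvent with a -Credential parameter, which passes the alternate credential without an explicit SMB session.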