After doing a chunk of reading about authenticating users (both here in SO land and the internet generally), it seems fairly obvious that the “best” way to authenticate a user (and thus detect things like expired password, etc) is to call Win32 LogonUser(), rather than attempt to use PrincipalContext.ValidateCredentials in .NET.

However I’m not fully clear on though is what LogonUser actually does – and thus what overhead does it carry with it? The MSDN’s not entirely clear on this, the part that mostly concerns me is right at the end which says that LogonUser calls NPLoginNotify(), and it’s not entirely clear what this does (other than preparing logon scripts), nor what happens to the results of the call.

I was initially concerned that LogonUser loaded the user’s profile, but some further reading has put that concern to bed as a non-issue (unless I’m wrong on this one, but from what I can tell LogonUser never loads the profile – this would have to be explicitly loaded through a different function call).

The context for this is an intranet webapp that requires the ability to authenticate against active directory, so there will be a number of logins and logouts to the app: probably not that many initially, but may ramp significantly in the future. It seems that calling LoginUser with a type of LOGIN32_LOGIN_NETWORK and then immediately discarding the token that it gives me may be the best route forward.

Is there any overhead I’m not aware of, or am I just worrying unduly?