Home/ Questions/Q 7403119
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-29T04:58:30+00:00

Recently I have been dealing with windows LogonUser API. The LogonUser api returns different

  • 0

Recently I have been dealing with windows LogonUser API. The LogonUser api returns different token depending on the dwLogonType passed to the API. The document mentions:

• The function returns an impersonation token, not a primary token. You
cannot use this token directly in the CreateProcessAsUser function.
However, you can call the DuplicateTokenEx function to convert the
token to a primary token, and then use it in CreateProcessAsUser.

• If you convert the token to a primary token and use it in
CreateProcessAsUser to start a process, the new process cannot access
other network resources, such as remote servers or printers, through
the redirector. An exception is that if the network resource is not
access controlled, then the new process will be able to access it.

I am totally confused on different token types. I want to understand on what are different windows token types and how they differ?

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    Historically speaking (like 17 years ago):

    If a process running on server B as user U wants to connect to server C as the same user, then the authentication protocol between the servers requires that server B knows user U’s password.

    If user U is logged on at server B, this isn’t a problem (the user must have entered a password).

    However, suppose that user U is actually logged on at client A and is connecting to server B (which could be a mail server say). Then server B can securely determine that it really is user U connecting, but server B never sees U’s password so it cannot connect to server C on U’s behalf.

    This distinction naturally creates two kinds of user tokens:

    • A primary token representing a user who is “really” logged on and can connect to other network resources.
    • An impersonation token representing an authenticated user who is actually logged on to another computer so the token cannot be used to access other network resources (because the OS doesn’t know the password, and that’s required by the inter-server authentication protocol).

    Back in the present day, things are more complicated because, for example, Kerberos authentication supports delegation across multiple servers, but unless you explicitly enable this the same restrictions outlined above still apply.

    Going back to your question, the restrictions you mention apply only if you ask for a LOGON32_LOGON_NETWORK token. As the documentation says, this is a fast logon for network servers that don’t need to access other network resources; if you do need this access, choose a different logon type.

    For further reading, this article is out of date but does cover the various impersonation and delegation options.

    • 0