Hey Folks,

I am using the LogonUser function (http://msdn.microsoft.com/en-us/library/aa378184(VS.85).aspx) to authenticate users. However, I have found that if a user changes their password (i.e. from Password1 to Password2), both passwords will then work. However, I would like it so that only the current password can be used. Is there something I need to set to get this to work like that?

I am using the following code snippet:

LogonUser(nt_id, NULL, nt_password, LOGON32_LOGON_NETWORK, 3, &hToken );

nt_id is going in in the format of [email protected]

And I have 3 there in place of LOGON32_PROVIDER_WINNT50, because I would get a compile error saying undeclared identifier for LOGON32_PROVIDER_WINNT50 (could this be a symptom?), but I know it is defined as 3.

Thanks, -Pete

+1  A: 

The compile-time error is probably there because you haven't

#define _WIN32_WINNT 0x0500

before including windows.h or added it as a compile-time setting (-D_WIN32_WINNT=0x0500).

Why LogonUser would work with both the new and the old password is beyond me though. But since what you want is to authenticate users (as opposed to impersonating them) according to MSDN it's more appropriate to use the SSPI API (here's the recommended way).

Andreas Magnusson
+1  A: 

This is a network setting. By default, Windows passwords remain valid for one hour after they are changed. Your network admin can change this if required. (Note that this doesn't affect the interactive login, but it does affect all programmatic methods.)

Peter Ruderman
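
The setting the last answer refers to can be audited, and optionally changed, on a domain controller. This is an added example, not part of the original answers. It assumes the registry value is `OldPasswordAllowedPeriod` (REG_DWORD, in minutes) under the Lsa key, as documented by Microsoft; the page itself does not name it, and the `-Minutes` parameter and the function name are hypothetical.

```powershell
# Added example: audit (and optionally set) the old-password grace period
# described in the answer above. Run elevated on a domain controller.
# Assumption: the value name and location below come from Microsoft's
# documentation, not from this page.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Hypothetical parameter: new grace period in minutes. Omit to audit only.
    [ValidateRange(0, [int]::MaxValue)]
    [int]$Minutes
)

$LsaKey         = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$ValueName      = 'OldPasswordAllowedPeriod'
$DefaultMinutes = 60   # "one hour" per the answer above, used when the value is absent

function Get-OldPasswordGracePeriod {
    # Returns the effective period and whether it is explicit or the default.
    $prop = Get-ItemProperty -Path $LsaKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $prop) {
        return [pscustomobject]@{ Minutes = $DefaultMinutes; Source = 'default (value not set)' }
    }
    return [pscustomobject]@{ Minutes = [int]$prop.$ValueName; Source = 'registry' }
}

$before = Get-OldPasswordGracePeriod
Write-Output ("Current grace period: {0} min [{1}]" -f $before.Minutes, $before.Source)

# Only write when the caller explicitly passed -Minutes; -WhatIf previews the change.
if ($PSBoundParameters.ContainsKey('Minutes')) {
    if ($PSCmdlet.ShouldProcess("$LsaKey\$ValueName", "Set to $Minutes minute(s)")) {
        New-ItemProperty -Path $LsaKey -Name $ValueName -PropertyType DWord `
            -Value $Minutes -Force | Out-Null
        $after = Get-OldPasswordGracePeriod
        Write-Output ("New grace period: {0} min [{1}]" -f $after.Minutes, $after.Source)
    }
}
```

The value is read per domain controller, so run the audit on each one rather than assuming a single result applies to the whole domain.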