Client Logon Sessions

A server with the SE_TCB_NAME privilege, such as a Windows service running in the LocalSystem Account, can call the LogonUser function to authenticate a client on the computer that the server is running on. The LogonUser function starts a new logon session and returns a primary access token that contains the client's security information. You can use this primary token in calling the ImpersonateLoggedOnUser function to impersonate the client or in calling the CreateProcessAsUser function to create a process that runs in the security context of the client.

The advantage of authenticating the client in this way is that the server impersonating the authenticated client, or a process created in the context of the authenticated client, can connect to remote network resources as the client. If this authentication is not done, the server can connect to network resources only if it has acquired the client's account name and password to pass to the WNetAddConnection2 function.

The disadvantage of authenticating the client in this way is that the server must have acquired the client's credentials (domain name, user name, and password). If a remote client supplies these credentials to the server, it is the responsibility of the client and server to ensure that the credentials are transmitted in a secure manner.
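The sequence described above (LogonUser, then ImpersonateLoggedOnUser, then a return to the server's own context) is sketched below in C# with P/Invoke. This is an added example, not code from the original page. The helper name RunAsClient, the use of SecureString to hold the password, and the choice of LOGON32_LOGON_NETWORK_CLEARTEXT are assumptions. That logon type is the one the LogonUser documentation describes as preserving the credentials for connections to other network servers.

```csharp
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;
using System.Security;
using Microsoft.Win32.SafeHandles;

static class ClientLogon
{
    const int LOGON32_LOGON_NETWORK_CLEARTEXT = 8; // token keeps credentials for remote access
    const int LOGON32_PROVIDER_DEFAULT = 0;

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LogonUser(string user, string domain, IntPtr password,
        int logonType, int logonProvider, out SafeAccessTokenHandle token);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool ImpersonateLoggedOnUser(SafeAccessTokenHandle token);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool RevertToSelf();

    // Hypothetical helper: authenticate the client, run work() as the client, then revert.
    public static void RunAsClient(string domain, string user, SecureString password, Action work)
    {
        IntPtr pw = Marshal.SecureStringToGlobalAllocUnicode(password);
        SafeAccessTokenHandle token;
        try
        {
            if (!LogonUser(user, domain, pw, LOGON32_LOGON_NETWORK_CLEARTEXT,
                           LOGON32_PROVIDER_DEFAULT, out token))
                throw new Win32Exception(Marshal.GetLastWin32Error(), "LogonUser failed");
        }
        finally { Marshal.ZeroFreeGlobalAllocUnicode(pw); } // wipe the plaintext copy

        using (token) // closes the primary token handle when done
        {
            // If impersonation fails, do not run work() in the server's own context.
            if (!ImpersonateLoggedOnUser(token))
                throw new Win32Exception(Marshal.GetLastWin32Error(), "ImpersonateLoggedOnUser failed");
            try
            {
                work(); // remote resource access here uses the client's identity
            }
            finally
            {
                // A thread stuck in the client's context must not be reused: stop the process.
                if (!RevertToSelf()) Environment.FailFast("RevertToSelf failed");
            }
        }
    }
}
```

The password exists in unmanaged memory only for the duration of the LogonUser call; how it reaches the server securely is outside what this sketch covers.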