Tuesday, October 25, 2005

Accessing a remote resource

First, understand the difference between LOGON32_LOGON_INTERACTIVE and LOGON32_LOGON_NETWORK.

Second, understand that if:

1. You are on a machine (Machine A) that is not part of the domain

And

2. You are trying to access a domain machine (Machine B) using domain credentials from Machine A using LogonUser

this will not work. Machine A knows nothing about that domain, so a token carrying information for a domain the machine cannot resolve is useless.

You must be using a domain account. One common mistake stems from a misunderstanding about how users are logged on. If I call LogonUser and specify LOGON32_LOGON_NETWORK, there is a search order for domain controllers to validate that name. If you have specified the local machine, there is no validation unless, of course, you are on a domain controller. If you are trying to validate against another machine on the network that is NOT PART OF A DOMAIN, you cannot validate those credentials through LogonUser. You must map the connection as described below. Even if the local login and password match those of the remote machine, this will not work. It can be confusing: if I try to access Machine B from Machine A, and both have an administrator account but with different passwords, then from Machine A I need to specify the credentials as

MachineB\administrator

in order to validate the user on Machine B. So one would think I could call LogonUser and specify a remote machine name. False. You cannot (as far as I am aware). So how does Windows do it, you ask, or tools such as runas.exe? Think about what happens during remote network access. Your system tries to set up an SMB session. The remote server requires more information and sends back STATUS_MORE_PROCESSING_REQUIRED. Your system sends over the appropriate authentication information. You then access the interprocess communication share at \\MachineB\IPC$, and once that is established (with a proper account) you can perform your network request (e.g. c:\>dir \\machineb\someshare).

How can you then achieve this behavior? Simply enough: in this case you use the WNetAddConnection2 API to establish a session to \\machineb\ipc$. Once that session is established you have "remote permissions" for your current login and can then do your mojo. You are using SMB session information, not LogonUser, to achieve this.
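The IPC$ mapping described above, written out as an added example (not the author's code): WNetAddConnection2 is called from PowerShell through P/Invoke into mpr.dll to establish the session with explicit credentials, the share is then read over that session, and the session is cancelled afterwards. MachineB, someshare and the MachineB\administrator account are placeholders carried over from the post's own illustration, and the password is prompted for rather than embedded.

```powershell
# Added example: map an SMB session to \\MachineB\IPC$ with explicit credentials,
# use the share, then drop the session. Names below are constructed placeholders.
Add-Type -TypeDefinition @"
using System;
using System.Runtime.InteropServices;
public class Mpr {
    [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
    public struct NETRESOURCE {
        public int dwScope; public int dwType; public int dwDisplayType; public int dwUsage;
        public string lpLocalName; public string lpRemoteName; public string lpComment; public string lpProvider;
    }
    [DllImport("mpr.dll", CharSet = CharSet.Unicode)]
    public static extern int WNetAddConnection2(ref NETRESOURCE lpNetResource, string lpPassword, string lpUserName, int dwFlags);
    [DllImport("mpr.dll", CharSet = CharSet.Unicode)]
    public static extern int WNetCancelConnection2(string lpName, int dwFlags, bool fForce);
}
"@

$ipc   = '\\MachineB\IPC$'        # placeholder: the session endpoint the post describes
$share = '\\MachineB\someshare'   # placeholder: what we actually want to read
$cred  = Get-Credential 'MachineB\administrator'   # prompts; keeps the password out of the script

$nr = New-Object -TypeName 'Mpr+NETRESOURCE'
$nr.dwType       = 0      # RESOURCETYPE_ANY
$nr.lpRemoteName = $ipc   # no lpLocalName: session only, no drive letter (like "net use \\MachineB\IPC$")

$rc = [Mpr]::WNetAddConnection2([ref]$nr, $cred.GetNetworkCredential().Password, $cred.UserName, 0)
switch ($rc) {
    0    { Write-Host "SMB session to $ipc established as $($cred.UserName)" }
    1219 { throw "ERROR_SESSION_CREDENTIAL_CONFLICT: a session to MachineB already exists with other credentials; cancel it first" }
    1326 { throw "ERROR_LOGON_FAILURE: MachineB rejected these credentials" }
    53   { throw "ERROR_BAD_NETPATH: MachineB is not reachable over SMB" }
    default { throw "WNetAddConnection2 failed with Win32 error $rc" }
}

try {
    # The SMB session now carries the remote identity, so plain file access works
    # without any LogonUser call on this machine.
    Get-ChildItem -Path $share | Select-Object Name, Length
}
finally {
    # Tear the session down so the mapped credentials do not linger on this machine.
    [void][Mpr]::WNetCancelConnection2($ipc, 0, $true)
}
```

Error 1219 is the one practitioners trip over most: Windows allows only one set of credentials per server from a given logon session, so an existing connection to MachineB must be cancelled before a different account can be used.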

10/25/2005 8:19:08 PM (Eastern Standard Time, UTC-05:00)