LookupAccountName / LsaLookupNames fails for cached domain credential when DC unavailable
The LookupAccountName function and the LsaLookupNames function are used to retrieve a security identifier (SID) for a specified account name. When using these functions to look up a cached domain credential while the domain controller (DC) is unavailable, the functions may fail because they cannot retrieve the SID from the DC.
When a user logs on to a domain-joined computer, Windows caches the user's domain credentials locally. This allows the user to log on to the computer even if the DC is unavailable. However, some functions, such as LookupAccountName and LsaLookupNames, may require access to the DC to retrieve the SID for the cached credential.
To work around this issue, you can use the ConvertSidToStringSid function to retrieve the string representation of the cached credential's SID, and then use the LookupAccountSid function to retrieve the account name associated with the SID. Here's an example:
```c
#include <windows.h>
#include <sddl.h>   // ConvertSidToStringSid

PSID pSid = NULL;
LPTSTR pSidString = NULL;
// Get the cached credential's SID. GetUserSid is not a Win32 API; the answer assumes a
// helper that returns the logon token's user SID in a LocalAlloc'd buffer (so the
// LocalFree below matches), e.g. via OpenProcessToken + GetTokenInformation(TokenUser).
if (GetUserSid(&pSid)) {
    // Convert the SID to a string (ConvertSidToStringSid allocates with LocalAlloc)
    if (ConvertSidToStringSid(pSid, &pSidString)) {
        // Look up the account name associated with the SID
        TCHAR accountName[128];
        DWORD accountNameSize = ARRAYSIZE(accountName);   // size in TCHARs, not bytes
        TCHAR domainName[128];
        DWORD domainNameSize = ARRAYSIZE(domainName);     // size in TCHARs, not bytes
        SID_NAME_USE sidUse;
        if (LookupAccountSid(NULL, pSid, accountName, &accountNameSize, domainName, &domainNameSize, &sidUse)) {
            // Use the account name and domain name as needed
            // ...
        }
        LocalFree(pSidString);
    }
    LocalFree(pSid);
}
```
Note that this workaround only works for cached domain credentials, and not for local user accounts. If the credential is not cached, you may need to use a different approach, such as prompting the user for their credentials or using a different authentication mechanism.
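As an added example (not code from the answer above), the same flow in PowerShell: call LookupAccountNameW through P/Invoke, surface the Win32 error when the name cannot be resolved so that "no such account" can be told apart from "DC unreachable", and fall back to the logon token's SID as the answer describes. The account name CONTOSO\jdoe is a constructed placeholder; the Win32.Advapi type name and the two function names are this example's own.

```powershell
# Added example, not code from the answer above. CONTOSO\jdoe is a constructed placeholder.
Add-Type -Namespace Win32 -Name Advapi -MemberDefinition @'
[DllImport("advapi32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern bool LookupAccountNameW(
    string lpSystemName, string lpAccountName, byte[] Sid, ref uint cbSid,
    System.Text.StringBuilder ReferencedDomainName, ref uint cchReferencedDomainName,
    out int peUse);
'@

function Resolve-AccountSid {
    # Name -> SID via LookupAccountNameW. Returns the Win32 error instead of throwing so the
    # caller can distinguish 1332 ERROR_NONE_MAPPED (no such account) from a DC problem such as
    # 1722 RPC_S_SERVER_UNAVAILABLE or 1788 ERROR_TRUSTED_RELATIONSHIP_FAILURE.
    param([Parameter(Mandatory)][string]$AccountName)
    [uint32]$cbSid = 0; [uint32]$cchDom = 0; [int]$use = 0
    # First call with empty buffers only learns the required sizes (122 = ERROR_INSUFFICIENT_BUFFER).
    [void][Win32.Advapi]::LookupAccountNameW($null, $AccountName, $null, [ref]$cbSid, $null, [ref]$cchDom, [ref]$use)
    $err = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()
    if ($err -ne 122) {
        return [pscustomobject]@{ Account = $AccountName; Sid = $null; Domain = $null; Win32Error = $err }
    }
    $sid = New-Object byte[] ([int]$cbSid)
    $dom = [System.Text.StringBuilder]::new([int]$cchDom)
    if (-not [Win32.Advapi]::LookupAccountNameW($null, $AccountName, $sid, [ref]$cbSid, $dom, [ref]$cchDom, [ref]$use)) {
        $err = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()
        return [pscustomobject]@{ Account = $AccountName; Sid = $null; Domain = $null; Win32Error = $err }
    }
    $sidObj = [System.Security.Principal.SecurityIdentifier]::new($sid, 0)
    [pscustomobject]@{ Account = $AccountName; Sid = $sidObj.Value; Domain = $dom.ToString(); Win32Error = 0 }
}

function Get-CachedLogonAccount {
    # The answer's workaround: the logon token already carries the user's SID (no DC needed),
    # so read it from the token and map SID -> name. .NET's Translate() performs the
    # SID-to-name lookup that LookupAccountSid does in the C snippet above.
    # Only meaningful for the currently logged-on user, as the answer notes.
    $sid = [System.Security.Principal.WindowsIdentity]::GetCurrent().User
    try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
    catch { $name = $null }   # the reverse lookup can also fail if the SID is not cached locally
    [pscustomobject]@{ Sid = $sid.Value; Account = $name }
}

$r = Resolve-AccountSid -AccountName 'CONTOSO\jdoe'
if ($r.Win32Error -ne 0) {
    Write-Warning ("LookupAccountNameW failed with Win32 error {0}; using the token SID instead" -f $r.Win32Error)
    Get-CachedLogonAccount
} else { $r }
```

Logging the numeric error rather than a generic failure is what makes an offline DC visible in event data: 1332 on a workstation that can reach its DC means the name really does not exist, while 1722 or 1788 point at connectivity or trust.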