AD Authentication?
From: (Al), 22/02/2023 17:23:06
To: John Ryan, Captain-Cooker Appreciation Society, Taumata Whakatangi ..., New Zealand, 22/02/2023 13:39:58
Forum: Visual FoxPro
Category: Coding, syntax & commands; Miscellaneous
Thread ID: 01686248
Message ID: 01686259
>Thanks, Dmitry.
>
>I wonder whether anybody else can cast light on this. Certainly there's plenty of reference to Windows LogonUser API. There's classes for this in mainstream products like West Wind Web Connect etc. While LogonUser delivers a token to allow impersonation, you can discard the token after confirming that the credentials authenticate.
>
>But at this customer, LogonUser refuses to accept credentials. It always responds with error 1326, "The username or password is incorrect", even if you enter a non-existent AD.
>
>This is from a West Wind Webconnect app, but also from a standard Windows .exe. The customer's network guru says that only 1% of apps have a problem with this AD and that he is unfamiliar with LogonUser; apparently LDAP via wscript or API is the norm. They have LDAP console apps that demonstrate easy authentication via LDAP_INIT and Bind API.
>
>What is everybody else doing? We've had LogonUser working fine elsewhere, but now this customer is assuming it's a fault in the app. Do we need to swap to LDAP API?
>
>I'm already advised of one difference: LogonUser logs into the machine, whereas the LDAP API interrogates the database. So it could be something to do with security/trust settings, with browser app users allowed to use the app but not to log onto the server itself. Is there something the customer needs to do with security to enable LogonUser? Any advice or official links to this effect would be awesome.

I'm not doing this but here are some general comments:

- can you implement LDAP API as a fallback in case LogonUser doesn't work?
- are the DCs actual Windows, or something compatible like Samba?
- I imagine a large AD environment is maximally locked down. It's possible to put a lot of restrictions on user accounts and domain-joined computers via Group Policy etc. Maybe access is effectively being denied to LogonUser (and maybe to the LDAP API as well).
- Are there any MFA hurdles to overcome?
- Does the environment implement Zero Trust? https://learn.microsoft.com/en-us/security/zero-trust/
- I found a link https://stackoverflow.com/questions/71653359/logonuser-doesnt-work-for-a-user-in-the-protected-users-group where someone encountered problems with Protected users, not sure if that applies to you
Regards, Al

"Violence is the last refuge of the incompetent." -- Isaac Asimov
"Never let your sense of morals prevent you from doing what is right." -- Isaac Asimov

Neither a despot, nor a doormat, be

Every app wants to be a database app when it grows up
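The thread contrasts two ways of checking a domain password: a Win32 LogonUser call, whose result depends on the logon type and the logon rights granted on the calling machine, and an LDAP bind, which only asks the directory whether the credentials are good. The script below is an added diagnostic for that comparison; it is not code from the thread, from West Wind, or from any product mentioned above. It runs the same credentials through LogonUser with the network logon type (a pure credential check), LogonUser with the interactive logon type (which also requires the "Allow log on locally" right on the machine where the app runs), and a signed and sealed LDAP bind with Negotiate authentication, then prints the raw error from each path so the customer's policy can be compared against the observed code rather than argued about. It assumes a domain-joined Windows host with PowerShell 5.1 or later and that the target domain controller accepts LDAP on port 389; the function names and the Test-* output shape are mine.

```powershell
# Added diagnostic, not from the original thread. Assumes a domain-joined Windows host.
# Compares three credential-validation paths and reports the raw error code of each.

# P/Invoke declarations for LogonUserW and CloseHandle.
Add-Type -Namespace Win32 -Name Advapi -MemberDefinition @'
[DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern bool LogonUser(string user, string domain, string password,
    int logonType, int logonProvider, out System.IntPtr token);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CloseHandle(System.IntPtr handle);
'@

$LOGON32_LOGON_INTERACTIVE = 2   # needs SeInteractiveLogonRight ("Allow log on locally")
$LOGON32_LOGON_NETWORK     = 3   # credential check only; needs "Access this computer from the network"
$LOGON32_PROVIDER_DEFAULT  = 0

function Test-LogonUser {
    param(
        [Parameter(Mandatory)][string]$User,
        [Parameter(Mandatory)][string]$Domain,
        [Parameter(Mandatory)][string]$Password,
        [int]$LogonType = 3
    )
    $token = [IntPtr]::Zero
    $ok  = [Win32.Advapi]::LogonUser($User, $Domain, $Password, $LogonType,
                                     $LOGON32_PROVIDER_DEFAULT, [ref]$token)
    $err = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()
    # We only wanted to know whether the credentials authenticate; drop the token at once.
    if ($ok -and $token -ne [IntPtr]::Zero) { [void][Win32.Advapi]::CloseHandle($token) }
    [pscustomobject]@{
        Method  = "LogonUser (logon type $LogonType)"
        Success = $ok
        Error   = if ($ok) { 0 } else { $err }   # 1326 = ERROR_LOGON_FAILURE, 1385 = logon type not granted
    }
}

function Test-LdapBind {
    param(
        [Parameter(Mandatory)][string]$User,
        [Parameter(Mandatory)][string]$Domain,
        [Parameter(Mandatory)][string]$Password,
        [string]$Server = $Domain      # DNS domain name resolves to a DC via locator
    )
    Add-Type -AssemblyName System.DirectoryServices.Protocols
    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, 389)
    $cred = New-Object System.Net.NetworkCredential($User, $Password, $Domain)
    # Negotiate (Kerberos, falling back to NTLM) with signing and sealing: the password is
    # never sent in the clear, unlike an LDAP simple bind over plain port 389.
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection(
        $id, $cred, [System.DirectoryServices.Protocols.AuthType]::Negotiate)
    $conn.SessionOptions.Signing = $true
    $conn.SessionOptions.Sealing = $true
    try {
        $conn.Bind()   # throws LdapException on failure; success means the DC accepted the credentials
        $result = [pscustomobject]@{ Method = 'LDAP bind (Negotiate)'; Success = $true; Error = 0 }
    }
    catch [System.DirectoryServices.Protocols.LdapException] {
        $result = [pscustomobject]@{ Method = 'LDAP bind (Negotiate)'; Success = $false
                                     Error = "$($_.Exception.ErrorCode): $($_.Exception.Message)" }
    }
    finally { $conn.Dispose() }
    $result
}

# Prompt for the account under test so no password lands in the shell history.
$cred = Get-Credential -Message 'Account to test (DOMAIN\user)'
$nc   = $cred.GetNetworkCredential()

$results = @(
    Test-LogonUser -User $nc.UserName -Domain $nc.Domain -Password $nc.Password -LogonType $LOGON32_LOGON_NETWORK
    Test-LogonUser -User $nc.UserName -Domain $nc.Domain -Password $nc.Password -LogonType $LOGON32_LOGON_INTERACTIVE
    Test-LdapBind  -User $nc.UserName -Domain $nc.Domain -Password $nc.Password
)
$results | Format-Table -AutoSize
```

Reading the table: if the network logon type succeeds while the interactive type fails with 1385 (ERROR_LOGON_TYPE_NOT_GRANTED), the application is calling LogonUser with a logon type the machine's policy denies and the fix is the logon type, not the credentials. If every path fails with 1326 while the LDAP bind succeeds, the trust or policy between the calling machine and the domain is the place to look; LogonUser reports 1326 for a wrong password and for an unknown account alike, so that code on its own does not say which. A member of the Protected Users group cannot authenticate with NTLM, so a path that falls back to NTLM fails for such accounts while a Kerberos bind still works.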