How does VSys integrate with your Active Directory infrastructure?
Whenever someone logs into VSys, VSys will take the login credentials it's handed at that moment and authenticate them against AD using
LogonUser. It does no impersonation: the user who is currently logged into Windows does not necessarily have any relationship to the user who is logging into the application. (These are usually the same people but VSys does not make that assumption and the rights of the Windows user need not have any relationship to the user who's logging into VSys.)
The call made to
LogonUser includes the domain name as a parameter, so even if the user were to manage to take the machine off of the domain then the call would fail, making it impossible for them to establish a local account with the same name as the AD account and bypass the domain account.
LogonUser authenticates to the local machine rather than explicitly calling a remote machine. Here, since the local machine is on the domain (and VSys verifies this before calling
LogonUser), the local machine passes the credentials to the domain for it to validate. Using the
LOGON32_LOGON_NETWORK option rather than
LOGON32_LOGON_INTERACTIVE indicates that the call is being made solely to authenticate the user rather than to log into the local machine as an active user.
"plaintext" in this context (in the MSDN documentation) does not indicate that the user's password is passed in the clear across the network. Here it means that VSys hands
LogonUser an unencrypted password rather than a password hash or authentication token because that's what VSys has at the time as provided by the user. If VSys used
LOGON32_LOGON_NETWORK_CLEARTEXT then the unencrypted and un-hashed password could be passed across the wire. The way it's being done with
LOGON32_LOGON_NETWORK, if you ran WireShark to watch the traffic out of this machine you would not see the password traversing the network as readable text. The MSDN documentation doesn't make it clear but when the Windows machine communicates with its domain controller all of that communication is encrypted.
In order for a VSys One user to successfully authenticate using domain authentication, that user must have network login rights to the workstation or server on which VSys is running.