Impersonate with SSPLogonUser

[Nils M. Lunde]

Hi!

I've made a Web Service using C# that is using impersonation.
The WS is working fine on WinXP and Win2003Server, but I'm having problem
getting it to work on Win2000.

The problem is that in order to use LogonUser on Win2000, you have to have
the SE_TCB_NAME privilege.
Therefore I'm using the SSPLogonUser
(http://support.microsoft.com/defaul...port/kb/articles/Q180/5/48.asp&NoWebContent=1)
to authenticate the user.
This is working.

To be able to impersonate, I use the DuplicateToken API function.
This function takes a token as parameter, and I don't know how to obtain
that token.
When using the LogonUser function, you get a token in return, so on WinXP
and Win2003Server the problem doesn't arise.

I tried using WindowsIdentity.GetCurrent() after calling SSPLogonUser, but
it seems as if the token I'm getting is the wrong one.

Does anyone have an idea on how I can obtain this token?

Thanks in advance!

Regards,
Nils Magne Lunde

 

[Guest]

I ran into a similar problem on a recent project, but due
to time contraints we relaxed the security and ran with
TCB privilege.

If I recall correctly the token I got back from
GetCurrent did not have the ability to delegate (ie. do
stuff on another server) - although it did have
permissions on the local machine.

Might provide another avenue to investigate - hope it
helps.

 

[Willy Denoyette [MVP]]

You should call QuerySecurityContextToken to obtain a token from the
security package.
Note however that this token has no network credentials.

Willy.

 

[Nils M. Lunde]

Ok, I see.
Is there an easy way for me to obtain the security context that is used as
input to this function, or do I have to make the SSPLogonUser return this
context?

-Nils Magne

 

[Willy Denoyette [MVP]]

When calling QuerySecurityContextToken , you have to pass the adress of the
Server context handle (&asServer.hctxt), you could make this call before
returning from SSPLogonUser and return the access token obtained by calling
QuerySecurityContextToken, or you could implement another function that
takes the context handle and returns the token? it's up to you ;-)

Willy.

 

[Nils M. Lunde]

Thanks!
I got i to work on Win2000 Professional.
Now I only have to find a way to get it to work on Win2000 Server.
It seems as if the token is somewhat invalid, and I don't have access to
anything after impersonating using it.

Nils Magne

 

[Willy Denoyette [MVP]]

What exactly do you mean with "I don't have access to anything"?
Note that the token obtained has not network credentials, so network
resources are not accessible when impersonating.

Willy.

 

[Nils M. Lunde]

I mean that after impersonating with that token, I only have guest
privilegies on this computer.
On WinXP, 2003Server and 2000Pro I can impersonate any domain user, and
have access to the same resources as if I was loged in as this user. On
Win2000Server I only have guest privilegies no matter who I'm
impersonating.

The 2000Server I'm using is the pdc of our domain.
Could that be the reason?

Nils Magne

 

[Nils M. Lunde]

Ok, I've tested my Web Service on other Win2k Servers, and it appears to
work on every computer except from the pdc.
Anyone who knows why SSPLogonUser fails on our Win2k Server pdc?

-Nils Magne

I mean that after impersonating with that token, I only have guest
privilegies on this computer.
On WinXP, 2003Server and 2000Pro I can impersonate any domain user, and
have access to the same resources as if I was loged in as this user. On
Win2000Server I only have guest privilegies no matter who I'm
impersonating.

The 2000Server I'm using is the pdc of our domain.
Could that be the reason?

Nils Magne

 

[Ronald Laeremans [MSFT]]

Interactive logons for non domain admin users are disallowed on PDCs. Maybe
that is related to the issue you are seeing.

Ronald Laeremans

 

[Nils M. Lunde]

I am a domain admin, so that shouldn't be a problem.
Could it be that impersonation using the techniques in SSPLogonUser is
disallowed on PDCs?

Nils Magne

Interactive logons for non domain admin users are disallowed on PDCs. Maybe
that is related to the issue you are seeing.

Ronald Laeremans

Ok, I've tested my Web Service on other Win2k Servers, and it appears to
work on every computer except from the pdc.
Anyone who knows why SSPLogonUser fails on our Win2k Server pdc?

-Nils Magne

access
to

(http://support.microsoft.com/default.aspx?scid=http://support.microsoft.com how

to http://www.opera.com/m2/

 

[Willy Denoyette [MVP]]

Make sure HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\ForceGuest
is disabled (value 0).

Willy.

 

[Nils M. Lunde]

This value does not exist in the registry.
Wasn't the ForceGuest value introduced in WinXP?
I tried to add it anyway, but it made no difference.

The strange thing is that the WS running on my test server (Windows 2000
Server SP 4 also), is working fine.
It has to be something with the security policies for PDCs.
Maybe there is another registry key I could change??

Thanks anyway!
-Nils Magne

 

[Nils M. Lunde]

Ok, I finally got it to work!
I'm not sure if it is the best solution, but what I did was:

1. Open the Domain Controller Security Policy snap-in
2. In the User Rights Assignment page, add DOMAIN\IWAM_Computername to the
"Impersonate a client after authentication" policy.

I also got it working when running the process as the system identity by
changing to

<processModel userName="SYSTEM" password="AutoGenerate" />

in machine.config, but because this approach has serious security
implications, I desided not to go with it.

If anyone knows of a better method, please tell me!


-Nils Magne