Impersonation using WindowsIdentity( upn ) ctor


  1. #1

    Impersonation using WindowsIdentity( upn ) ctor

    I'm trying to impersonate a user using the WindowsIdentity ctor. This is
    what I'm doing

    // S4U logon by UPN: no password is supplied for the user
    WindowsIdentity id = new WindowsIdentity( "test@dev1.domain-dev.net" );
    // switch the current thread to the user's token
    WindowsImpersonationContext wic = id.Impersonate();
    try
    {
        DoSome();
    }
    finally
    {
        // always revert, even if DoSome() throws
        wic.Undo();
    }

    I'm getting this exception

    Access is denied.
    Description: An unhandled exception occurred during the execution of the
    current web request. Please review the stack trace for more information
    about the error and where it originated in the code.

    Exception Details: System.ApplicationException: Access is denied.

    [ApplicationException: Access is denied.]
    System.Security.Principal.WindowsIdentity._ResolveIdentity(IntPtr userToken) +0
    System.Security.Principal.WindowsIdentity.get_Name() +70
    ImpersonationTest.WebForm1.DoSome() in
    c:\inetpub\wwwroot\impersonationtest\webform1.aspx.cs:71
    ImpersonationTest.WebForm1.ImpersonateWinId() in
    c:\inetpub\wwwroot\impersonationtest\webform1.aspx.cs:41
    ImpersonationTest.WebForm1.Page_Load(Object sender, EventArgs e) in
    c:\inetpub\wwwroot\impersonationtest\webform1.aspx.cs:29
    System.Web.UI.Control.OnLoad(EventArgs e) +67
    System.Web.UI.Control.LoadRecursive() +35
    System.Web.UI.Page.ProcessRequestMain() +750



    The configuration is:

    * IIS: Anonymous checkbox ON and Integrated Security checkbox ON

    * Web.config: <identity impersonate="true"> and <authentication
    mode="Forms"> (auth mode forms is a requisite non negotiable on my app)

    * The app pool for the virtual dir is configured with Network Service

    Running on Win2K3 Domain Controller

    Any idea of what I should do to make the impersonation work?

    Thanks,
    Beto


    Alberto Ortega Guest

  3. #2

    Re: Impersonation using WindowsIdentity( upn ) ctor

    The problem is fairly subtle and is related to how Kerberos S4U, or
    "protocol transition", works. That is the new Windows 2003 feature that you
    are using under the hood when you use the WindowsIdentity "UPN" ctor.

    With S4U, the token returned by the API will either be an Impersonation
    level token or an Identity level token. The level depends on whether or not
    the account creating the token has the "Act as part of the operating system"
    privilege. Only accounts with that privilege can create an
    Impersonation level token with S4U. By default, only the SYSTEM account has
    this privilege. Everything else will create an Identity level token.

    As you probably guessed, a token has to be Impersonation level in order to
    impersonate it. An identity-level token can only be used to do things like
    check group membership and such. This is the error that you are seeing.

    This limitation is actually a security feature. When you think about it,
    you wouldn't really want any old account having the ability to create a
    token for a user at random with no credentials for that user and then start
    executing code on their behalf!

    If you have a situation where you absolutely need to do this, you need to
    run the code with an account with the act as part of the operating system
    privilege. If you do that, you probably want to think very very carefully
    about how you are going to secure this as you are potentially opening a
    massive security hole by doing this. Tread very lightly here.

    Joe K.

    "Alberto Ortega" <beto@NOSPAMTOMEsouthworks.net> wrote in message
    news:%23YF4FaQGFHA.3612@TK2MSFTNGP09.phx.gbl...
    > I'm trying to impersonate a user using the WindowsIdentity ctor. This is
    > what I'm doing
    >
    > WindowsIdentity id = new WindowsIdentity( "test@dev1.domain-dev.net" );
    > WindowsImpersonationContext wic = id.Impersonate();
    > try
    > {
    > DoSome();
    > }
    > finally
    > {
    > wic.Undo();
    > }
    >
    > I'm getting this exception
    >
    > Access is denied.
    > Description: An unhandled exception occurred during the execution of the
    > current web request. Please review the stack trace for more information
    > about the error and where it originated in the code.
    >
    > Exception Details: System.ApplicationException: Access is denied.
    >
    > [ApplicationException: Access is denied.
    > ]
    > System.Security.Principal.WindowsIdentity._Resolve Identity(IntPtr
    > userToken) +0
    > System.Security.Principal.WindowsIdentity.get_Name () +70
    > ImpersonationTest.WebForm1.DoSome() in
    > c:\inetpub\wwwroot\impersonationtest\webform1.aspx .cs:71
    > ImpersonationTest.WebForm1.ImpersonateWinId() in
    > c:\inetpub\wwwroot\impersonationtest\webform1.aspx .cs:41
    > ImpersonationTest.WebForm1.Page_Load(Object sender, EventArgs e) in
    > c:\inetpub\wwwroot\impersonationtest\webform1.aspx .cs:29
    > System.Web.UI.Control.OnLoad(EventArgs e) +67
    > System.Web.UI.Control.LoadRecursive() +35
    > System.Web.UI.Page.ProcessRequestMain() +750
    >
    >
    >
    > The configuration is:
    >
    > * IIS: Anonynous checkbox ON and Integrated Security checkbox ON
    >
    > * Web.config: <identity impersonate="true"> and <authentication
    > mode="Forms"> (auth mode forms is a requisite non negotiable on my app)
    >
    > * The app pool for the virtual dir is configured with Network Service
    >
    > Running on Win2K3 Domain Controller
    >
    > Any idea of what I should do to make the impersonation work?
    >
    > Thanks,
    > Beto
    >
    >

    Joe Kaplan (MVP - ADSI) Guest
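    The token-level distinction Joe describes, as an added example that is not code from this thread: it inspects the S4U token's impersonation level before calling Impersonate(), so the "Access is denied" surfaces as a clear up-front error, and shows that an identification-level token still serves group-membership checks. It assumes .NET 2.0 or later (where WindowsIdentity.ImpersonationLevel exists); the UPN and group name are placeholders.

```csharp
using System;
using System.Security.Principal;

// Added example, not from the thread. Assumes .NET 2.0+, where WindowsIdentity
// exposes the underlying token's ImpersonationLevel. The delegate is declared
// here because the non-generic System.Action only arrived in .NET 3.5.
public delegate void Work();

public static class S4UTokenCheck
{
    // Does an S4U logon for the UPN and reports what the token is good for,
    // instead of calling Impersonate() blindly and failing later in DoSome().
    public static string Describe(string upn)
    {
        // Protocol transition: no password for the user is supplied.
        WindowsIdentity id = new WindowsIdentity(upn);
        switch (id.ImpersonationLevel)
        {
            case TokenImpersonationLevel.Impersonation:
            case TokenImpersonationLevel.Delegation:
                // Only possible when the calling process holds
                // "Act as part of the operating system" (SeTcbPrivilege).
                return "impersonation-capable token";
            case TokenImpersonationLevel.Identification:
                // The default for Network Service: authorization checks only.
                return "identification-level token: group checks only";
            default:
                return "unexpected token level " + id.ImpersonationLevel;
        }
    }

    // Runs 'action' as the user only when the token can really be impersonated.
    public static void RunAs(string upn, Work action)
    {
        WindowsIdentity id = new WindowsIdentity(upn);
        // Enum order: None < Anonymous < Identification < Impersonation < Delegation
        if (id.ImpersonationLevel < TokenImpersonationLevel.Impersonation)
        {
            throw new InvalidOperationException(
                "S4U returned an " + id.ImpersonationLevel + " token for " + upn +
                "; the process lacks 'Act as part of the operating system'.");
        }
        WindowsImpersonationContext ctx = id.Impersonate();
        try
        {
            action();
        }
        finally
        {
            ctx.Undo();   // always revert to the process identity
        }
    }

    // What an identification-level token can still do: membership checks.
    public static bool IsMember(string upn, string groupName)
    {
        WindowsPrincipal principal = new WindowsPrincipal(new WindowsIdentity(upn));
        return principal.IsInRole(groupName);   // e.g. "DOMAIN\\SomeGroup" (placeholder)
    }

    public static void Main()
    {
        // Placeholder UPN; on a domain-joined Windows 2003+ host this reports the
        // level the worker process actually gets.
        Console.WriteLine(Describe("test@dev1.domain-dev.net"));
    }
}
```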

  4. #3

    Re: Impersonation using WindowsIdentity( upn ) ctor

    Ok, now, what if I use the LogonUser API ?

    Thanks a lot.
    Beto.

    "Joe Kaplan (MVP - ADSI)" <joseph.e.kaplan@removethis.accenture.com> wrote
    in message news:OIhXppQGFHA.2156@TK2MSFTNGP09.phx.gbl...
    > The problem is fairly subtle and is related to how Kerberos S4U, or
    > "protocol transition", works. That is the new Windows 2003 feature that
    you
    > are using under the hood when you use the WindowsIdentity "UPN" ctor.
    >
    > With S4U, the token returned by the API will either be an Impersonation
    > level token or an Identity level token. The level depends on whether or
    not
    > the account creating the token has the "Act as part of the operating
    system"
    > privilege. Only accounts with with that privilege can create an
    > Impersonation level token with S4U. By default, only the SYSTEM account
    has
    > this privilege. Everything else will create an Identify level token.
    >
    > As you probably guessed, a token has to be Impersonation level in order to
    > impersonate it. An identify-level token can only be used to do things
    like
    > check group membership and such. This is the error that you are seeing.
    >
    > This limitation is actually a security feature. When you think about it,
    > you wouldn't really want any old account having the ability to create a
    > token for a user at random with no credentials for that user and then
    start
    > executing code on their behalf!
    >
    > If you have a situation where you absolutely need to do this, you need to
    > run the code with an account with the act as part of the operating system
    > privilege. If you do that, you probably want to think very very carefully
    > about how you are going to secure this as you are potentially opening a
    > massive security hole by doing this. Tread very lightly here.
    >
    > Joe K.
    >
    > "Alberto Ortega" <beto@NOSPAMTOMEsouthworks.net> wrote in message
    > news:%23YF4FaQGFHA.3612@TK2MSFTNGP09.phx.gbl...
    > > I'm trying to impersonate a user using the WindowsIdentity ctor. This is
    > > what I'm doing
    > >
    > > WindowsIdentity id = new WindowsIdentity( "test@dev1.domain-dev.net" );
    > > WindowsImpersonationContext wic = id.Impersonate();
    > > try
    > > {
    > > DoSome();
    > > }
    > > finally
    > > {
    > > wic.Undo();
    > > }
    > >
    > > I'm getting this exception
    > >
    > > Access is denied.
    > > Description: An unhandled exception occurred during the execution of the
    > > current web request. Please review the stack trace for more information
    > > about the error and where it originated in the code.
    > >
    > > Exception Details: System.ApplicationException: Access is denied.
    > >
    > > [ApplicationException: Access is denied.
    > > ]
    > > System.Security.Principal.WindowsIdentity._Resolve Identity(IntPtr
    > > userToken) +0
    > > System.Security.Principal.WindowsIdentity.get_Name () +70
    > > ImpersonationTest.WebForm1.DoSome() in
    > > c:\inetpub\wwwroot\impersonationtest\webform1.aspx .cs:71
    > > ImpersonationTest.WebForm1.ImpersonateWinId() in
    > > c:\inetpub\wwwroot\impersonationtest\webform1.aspx .cs:41
    > > ImpersonationTest.WebForm1.Page_Load(Object sender, EventArgs e) in
    > > c:\inetpub\wwwroot\impersonationtest\webform1.aspx .cs:29
    > > System.Web.UI.Control.OnLoad(EventArgs e) +67
    > > System.Web.UI.Control.LoadRecursive() +35
    > > System.Web.UI.Page.ProcessRequestMain() +750
    > >
    > >
    > >
    > > The configuration is:
    > >
    > > * IIS: Anonynous checkbox ON and Integrated Security checkbox ON
    > >
    > > * Web.config: <identity impersonate="true"> and <authentication
    > > mode="Forms"> (auth mode forms is a requisite non negotiable on my app)
    > >
    > > * The app pool for the virtual dir is configured with Network Service
    > >
    > > Running on Win2K3 Domain Controller
    > >
    > > Any idea of what I should do to make the impersonation work?
    > >
    > > Thanks,
    > > Beto
    > >
    > >
    >
    >

    Alberto Ortega Guest

  5. #4

    Re: Impersonation using WindowsIdentity( upn ) ctor

    You can definitely impersonate a token created with LogonUser.

    I'd use the sample code in the .NET SDK docs for
    WindowsImpersonationContext. They have one of the best ones I've seen.

    Joe K.

    "Alberto Ortega" <beto@NOSPAMTOMEsouthworks.net> wrote in message
    news:%23oVdy1aGFHA.208@TK2MSFTNGP12.phx.gbl...
    > Ok, now, what if I use the LogonUser API ?
    >
    > Thanks a lot.
    > Beto.
    >
    > "Joe Kaplan (MVP - ADSI)" <joseph.e.kaplan@removethis.accenture.com> wrote
    > in message news:OIhXppQGFHA.2156@TK2MSFTNGP09.phx.gbl...
    >> The problem is fairly subtle and is related to how Kerberos S4U, or
    >> "protocol transition", works. That is the new Windows 2003 feature that
    > you
    >> are using under the hood when you use the WindowsIdentity "UPN" ctor.
    >>
    >> With S4U, the token returned by the API will either be an Impersonation
    >> level token or an Identity level token. The level depends on whether or
    > not
    >> the account creating the token has the "Act as part of the operating
    > system"
    >> privilege. Only accounts with with that privilege can create an
    >> Impersonation level token with S4U. By default, only the SYSTEM account
    > has
    >> this privilege. Everything else will create an Identify level token.
    >>
    >> As you probably guessed, a token has to be Impersonation level in order
    >> to
    >> impersonate it. An identify-level token can only be used to do things
    > like
    >> check group membership and such. This is the error that you are seeing.
    >>
    >> This limitation is actually a security feature. When you think about it,
    >> you wouldn't really want any old account having the ability to create a
    >> token for a user at random with no credentials for that user and then
    > start
    >> executing code on their behalf!
    >>
    >> If you have a situation where you absolutely need to do this, you need to
    >> run the code with an account with the act as part of the operating system
    >> privilege. If you do that, you probably want to think very very
    >> carefully
    >> about how you are going to secure this as you are potentially opening a
    >> massive security hole by doing this. Tread very lightly here.
    >>
    >> Joe K.
    >>
    >> "Alberto Ortega" <beto@NOSPAMTOMEsouthworks.net> wrote in message
    >> news:%23YF4FaQGFHA.3612@TK2MSFTNGP09.phx.gbl...
    >> > I'm trying to impersonate a user using the WindowsIdentity ctor. This
    >> > is
    >> > what I'm doing
    >> >
    >> > WindowsIdentity id = new WindowsIdentity( "test@dev1.domain-dev.net" );
    >> > WindowsImpersonationContext wic = id.Impersonate();
    >> > try
    >> > {
    >> > DoSome();
    >> > }
    >> > finally
    >> > {
    >> > wic.Undo();
    >> > }
    >> >
    >> > I'm getting this exception
    >> >
    >> > Access is denied.
    >> > Description: An unhandled exception occurred during the execution of
    >> > the
    >> > current web request. Please review the stack trace for more information
    >> > about the error and where it originated in the code.
    >> >
    >> > Exception Details: System.ApplicationException: Access is denied.
    >> >
    >> > [ApplicationException: Access is denied.
    >> > ]
    >> > System.Security.Principal.WindowsIdentity._Resolve Identity(IntPtr
    >> > userToken) +0
    >> > System.Security.Principal.WindowsIdentity.get_Name () +70
    >> > ImpersonationTest.WebForm1.DoSome() in
    >> > c:\inetpub\wwwroot\impersonationtest\webform1.aspx .cs:71
    >> > ImpersonationTest.WebForm1.ImpersonateWinId() in
    >> > c:\inetpub\wwwroot\impersonationtest\webform1.aspx .cs:41
    >> > ImpersonationTest.WebForm1.Page_Load(Object sender, EventArgs e) in
    >> > c:\inetpub\wwwroot\impersonationtest\webform1.aspx .cs:29
    >> > System.Web.UI.Control.OnLoad(EventArgs e) +67
    >> > System.Web.UI.Control.LoadRecursive() +35
    >> > System.Web.UI.Page.ProcessRequestMain() +750
    >> >
    >> >
    >> >
    >> > The configuration is:
    >> >
    >> > * IIS: Anonynous checkbox ON and Integrated Security checkbox ON
    >> >
    >> > * Web.config: <identity impersonate="true"> and <authentication
    >> > mode="Forms"> (auth mode forms is a requisite non negotiable on my app)
    >> >
    >> > * The app pool for the virtual dir is configured with Network Service
    >> >
    >> > Running on Win2K3 Domain Controller
    >> >
    >> > Any idea of what I should do to make the impersonation work?
    >> >
    >> > Thanks,
    >> > Beto
    >> >
    >> >
    >>
    >>
    >
    >

    Joe Kaplan (MVP - ADSI) Guest

  6. #5

    Re: Impersonation using WindowsIdentity( upn ) ctor

    Hello Alberto,

    you need the password when calling LogonUser - how will you safely store
    that in your app??

    dominick baier - DevelopMentor
    www.leastprivilege.com

    > Ok, now, what if I use the LogonUser API ?
    >
    > Thanks a lot.
    > Beto.
    > "Joe Kaplan (MVP - ADSI)" <joseph.e.kaplan@removethis.accenture.com>
    > wrote in message news:OIhXppQGFHA.2156@TK2MSFTNGP09.phx.gbl...
    >
    >> The problem is fairly subtle and is related to how Kerberos S4U, or
    >> "protocol transition", works. That is the new Windows 2003 feature
    >> that
    >>
    > you
    >
    >> are using under the hood when you use the WindowsIdentity "UPN" ctor.
    >>
    >> With S4U, the token returned by the API will either be an
    >> Impersonation level token or an Identity level token. The level
    >> depends on whether or
    >>
    > not
    >
    >> the account creating the token has the "Act as part of the operating
    >>
    > system"
    >
    >> privilege. Only accounts with with that privilege can create an
    >> Impersonation level token with S4U. By default, only the SYSTEM
    >> account
    >>
    > has
    >
    >> this privilege. Everything else will create an Identify level token.
    >>
    >> As you probably guessed, a token has to be Impersonation level in
    >> order to impersonate it. An identify-level token can only be used to
    >> do things
    >>
    > like
    >
    >> check group membership and such. This is the error that you are
    >> seeing.
    >>
    >> This limitation is actually a security feature. When you think about
    >> it, you wouldn't really want any old account having the ability to
    >> create a token for a user at random with no credentials for that user
    >> and then
    >>
    > start
    >
    >> executing code on their behalf!
    >>
    >> If you have a situation where you absolutely need to do this, you
    >> need to run the code with an account with the act as part of the
    >> operating system privilege. If you do that, you probably want to
    >> think very very carefully about how you are going to secure this as
    >> you are potentially opening a massive security hole by doing this.
    >> Tread very lightly here.
    >>
    >> Joe K.
    >>
    >> "Alberto Ortega" <beto@NOSPAMTOMEsouthworks.net> wrote in message
    >> news:%23YF4FaQGFHA.3612@TK2MSFTNGP09.phx.gbl...
    >>
    >>> I'm trying to impersonate a user using the WindowsIdentity ctor.
    >>> This is what I'm doing
    >>>
    >>> WindowsIdentity id = new WindowsIdentity( "test@dev1.domain-dev.net"
    >>> );
    >>> WindowsImpersonationContext wic = id.Impersonate();
    >>> try
    >>> {
    >>> DoSome();
    >>> }
    >>> finally
    >>> {
    >>> wic.Undo();
    >>> }
    >>> I'm getting this exception
    >>>
    >>> Access is denied.
    >>> Description: An unhandled exception occurred during the execution of
    >>> the
    >>> current web request. Please review the stack trace for more
    >>> information
    >>> about the error and where it originated in the code.
    >>> Exception Details: System.ApplicationException: Access is denied.
    >>>
    >>> [ApplicationException: Access is denied.
    >>> ]
    >>> System.Security.Principal.WindowsIdentity._Resolve Identity(IntPtr
    >>> userToken) +0
    >>> System.Security.Principal.WindowsIdentity.get_Name () +70
    >>> ImpersonationTest.WebForm1.DoSome() in
    >>> c:\inetpub\wwwroot\impersonationtest\webform1.aspx .cs:71
    >>> ImpersonationTest.WebForm1.ImpersonateWinId() in
    >>> c:\inetpub\wwwroot\impersonationtest\webform1.aspx .cs:41
    >>> ImpersonationTest.WebForm1.Page_Load(Object sender, EventArgs e) in
    >>> c:\inetpub\wwwroot\impersonationtest\webform1.aspx .cs:29
    >>> System.Web.UI.Control.OnLoad(EventArgs e) +67
    >>> System.Web.UI.Control.LoadRecursive() +35
    >>> System.Web.UI.Page.ProcessRequestMain() +750
    >>> The configuration is:
    >>>
    >>> * IIS: Anonynous checkbox ON and Integrated Security checkbox ON
    >>>
    >>> * Web.config: <identity impersonate="true"> and <authentication
    >>> mode="Forms"> (auth mode forms is a requisite non negotiable on my
    >>> app)
    >>>
    >>> * The app pool for the virtual dir is configured with Network
    >>> Service
    >>>
    >>> Running on Win2K3 Domain Controller
    >>>
    >>> Any idea of what I should do to make the impersonation work?
    >>>
    >>> Thanks,
    >>> Beto


    Dominick Baier [DevelopMentor] Guest

  7. #6

    Re: Impersonation using WindowsIdentity( upn ) ctor

    Hi, I'm a coworker of Alberto.
    Certainly, using LogonUser is not an option. We are looking for a solution
    using the WindowsIdentity upn ctor.
    I've read The .NET Developer's Guide to Windows Security by Keith Brown,
    and he writes a chapter about Protocol Transition, but nowhere does he mention
    the need to have the Act As Part of Operating System privilege.

    Is there any scenario/configuration for this to work?

    Let me tell you which is the real problem. Maybe you have an idea on how to
    solve this.

    * DotNetNuke ASP.NET app.
    * The users of this application will be either intranet or extranet users.
    If there were only intranet users we could use Integrated Security in IIS and
    impersonate="true" on ASP.Net and everything would be solved.
    * However, we need to give access to extranet users. We enabled Anonymous in
    IIS to do that.
    * BUT, here is the non-negotiable requirement: the ASP.Net thread MUST run
    with the user identity (either intranet user or extranet).
    * We give Forms Authentication to extranet users. They log in using their upn
    and password, we authenticate them against AD and finally we need to
    impersonate the thread with the identity of this user.

    The scenario is: two domains (forests) with a trust relationship between
    them. One domain for intranet users and another for extranet.

    So we need a solution that fits this:
    * Users from different domains must be able to impersonate their identity for
    every request on the ASP.Net app.

    Thanks for your help,
    Matias

    "Dominick Baier [DevelopMentor]" <dbaier@pleasepleasenospamdevelop.com>
    wrote in message news:40767632447886293808016@news.microsoft.com...
    > Hello Alberto,
    >
    > you need the password when calling LogonUser - how will you safely store
    > that in your app??
    >
    > dominick baier - DevelopMentor
    > www.leastprivilege.com
    >
    >
    >> Ok, now, what if I use the LogonUser API ?
    >>
    >> Thanks a lot.
    >> Beto.
    >> "Joe Kaplan (MVP - ADSI)" <joseph.e.kaplan@removethis.accenture.com>
    >> wrote in message news:OIhXppQGFHA.2156@TK2MSFTNGP09.phx.gbl...
    >>
    >>> The problem is fairly subtle and is related to how Kerberos S4U, or
    >>> "protocol transition", works. That is the new Windows 2003 feature
    >>> that
    >>>
    >> you
    >>
    >>> are using under the hood when you use the WindowsIdentity "UPN" ctor.
    >>>
    >>> With S4U, the token returned by the API will either be an
    >>> Impersonation level token or an Identity level token. The level
    >>> depends on whether or
    >>>
    >> not
    >>
    >>> the account creating the token has the "Act as part of the operating
    >>>
    >> system"
    >>
    >>> privilege. Only accounts with with that privilege can create an
    >>> Impersonation level token with S4U. By default, only the SYSTEM
    >>> account
    >>>
    >> has
    >>
    >>> this privilege. Everything else will create an Identify level token.
    >>>
    >>> As you probably guessed, a token has to be Impersonation level in
    >>> order to impersonate it. An identify-level token can only be used to
    >>> do things
    >>>
    >> like
    >>
    >>> check group membership and such. This is the error that you are
    >>> seeing.
    >>>
    >>> This limitation is actually a security feature. When you think about
    >>> it, you wouldn't really want any old account having the ability to
    >>> create a token for a user at random with no credentials for that user
    >>> and then
    >>>
    >> start
    >>
    >>> executing code on their behalf!
    >>>
    >>> If you have a situation where you absolutely need to do this, you
    >>> need to run the code with an account with the act as part of the
    >>> operating system privilege. If you do that, you probably want to
    >>> think very very carefully about how you are going to secure this as
    >>> you are potentially opening a massive security hole by doing this.
    >>> Tread very lightly here.
    >>>
    >>> Joe K.
    >>>
    >>> "Alberto Ortega" <beto@NOSPAMTOMEsouthworks.net> wrote in message
    >>> news:%23YF4FaQGFHA.3612@TK2MSFTNGP09.phx.gbl...
    >>>

    Matias Woloski Guest

  8. #7

    Re: Impersonation using WindowsIdentity( upn ) ctor

    What I'd suggest is that you put the WindowsIdentity creation code in a COM+
    component running under the SYSTEM identity or perhaps another account with
    Act As Part of the Operating System and call that from your web code. That
    is the most secure approach I can think of to do this.

    The other approach is to run your worker process as a similarly powerful
    account, but that leaves you more open to vulnerability.

    The documentation is here:
    http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secauthn/security/lsalogonuser.asp?frame=true

    I'm surprised Keith's book doesn't mention that as I was almost positive I
    learned this originally from him. Maybe it was an article or blog
    posting...

    Best of luck,

    Joe K.

    "Matias Woloski" <woloski@NOSPAMsion.com> wrote in message
    news:O2hoaFhGFHA.2748@tk2msftngp13.phx.gbl...
    > Hi, I'm a coworker of Alberto.
    > Certainly, using LogonUser, is not an option. We are looking for a
    > solution using WindowsIdentity upn ctor.
    > I've read The .NET Developer's Guide to Windows Security from Keith Brown,
    > and he writes a chapter about Protocol Transition, but nowhere he mentions
    > about the need of having Act As Part of Operating System privilege.
    >
    > Is there any scenario/configuration for this to work?
    >
    > Let me tell you which is the real problem. Maybe you have an idea on how
    > to solve this.
    >
    > * DotNetNuke ASP.NET app.
    > * The users of this application will be either intranet and extranet
    > users. If only were intranet users we could use Integrated Security in IIS
    > and impersonate="true" on ASP.Net and everything would be solved.
    > * However, we need to give access to extranet users. We enabled Anonymous
    > in IIS to do that.
    > * BUT, here is the non-negotiable requirement: the ASP.Net thread MUST run
    > with the user identity (either intranet user or extranet).
    > * We give Forms Authentication for extranet users. They login using its
    > upn and password, we authenticate them against AD and finally we need to
    > impersonate the thread with the identity of this user.
    >
    > The scenario is: two domains (forests) with a trust relationship between
    > them. One domain for intranet users and another for extranet.
    >
    > So we need a solution that fits this:
    > * Users from different domains must be able to impersonate its identity
    > for every request on the ASP.Net app.
    >
    > Thanks for your help,
    > Matias
    >
    > "Dominick Baier [DevelopMentor]" <dbaier@pleasepleasenospamdevelop.com>
    > wrote in message news:40767632447886293808016@news.microsoft.com...
    >> Hello Alberto,
    >>
    >> you need the password when calling LogonUser - how will you safely store
    >> that in your app??
    >>
    >> dominick baier - DevelopMentor
    >> www.leastprivilege.com
    >>
    >>
    >>> Ok, now, what if I use the LogonUser API ?
    >>>
    >>> Thanks a lot.
    >>> Beto.
    >>> "Joe Kaplan (MVP - ADSI)" <joseph.e.kaplan@removethis.accenture.com>
    >>> wrote in message news:OIhXppQGFHA.2156@TK2MSFTNGP09.phx.gbl...
    >>>
    >>>> The problem is fairly subtle and is related to how Kerberos S4U, or
    >>>> "protocol transition", works. That is the new Windows 2003 feature
    >>>> that
    >>>>
    >>> you
    >>>
    >>>> are using under the hood when you use the WindowsIdentity "UPN" ctor.
    >>>>
    >>>> With S4U, the token returned by the API will either be an
    >>>> Impersonation level token or an Identity level token. The level
    >>>> depends on whether or
    >>>>
    >>> not
    >>>
    >>>> the account creating the token has the "Act as part of the operating
    >>>>
    >>> system"
    >>>
    >>>> privilege. Only accounts with with that privilege can create an
    >>>> Impersonation level token with S4U. By default, only the SYSTEM
    >>>> account
    >>>>
    >>> has
    >>>
    >>>> this privilege. Everything else will create an Identify level token.
    >>>>
    >>>> As you probably guessed, a token has to be Impersonation level in
    >>>> order to impersonate it. An identify-level token can only be used to
    >>>> do things
    >>>>
    >>> like
    >>>
    >>>> check group membership and such. This is the error that you are
    >>>> seeing.
    >>>>
    >>>> This limitation is actually a security feature. When you think about
    >>>> it, you wouldn't really want any old account having the ability to
    >>>> create a token for a user at random with no credentials for that user
    >>>> and then
    >>>>
    >>> start
    >>>
    >>>> executing code on their behalf!
    >>>>
    >>>> If you have a situation where you absolutely need to do this, you
    >>>> need to run the code with an account with the act as part of the
    >>>> operating system privilege. If you do that, you probably want to
    >>>> think very very carefully about how you are going to secure this as
    >>>> you are potentially opening a massive security hole by doing this.
    >>>> Tread very lightly here.
    >>>>
    >>>> Joe K.
    >>>>
    >>>> "Alberto Ortega" <beto@NOSPAMTOMEsouthworks.net> wrote in message
    >>>> news:%23YF4FaQGFHA.3612@TK2MSFTNGP09.phx.gbl...
    >>>>
    >
    >

    Joe Kaplan (MVP - ADSI) Guest
