Security permissions for Win32 LogonUser call.

Ask a Question related to ASP.NET Security, Design and Development.

  1. Ken Varn #1

    Default Security permissions for Win32 LogonUser call.

    I am running my ASP.NET page under IIS in Windows 2000 Pro. I need to make
    a call to the Win32 LogonUser function to get a logon token. How can I get
    security permission to do this while running under the MACHINE account for
    ASP.NET?

    --
    -----------------------------------
    Ken Varn
    Senior Software Engineer
    Diebold Inc.

    EmailID = varnk
    Domain = Diebold.com
    -----------------------------------


    Ken Varn Guest
    Reply With Quote Reply With Quote

    2. Similar Questions and Discussions

    1. ASP.net & Win32 API (LogonUser) question...
      I am running IIS6 on a Win2k3 server. I have an ASP.Net app (C#) that a user logs into and then I use LogonUser to validate them and log them...
    2. Win32::Ole and Call by reference
      Hi all, I want to control LabWindows/CVI via ActiveX from Perl. So far I managed to start the ActiveX server of CVI and I can also load a...
    3. call win32 API from linux perl script
      Hi, I'm must calling an API from a remote win32 server in a perl script. On a windows server, I use win32::OLE and it's work fine ! But my...
    4. Getting/setting Win32 Lanman share permissions
      I am looking for a way to list and possibly change the permissions on file shares on Win2K servers via a perl script. I have tried using...
    5. Using Win32::API To call CreateProcess - help!
      I need to call the "real" CreateProcess of windows NT from an ActiveState perl script. The code below always reports a return of 0 (FALSE) and fails...
  2. Joe Kaplan \(MVP - ADSI\) #2

    Default Re: Security permissions for Win32 LogonUser call.

    Under Windows 2000, an account needs the Act As Part of the Operating System
    privilege to call LogonUser. By default, only SYSTEM has this privilege as
    it is very powerful and not something you want to give out lightly.

    Another option you might want to consider in Win2K would be using SSPI.
    I've seen a few .NET wrappers out there that will allow you to get a logon
    token for a user without calling LogonUser. A Google search should turn
    something up.

    Alternately, you can also move to 2003 server where this restriction is
    lifted.

    Joe K.

    "Ken Varn" <nospam> wrote in message
    news:uJre1F8MFHA.2576@TK2MSFTNGP10.phx.gbl...
    >I am running my ASP.NET page under IIS in Windows 2000 Pro. I need to make
    > a call to the Win32 LogonUser function to get a logon token. How can I
    > get
    > security permission to do this while running under the MACHINE account for
    > ASP.NET?
    >
    > --
    > -----------------------------------
    > Ken Varn
    > Senior Software Engineer
    > Diebold Inc.
    >
    > EmailID = varnk
    > Domain = Diebold.com
    > -----------------------------------
    >
    >

    Joe Kaplan \(MVP - ADSI\) Guest
    Reply With Quote Reply With Quote
  3. Dominick Baier [DevelopMentor] #3

    Default Re: Security permissions for Win32 LogonUser call.

    Hello Joe,

    check this out for the SSPI workaround:
    [url]http://pluralsight.com/wiki/default.aspx/Keith.GuideBook/HowToGetATokenForAUser.html[/url]


    ---------------------------------------
    Dominick Baier - DevelopMentor
    [url]http://www.leastprivilege.com[/url]
    > Under Windows 2000, an account needs the Act As Part of the Operating
    > System privilege to call LogonUser. By default, only SYSTEM has this
    > privilege as it is very powerful and not something you want to give
    > out lightly.
    >
    > Another option you might want to consider in Win2K would be using
    > SSPI. I've seen a few .NET wrappers out there that will allow you to
    > get a logon token for a user without calling LogonUser. A Google
    > search should turn something up.
    >
    > Alternately, you can also move to 2003 server where this restriction
    > is lifted.
    >
    > Joe K.
    >
    > "Ken Varn" <nospam> wrote in message
    > news:uJre1F8MFHA.2576@TK2MSFTNGP10.phx.gbl...
    >
    >> I am running my ASP.NET page under IIS in Windows 2000 Pro. I need
    >> to make
    >> a call to the Win32 LogonUser function to get a logon token. How can
    >> I
    >> get
    >> security permission to do this while running under the MACHINE
    >> account for
    >> ASP.NET?
    >> --
    >> -----------------------------------
    >> Ken Varn
    >> Senior Software Engineer
    >> Diebold Inc.
    >> EmailID = varnk
    >> Domain = Diebold.com
    >> -----------------------------------


    Dominick Baier [DevelopMentor] Guest
    Reply With Quote Reply With Quote
  4. Joe Kaplan \(MVP - ADSI\) #4

    Default Re: Security permissions for Win32 LogonUser call.

    Keith's SSPI sample uses NegotiateStream which is certainly cool, but
    definitely only in .NET 2.0 right now. 1.x users will need a p/invoke
    solution although I've seen several published here that should show up in a
    Google search.

    Joe K.

    "Dominick Baier [DevelopMentor]" <dbaier@pleasepleasenospamdevelop.com>
    wrote in message news:205957632478732355935744@news.microsoft.com.. .
    > Hello Joe,
    >
    > check this out for the SSPI workaround:
    > [url]http://pluralsight.com/wiki/default.aspx/Keith.GuideBook/HowToGetATokenForAUser.html[/url]
    >
    >
    > ---------------------------------------
    > Dominick Baier - DevelopMentor
    > [url]http://www.leastprivilege.com[/url]
    >
    >> Under Windows 2000, an account needs the Act As Part of the Operating
    >> System privilege to call LogonUser. By default, only SYSTEM has this
    >> privilege as it is very powerful and not something you want to give
    >> out lightly.
    >>
    >> Another option you might want to consider in Win2K would be using
    >> SSPI. I've seen a few .NET wrappers out there that will allow you to
    >> get a logon token for a user without calling LogonUser. A Google
    >> search should turn something up.
    >>
    >> Alternately, you can also move to 2003 server where this restriction
    >> is lifted.
    >>
    >> Joe K.
    >>
    >> "Ken Varn" <nospam> wrote in message
    >> news:uJre1F8MFHA.2576@TK2MSFTNGP10.phx.gbl...
    >>
    >>> I am running my ASP.NET page under IIS in Windows 2000 Pro. I need
    >>> to make
    >>> a call to the Win32 LogonUser function to get a logon token. How can
    >>> I
    >>> get
    >>> security permission to do this while running under the MACHINE
    >>> account for
    >>> ASP.NET?
    >>> --
    >>> -----------------------------------
    >>> Ken Varn
    >>> Senior Software Engineer
    >>> Diebold Inc.
    >>> EmailID = varnk
    >>> Domain = Diebold.com
    >>> -----------------------------------
    >
    >
    >

    Joe Kaplan \(MVP - ADSI\) Guest
    Reply With Quote Reply With Quote
  5. Dominick Baier [DevelopMentor] #5

    Default Re: Security permissions for Win32 LogonUser call.

    Hello Joe,

    whoops. Microsoft makes us live in the future, all the time :)

    ---------------------------------------
    Dominick Baier - DevelopMentor
    [url]http://www.leastprivilege.com[/url]
    > Keith's SSPI sample uses NegotiateStream which is certainly cool, but
    > definitely only in .NET 2.0 right now. 1.x users will need a p/invoke
    > solution although I've seen several published here that should show up
    > in a Google search.
    >
    > Joe K.
    >
    > "Dominick Baier [DevelopMentor]"
    > <dbaier@pleasepleasenospamdevelop.com> wrote in message
    > news:205957632478732355935744@news.microsoft.com.. .
    >
    >> Hello Joe,
    >>
    >> check this out for the SSPI workaround:
    >> [url]http://pluralsight.com/wiki/default.aspx/Keith.GuideBook/HowToGetATok[/url]
    >> enForAUser.html
    >> ---------------------------------------
    >> Dominick Baier - DevelopMentor
    >> [url]http://www.leastprivilege.com[/url]
    >>> Under Windows 2000, an account needs the Act As Part of the
    >>> Operating System privilege to call LogonUser. By default, only
    >>> SYSTEM has this privilege as it is very powerful and not something
    >>> you want to give out lightly.
    >>>
    >>> Another option you might want to consider in Win2K would be using
    >>> SSPI. I've seen a few .NET wrappers out there that will allow you to
    >>> get a logon token for a user without calling LogonUser. A Google
    >>> search should turn something up.
    >>>
    >>> Alternately, you can also move to 2003 server where this restriction
    >>> is lifted.
    >>>
    >>> Joe K.
    >>>
    >>> "Ken Varn" <nospam> wrote in message
    >>> news:uJre1F8MFHA.2576@TK2MSFTNGP10.phx.gbl...
    >>>> I am running my ASP.NET page under IIS in Windows 2000 Pro. I need
    >>>> to make
    >>>> a call to the Win32 LogonUser function to get a logon token. How
    >>>> can
    >>>> I
    >>>> get
    >>>> security permission to do this while running under the MACHINE
    >>>> account for
    >>>> ASP.NET?
    >>>> --
    >>>> -----------------------------------
    >>>> Ken Varn
    >>>> Senior Software Engineer
    >>>> Diebold Inc.
    >>>> EmailID = varnk
    >>>> Domain = Diebold.com
    >>>> -----------------------------------


    Dominick Baier [DevelopMentor] Guest
    Reply With Quote Reply With Quote
« Previous Thread | Next Thread »

Posting Permissions

  • You may not post new threads
  • You may post replies
  • You may not post attachments
  • You may not edit your posts

Forum Rules


1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139