Get an unauthenticated WindowsIdentity?

I have a case where I need to get a WindowsIdentity for an account that has not been authenticated. Is this possible?

It looks like the only way to do it so far has been to get a token from LogonUser first, but I want to get the identity without logging on.


If you have 2003 servers and a 2003 native mode AD domain, you can use protocol transition/Kerberos S4U. This is very easy to take advantage of in .NET. Just use the constructor on WindowsIdentity that takes the user's UPN as the only argument. It works great.

Note that to get a token you can impersonate, you need to be running with Act as part of the operating system privilege, but if you just want to check group membership and such, it is great for that.

Joe K.

"ep" <re***@newgroup.only.please> wrote in message news:OVppk06iFHA.1412@TK2MSFTNGP09.phx.gbl...
> I have a case where I need to get a WindowsIdentity for an account that has
> not been authenticated. Is this possible?
>
> It looks like the only way to do it so far has been to get a token from
> LogonUser first, but I want to get the identity without logging on.


Hello ep,

give WindowsIdentity.GetAnonymous() a try

HTH

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com

> I have a case where I need to get a WindowsIdentity for an account
> that has not been authenticated. Is this possible?
>
> It looks like the only way to do it so far has been to get a token
> from LogonUser first, but I want to get the identity without logging
> on.


Hello Dominick Baier [DevelopMentor],

ah ok - so maybe I misunderstood you -

yes - the only way of getting a token without knowledge of the password is to use Protocol Transition - which will limit you to native w2k3 domains.

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com

> Hello ep,
>
> give WindowsIdentity.GetAnonymous() a try
>
> HTH


well, needs to be win2k/xp pro/win2k3.

GetAnonymous() doesn't work because I need the identity for a particular account.

"Dominick Baier [DevelopMentor]" <dbaier@pleasepleasenospamdevelop.com> wrote in message news:611459632573217008773744@news.microsoft.com...
> Hello Dominick Baier [DevelopMentor],
>
> ah ok - so maybe i misunderstood you -
>
> yes - the only way of getting a token without knowledge of the password is
> to use Protocol Transition - which will limit you to native w2k3 domains.


This is essentially impossible as far as I know unless you write your own SSPI logon provider or something, which is a significantly challenging undertaking. I'm not positive though. It might be a good question for ms.public.platformsdk.security.

Joe K.

"ep" <re***@newgroup.only.please> wrote in message news:OakAOe%23iFHA.3468@TK2MSFTNGP10.phx.gbl...
> well, needs to be win2k/xp pro/win2k3.
>
> GetAnonymous() doesn't work because I need the identity for a particular
> account.
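
The protocol-transition approach from Joe K.'s first reply, as an added example that is not part of the original thread: it builds a WindowsIdentity from a UPN alone, reports the token's impersonation level, and uses the identity only for a group-membership check. The UPN and group name are constructed placeholders, and the code assumes a domain-joined machine in a domain that supports S4U.

```csharp
using System;
using System.Security;
using System.Security.Principal;

static class S4UGroupCheck
{
    // Builds an identity for `upn` via Kerberos S4U (no password involved) and
    // reports group membership. Returns null when no identity could be obtained.
    static bool? IsMember(string upn, string group)
    {
        try
        {
            using (WindowsIdentity id = new WindowsIdentity(upn))
            {
                // Per the thread: an impersonable token needs "Act as part of the
                // operating system"; without it, expect an Identification-level
                // token that is good for access checks only.
                Console.WriteLine("{0}: level={1}, authType={2}",
                    id.Name, id.ImpersonationLevel, id.AuthenticationType);

                foreach (IdentityReference sid in id.Groups)
                {
                    // Fall back to the raw SID when a group has no resolvable name.
                    try { Console.WriteLine("  " + sid.Translate(typeof(NTAccount))); }
                    catch (IdentityNotMappedException) { Console.WriteLine("  " + sid.Value); }
                }
                return new WindowsPrincipal(id).IsInRole(group);
            }
        }
        catch (SecurityException ex) // e.g. no S4U support in the domain/OS, or unknown user
        {
            Console.Error.WriteLine("S4U logon failed: " + ex.Message);
        }
        catch (UnauthorizedAccessException ex)
        {
            Console.Error.WriteLine("Access denied: " + ex.Message);
        }
        return null;
    }

    static void Main()
    {
        // Constructed sample values; replace with a real UPN and group.
        bool? result = IsMember("alice@corp.example", @"CORP\Finance-Readers");
        Console.WriteLine(result.HasValue ? "member: " + result.Value : "no identity obtained");
    }
}
```

Logging `ImpersonationLevel` makes it visible when a service has been granted enough privilege to obtain an impersonable token for arbitrary accounts, which is worth reviewing against least privilege.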