Kerberos S4U problem

One of the constructors for a WindowsIdentity allows you to pass the UPN of
a user and have an identity created for that user. If your permissions are
set up correctly then the system is supposed to return you a delegatable
token that you can use for impersonation. I have been attempting just this:
I have set my local account to have permission to act as part of the
operating system and have flagged it as trusted for delegation; however,
whenever I use this function I get a System.Security exception with the
message "Incorrect Function". I get the exact same result if I call
LsaLogonUser using the Kerberos S4U format.

Any thoughts or advice are appreciated

Robert


Hi,

there are certain prereqs

- works only on Windows 2003 domain members
- domains need to be in Windows 2003 functionality level
- works only with domain accounts

if these are met you can create a WindowsIdentity/WindowsPrincipal using
the UPN and call IsInRole on that. No special privileges necessary. To
impersonate the WindowsIdentity the process account needs the
SeImpersonatePrivilege (Impersonate client after authentication) - not
SeTcbPriv (act as part...) which is very dangerous

You will not be allowed to access local resources using a Protocol
Transition token (unless you run as SYSTEM)

To access remote resources you have to configure constrained delegation
using the "any protocol" option. The account under which you delegate the
token needs an SPN.

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com


Thanks Dominick,

One more question, does it work from Windows XP or only from Server?
Everything else is set up as you describe.

-Robert

"Dominick Baier [DevelopMentor]" <dbaier@pleasepleasenospamdevelop.com>
wrote in message news:4580be631953f98c7eb1c50907110@news.microsoft.com...


Hi,

only Windows 2003 Server

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com


and now it works, thanks!

"Dominick Baier [DevelopMentor]" <dbaier@pleasepleasenospamdevelop.com>
wrote in message news:4580be631954028c7eb1ed23fe928@news.microsoft.com...
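An added example (not code from the thread or from DevelopMentor) showing the usage Dominick's reply describes: build a WindowsIdentity from a UPN, use it for IsInRole checks, and only call Impersonate() when the token is actually at Impersonation level. It assumes the prerequisites he lists are met (Windows 2003 domain member, 2003 functional level, domain account) and uses a placeholder UPN.

```csharp
using System;
using System.Security.Principal;

// Added example, not code from the original thread. "alice@contoso.example"
// is a placeholder UPN; pass a real domain user's UPN on the command line.
class S4UCheck
{
    static void Main(string[] args)
    {
        string upn = args.Length > 0 ? args[0] : "alice@contoso.example";
        try
        {
            // S4U2Self logon: the KDC resolves the user and their groups for
            // us without the user's credentials ever being involved.
            WindowsIdentity id = new WindowsIdentity(upn);
            WindowsPrincipal principal = new WindowsPrincipal(id);

            Console.WriteLine("Resolved {0} (SID {1})", id.Name, id.User);
            Console.WriteLine("Token level: {0}", id.ImpersonationLevel);

            // Authorization decisions work even with an Identification-level
            // token; this part needs no special privilege.
            bool isAdmin = principal.IsInRole(WindowsBuiltInRole.Administrator);
            Console.WriteLine("Member of BUILTIN\\Administrators: {0}", isAdmin);

            // Impersonate() needs an Impersonation-level token and the process
            // account needs SeImpersonatePrivilege (not SeTcbPrivilege). Even
            // then a protocol-transition token gives no local resource access
            // unless the process runs as SYSTEM; it is meant for outbound
            // calls under constrained delegation ("any protocol").
            if (id.ImpersonationLevel == TokenImpersonationLevel.Impersonation)
            {
                using (WindowsImpersonationContext ctx = id.Impersonate())
                {
                    Console.WriteLine("Now running as {0}",
                                      WindowsIdentity.GetCurrent().Name);
                }
            }
            else
            {
                Console.WriteLine("Identification-only token: usable for " +
                                  "IsInRole/access checks, not Impersonate().");
            }
        }
        catch (System.Security.SecurityException ex)
        {
            // "Incorrect Function" here usually means an unmet prerequisite
            // (not a 2003 domain member, wrong functional level, or a local
            // rather than domain account was passed).
            Console.WriteLine("Protocol transition failed: {0}", ex.Message);
        }
    }
}
```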