Subject: Impersonate

William Stacey [MVP] wrote:

If you're a service running as, say, Admin or Local System, can you impersonate other users without their password (i.e. run a thread with their WindowsIdentity)? TIA.

--
William Stacey [MVP]


Joe Kaplan (MVP - ADSI) wrote:

It depends. If the user is a domain user AND your current OS is 2003+ AND your AD is 2003 native mode, then you can use protocol transition (S4U auth) to create a WindowsIdentity (using the constructor that takes the UPN) and you can impersonate that. In order to access local resources, the caller must have the TCB privilege, but SYSTEM will have that by default.

Note that an identity created this way can also be used for impersonation to access remote resources via delegation. You have to use constrained delegation here, and the calling account needs to be enabled for delegation with "any protocol". This setting is also orthogonal to needing the TCB privilege to access local resources, in that you might be able to delegate to a remote service without having the rights to access local resources. However, in my experience, a lot of .NET code will end up accessing at least one local file or registry key in the process of doing any kind of remote operation, so you tend to end up needing access to local resources to perform the call to access remote ones.

Otherwise, there is no way that I'm aware of to do this unless you possibly write your own SSPI provider. Ick.

Joe K.


William Stacey [MVP] wrote:

Thanks Joe. Any bit of code to get the idea going for me? Will need file access with user ACLs, run process with user ACLs, maybe registry. Do I need to use something like the AuthenticatedStream class on the server side to log in and get a WindowsIdentity passing a null password or something? I could not find any examples in this specific area (i.e. no pwd).

--
William Stacey [MVP]


Joe Kaplan (MVP - ADSI) wrote:

You just use the WindowsIdentity constructor that takes the user's UPN (single string parameter). Once you have that, you just call the Impersonate method. If all the preconditions I mentioned are true (2003 server, 2003 native AD), then S4U auth will work. All you need is the user's UPN.

    using System.Security.Principal;

    // S4U logon: only the UPN is supplied, no password.
    WindowsIdentity user = new WindowsIdentity("some***@domain.com");
    WindowsImpersonationContext wc = null;
    try
    {
        wc = user.Impersonate();
        // do stuff here as that user
    }
    finally
    {
        // always revert the thread token, even if the work above throws
        if (wc != null)
            wc.Undo();
    }

The other thing you can do is use NegotiateStream to authenticate the remote user and get a token you can impersonate that way. That is more akin to a classic Windows client/server RPC type of thing, but that locks your clients into using Negotiate auth. Note that in that case, the OS and domain restrictions are gone, as you are not creating the token with S4U. The Negotiate SSPI provider does it instead.

So, it really depends on what you need to do.

Joe K.


Dominick Baier wrote:

> The other thing you can do is use NegotiateStream to authenticate the
> remote user and get a token you can impersonate that way.

NegotiateStream requires a password.

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com


William Stacey [MVP] wrote:

Thanks Joe. So nothing will work (i.e. LogonUser) if AD is not native or there is no AD?

--
William Stacey [MVP]


Joe Kaplan (MVP - ADSI) wrote:

S4U won't work. That is the only logon method that is exposed in the API if you don't have a password. If you can authenticate clients via NegotiateStream, that should work in all cases, as you can authenticate Kerberos and NTLM clients and you don't need a domain for NTLM for local machine accounts.

Like I said, I think you can write your own SSPI provider too, but I wouldn't go there.

Joe K.
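An added example, not code from the thread, that puts Joe's two routes side by side: the S4U logon by UPN, with a check of the token's impersonation level before anything is opened (a caller without the TCB privilege only gets an Identification-level token), and a NegotiateStream exchange on loopback in which the client authenticates with its own credentials and the server impersonates the token it receives. The UPN, file path and port are placeholders; the code targets Windows on .NET Framework 4.6 or later (or modern .NET) and uses WindowsIdentity.RunImpersonated in place of the Impersonate()/Undo() pair shown above.

```csharp
// Added example, not code from the thread. The UPN, file path and loopback port are
// placeholders. Windows only; needs .NET Framework 4.6+ or modern .NET for RunImpersonated.
using System;
using System.IO;
using System.Net;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Principal;
using System.Text;
using System.Threading.Tasks;

static class ImpersonationDemo
{
    // Route 1: protocol transition (S4U2Self): only the UPN, no password; needs a domain
    // user and a 2003+ DC. A caller holding SeTcbPrivilege (e.g. SYSTEM) gets an
    // Impersonation-level token; anyone else gets Identification level, good for checks only.
    static void S4UDemo(string upn, string path)
    {
        using (var user = new WindowsIdentity(upn))
        {
            Console.WriteLine($"S4U token for {user.Name}, level = {user.ImpersonationLevel}");
            if (user.ImpersonationLevel != TokenImpersonationLevel.Impersonation)
            {
                // Identification level: IsInRole works, but CreateFile/RegOpenKey under this
                // token fail with ERROR_BAD_IMPERSONATION_LEVEL, so do not try to open the file.
                bool admin = new WindowsPrincipal(user).IsInRole(WindowsBuiltInRole.Administrator);
                Console.WriteLine($"  {user.Name} is local admin: {admin}");
                return;
            }
            TryReadAs(user, path);
        }
    }

    // Route 2: NegotiateStream. The client proves its own credentials (Kerberos or NTLM, so no
    // native-mode domain is needed and local accounts work). The server may impersonate the
    // token only if the client allowed it; parameterless AuthenticateAsClient() allows Identification only.
    static async Task NegotiateDemo(int port, string path)
    {
        var listener = new TcpListener(IPAddress.Loopback, port);
        listener.Start();
        try
        {
            Task server = Task.Run(async () =>
            {
                using (TcpClient tcp = await listener.AcceptTcpClientAsync())
                using (var auth = new NegotiateStream(tcp.GetStream(), false))
                {
                    // Demand signing+encryption and an impersonation-capable token, else this throws.
                    auth.AuthenticateAsServer(CredentialCache.DefaultNetworkCredentials,
                        ProtectionLevel.EncryptAndSign, TokenImpersonationLevel.Impersonation);
                    var client = (WindowsIdentity)auth.RemoteIdentity;
                    Console.WriteLine($"Server: {client.Name} via {client.AuthenticationType}, level = {auth.ImpersonationLevel}");
                    TryReadAs(client, path);
                    byte[] reply = Encoding.UTF8.GetBytes("ok");
                    await auth.WriteAsync(reply, 0, reply.Length);
                }
            });
            using (var tcp = new TcpClient())
            {
                await tcp.ConnectAsync(IPAddress.Loopback, port);
                using (var auth = new NegotiateStream(tcp.GetStream(), false))
                {
                    // Empty target name => NTLM on loopback. Explicitly allow Impersonation level.
                    auth.AuthenticateAsClient(CredentialCache.DefaultNetworkCredentials, "",
                        ProtectionLevel.EncryptAndSign, TokenImpersonationLevel.Impersonation);
                    var buf = new byte[16]; int n = await auth.ReadAsync(buf, 0, buf.Length);
                    Console.WriteLine($"Client: server replied \"{Encoding.UTF8.GetString(buf, 0, n)}\"");
                }
            }
            await server;
        }
        finally { listener.Stop(); }
    }

    // Impersonate only for the duration of the open. RunImpersonated reverts the thread token
    // when the delegate returns, even on exception, which the try/finally Undo() above does by hand.
    static void TryReadAs(WindowsIdentity who, string path)
    {
        try
        {
            WindowsIdentity.RunImpersonated(who.AccessToken, () =>
            {
                using (FileStream fs = File.OpenRead(path))
                    Console.WriteLine($"  opened {path} as {WindowsIdentity.GetCurrent().Name}, {fs.Length} bytes");
            });
        }
        catch (Exception e) when (e is UnauthorizedAccessException || e is IOException)
        { Console.WriteLine($"  {who.Name} cannot read {path}: {e.Message}"); }
    }

    static async Task Main(string[] args)
    {
        string upn = args.Length > 0 ? args[0] : "someuser@domain.example";  // placeholder UPN
        string path = args.Length > 1 ? args[1] : @"C:\temp\protected.txt";  // placeholder path
        try { S4UDemo(upn, path); }
        catch (Exception e) { Console.WriteLine($"S4U logon failed: {e.Message}"); }  // no DC, local account, ...
        await NegotiateDemo(50123, path);
    }
}
```

Run it once as a normal user and once as SYSTEM (e.g. under PsExec -s) to see the difference Joe describes: as a normal user the S4U token comes back at Identification level and the demo stops at the role check; as SYSTEM it opens the file under the target user's token and the ACL on the file decides. The NegotiateStream half works with no AD at all, but only because the client side actually authenticates, which is Dominick's point; if the client leaves the default Identification level in place, the server's AuthenticateAsServer throws an AuthenticationException rather than handing out a token it could not use.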