recovering password stored with reversible encryption?

I have a server application which needs to log on as a configurable local user for anonymous access, exactly like IIS does with the IUSR_XXX account. I understand local passwords can be stored with "reversible encryption". My question is, how can I retrieve the plaintext password so I can perform LogonUser with that user and retrieve a token? Or if I know the username of a local account, how can I perform LogonUser and retrieve a token?

nevermind, a colleague pointed me to this handy link

http://support.microsoft.com/?id=216828

> I have a server application which needs to log on as a configurable local
> user for anonymous access, exactly like IIS does with the IUSR_XXX account.
> I understand local passwords can be stored with "reversible encryption".
> My question is, how can I retrieve the plaintext password so I can perform
> LogonUser with that user and retrieve a token?
> Or if I know the username of a local account, how can I perform
> LogonUser and retrieve a token?

AFAIK, the "reversible encryption" scheme is not openly published outside of Microsoft. In most cases, you should NOT be enabling it, it is for specific uses.

As the article you posted shows, you can fix your problem if you "turn off the "Enable Automatic Password Synchronization" option or "Allow IIS to Control Password" option in the Internet Service Manager. Be sure that you reset the password in User Manager to ensure that it is correct for this user account."

But also note this:

http://securityadmin.info/faq.asp#iwam

Like the IUSR account, a copy of the IWAM account password is stored in the IIS metabase, so that IIS can log on as the IWAM account. IIS cannot log on as IWAM and/or IUSR if the password in the IIS metabase does not match the actual password for that user ID in the Windows security database.

The ADSUTIL.VBS command can be used to retrieve or change the IWAM and/or IUSR ID and/or password stored in the IIS metabase. For example, you may need to use the command "ADSUTIL GET" to get the IWAM password from the metabase, then use the Windows 2000 / XP / .NET Local Users and Groups MMC to change the password on the IWAM account to match.

More information on using the ADSUTIL.VBS command can be found in the articles below:

http://support.microsoft.com/?kbid=297989
http://support.microsoft.com/?kbid=296851

"Eric Pearson" <reply@newsgrouponly.please> wrote in message news:e3cfe936330e8c8543ab9887a30@msnews.microsoft.com...
> nevermind, a colleague pointed me to this handy link
>
> http://support.microsoft.com/?id=216828
>
>> I have a server application which needs to log on as a configurable local
>> user for anonymous access, exactly like IIS does with the IUSR_XXX account.
>> I understand local passwords can be stored with "reversible encryption".
>> My question is, how can I retrieve the plaintext password so I can perform
>> LogonUser with that user and retrieve a token?
>> Or if I know the username of a local account, how can I perform
>> LogonUser and retrieve a token?

Hello Karl,

actually the article pointed out a much better solution... since I need to get a login token for an account I create (not IUSR or IWAM), I can just create a subauthentication module, so that when I call LogonUser, Windows in turn will call MY dll to perform the authentication.

> AFAIK, the "reversible encryption" scheme is not openly published
> outside of Microsoft. In most cases, you should NOT be enabling it,
> it is for specific uses.
>
> As the article you posted shows, you can fix your problem if you "turn
> off the "Enable Automatic Password Synchronization" option or "Allow
> IIS to Control Password" option in the Internet Service Manager. Be
> sure that you reset the password in User Manager to ensure that it is
> correct for this user account."
>
> But also note this:
>
> http://securityadmin.info/faq.asp#iwam
>
> Like the IUSR account, a copy of the IWAM account password is stored
> in the IIS metabase, so that IIS can log on as the IWAM account. IIS
> cannot log on as IWAM and/or IUSR if the password in the IIS metabase
> does not match the actual password for that user ID in the Windows
> security database.
>
> The ADSUTIL.VBS command can be used to retrieve or change the IWAM
> and/or IUSR ID and/or password stored in the IIS metabase. For
> example, you may need to use the command "ADSUTIL GET" to get the IWAM
> password from the metabase, then use the Windows 2000 / XP / .NET
> Local Users and Groups MMC to change the password on the IWAM account
> to match.
>
> More information on using the ADSUTIL.VBS command can be found in the
> articles below:
>
> http://support.microsoft.com/?kbid=297989
> http://support.microsoft.com/?kbid=296851
>
> "Eric Pearson" <reply@newsgrouponly.please> wrote in message
> news:e3cfe936330e8c8543ab9887a30@msnews.microsoft.com...
>
>> nevermind, a colleague pointed me to this handy link
>>
>> http://support.microsoft.com/?id=216828
>>
>>> I have a server application which needs to log on as a configurable local
>>> user for anonymous access, exactly like IIS does with the IUSR_XXX account.
>>> I understand local passwords can be stored with "reversible encryption".
>>> My question is, how can I retrieve the plaintext password so I can perform
>>> LogonUser with that user and retrieve a token?
>>> Or if I know the username of a local account, how can I perform
>>> LogonUser and retrieve a token?