Impersonate with SSPLogonUser

Hi!

I've made a Web Service using C# that is using impersonation.
The WS is working fine on WinXP and Win2003Server, but I'm having problem
getting it to work on Win2000.

The problem is that in order to use LogonUser on Win2000, you have to have
the SE_TCB_NAME privilege.
Therefore I'm using the SSPLogonUser
(http://support.microsoft.com/default...NoWebContent=1)
to authenticate the user.
This is working.

To be able to impersonate, I use the DuplicateToken API function.
This function takes a token as parameter, and I don't know how to obtain
that token.
When using the LogonUser function, you get a token in return, so on WinXP
and Win2003Server the problem doesn't arise.

I tried using WindowsIdentity.GetCurrent() after calling SSPLogonUser, but
it seems as if the token I'm getting is the wrong one.

Does anyone have an idea on how I can obtain this token?

Thanks in advance!

Regards,
Nils Magne Lunde

You should call QuerySecurityContextToken to obtain a token from the
security package.
Note however that this token has no network credentials.

Willy.

"Nils M. Lunde" <nilsml@nospam.options.no> wrote in message
news:opr1h8szhixwk509@news.microsoft.com...[color=blue]
> Hi!
>
> I've made a Web Service using C# that is using impersonation.
> The WS is working fine on WinXP and Win2003Server, but I'm having problem
> getting it to work on Win2000.
>
> The problem is that in order to use LogonUser on Win2000, you have to have
> the SE_TCB_NAME privilege.
> Therefore I'm using the SSPLogonUser
>[/color]
(http://support.microsoft.com/default....microsoft.com
:80/support/kb/articles/Q180/5/48.asp&NoWebContent=1)[color=blue]
> to authenticate the user.
> This is working.
>
> To be able to impersonate, I use the DuplicateToken API function.
> This function takes a token as parameter, and I don't know how to obtain
> that token.
> When using the LogonUser function, you get a token in return, so on WinXP
> and Win2003Server the problem doesn't arise.
>
> I tried using WindowsIdentity.GetCurrent() after calling SSPLogonUser, but
> it seems as if the token I'm getting is the wrong one.
>
> Does anyone have an idea on how I can obtain this token?
>
> Thanks in advance!
>
> Regards,
> Nils Magne Lunde[/color]

Ok, I see.
Is there an easy way for me to obtain the security context that is used as
input to this function, or do I have to make the SSPLogonUser return this
context?

-Nils Magne

On Fri, 9 Jan 2004 14:11:14 +0100, Willy Denoyette [MVP]
<willy.denoyette@pandora.be> wrote:
[color=blue]
> You should call QuerySecurityContextToken to obtain a token from the
> security package.
> Note however that this token has no network credentials.
>
> Willy.
>
>
> "Nils M. Lunde" <nilsml@nospam.options.no> wrote in message
> news:opr1h8szhixwk509@news.microsoft.com...[color=green]
>> Hi!
>>
>> I've made a Web Service using C# that is using impersonation.
>> The WS is working fine on WinXP and Win2003Server, but I'm having
>> problem
>> getting it to work on Win2000.
>>
>> The problem is that in order to use LogonUser on Win2000, you have to
>> have
>> the SE_TCB_NAME privilege.
>> Therefore I'm using the SSPLogonUser
>>[/color]
> (http://support.microsoft.com/default....microsoft.com
> :80/support/kb/articles/Q180/5/48.asp&NoWebContent=1)[color=green]
>> to authenticate the user.
>> This is working.
>>
>> To be able to impersonate, I use the DuplicateToken API function.
>> This function takes a token as parameter, and I don't know how to obtain
>> that token.
>> When using the LogonUser function, you get a token in return, so on
>> WinXP
>> and Win2003Server the problem doesn't arise.
>>
>> I tried using WindowsIdentity.GetCurrent() after calling SSPLogonUser,
>> but
>> it seems as if the token I'm getting is the wrong one.
>>
>> Does anyone have an idea on how I can obtain this token?
>>
>> Thanks in advance!
>>
>> Regards,
>> Nils Magne Lunde[/color]
>
>[/color]

--
Using M2, Opera's revolutionary e-mail client: http://www.opera.com/m2/

When calling QuerySecurityContextToken , you have to pass the adress of the
Server context handle (&asServer.hctxt), you could make this call before
returning from SSPLogonUser and return the access token obtained by calling
QuerySecurityContextToken, or you could implement another function that
takes the context handle and returns the token? it's up to you ;-)

Willy.

"Nils M. Lunde" <nilsml@nospam.options.no> wrote in message
news:opr1nmno0qxwk509@news.microsoft.com...[color=blue]
> Ok, I see.
> Is there an easy way for me to obtain the security context that is used as
> input to this function, or do I have to make the SSPLogonUser return this
> context?
>
> -Nils Magne
>
> On Fri, 9 Jan 2004 14:11:14 +0100, Willy Denoyette [MVP]
> <willy.denoyette@pandora.be> wrote:
>[color=green]
> > You should call QuerySecurityContextToken to obtain a token from the
> > security package.
> > Note however that this token has no network credentials.
> >
> > Willy.
> >
> >
> > "Nils M. Lunde" <nilsml@nospam.options.no> wrote in message
> > news:opr1h8szhixwk509@news.microsoft.com...[color=darkred]
> >> Hi!
> >>
> >> I've made a Web Service using C# that is using impersonation.
> >> The WS is working fine on WinXP and Win2003Server, but I'm having
> >> problem
> >> getting it to work on Win2000.
> >>
> >> The problem is that in order to use LogonUser on Win2000, you have to
> >> have
> >> the SE_TCB_NAME privilege.
> >> Therefore I'm using the SSPLogonUser
> >>[/color]
> >[/color][/color]
(http://support.microsoft.com/default....microsoft.com[color=blue][color=green]
> > :80/support/kb/articles/Q180/5/48.asp&NoWebContent=1)[color=darkred]
> >> to authenticate the user.
> >> This is working.
> >>
> >> To be able to impersonate, I use the DuplicateToken API function.
> >> This function takes a token as parameter, and I don't know how to[/color][/color][/color]
obtain[color=blue][color=green][color=darkred]
> >> that token.
> >> When using the LogonUser function, you get a token in return, so on
> >> WinXP
> >> and Win2003Server the problem doesn't arise.
> >>
> >> I tried using WindowsIdentity.GetCurrent() after calling SSPLogonUser,
> >> but
> >> it seems as if the token I'm getting is the wrong one.
> >>
> >> Does anyone have an idea on how I can obtain this token?
> >>
> >> Thanks in advance!
> >>
> >> Regards,
> >> Nils Magne Lunde[/color]
> >
> >[/color]
>
>
>
> --
> Using M2, Opera's revolutionary e-mail client: http://www.opera.com/m2/[/color]

Thanks!
I got i to work on Win2000 Professional.
Now I only have to find a way to get it to work on Win2000 Server.
It seems as if the token is somewhat invalid, and I don't have access to
anything after impersonating using it.

Nils Magne

On Mon, 12 Jan 2004 13:39:44 +0100, Willy Denoyette [MVP]
<willy.denoyette@pandora.be> wrote:
[color=blue]
> When calling QuerySecurityContextToken , you have to pass the adress of
> the
> Server context handle (&asServer.hctxt), you could make this call before
> returning from SSPLogonUser and return the access token obtained by
> calling
> QuerySecurityContextToken, or you could implement another function that
> takes the context handle and returns the token? it's up to you ;-)
>
> Willy.
>
>
> "Nils M. Lunde" <nilsml@nospam.options.no> wrote in message
> news:opr1nmno0qxwk509@news.microsoft.com...[color=green]
>> Ok, I see.
>> Is there an easy way for me to obtain the security context that is used
>> as
>> input to this function, or do I have to make the SSPLogonUser return
>> this
>> context?
>>
>> -Nils Magne
>>
>> On Fri, 9 Jan 2004 14:11:14 +0100, Willy Denoyette [MVP]
>> <willy.denoyette@pandora.be> wrote:
>>[color=darkred]
>> > You should call QuerySecurityContextToken to obtain a token from the
>> > security package.
>> > Note however that this token has no network credentials.
>> >
>> > Willy.
>> >
>> >
>> > "Nils M. Lunde" <nilsml@nospam.options.no> wrote in message
>> > news:opr1h8szhixwk509@news.microsoft.com...
>> >> Hi!
>> >>
>> >> I've made a Web Service using C# that is using impersonation.
>> >> The WS is working fine on WinXP and Win2003Server, but I'm having
>> >> problem
>> >> getting it to work on Win2000.
>> >>
>> >> The problem is that in order to use LogonUser on Win2000, you have to
>> >> have
>> >> the SE_TCB_NAME privilege.
>> >> Therefore I'm using the SSPLogonUser
>> >>
>> >[/color][/color]
> (http://support.microsoft.com/default....microsoft.com[color=green][color=darkred]
>> > :80/support/kb/articles/Q180/5/48.asp&NoWebContent=1)
>> >> to authenticate the user.
>> >> This is working.
>> >>
>> >> To be able to impersonate, I use the DuplicateToken API function.
>> >> This function takes a token as parameter, and I don't know how to[/color][/color]
> obtain[color=green][color=darkred]
>> >> that token.
>> >> When using the LogonUser function, you get a token in return, so on
>> >> WinXP
>> >> and Win2003Server the problem doesn't arise.
>> >>
>> >> I tried using WindowsIdentity.GetCurrent() after calling[/color]
>> SSPLogonUser,[color=darkred]
>> >> but
>> >> it seems as if the token I'm getting is the wrong one.
>> >>
>> >> Does anyone have an idea on how I can obtain this token?
>> >>
>> >> Thanks in advance!
>> >>
>> >> Regards,
>> >> Nils Magne Lunde
>> >
>> >[/color]
>>
>>
>>
>> --
>> Using M2, Opera's revolutionary e-mail client: http://www.opera.com/m2/[/color]
>
>[/color]

--
Using M2, Opera's revolutionary e-mail client: http://www.opera.com/m2/

What exactly do you mean with "I don't have access to anything"?
Note that the token obtained has not network credentials, so network
resources are not accessible when impersonating.

Willy.

"Nils M. Lunde" <nilsml@options.no> wrote in message
news:opr1puiv117zdv43@news.microsoft.com...[color=blue]
> Thanks!
> I got i to work on Win2000 Professional.
> Now I only have to find a way to get it to work on Win2000 Server.
> It seems as if the token is somewhat invalid, and I don't have access to
> anything after impersonating using it.
>
> Nils Magne
>
> On Mon, 12 Jan 2004 13:39:44 +0100, Willy Denoyette [MVP]
> <willy.denoyette@pandora.be> wrote:
>[color=green]
> > When calling QuerySecurityContextToken , you have to pass the adress of
> > the
> > Server context handle (&asServer.hctxt), you could make this call[/color][/color]
before[color=blue][color=green]
> > returning from SSPLogonUser and return the access token obtained by
> > calling
> > QuerySecurityContextToken, or you could implement another function that
> > takes the context handle and returns the token? it's up to you ;-)
> >
> > Willy.
> >
> >
> > "Nils M. Lunde" <nilsml@nospam.options.no> wrote in message
> > news:opr1nmno0qxwk509@news.microsoft.com...[color=darkred]
> >> Ok, I see.
> >> Is there an easy way for me to obtain the security context that is used
> >> as
> >> input to this function, or do I have to make the SSPLogonUser return
> >> this
> >> context?
> >>
> >> -Nils Magne
> >>
> >> On Fri, 9 Jan 2004 14:11:14 +0100, Willy Denoyette [MVP]
> >> <willy.denoyette@pandora.be> wrote:
> >>
> >> > You should call QuerySecurityContextToken to obtain a token from the
> >> > security package.
> >> > Note however that this token has no network credentials.
> >> >
> >> > Willy.
> >> >
> >> >
> >> > "Nils M. Lunde" <nilsml@nospam.options.no> wrote in message
> >> > news:opr1h8szhixwk509@news.microsoft.com...
> >> >> Hi!
> >> >>
> >> >> I've made a Web Service using C# that is using impersonation.
> >> >> The WS is working fine on WinXP and Win2003Server, but I'm having
> >> >> problem
> >> >> getting it to work on Win2000.
> >> >>
> >> >> The problem is that in order to use LogonUser on Win2000, you have[/color][/color][/color]
to[color=blue][color=green][color=darkred]
> >> >> have
> >> >> the SE_TCB_NAME privilege.
> >> >> Therefore I'm using the SSPLogonUser
> >> >>
> >> >[/color]
> >[/color][/color]
(http://support.microsoft.com/default....microsoft.com[color=blue][color=green][color=darkred]
> >> > :80/support/kb/articles/Q180/5/48.asp&NoWebContent=1)
> >> >> to authenticate the user.
> >> >> This is working.
> >> >>
> >> >> To be able to impersonate, I use the DuplicateToken API function.
> >> >> This function takes a token as parameter, and I don't know how to[/color]
> > obtain[color=darkred]
> >> >> that token.
> >> >> When using the LogonUser function, you get a token in return, so on
> >> >> WinXP
> >> >> and Win2003Server the problem doesn't arise.
> >> >>
> >> >> I tried using WindowsIdentity.GetCurrent() after calling
> >> SSPLogonUser,
> >> >> but
> >> >> it seems as if the token I'm getting is the wrong one.
> >> >>
> >> >> Does anyone have an idea on how I can obtain this token?
> >> >>
> >> >> Thanks in advance!
> >> >>
> >> >> Regards,
> >> >> Nils Magne Lunde
> >> >
> >> >
> >>
> >>
> >>
> >> --
> >> Using M2, Opera's revolutionary e-mail client: http://www.opera.com/m2/[/color]
> >
> >[/color]
>
>
>
> --
> Using M2, Opera's revolutionary e-mail client: http://www.opera.com/m2/[/color]

I mean that after impersonating with that token, I only have guest
privilegies on this computer.
On WinXP, 2003Server and 2000Pro I can impersonate any domain user, and
have access to the same resources as if I was loged in as this user. On
Win2000Server I only have guest privilegies no matter who I'm
impersonating.

The 2000Server I'm using is the pdc of our domain.
Could that be the reason?

Nils Magne

On Tue, 13 Jan 2004 17:05:32 +0100, Willy Denoyette [MVP]
<willy.denoyette@pandora.be> wrote:
[color=blue]
> What exactly do you mean with "I don't have access to anything"?
> Note that the token obtained has not network credentials, so network
> resources are not accessible when impersonating.
>
> Willy.
>
> "Nils M. Lunde" <nilsml@options.no> wrote in message
> news:opr1puiv117zdv43@news.microsoft.com...[color=green]
>> Thanks!
>> I got i to work on Win2000 Professional.
>> Now I only have to find a way to get it to work on Win2000 Server.
>> It seems as if the token is somewhat invalid, and I don't have access to
>> anything after impersonating using it.
>>
>> Nils Magne
>>
>> On Mon, 12 Jan 2004 13:39:44 +0100, Willy Denoyette [MVP]
>> <willy.denoyette@pandora.be> wrote:
>>[color=darkred]
>> > When calling QuerySecurityContextToken , you have to pass the adress[/color]
>> of[color=darkred]
>> > the
>> > Server context handle (&asServer.hctxt), you could make this call[/color][/color]
> before[color=green][color=darkred]
>> > returning from SSPLogonUser and return the access token obtained by
>> > calling
>> > QuerySecurityContextToken, or you could implement another function[/color]
>> that[color=darkred]
>> > takes the context handle and returns the token? it's up to you ;-)
>> >
>> > Willy.
>> >
>> >
>> > "Nils M. Lunde" <nilsml@nospam.options.no> wrote in message
>> > news:opr1nmno0qxwk509@news.microsoft.com...
>> >> Ok, I see.
>> >> Is there an easy way for me to obtain the security context that is[/color]
>> used[color=darkred]
>> >> as
>> >> input to this function, or do I have to make the SSPLogonUser return
>> >> this
>> >> context?
>> >>
>> >> -Nils Magne
>> >>
>> >> On Fri, 9 Jan 2004 14:11:14 +0100, Willy Denoyette [MVP]
>> >> <willy.denoyette@pandora.be> wrote:
>> >>
>> >> > You should call QuerySecurityContextToken to obtain a token from[/color]
>> the[color=darkred]
>> >> > security package.
>> >> > Note however that this token has no network credentials.
>> >> >
>> >> > Willy.
>> >> >
>> >> >
>> >> > "Nils M. Lunde" <nilsml@nospam.options.no> wrote in message
>> >> > news:opr1h8szhixwk509@news.microsoft.com...
>> >> >> Hi!
>> >> >>
>> >> >> I've made a Web Service using C# that is using impersonation.
>> >> >> The WS is working fine on WinXP and Win2003Server, but I'm having
>> >> >> problem
>> >> >> getting it to work on Win2000.
>> >> >>
>> >> >> The problem is that in order to use LogonUser on Win2000, you have[/color][/color]
> to[color=green][color=darkred]
>> >> >> have
>> >> >> the SE_TCB_NAME privilege.
>> >> >> Therefore I'm using the SSPLogonUser
>> >> >>
>> >> >
>> >[/color][/color]
> (http://support.microsoft.com/default....microsoft.com[color=green][color=darkred]
>> >> > :80/support/kb/articles/Q180/5/48.asp&NoWebContent=1)
>> >> >> to authenticate the user.
>> >> >> This is working.
>> >> >>
>> >> >> To be able to impersonate, I use the DuplicateToken API function.
>> >> >> This function takes a token as parameter, and I don't know how to
>> > obtain
>> >> >> that token.
>> >> >> When using the LogonUser function, you get a token in return, so[/color]
>> on[color=darkred]
>> >> >> WinXP
>> >> >> and Win2003Server the problem doesn't arise.
>> >> >>
>> >> >> I tried using WindowsIdentity.GetCurrent() after calling
>> >> SSPLogonUser,
>> >> >> but
>> >> >> it seems as if the token I'm getting is the wrong one.
>> >> >>
>> >> >> Does anyone have an idea on how I can obtain this token?
>> >> >>
>> >> >> Thanks in advance!
>> >> >>
>> >> >> Regards,
>> >> >> Nils Magne Lunde
>> >> >
>> >> >
>> >>
>> >>
>> >>
>> >> --
>> >> Using M2, Opera's revolutionary e-mail client:[/color]
>> http://www.opera.com/m2/[color=darkred]
>> >
>> >[/color]
>>
>>
>>
>> --
>> Using M2, Opera's revolutionary e-mail client: http://www.opera.com/m2/[/color]
>
>[/color]

--
Using M2, Opera's revolutionary e-mail client: http://www.opera.com/m2/

Ok, I've tested my Web Service on other Win2k Servers, and it appears to
work on every computer except from the pdc.
Anyone who knows why SSPLogonUser fails on our Win2k Server pdc?

-Nils Magne

"Nils M. Lunde" <nilsml@options.no> wrote in message
news:opr1q6cfo47zdv43@news.microsoft.com...[color=blue]
> I mean that after impersonating with that token, I only have guest
> privilegies on this computer.
> On WinXP, 2003Server and 2000Pro I can impersonate any domain user, and
> have access to the same resources as if I was loged in as this user. On
> Win2000Server I only have guest privilegies no matter who I'm
> impersonating.
>
> The 2000Server I'm using is the pdc of our domain.
> Could that be the reason?
>
> Nils Magne
>
> On Tue, 13 Jan 2004 17:05:32 +0100, Willy Denoyette [MVP]
> <willy.denoyette@pandora.be> wrote:
>[color=green]
> > What exactly do you mean with "I don't have access to anything"?
> > Note that the token obtained has not network credentials, so network
> > resources are not accessible when impersonating.
> >
> > Willy.
> >
> > "Nils M. Lunde" <nilsml@options.no> wrote in message
> > news:opr1puiv117zdv43@news.microsoft.com...[color=darkred]
> >> Thanks!
> >> I got i to work on Win2000 Professional.
> >> Now I only have to find a way to get it to work on Win2000 Server.
> >> It seems as if the token is somewhat invalid, and I don't have access[/color][/color][/color]
to[color=blue][color=green][color=darkred]
> >> anything after impersonating using it.
> >>
> >> Nils Magne
> >>
> >> On Mon, 12 Jan 2004 13:39:44 +0100, Willy Denoyette [MVP]
> >> <willy.denoyette@pandora.be> wrote:
> >>
> >> > When calling QuerySecurityContextToken , you have to pass the adress
> >> of
> >> > the
> >> > Server context handle (&asServer.hctxt), you could make this call[/color]
> > before[color=darkred]
> >> > returning from SSPLogonUser and return the access token obtained by
> >> > calling
> >> > QuerySecurityContextToken, or you could implement another function
> >> that
> >> > takes the context handle and returns the token? it's up to you ;-)
> >> >
> >> > Willy.
> >> >
> >> >
> >> > "Nils M. Lunde" <nilsml@nospam.options.no> wrote in message
> >> > news:opr1nmno0qxwk509@news.microsoft.com...
> >> >> Ok, I see.
> >> >> Is there an easy way for me to obtain the security context that is
> >> used
> >> >> as
> >> >> input to this function, or do I have to make the SSPLogonUser return
> >> >> this
> >> >> context?
> >> >>
> >> >> -Nils Magne
> >> >>
> >> >> On Fri, 9 Jan 2004 14:11:14 +0100, Willy Denoyette [MVP]
> >> >> <willy.denoyette@pandora.be> wrote:
> >> >>
> >> >> > You should call QuerySecurityContextToken to obtain a token from
> >> the
> >> >> > security package.
> >> >> > Note however that this token has no network credentials.
> >> >> >
> >> >> > Willy.
> >> >> >
> >> >> >
> >> >> > "Nils M. Lunde" <nilsml@nospam.options.no> wrote in message
> >> >> > news:opr1h8szhixwk509@news.microsoft.com...
> >> >> >> Hi!
> >> >> >>
> >> >> >> I've made a Web Service using C# that is using impersonation.
> >> >> >> The WS is working fine on WinXP and Win2003Server, but I'm having
> >> >> >> problem
> >> >> >> getting it to work on Win2000.
> >> >> >>
> >> >> >> The problem is that in order to use LogonUser on Win2000, you[/color][/color][/color]
have[color=blue][color=green]
> > to[color=darkred]
> >> >> >> have
> >> >> >> the SE_TCB_NAME privilege.
> >> >> >> Therefore I'm using the SSPLogonUser
> >> >> >>
> >> >> >
> >> >[/color]
> >[/color][/color]
(http://support.microsoft.com/default....microsoft.com[color=blue][color=green][color=darkred]
> >> >> > :80/support/kb/articles/Q180/5/48.asp&NoWebContent=1)
> >> >> >> to authenticate the user.
> >> >> >> This is working.
> >> >> >>
> >> >> >> To be able to impersonate, I use the DuplicateToken API function.
> >> >> >> This function takes a token as parameter, and I don't know how to
> >> > obtain
> >> >> >> that token.
> >> >> >> When using the LogonUser function, you get a token in return, so
> >> on
> >> >> >> WinXP
> >> >> >> and Win2003Server the problem doesn't arise.
> >> >> >>
> >> >> >> I tried using WindowsIdentity.GetCurrent() after calling
> >> >> SSPLogonUser,
> >> >> >> but
> >> >> >> it seems as if the token I'm getting is the wrong one.
> >> >> >>
> >> >> >> Does anyone have an idea on how I can obtain this token?
> >> >> >>
> >> >> >> Thanks in advance!
> >> >> >>
> >> >> >> Regards,
> >> >> >> Nils Magne Lunde
> >> >> >
> >> >> >
> >> >>
> >> >>
> >> >>
> >> >> --
> >> >> Using M2, Opera's revolutionary e-mail client:
> >> http://www.opera.com/m2/
> >> >
> >> >
> >>
> >>
> >>
> >> --
> >> Using M2, Opera's revolutionary e-mail client: http://www.opera.com/m2/[/color]
> >
> >[/color]
>
>
>
> --
> Using M2, Opera's revolutionary e-mail client: http://www.opera.com/m2/[/color]

Interactive logons for non domain admin users are disallowed on PDCs. Maybe
that is related to the issue you are seeing.

Ronald Laeremans

"Nils M. Lunde" <nilsml@options.no> wrote in message
news:eCGeEfp3DHA.4060@TK2MSFTNGP11.phx.gbl...[color=blue]
> Ok, I've tested my Web Service on other Win2k Servers, and it appears to
> work on every computer except from the pdc.
> Anyone who knows why SSPLogonUser fails on our Win2k Server pdc?
>
> -Nils Magne
>
> "Nils M. Lunde" <nilsml@options.no> wrote in message
> news:opr1q6cfo47zdv43@news.microsoft.com...[color=green]
> > I mean that after impersonating with that token, I only have guest
> > privilegies on this computer.
> > On WinXP, 2003Server and 2000Pro I can impersonate any domain user, and
> > have access to the same resources as if I was loged in as this user. On
> > Win2000Server I only have guest privilegies no matter who I'm
> > impersonating.
> >
> > The 2000Server I'm using is the pdc of our domain.
> > Could that be the reason?
> >
> > Nils Magne
> >
> > On Tue, 13 Jan 2004 17:05:32 +0100, Willy Denoyette [MVP]
> > <willy.denoyette@pandora.be> wrote:
> >[color=darkred]
> > > What exactly do you mean with "I don't have access to anything"?
> > > Note that the token obtained has not network credentials, so network
> > > resources are not accessible when impersonating.
> > >
> > > Willy.
> > >
> > > "Nils M. Lunde" <nilsml@options.no> wrote in message
> > > news:opr1puiv117zdv43@news.microsoft.com...
> > >> Thanks!
> > >> I got i to work on Win2000 Professional.
> > >> Now I only have to find a way to get it to work on Win2000 Server.
> > >> It seems as if the token is somewhat invalid, and I don't have access[/color][/color]
> to[color=green][color=darkred]
> > >> anything after impersonating using it.
> > >>
> > >> Nils Magne
> > >>
> > >> On Mon, 12 Jan 2004 13:39:44 +0100, Willy Denoyette [MVP]
> > >> <willy.denoyette@pandora.be> wrote:
> > >>
> > >> > When calling QuerySecurityContextToken , you have to pass the[/color][/color][/color]
adress[color=blue][color=green][color=darkred]
> > >> of
> > >> > the
> > >> > Server context handle (&asServer.hctxt), you could make this call
> > > before
> > >> > returning from SSPLogonUser and return the access token obtained by
> > >> > calling
> > >> > QuerySecurityContextToken, or you could implement another function
> > >> that
> > >> > takes the context handle and returns the token? it's up to you ;-)
> > >> >
> > >> > Willy.
> > >> >
> > >> >
> > >> > "Nils M. Lunde" <nilsml@nospam.options.no> wrote in message
> > >> > news:opr1nmno0qxwk509@news.microsoft.com...
> > >> >> Ok, I see.
> > >> >> Is there an easy way for me to obtain the security context that is
> > >> used
> > >> >> as
> > >> >> input to this function, or do I have to make the SSPLogonUser[/color][/color][/color]
return[color=blue][color=green][color=darkred]
> > >> >> this
> > >> >> context?
> > >> >>
> > >> >> -Nils Magne
> > >> >>
> > >> >> On Fri, 9 Jan 2004 14:11:14 +0100, Willy Denoyette [MVP]
> > >> >> <willy.denoyette@pandora.be> wrote:
> > >> >>
> > >> >> > You should call QuerySecurityContextToken to obtain a token from
> > >> the
> > >> >> > security package.
> > >> >> > Note however that this token has no network credentials.
> > >> >> >
> > >> >> > Willy.
> > >> >> >
> > >> >> >
> > >> >> > "Nils M. Lunde" <nilsml@nospam.options.no> wrote in message
> > >> >> > news:opr1h8szhixwk509@news.microsoft.com...
> > >> >> >> Hi!
> > >> >> >>
> > >> >> >> I've made a Web Service using C# that is using impersonation.
> > >> >> >> The WS is working fine on WinXP and Win2003Server, but I'm[/color][/color][/color]
having[color=blue][color=green][color=darkred]
> > >> >> >> problem
> > >> >> >> getting it to work on Win2000.
> > >> >> >>
> > >> >> >> The problem is that in order to use LogonUser on Win2000, you[/color][/color]
> have[color=green][color=darkred]
> > > to
> > >> >> >> have
> > >> >> >> the SE_TCB_NAME privilege.
> > >> >> >> Therefore I'm using the SSPLogonUser
> > >> >> >>
> > >> >> >
> > >> >
> > >[/color][/color]
>[/color]
(http://support.microsoft.com/default....microsoft.com[color=blue][color=green][color=darkred]
> > >> >> > :80/support/kb/articles/Q180/5/48.asp&NoWebContent=1)
> > >> >> >> to authenticate the user.
> > >> >> >> This is working.
> > >> >> >>
> > >> >> >> To be able to impersonate, I use the DuplicateToken API[/color][/color][/color]
function.[color=blue][color=green][color=darkred]
> > >> >> >> This function takes a token as parameter, and I don't know how[/color][/color][/color]
to[color=blue][color=green][color=darkred]
> > >> > obtain
> > >> >> >> that token.
> > >> >> >> When using the LogonUser function, you get a token in return,[/color][/color][/color]
so[color=blue][color=green][color=darkred]
> > >> on
> > >> >> >> WinXP
> > >> >> >> and Win2003Server the problem doesn't arise.
> > >> >> >>
> > >> >> >> I tried using WindowsIdentity.GetCurrent() after calling
> > >> >> SSPLogonUser,
> > >> >> >> but
> > >> >> >> it seems as if the token I'm getting is the wrong one.
> > >> >> >>
> > >> >> >> Does anyone have an idea on how I can obtain this token?
> > >> >> >>
> > >> >> >> Thanks in advance!
> > >> >> >>
> > >> >> >> Regards,
> > >> >> >> Nils Magne Lunde
> > >> >> >
> > >> >> >
> > >> >>
> > >> >>
> > >> >>
> > >> >> --
> > >> >> Using M2, Opera's revolutionary e-mail client:
> > >> http://www.opera.com/m2/
> > >> >
> > >> >
> > >>
> > >>
> > >>
> > >> --
> > >> Using M2, Opera's revolutionary e-mail client:[/color][/color][/color]
http://www.opera.com/m2/[color=blue][color=green][color=darkred]
> > >
> > >[/color]
> >
> >
> >
> > --
> > Using M2, Opera's revolutionary e-mail client: http://www.opera.com/m2/[/color]
>
>[/color]

I am a domain admin, so that shouldn't be a problem.
Could it be that impersonation using the techniques in SSPLogonUser is
disallowed on PDCs?

Nils Magne

"Ronald Laeremans [MSFT]" <ronaldl@online.microsoft.com> wrote in message
news:%239H2xCI4DHA.2388@TK2MSFTNGP09.phx.gbl...[color=blue]
> Interactive logons for non domain admin users are disallowed on PDCs.[/color]
Maybe[color=blue]
> that is related to the issue you are seeing.
>
> Ronald Laeremans
>
> "Nils M. Lunde" <nilsml@options.no> wrote in message
> news:eCGeEfp3DHA.4060@TK2MSFTNGP11.phx.gbl...[color=green]
> > Ok, I've tested my Web Service on other Win2k Servers, and it appears to
> > work on every computer except from the pdc.
> > Anyone who knows why SSPLogonUser fails on our Win2k Server pdc?
> >
> > -Nils Magne
> >
> > "Nils M. Lunde" <nilsml@options.no> wrote in message
> > news:opr1q6cfo47zdv43@news.microsoft.com...[color=darkred]
> > > I mean that after impersonating with that token, I only have guest
> > > privilegies on this computer.
> > > On WinXP, 2003Server and 2000Pro I can impersonate any domain user,[/color][/color][/color]
and[color=blue][color=green][color=darkred]
> > > have access to the same resources as if I was loged in as this user.[/color][/color][/color]
On[color=blue][color=green][color=darkred]
> > > Win2000Server I only have guest privilegies no matter who I'm
> > > impersonating.
> > >
> > > The 2000Server I'm using is the pdc of our domain.
> > > Could that be the reason?
> > >
> > > Nils Magne
> > >
> > > On Tue, 13 Jan 2004 17:05:32 +0100, Willy Denoyette [MVP]
> > > <willy.denoyette@pandora.be> wrote:
> > >
> > > > What exactly do you mean with "I don't have access to anything"?
> > > > Note that the token obtained has not network credentials, so network
> > > > resources are not accessible when impersonating.
> > > >
> > > > Willy.
> > > >
> > > > "Nils M. Lunde" <nilsml@options.no> wrote in message
> > > > news:opr1puiv117zdv43@news.microsoft.com...
> > > >> Thanks!
> > > >> I got i to work on Win2000 Professional.
> > > >> Now I only have to find a way to get it to work on Win2000 Server.
> > > >> It seems as if the token is somewhat invalid, and I don't have[/color][/color][/color]
access[color=blue][color=green]
> > to[color=darkred]
> > > >> anything after impersonating using it.
> > > >>
> > > >> Nils Magne
> > > >>
> > > >> On Mon, 12 Jan 2004 13:39:44 +0100, Willy Denoyette [MVP]
> > > >> <willy.denoyette@pandora.be> wrote:
> > > >>
> > > >> > When calling QuerySecurityContextToken , you have to pass the[/color][/color]
> adress[color=green][color=darkred]
> > > >> of
> > > >> > the
> > > >> > Server context handle (&asServer.hctxt), you could make this call
> > > > before
> > > >> > returning from SSPLogonUser and return the access token obtained[/color][/color][/color]
by[color=blue][color=green][color=darkred]
> > > >> > calling
> > > >> > QuerySecurityContextToken, or you could implement another[/color][/color][/color]
function[color=blue][color=green][color=darkred]
> > > >> that
> > > >> > takes the context handle and returns the token? it's up to you[/color][/color][/color]
;-)[color=blue][color=green][color=darkred]
> > > >> >
> > > >> > Willy.
> > > >> >
> > > >> >
> > > >> > "Nils M. Lunde" <nilsml@nospam.options.no> wrote in message
> > > >> > news:opr1nmno0qxwk509@news.microsoft.com...
> > > >> >> Ok, I see.
> > > >> >> Is there an easy way for me to obtain the security context that[/color][/color][/color]
is[color=blue][color=green][color=darkred]
> > > >> used
> > > >> >> as
> > > >> >> input to this function, or do I have to make the SSPLogonUser[/color][/color]
> return[color=green][color=darkred]
> > > >> >> this
> > > >> >> context?
> > > >> >>
> > > >> >> -Nils Magne
> > > >> >>
> > > >> >> On Fri, 9 Jan 2004 14:11:14 +0100, Willy Denoyette [MVP]
> > > >> >> <willy.denoyette@pandora.be> wrote:
> > > >> >>
> > > >> >> > You should call QuerySecurityContextToken to obtain a token[/color][/color][/color]
from[color=blue][color=green][color=darkred]
> > > >> the
> > > >> >> > security package.
> > > >> >> > Note however that this token has no network credentials.
> > > >> >> >
> > > >> >> > Willy.
> > > >> >> >
> > > >> >> >
> > > >> >> > "Nils M. Lunde" <nilsml@nospam.options.no> wrote in message
> > > >> >> > news:opr1h8szhixwk509@news.microsoft.com...
> > > >> >> >> Hi!
> > > >> >> >>
> > > >> >> >> I've made a Web Service using C# that is using impersonation.
> > > >> >> >> The WS is working fine on WinXP and Win2003Server, but I'm[/color][/color]
> having[color=green][color=darkred]
> > > >> >> >> problem
> > > >> >> >> getting it to work on Win2000.
> > > >> >> >>
> > > >> >> >> The problem is that in order to use LogonUser on Win2000, you[/color]
> > have[color=darkred]
> > > > to
> > > >> >> >> have
> > > >> >> >> the SE_TCB_NAME privilege.
> > > >> >> >> Therefore I'm using the SSPLogonUser
> > > >> >> >>
> > > >> >> >
> > > >> >
> > > >[/color]
> >[/color]
>[/color]
(http://support.microsoft.com/default....microsoft.com[color=blue][color=green][color=darkred]
> > > >> >> > :80/support/kb/articles/Q180/5/48.asp&NoWebContent=1)
> > > >> >> >> to authenticate the user.
> > > >> >> >> This is working.
> > > >> >> >>
> > > >> >> >> To be able to impersonate, I use the DuplicateToken API[/color][/color]
> function.[color=green][color=darkred]
> > > >> >> >> This function takes a token as parameter, and I don't know[/color][/color][/color]
how[color=blue]
> to[color=green][color=darkred]
> > > >> > obtain
> > > >> >> >> that token.
> > > >> >> >> When using the LogonUser function, you get a token in return,[/color][/color]
> so[color=green][color=darkred]
> > > >> on
> > > >> >> >> WinXP
> > > >> >> >> and Win2003Server the problem doesn't arise.
> > > >> >> >>
> > > >> >> >> I tried using WindowsIdentity.GetCurrent() after calling
> > > >> >> SSPLogonUser,
> > > >> >> >> but
> > > >> >> >> it seems as if the token I'm getting is the wrong one.
> > > >> >> >>
> > > >> >> >> Does anyone have an idea on how I can obtain this token?
> > > >> >> >>
> > > >> >> >> Thanks in advance!
> > > >> >> >>
> > > >> >> >> Regards,
> > > >> >> >> Nils Magne Lunde
> > > >> >> >
> > > >> >> >
> > > >> >>
> > > >> >>
> > > >> >>
> > > >> >> --
> > > >> >> Using M2, Opera's revolutionary e-mail client:
> > > >> http://www.opera.com/m2/
> > > >> >
> > > >> >
> > > >>
> > > >>
> > > >>
> > > >> --
> > > >> Using M2, Opera's revolutionary e-mail client:[/color][/color]
> http://www.opera.com/m2/[color=green][color=darkred]
> > > >
> > > >
> > >
> > >
> > >
> > > --
> > > Using M2, Opera's revolutionary e-mail client:[/color][/color][/color]
http://www.opera.com/m2/[color=blue][color=green]
> >
> >[/color]
>
>[/color]

Make sure HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Contro l\Lsa\ForceGuest
is disabled (value 0).

Willy.

"Nils M. Lunde" <nilsml@options.no> wrote in message
news:%23sJaqmY4DHA.2168@TK2MSFTNGP12.phx.gbl...[color=blue]
>I am a domain admin, so that shouldn't be a problem.
> Could it be that impersonation using the techniques in SSPLogonUser is
> disallowed on PDCs?
>
> Nils Magne
>[/color]

This value does not exist in the registry.
Wasn't the ForceGuest value introduced in WinXP?
I tried to add it anyway, but it made no difference.

The strange thing is that the WS running on my test server (Windows 2000
Server SP 4 also), is working fine.
It has to be something with the security policies for PDCs.
Maybe there is another registry key I could change??

Thanks anyway!
-Nils Magne

"Willy Denoyette [MVP]" <willy.denoyette@pandora.be> wrote in message
news:Ox8tAh54DHA.2560@TK2MSFTNGP09.phx.gbl...[color=blue]
> Make sure[/color]
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Contro l\Lsa\ForceGuest[color=blue]
> is disabled (value 0).
>
> Willy.
>
> "Nils M. Lunde" <nilsml@options.no> wrote in message
> news:%23sJaqmY4DHA.2168@TK2MSFTNGP12.phx.gbl...[color=green]
> >I am a domain admin, so that shouldn't be a problem.
> > Could it be that impersonation using the techniques in SSPLogonUser is
> > disallowed on PDCs?
> >
> > Nils Magne
> >[/color]
>
>[/color]

Ok, I finally got it to work!
I'm not sure if it is the best solution, but what I did was:

1. Open the Domain Controller Security Policy snap-in
2. In the User Rights Assignment page, add DOMAIN\IWAM_Computername to the
"Impersonate a client after authentication" policy.

I also got it working when running the process as the system identity by
changing to

<processModel userName="SYSTEM" password="AutoGenerate" />

in machine.config, but because this approach has serious security
implications, I desided not to go with it.

If anyone knows of a better method, please tell me!

-Nils Magne

"Nils M. Lunde" <nilsml@options.no> wrote in message
news:ejAfXWk6DHA.632@TK2MSFTNGP12.phx.gbl...[color=blue]
> This value does not exist in the registry.
> Wasn't the ForceGuest value introduced in WinXP?
> I tried to add it anyway, but it made no difference.
>
> The strange thing is that the WS running on my test server (Windows 2000
> Server SP 4 also), is working fine.
> It has to be something with the security policies for PDCs.
> Maybe there is another registry key I could change??
>
> Thanks anyway!
> -Nils Magne
>
> "Willy Denoyette [MVP]" <willy.denoyette@pandora.be> wrote in message
> news:Ox8tAh54DHA.2560@TK2MSFTNGP09.phx.gbl...[color=green]
> > Make sure[/color]
> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Contro l\Lsa\ForceGuest[color=green]
> > is disabled (value 0).
> >
> > Willy.
> >
> > "Nils M. Lunde" <nilsml@options.no> wrote in message
> > news:%23sJaqmY4DHA.2168@TK2MSFTNGP12.phx.gbl...[color=darkred]
> > >I am a domain admin, so that shouldn't be a problem.
> > > Could it be that impersonation using the techniques in SSPLogonUser is
> > > disallowed on PDCs?
> > >
> > > Nils Magne
> > >[/color]
> >
> >[/color]
>
>[/color]