By using this site, you agree to our updated Privacy Policy and our Terms of Use. Manage your Cookies Settings.
443,918 Members | 1,816 Online
Bytes IT Community
+ Ask a Question
Need help? Post your question and get tips & solutions from a community of 443,918 IT Pros & Developers. It's quick & easy.

Impersonate with SSPLogonUser

P: n/a
Hi!

I've made a Web Service using C# that is using impersonation.
The WS is working fine on WinXP and Win2003Server, but I'm having problem
getting it to work on Win2000.

The problem is that in order to use LogonUser on Win2000, you have to have
the SE_TCB_NAME privilege.
Therefore I'm using the SSPLogonUser
(http://support.microsoft.com/default...NoWebContent=1)
to authenticate the user.
This is working.

To be able to impersonate, I use the DuplicateToken API function.
This function takes a token as parameter, and I don't know how to obtain
that token.
When using the LogonUser function, you get a token in return, so on WinXP
and Win2003Server the problem doesn't arise.

I tried using WindowsIdentity.GetCurrent() after calling SSPLogonUser, but
it seems as if the token I'm getting is the wrong one.

Does anyone have an idea on how I can obtain this token?

Thanks in advance!

Regards,
Nils Magne Lunde
Nov 15 '05 #1
Share this Question
Share on Google+
12 Replies


P: n/a
You should call QuerySecurityContextToken to obtain a token from the
security package.
Note however that this token has no network credentials.

Willy.
"Nils M. Lunde" <ni****@nospam.options.no> wrote in message
news:op**************@news.microsoft.com...
Hi!

I've made a Web Service using C# that is using impersonation.
The WS is working fine on WinXP and Win2003Server, but I'm having problem
getting it to work on Win2000.

The problem is that in order to use LogonUser on Win2000, you have to have
the SE_TCB_NAME privilege.
Therefore I'm using the SSPLogonUser
(http://support.microsoft.com/default....microsoft.com
:80/support/kb/articles/Q180/5/48.asp&NoWebContent=1) to authenticate the user.
This is working.

To be able to impersonate, I use the DuplicateToken API function.
This function takes a token as parameter, and I don't know how to obtain
that token.
When using the LogonUser function, you get a token in return, so on WinXP
and Win2003Server the problem doesn't arise.

I tried using WindowsIdentity.GetCurrent() after calling SSPLogonUser, but
it seems as if the token I'm getting is the wrong one.

Does anyone have an idea on how I can obtain this token?

Thanks in advance!

Regards,
Nils Magne Lunde

Nov 15 '05 #2

P: n/a
Ok, I see.
Is there an easy way for me to obtain the security context that is used as
input to this function, or do I have to make the SSPLogonUser return this
context?

-Nils Magne

On Fri, 9 Jan 2004 14:11:14 +0100, Willy Denoyette [MVP]
<wi*************@pandora.be> wrote:
You should call QuerySecurityContextToken to obtain a token from the
security package.
Note however that this token has no network credentials.

Willy.
"Nils M. Lunde" <ni****@nospam.options.no> wrote in message
news:op**************@news.microsoft.com...
Hi!

I've made a Web Service using C# that is using impersonation.
The WS is working fine on WinXP and Win2003Server, but I'm having
problem
getting it to work on Win2000.

The problem is that in order to use LogonUser on Win2000, you have to
have
the SE_TCB_NAME privilege.
Therefore I'm using the SSPLogonUser

(http://support.microsoft.com/default....microsoft.com
:80/support/kb/articles/Q180/5/48.asp&NoWebContent=1)
to authenticate the user.
This is working.

To be able to impersonate, I use the DuplicateToken API function.
This function takes a token as parameter, and I don't know how to obtain
that token.
When using the LogonUser function, you get a token in return, so on
WinXP
and Win2003Server the problem doesn't arise.

I tried using WindowsIdentity.GetCurrent() after calling SSPLogonUser,
but
it seems as if the token I'm getting is the wrong one.

Does anyone have an idea on how I can obtain this token?

Thanks in advance!

Regards,
Nils Magne Lunde



--
Using M2, Opera's revolutionary e-mail client: http://www.opera.com/m2/
Nov 15 '05 #3

P: n/a
When calling QuerySecurityContextToken , you have to pass the adress of the
Server context handle (&asServer.hctxt), you could make this call before
returning from SSPLogonUser and return the access token obtained by calling
QuerySecurityContextToken, or you could implement another function that
takes the context handle and returns the token? it's up to you ;-)

Willy.
"Nils M. Lunde" <ni****@nospam.options.no> wrote in message
news:op**************@news.microsoft.com...
Ok, I see.
Is there an easy way for me to obtain the security context that is used as
input to this function, or do I have to make the SSPLogonUser return this
context?

-Nils Magne

On Fri, 9 Jan 2004 14:11:14 +0100, Willy Denoyette [MVP]
<wi*************@pandora.be> wrote:
You should call QuerySecurityContextToken to obtain a token from the
security package.
Note however that this token has no network credentials.

Willy.
"Nils M. Lunde" <ni****@nospam.options.no> wrote in message
news:op**************@news.microsoft.com...
Hi!

I've made a Web Service using C# that is using impersonation.
The WS is working fine on WinXP and Win2003Server, but I'm having
problem
getting it to work on Win2000.

The problem is that in order to use LogonUser on Win2000, you have to
have
the SE_TCB_NAME privilege.
Therefore I'm using the SSPLogonUser

(http://support.microsoft.com/default....microsoft.com :80/support/kb/articles/Q180/5/48.asp&NoWebContent=1)
to authenticate the user.
This is working.

To be able to impersonate, I use the DuplicateToken API function.
This function takes a token as parameter, and I don't know how to obtain that token.
When using the LogonUser function, you get a token in return, so on
WinXP
and Win2003Server the problem doesn't arise.

I tried using WindowsIdentity.GetCurrent() after calling SSPLogonUser,
but
it seems as if the token I'm getting is the wrong one.

Does anyone have an idea on how I can obtain this token?

Thanks in advance!

Regards,
Nils Magne Lunde



--
Using M2, Opera's revolutionary e-mail client: http://www.opera.com/m2/

Nov 15 '05 #4

P: n/a
Thanks!
I got i to work on Win2000 Professional.
Now I only have to find a way to get it to work on Win2000 Server.
It seems as if the token is somewhat invalid, and I don't have access to
anything after impersonating using it.

Nils Magne

On Mon, 12 Jan 2004 13:39:44 +0100, Willy Denoyette [MVP]
<wi*************@pandora.be> wrote:
When calling QuerySecurityContextToken , you have to pass the adress of
the
Server context handle (&asServer.hctxt), you could make this call before
returning from SSPLogonUser and return the access token obtained by
calling
QuerySecurityContextToken, or you could implement another function that
takes the context handle and returns the token? it's up to you ;-)

Willy.
"Nils M. Lunde" <ni****@nospam.options.no> wrote in message
news:op**************@news.microsoft.com...
Ok, I see.
Is there an easy way for me to obtain the security context that is used
as
input to this function, or do I have to make the SSPLogonUser return
this
context?

-Nils Magne

On Fri, 9 Jan 2004 14:11:14 +0100, Willy Denoyette [MVP]
<wi*************@pandora.be> wrote:
> You should call QuerySecurityContextToken to obtain a token from the
> security package.
> Note however that this token has no network credentials.
>
> Willy.
>
>
> "Nils M. Lunde" <ni****@nospam.options.no> wrote in message
> news:op**************@news.microsoft.com...
>> Hi!
>>
>> I've made a Web Service using C# that is using impersonation.
>> The WS is working fine on WinXP and Win2003Server, but I'm having
>> problem
>> getting it to work on Win2000.
>>
>> The problem is that in order to use LogonUser on Win2000, you have to
>> have
>> the SE_TCB_NAME privilege.
>> Therefore I'm using the SSPLogonUser
>>
> (http://support.microsoft.com/default....microsoft.com > :80/support/kb/articles/Q180/5/48.asp&NoWebContent=1)
>> to authenticate the user.
>> This is working.
>>
>> To be able to impersonate, I use the DuplicateToken API function.
>> This function takes a token as parameter, and I don't know how to obtain >> that token.
>> When using the LogonUser function, you get a token in return, so on
>> WinXP
>> and Win2003Server the problem doesn't arise.
>>
>> I tried using WindowsIdentity.GetCurrent() after calling

SSPLogonUser,
>> but
>> it seems as if the token I'm getting is the wrong one.
>>
>> Does anyone have an idea on how I can obtain this token?
>>
>> Thanks in advance!
>>
>> Regards,
>> Nils Magne Lunde
>
>


--
Using M2, Opera's revolutionary e-mail client: http://www.opera.com/m2/



--
Using M2, Opera's revolutionary e-mail client: http://www.opera.com/m2/
Nov 15 '05 #5

P: n/a
What exactly do you mean with "I don't have access to anything"?
Note that the token obtained has not network credentials, so network
resources are not accessible when impersonating.

Willy.

"Nils M. Lunde" <ni****@options.no> wrote in message
news:op**************@news.microsoft.com...
Thanks!
I got i to work on Win2000 Professional.
Now I only have to find a way to get it to work on Win2000 Server.
It seems as if the token is somewhat invalid, and I don't have access to
anything after impersonating using it.

Nils Magne

On Mon, 12 Jan 2004 13:39:44 +0100, Willy Denoyette [MVP]
<wi*************@pandora.be> wrote:
When calling QuerySecurityContextToken , you have to pass the adress of
the
Server context handle (&asServer.hctxt), you could make this call before
returning from SSPLogonUser and return the access token obtained by
calling
QuerySecurityContextToken, or you could implement another function that
takes the context handle and returns the token? it's up to you ;-)

Willy.
"Nils M. Lunde" <ni****@nospam.options.no> wrote in message
news:op**************@news.microsoft.com...
Ok, I see.
Is there an easy way for me to obtain the security context that is used
as
input to this function, or do I have to make the SSPLogonUser return
this
context?

-Nils Magne

On Fri, 9 Jan 2004 14:11:14 +0100, Willy Denoyette [MVP]
<wi*************@pandora.be> wrote:

> You should call QuerySecurityContextToken to obtain a token from the
> security package.
> Note however that this token has no network credentials.
>
> Willy.
>
>
> "Nils M. Lunde" <ni****@nospam.options.no> wrote in message
> news:op**************@news.microsoft.com...
>> Hi!
>>
>> I've made a Web Service using C# that is using impersonation.
>> The WS is working fine on WinXP and Win2003Server, but I'm having
>> problem
>> getting it to work on Win2000.
>>
>> The problem is that in order to use LogonUser on Win2000, you have to >> have
>> the SE_TCB_NAME privilege.
>> Therefore I'm using the SSPLogonUser
>>
>

(http://support.microsoft.com/default....microsoft.com
> :80/support/kb/articles/Q180/5/48.asp&NoWebContent=1)
>> to authenticate the user.
>> This is working.
>>
>> To be able to impersonate, I use the DuplicateToken API function.
>> This function takes a token as parameter, and I don't know how to

obtain
>> that token.
>> When using the LogonUser function, you get a token in return, so on
>> WinXP
>> and Win2003Server the problem doesn't arise.
>>
>> I tried using WindowsIdentity.GetCurrent() after calling
SSPLogonUser,
>> but
>> it seems as if the token I'm getting is the wrong one.
>>
>> Does anyone have an idea on how I can obtain this token?
>>
>> Thanks in advance!
>>
>> Regards,
>> Nils Magne Lunde
>
>

--
Using M2, Opera's revolutionary e-mail client: http://www.opera.com/m2/



--
Using M2, Opera's revolutionary e-mail client: http://www.opera.com/m2/

Nov 15 '05 #6

P: n/a
I mean that after impersonating with that token, I only have guest
privilegies on this computer.
On WinXP, 2003Server and 2000Pro I can impersonate any domain user, and
have access to the same resources as if I was loged in as this user. On
Win2000Server I only have guest privilegies no matter who I'm
impersonating.

The 2000Server I'm using is the pdc of our domain.
Could that be the reason?

Nils Magne

On Tue, 13 Jan 2004 17:05:32 +0100, Willy Denoyette [MVP]
<wi*************@pandora.be> wrote:
What exactly do you mean with "I don't have access to anything"?
Note that the token obtained has not network credentials, so network
resources are not accessible when impersonating.

Willy.

"Nils M. Lunde" <ni****@options.no> wrote in message
news:op**************@news.microsoft.com...
Thanks!
I got i to work on Win2000 Professional.
Now I only have to find a way to get it to work on Win2000 Server.
It seems as if the token is somewhat invalid, and I don't have access to
anything after impersonating using it.

Nils Magne

On Mon, 12 Jan 2004 13:39:44 +0100, Willy Denoyette [MVP]
<wi*************@pandora.be> wrote:
> When calling QuerySecurityContextToken , you have to pass the adress

of
> the
> Server context handle (&asServer.hctxt), you could make this call before > returning from SSPLogonUser and return the access token obtained by
> calling
> QuerySecurityContextToken, or you could implement another function

that
> takes the context handle and returns the token? it's up to you ;-)
>
> Willy.
>
>
> "Nils M. Lunde" <ni****@nospam.options.no> wrote in message
> news:op**************@news.microsoft.com...
>> Ok, I see.
>> Is there an easy way for me to obtain the security context that is

used
>> as
>> input to this function, or do I have to make the SSPLogonUser return
>> this
>> context?
>>
>> -Nils Magne
>>
>> On Fri, 9 Jan 2004 14:11:14 +0100, Willy Denoyette [MVP]
>> <wi*************@pandora.be> wrote:
>>
>> > You should call QuerySecurityContextToken to obtain a token from

the
>> > security package.
>> > Note however that this token has no network credentials.
>> >
>> > Willy.
>> >
>> >
>> > "Nils M. Lunde" <ni****@nospam.options.no> wrote in message
>> > news:op**************@news.microsoft.com...
>> >> Hi!
>> >>
>> >> I've made a Web Service using C# that is using impersonation.
>> >> The WS is working fine on WinXP and Win2003Server, but I'm having
>> >> problem
>> >> getting it to work on Win2000.
>> >>
>> >> The problem is that in order to use LogonUser on Win2000, you have to >> >> have
>> >> the SE_TCB_NAME privilege.
>> >> Therefore I'm using the SSPLogonUser
>> >>
>> >
> (http://support.microsoft.com/default....microsoft.com >> > :80/support/kb/articles/Q180/5/48.asp&NoWebContent=1)
>> >> to authenticate the user.
>> >> This is working.
>> >>
>> >> To be able to impersonate, I use the DuplicateToken API function.
>> >> This function takes a token as parameter, and I don't know how to
> obtain
>> >> that token.
>> >> When using the LogonUser function, you get a token in return, so

on
>> >> WinXP
>> >> and Win2003Server the problem doesn't arise.
>> >>
>> >> I tried using WindowsIdentity.GetCurrent() after calling
>> SSPLogonUser,
>> >> but
>> >> it seems as if the token I'm getting is the wrong one.
>> >>
>> >> Does anyone have an idea on how I can obtain this token?
>> >>
>> >> Thanks in advance!
>> >>
>> >> Regards,
>> >> Nils Magne Lunde
>> >
>> >
>>
>>
>>
>> --
>> Using M2, Opera's revolutionary e-mail client:

http://www.opera.com/m2/
>
>


--
Using M2, Opera's revolutionary e-mail client: http://www.opera.com/m2/



--
Using M2, Opera's revolutionary e-mail client: http://www.opera.com/m2/
Nov 15 '05 #7

P: n/a
Ok, I've tested my Web Service on other Win2k Servers, and it appears to
work on every computer except from the pdc.
Anyone who knows why SSPLogonUser fails on our Win2k Server pdc?

-Nils Magne

"Nils M. Lunde" <ni****@options.no> wrote in message
news:op**************@news.microsoft.com...
I mean that after impersonating with that token, I only have guest
privilegies on this computer.
On WinXP, 2003Server and 2000Pro I can impersonate any domain user, and
have access to the same resources as if I was loged in as this user. On
Win2000Server I only have guest privilegies no matter who I'm
impersonating.

The 2000Server I'm using is the pdc of our domain.
Could that be the reason?

Nils Magne

On Tue, 13 Jan 2004 17:05:32 +0100, Willy Denoyette [MVP]
<wi*************@pandora.be> wrote:
What exactly do you mean with "I don't have access to anything"?
Note that the token obtained has not network credentials, so network
resources are not accessible when impersonating.

Willy.

"Nils M. Lunde" <ni****@options.no> wrote in message
news:op**************@news.microsoft.com...
Thanks!
I got i to work on Win2000 Professional.
Now I only have to find a way to get it to work on Win2000 Server.
It seems as if the token is somewhat invalid, and I don't have access to anything after impersonating using it.

Nils Magne

On Mon, 12 Jan 2004 13:39:44 +0100, Willy Denoyette [MVP]
<wi*************@pandora.be> wrote:

> When calling QuerySecurityContextToken , you have to pass the adress
of
> the
> Server context handle (&asServer.hctxt), you could make this call

before
> returning from SSPLogonUser and return the access token obtained by
> calling
> QuerySecurityContextToken, or you could implement another function
that
> takes the context handle and returns the token? it's up to you ;-)
>
> Willy.
>
>
> "Nils M. Lunde" <ni****@nospam.options.no> wrote in message
> news:op**************@news.microsoft.com...
>> Ok, I see.
>> Is there an easy way for me to obtain the security context that is
used
>> as
>> input to this function, or do I have to make the SSPLogonUser return
>> this
>> context?
>>
>> -Nils Magne
>>
>> On Fri, 9 Jan 2004 14:11:14 +0100, Willy Denoyette [MVP]
>> <wi*************@pandora.be> wrote:
>>
>> > You should call QuerySecurityContextToken to obtain a token from
the
>> > security package.
>> > Note however that this token has no network credentials.
>> >
>> > Willy.
>> >
>> >
>> > "Nils M. Lunde" <ni****@nospam.options.no> wrote in message
>> > news:op**************@news.microsoft.com...
>> >> Hi!
>> >>
>> >> I've made a Web Service using C# that is using impersonation.
>> >> The WS is working fine on WinXP and Win2003Server, but I'm having
>> >> problem
>> >> getting it to work on Win2000.
>> >>
>> >> The problem is that in order to use LogonUser on Win2000, you have
to
>> >> have
>> >> the SE_TCB_NAME privilege.
>> >> Therefore I'm using the SSPLogonUser
>> >>
>> >
>

(http://support.microsoft.com/default....microsoft.com >> > :80/support/kb/articles/Q180/5/48.asp&NoWebContent=1)
>> >> to authenticate the user.
>> >> This is working.
>> >>
>> >> To be able to impersonate, I use the DuplicateToken API function.
>> >> This function takes a token as parameter, and I don't know how to
> obtain
>> >> that token.
>> >> When using the LogonUser function, you get a token in return, so
on
>> >> WinXP
>> >> and Win2003Server the problem doesn't arise.
>> >>
>> >> I tried using WindowsIdentity.GetCurrent() after calling
>> SSPLogonUser,
>> >> but
>> >> it seems as if the token I'm getting is the wrong one.
>> >>
>> >> Does anyone have an idea on how I can obtain this token?
>> >>
>> >> Thanks in advance!
>> >>
>> >> Regards,
>> >> Nils Magne Lunde
>> >
>> >
>>
>>
>>
>> --
>> Using M2, Opera's revolutionary e-mail client:
http://www.opera.com/m2/
>
>

--
Using M2, Opera's revolutionary e-mail client: http://www.opera.com/m2/



--
Using M2, Opera's revolutionary e-mail client: http://www.opera.com/m2/

Nov 15 '05 #8

P: n/a
Interactive logons for non domain admin users are disallowed on PDCs. Maybe
that is related to the issue you are seeing.

Ronald Laeremans

"Nils M. Lunde" <ni****@options.no> wrote in message
news:eC**************@TK2MSFTNGP11.phx.gbl...
Ok, I've tested my Web Service on other Win2k Servers, and it appears to
work on every computer except from the pdc.
Anyone who knows why SSPLogonUser fails on our Win2k Server pdc?

-Nils Magne

"Nils M. Lunde" <ni****@options.no> wrote in message
news:op**************@news.microsoft.com...
I mean that after impersonating with that token, I only have guest
privilegies on this computer.
On WinXP, 2003Server and 2000Pro I can impersonate any domain user, and
have access to the same resources as if I was loged in as this user. On
Win2000Server I only have guest privilegies no matter who I'm
impersonating.

The 2000Server I'm using is the pdc of our domain.
Could that be the reason?

Nils Magne

On Tue, 13 Jan 2004 17:05:32 +0100, Willy Denoyette [MVP]
<wi*************@pandora.be> wrote:
What exactly do you mean with "I don't have access to anything"?
Note that the token obtained has not network credentials, so network
resources are not accessible when impersonating.

Willy.

"Nils M. Lunde" <ni****@options.no> wrote in message
news:op**************@news.microsoft.com...
> Thanks!
> I got i to work on Win2000 Professional.
> Now I only have to find a way to get it to work on Win2000 Server.
> It seems as if the token is somewhat invalid, and I don't have access to> anything after impersonating using it.
>
> Nils Magne
>
> On Mon, 12 Jan 2004 13:39:44 +0100, Willy Denoyette [MVP]
> <wi*************@pandora.be> wrote:
>
> > When calling QuerySecurityContextToken , you have to pass the adress> of
> > the
> > Server context handle (&asServer.hctxt), you could make this call
before
> > returning from SSPLogonUser and return the access token obtained by
> > calling
> > QuerySecurityContextToken, or you could implement another function
> that
> > takes the context handle and returns the token? it's up to you ;-)
> >
> > Willy.
> >
> >
> > "Nils M. Lunde" <ni****@nospam.options.no> wrote in message
> > news:op**************@news.microsoft.com...
> >> Ok, I see.
> >> Is there an easy way for me to obtain the security context that is
> used
> >> as
> >> input to this function, or do I have to make the SSPLogonUser return> >> this
> >> context?
> >>
> >> -Nils Magne
> >>
> >> On Fri, 9 Jan 2004 14:11:14 +0100, Willy Denoyette [MVP]
> >> <wi*************@pandora.be> wrote:
> >>
> >> > You should call QuerySecurityContextToken to obtain a token from
> the
> >> > security package.
> >> > Note however that this token has no network credentials.
> >> >
> >> > Willy.
> >> >
> >> >
> >> > "Nils M. Lunde" <ni****@nospam.options.no> wrote in message
> >> > news:op**************@news.microsoft.com...
> >> >> Hi!
> >> >>
> >> >> I've made a Web Service using C# that is using impersonation.
> >> >> The WS is working fine on WinXP and Win2003Server, but I'm having> >> >> problem
> >> >> getting it to work on Win2000.
> >> >>
> >> >> The problem is that in order to use LogonUser on Win2000, you have to
> >> >> have
> >> >> the SE_TCB_NAME privilege.
> >> >> Therefore I'm using the SSPLogonUser
> >> >>
> >> >
> >

(http://support.microsoft.com/default....microsoft.com
> >> > :80/support/kb/articles/Q180/5/48.asp&NoWebContent=1)
> >> >> to authenticate the user.
> >> >> This is working.
> >> >>
> >> >> To be able to impersonate, I use the DuplicateToken API function.> >> >> This function takes a token as parameter, and I don't know how to> > obtain
> >> >> that token.
> >> >> When using the LogonUser function, you get a token in return, so> on
> >> >> WinXP
> >> >> and Win2003Server the problem doesn't arise.
> >> >>
> >> >> I tried using WindowsIdentity.GetCurrent() after calling
> >> SSPLogonUser,
> >> >> but
> >> >> it seems as if the token I'm getting is the wrong one.
> >> >>
> >> >> Does anyone have an idea on how I can obtain this token?
> >> >>
> >> >> Thanks in advance!
> >> >>
> >> >> Regards,
> >> >> Nils Magne Lunde
> >> >
> >> >
> >>
> >>
> >>
> >> --
> >> Using M2, Opera's revolutionary e-mail client:
> http://www.opera.com/m2/
> >
> >
>
>
>
> --
> Using M2, Opera's revolutionary e-mail client: http://www.opera.com/m2/


--
Using M2, Opera's revolutionary e-mail client: http://www.opera.com/m2/


Nov 15 '05 #9

P: n/a
I am a domain admin, so that shouldn't be a problem.
Could it be that impersonation using the techniques in SSPLogonUser is
disallowed on PDCs?

Nils Magne

"Ronald Laeremans [MSFT]" <ro*****@online.microsoft.com> wrote in message
news:%2****************@TK2MSFTNGP09.phx.gbl...
Interactive logons for non domain admin users are disallowed on PDCs. Maybe that is related to the issue you are seeing.

Ronald Laeremans

"Nils M. Lunde" <ni****@options.no> wrote in message
news:eC**************@TK2MSFTNGP11.phx.gbl...
Ok, I've tested my Web Service on other Win2k Servers, and it appears to
work on every computer except from the pdc.
Anyone who knows why SSPLogonUser fails on our Win2k Server pdc?

-Nils Magne

"Nils M. Lunde" <ni****@options.no> wrote in message
news:op**************@news.microsoft.com...
I mean that after impersonating with that token, I only have guest
privilegies on this computer.
On WinXP, 2003Server and 2000Pro I can impersonate any domain user, and have access to the same resources as if I was loged in as this user. On Win2000Server I only have guest privilegies no matter who I'm
impersonating.

The 2000Server I'm using is the pdc of our domain.
Could that be the reason?

Nils Magne

On Tue, 13 Jan 2004 17:05:32 +0100, Willy Denoyette [MVP]
<wi*************@pandora.be> wrote:

> What exactly do you mean with "I don't have access to anything"?
> Note that the token obtained has not network credentials, so network
> resources are not accessible when impersonating.
>
> Willy.
>
> "Nils M. Lunde" <ni****@options.no> wrote in message
> news:op**************@news.microsoft.com...
>> Thanks!
>> I got i to work on Win2000 Professional.
>> Now I only have to find a way to get it to work on Win2000 Server.
>> It seems as if the token is somewhat invalid, and I don't have access
to
>> anything after impersonating using it.
>>
>> Nils Magne
>>
>> On Mon, 12 Jan 2004 13:39:44 +0100, Willy Denoyette [MVP]
>> <wi*************@pandora.be> wrote:
>>
>> > When calling QuerySecurityContextToken , you have to pass the adress >> of
>> > the
>> > Server context handle (&asServer.hctxt), you could make this call
> before
>> > returning from SSPLogonUser and return the access token obtained
by >> > calling
>> > QuerySecurityContextToken, or you could implement another function >> that
>> > takes the context handle and returns the token? it's up to you ;-) >> >
>> > Willy.
>> >
>> >
>> > "Nils M. Lunde" <ni****@nospam.options.no> wrote in message
>> > news:op**************@news.microsoft.com...
>> >> Ok, I see.
>> >> Is there an easy way for me to obtain the security context that is >> used
>> >> as
>> >> input to this function, or do I have to make the SSPLogonUser return >> >> this
>> >> context?
>> >>
>> >> -Nils Magne
>> >>
>> >> On Fri, 9 Jan 2004 14:11:14 +0100, Willy Denoyette [MVP]
>> >> <wi*************@pandora.be> wrote:
>> >>
>> >> > You should call QuerySecurityContextToken to obtain a token from >> the
>> >> > security package.
>> >> > Note however that this token has no network credentials.
>> >> >
>> >> > Willy.
>> >> >
>> >> >
>> >> > "Nils M. Lunde" <ni****@nospam.options.no> wrote in message
>> >> > news:op**************@news.microsoft.com...
>> >> >> Hi!
>> >> >>
>> >> >> I've made a Web Service using C# that is using impersonation.
>> >> >> The WS is working fine on WinXP and Win2003Server, but I'm having >> >> >> problem
>> >> >> getting it to work on Win2000.
>> >> >>
>> >> >> The problem is that in order to use LogonUser on Win2000, you have
> to
>> >> >> have
>> >> >> the SE_TCB_NAME privilege.
>> >> >> Therefore I'm using the SSPLogonUser
>> >> >>
>> >> >
>> >
>

(http://support.microsoft.com/default....microsoft.com
>> >> > :80/support/kb/articles/Q180/5/48.asp&NoWebContent=1)
>> >> >> to authenticate the user.
>> >> >> This is working.
>> >> >>
>> >> >> To be able to impersonate, I use the DuplicateToken API function. >> >> >> This function takes a token as parameter, and I don't know
how to >> > obtain
>> >> >> that token.
>> >> >> When using the LogonUser function, you get a token in return, so >> on
>> >> >> WinXP
>> >> >> and Win2003Server the problem doesn't arise.
>> >> >>
>> >> >> I tried using WindowsIdentity.GetCurrent() after calling
>> >> SSPLogonUser,
>> >> >> but
>> >> >> it seems as if the token I'm getting is the wrong one.
>> >> >>
>> >> >> Does anyone have an idea on how I can obtain this token?
>> >> >>
>> >> >> Thanks in advance!
>> >> >>
>> >> >> Regards,
>> >> >> Nils Magne Lunde
>> >> >
>> >> >
>> >>
>> >>
>> >>
>> >> --
>> >> Using M2, Opera's revolutionary e-mail client:
>> http://www.opera.com/m2/
>> >
>> >
>>
>>
>>
>> --
>> Using M2, Opera's revolutionary e-mail client: http://www.opera.com/m2/ >
>

--
Using M2, Opera's revolutionary e-mail client:

http://www.opera.com/m2/


Nov 15 '05 #10

P: n/a
Make sure HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Contro l\Lsa\ForceGuest
is disabled (value 0).

Willy.

"Nils M. Lunde" <ni****@options.no> wrote in message
news:%2****************@TK2MSFTNGP12.phx.gbl...
I am a domain admin, so that shouldn't be a problem.
Could it be that impersonation using the techniques in SSPLogonUser is
disallowed on PDCs?

Nils Magne

Nov 15 '05 #11

P: n/a
This value does not exist in the registry.
Wasn't the ForceGuest value introduced in WinXP?
I tried to add it anyway, but it made no difference.

The strange thing is that the WS running on my test server (Windows 2000
Server SP 4 also), is working fine.
It has to be something with the security policies for PDCs.
Maybe there is another registry key I could change??

Thanks anyway!
-Nils Magne

"Willy Denoyette [MVP]" <wi*************@pandora.be> wrote in message
news:Ox**************@TK2MSFTNGP09.phx.gbl...
Make sure HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Contro l\Lsa\ForceGuest is disabled (value 0).

Willy.

"Nils M. Lunde" <ni****@options.no> wrote in message
news:%2****************@TK2MSFTNGP12.phx.gbl...
I am a domain admin, so that shouldn't be a problem.
Could it be that impersonation using the techniques in SSPLogonUser is
disallowed on PDCs?

Nils Magne


Nov 15 '05 #12

P: n/a
Ok, I finally got it to work!
I'm not sure if it is the best solution, but what I did was:

1. Open the Domain Controller Security Policy snap-in
2. In the User Rights Assignment page, add DOMAIN\IWAM_Computername to the
"Impersonate a client after authentication" policy.

I also got it working when running the process as the system identity by
changing to

<processModel userName="SYSTEM" password="AutoGenerate" />

in machine.config, but because this approach has serious security
implications, I desided not to go with it.

If anyone knows of a better method, please tell me!
-Nils Magne
"Nils M. Lunde" <ni****@options.no> wrote in message
news:ej*************@TK2MSFTNGP12.phx.gbl...
This value does not exist in the registry.
Wasn't the ForceGuest value introduced in WinXP?
I tried to add it anyway, but it made no difference.

The strange thing is that the WS running on my test server (Windows 2000
Server SP 4 also), is working fine.
It has to be something with the security policies for PDCs.
Maybe there is another registry key I could change??

Thanks anyway!
-Nils Magne

"Willy Denoyette [MVP]" <wi*************@pandora.be> wrote in message
news:Ox**************@TK2MSFTNGP09.phx.gbl...
Make sure

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Contro l\Lsa\ForceGuest
is disabled (value 0).

Willy.

"Nils M. Lunde" <ni****@options.no> wrote in message
news:%2****************@TK2MSFTNGP12.phx.gbl...
I am a domain admin, so that shouldn't be a problem.
Could it be that impersonation using the techniques in SSPLogonUser is
disallowed on PDCs?

Nils Magne



Nov 15 '05 #13

This discussion thread is closed

Replies have been disabled for this discussion.