Re: Why Does WinNT Re-Authenticate Users?
From: Eric Robinson (eric[no_spom]) Date: 01/23/02
- Next message: Jovica Popovic: "Re: How safe is WinRoute?"
- Previous message: Kumar Pandit [MS]: "Re: Why Does WinNT Re-Authenticate Users?"
- In reply to: Kumar Pandit [MS]: "Re: Why Does WinNT Re-Authenticate Users?"
From: eric[no_spom]@pmcipa.com (Eric Robinson) Date: Wed, 23 Jan 2002 08:10:36 GMT
On 22 Jan 2002 15:05:21 -0800, kumarp@microsoft.com (Kumar Pandit [MS]) wrote:
>
>If you logon to computerA interactively and then want to access a
>resource on computerB, you will need to re-authenticate to
>computerB. The reason is that computerB does not trust computerA to
>provide any information that it can use without verifying. If that
>were the case, if computerA is compromised it can generate an access
>token having domain admin SID in it, send it to computerB, and have
>domain admin access on computerB. This is not what you would
>want. For this reason, access tokens are local; they are not
>transmitted on the wire. The remote machine will generate a new logon
>session based on the credentials that you provide.
>
Access tokens are local... not transmitted on the wire. I was
wondering about that since I did not seem to see anything that looked
like access tokens in my network traces. I'm going to have to chew on
that one a bit. Let's see... the purpose of an access token is to
attach to a process so that the Security Reference Monitor can
determine whether that process has rights to any resource protected by
an ACL, right? And as you say, tokens are only locally significant;
they do not get presented against remote resources. So when I use
Explorer from computerA to access \\computerB\share\file.txt, the
access token attached to my Explorer process on computerA actually
does not enter the picture at all? Okay, then I guess computerB would
create its own locally significant access token for any processes I
would run on that computer... except that I'm not running any
processes there, I'm just accessing a file remotely, so what does my
access token on computerB do, if one gets created there? Does
computerB associate a token with the file handle that it returns to
computerA? Or does it associate a token with my logon session? Is it
one token per logon session? That's beginning to sound right to me. I
hope I'm on the right track.
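What Kumar describes and Eric is reasoning about can be observed directly on computerB. The PowerShell below is an added example, not part of the original thread and not Microsoft's code. Run on computerB after opening \\computerB\share\file.txt from computerA, it lists the logon sessions computerB itself created and the Security-log events behind them: the remote access shows up as a separate Network logon (LogonType 3) with its own LogonId, while the Interactive logon (LogonType 2) the user holds on computerA never appears on B. It assumes you are a local administrator on computerB and that success auditing of logon events is enabled there (so event 4624 exists); the names computerA, computerB and share are the thread's own placeholders.

```powershell
# Added example, not code from the original thread or from Microsoft.
# Run it ON computerB (the file server) after opening \\computerB\share\file.txt
# from computerA as a domain user. It lists the logon sessions computerB itself
# created: the remote access appears as a Network logon (LogonType 3) with its
# own LogonId, which is what the server-side token is tied to. The Interactive
# logon (LogonType 2) on computerA never shows up here, because that token
# stayed on computerA.
#
# Assumptions (mine, not stated in the thread): you are a local administrator
# on computerB and success auditing of logon events is enabled there, so the
# Security log contains event 4624. 'computerA', 'computerB' and 'share' are
# the thread's own placeholder names.

$logonTypeNames = @{
    2 = 'Interactive'; 3 = 'Network'; 4 = 'Batch'; 5 = 'Service'; 7 = 'Unlock'
    8 = 'NetworkCleartext'; 9 = 'NewCredentials'; 10 = 'RemoteInteractive'
    11 = 'CachedInteractive'
}

function Get-LocalLogonSessions {
    # Win32_LoggedOnUser is an association class: Antecedent = Win32_Account,
    # Dependent = Win32_LogonSession. Join the two so each session shows its user.
    $sessionsById = @{}
    foreach ($s in Get-CimInstance -ClassName Win32_LogonSession) {
        $sessionsById[[string]$s.LogonId] = $s
    }
    Get-CimInstance -ClassName Win32_LoggedOnUser | ForEach-Object {
        $sess = $sessionsById[[string]$_.Dependent.LogonId]
        if ($null -ne $sess) {
            [pscustomobject]@{
                Account   = '{0}\{1}' -f $_.Antecedent.Domain, $_.Antecedent.Name
                LogonId   = [uint64]$sess.LogonId
                LogonType = $logonTypeNames[[int]$sess.LogonType]
                AuthPkg   = $sess.AuthenticationPackage
                Started   = $sess.StartTime
            }
        }
    }
}

function Get-NetworkLogonEvents {
    param([int]$MaxEvents = 500)
    # Event 4624 is written by computerB when it authenticates the caller itself;
    # LogonType 3 marks a network (SMB, RPC, ...) logon. Fields are read by name
    # from the event XML rather than by positional index.
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
    ForEach-Object {
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        if ($data['LogonType'] -eq '3') {
            [pscustomobject]@{
                Time     = $_.TimeCreated
                Account  = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
                LogonId  = [Convert]::ToUInt64($data['TargetLogonId'], 16)  # logged as hex, e.g. 0x3e7
                AuthPkg  = $data['AuthenticationPackageName']               # NTLM or Kerberos
                Client   = $data['WorkstationName']
                ClientIP = $data['IpAddress']
            }
        }
    }
}

$sessions = Get-LocalLogonSessions
$events   = Get-NetworkLogonEvents

"Logon sessions currently held on ${env:COMPUTERNAME}:"
$sessions | Sort-Object LogonType, Account | Format-Table -AutoSize

"Network logons (LogonType 3) this machine authenticated itself, newest first:"
$events | Format-Table -AutoSize

# A LogonId present in both lists is the session the server-side thread
# impersonates while it opens file.txt on the caller's behalf; it is created
# and torn down on computerB and is unrelated to any LogonId on computerA.
$live = @($sessions | Where-Object { $_.LogonType -eq 'Network' } | Select-Object -ExpandProperty LogonId)
$events | Where-Object { $live -contains $_.LogonId } |
    Format-Table Time, Account, LogonId, AuthPkg, Client -AutoSize
```

The AuthPkg column shows which credential exchange computerB ran to build its own session (NTLM challenge/response or a Kerberos ticket); either way it is computerB, not computerA, that verified the caller before minting a token. Once the client closes its last handle and the idle timeout passes, the Network session disappears from the first list while the 4624 event remains in the log.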