Re: Trouble using DuplicateToken for a delegation-capable token

From: Tony Chow (tchow@bluetentacle.com)
Date: 09/18/02


From: "Tony Chow" <tchow@bluetentacle.com>
Date: Wed, 18 Sep 2002 08:18:00 -0700


Thanks for the reply.

But when is a delegation token needed? What privileges do I need to get
one? Thanks.

"Willy Denoyette [MVP]" <willy.denoyette@pandora.be> wrote in message
news:u#8vc5xXCHA.1828@tkmsftngp08...
> You don't need a delegation token to access remote network resources,
> simply call LogonUser with LOGON32_LOGON_NETWORK_CLEARTEXT and
> the token obtained will have network access.
>
> Willy.
>
> "Tony Chow" <tchow@bluetentacle.com> wrote in message
> news:exFeJRnXCHA.720@tkmsftngp12...
> > Win32 gurus, I need your help.
> >
> > I am trying to enable delegation in ASP.NET, so that the server may act
> > on behalf of the impersonated user to access network resources. Here's my
> > setup:
> >
> > - ASPNET_WP.EXE is running under the system context (for now)
> > - The server is running in an Active Directory environment
> > - The server's computer account is configured to be trusted for
> > delegation (that would mean that aspnet_wp.exe is trusted for delegation
> > since it runs in the system context, correct?)
> > - The user account that I'm trying to impersonate is not prohibited from
> > being delegated in Active Directory
> > - I've imported all necessary Win32 functions.
> >
> > I first call LogonUser to log in to the AD domain, making sure that the
> > authentication provider is LOGON32_PROVIDER_WINNT50 (Kerberos), and that
> > the logon type is LOGON32_LOGON_NETWORK_CLEARTEXT:
> >
> > LogonUser(username, domain, password, 8, 3, out token);
> >
> > This successfully returns a token. Then, using this token thus
> > obtained, I try to assign the delegation right to this token by calling
> > DuplicateToken:
> >
> > DuplicateToken(token, 3, out token2);
> >
> > The value 3 being the SecurityDelegation option.
> >
> > Here the function fails. The call to DuplicateToken persistently
> > returns error 1346, "Either a required impersonation level was not
> > provided, or the provided impersonation level is invalid".
> >
> > What am I doing wrong? What does it take to get a token that can be
> > delegated? Thanks for any help!
> >
>
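The LogonUser / duplicate-to-SecurityDelegation sequence from the quoted post, as an added example that is neither the poster's code nor Microsoft's: it replaces the magic numbers with the named Win32 constants, raises the real Win32 error code on failure (1346 is ERROR_BAD_IMPERSONATION_LEVEL, the error the post reports), and reads back the impersonation level the duplicated token actually carries. It assumes C# P/Invoke and that the caller supplies the credentials.

```csharp
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;
// Added example, not code from the thread: the post's LogonUser -> DuplicateToken sequence
// with named constants, the Win32 error surfaced by value, and the duplicated token's
// impersonation level read back so the caller sees what level was actually granted.
static class DelegationTokenCheck
{
    const int LOGON32_LOGON_NETWORK_CLEARTEXT = 8;           // logon type used in the post
    const int LOGON32_PROVIDER_WINNT50 = 3;                  // provider the post calls "Kerberos"
    public const int ERROR_BAD_IMPERSONATION_LEVEL = 1346;   // the error the post reports
    const uint TOKEN_QUERY = 0x0008, TOKEN_DUPLICATE = 0x0002, TOKEN_IMPERSONATE = 0x0004;
    const int TokenImpersonationLevel = 9;                   // TOKEN_INFORMATION_CLASS member
    public enum SECURITY_IMPERSONATION_LEVEL { SecurityAnonymous, SecurityIdentification, SecurityImpersonation, SecurityDelegation }
    enum TOKEN_TYPE { TokenPrimary = 1, TokenImpersonation = 2 }

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LogonUser(string user, string domain, string password,
                                 int logonType, int logonProvider, out IntPtr token);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool DuplicateTokenEx(IntPtr existing, uint access, IntPtr attrs,
                                        SECURITY_IMPERSONATION_LEVEL level, TOKEN_TYPE type, out IntPtr newToken);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool GetTokenInformation(IntPtr token, int infoClass, out int info,
                                           int infoLength, out int returnLength);
    [DllImport("kernel32.dll")]
    static extern bool CloseHandle(IntPtr handle);

    // Logs on with the post's parameters, duplicates to SecurityDelegation and returns the
    // level the new token really carries. Throws Win32Exception carrying the error code
    // (compare ex.NativeErrorCode with ERROR_BAD_IMPERSONATION_LEVEL for the post's failure).
    public static SECURITY_IMPERSONATION_LEVEL GetDelegationToken(
        string user, string domain, string password, out IntPtr token2)
    {
        IntPtr token;
        if (!LogonUser(user, domain, password, LOGON32_LOGON_NETWORK_CLEARTEXT,
                       LOGON32_PROVIDER_WINNT50, out token))
            throw new Win32Exception(Marshal.GetLastWin32Error());
        try {
            // DuplicateTokenEx instead of DuplicateToken so the access mask and token type are explicit.
            if (!DuplicateTokenEx(token, TOKEN_QUERY | TOKEN_DUPLICATE | TOKEN_IMPERSONATE, IntPtr.Zero,
                                  SECURITY_IMPERSONATION_LEVEL.SecurityDelegation,
                                  TOKEN_TYPE.TokenImpersonation, out token2))
                throw new Win32Exception(Marshal.GetLastWin32Error());
            int level, returned;
            if (!GetTokenInformation(token2, TokenImpersonationLevel, out level, sizeof(int), out returned))
                throw new Win32Exception(Marshal.GetLastWin32Error());
            return (SECURITY_IMPERSONATION_LEVEL)level;   // SecurityDelegation (3) if the duplicate succeeded
        } finally { CloseHandle(token); }   // the caller owns token2 and must CloseHandle it
    }
}
```

Checking the returned level rather than trusting the requested one is the useful part: a token that comes back at SecurityImpersonation will still work locally but will fail exactly when the server tries to reach a second hop on the user's behalf.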


