Re: Framework v1.1 & LogonUser workaround
From: Bill Belliveau (anonymous_at_discussions.microsoft.com)
Date: 01/27/04
- Next message: Joe Kaplan \(MVP - ADSI\): "Re: Framework v1.1 & LogonUser workaround"
- Previous message: Steve: "Re: Network Credentials not passing in Authentication mode"
- In reply to: Joe Kaplan \(MVP - ADSI\): "Re: Framework v1.1 & LogonUser workaround"
- Next in thread: Joe Kaplan \(MVP - ADSI\): "Re: Framework v1.1 & LogonUser workaround"
- Reply: Joe Kaplan \(MVP - ADSI\): "Re: Framework v1.1 & LogonUser workaround"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Tue, 27 Jan 2004 08:46:06 -0800
Joe, thanks for the info; it does help, mostly to let me know I'm on the right track.
I am curious, though: which WindowsIdentity constructor takes a username/password? I didn't see any such constructors or examples. Even though we are targeting 2003, that would seem like a better method than calling unmanaged code (even though the same thing happens behind the curtain).
Bill
----- Joe Kaplan (MVP - ADSI) wrote: -----
In many ways, this is an OS issue. Win2K generally only lets the SYSTEM account call LogonUser, as that is the only account by default with the SE_TCB_NAME privilege (act as part of the OS), and that is a good thing. In WinXP and 2003, LogonUser no longer requires SE_TCB_NAME, so many more accounts may call it.

Framework 1.1 helps with this situation in that there is a nice overload on the WindowsIdentity constructor that creates a new WindowsIdentity from username/password, but it still doesn't defeat OS security rules.

The best thing you could do from a security perspective is move to 2K3 server so that you can call LogonUser without any real issues. On 2000, you must run as SYSTEM (or give another account SE_TCB_NAME, essentially making it SYSTEM if it wants to be) to do what you want. ASP.NET and IIS let you do this, but it is better to avoid it.

The other thing to do would be to move away from Forms auth. so that you can let IIS do the authentication for you, but that doesn't sound like what you want.
I'm not sure if I helped, but hopefully this was useful.
Joe K.
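The LogonUser workaround the thread is about, as an added C# example (not code from Bill or Joe): P/Invoke LogonUser to validate a Forms-auth username/password, impersonate the returned token for one unit of work, then revert and release the handle, surfacing the SE_TCB_NAME failure Joe describes on Windows 2000 as a distinct error. The Win32 constants, the P/Invoke signatures and the WindowsIdentity(IntPtr) constructor are the documented ones; the class, delegate and method names are my own.

```csharp
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;
using System.Security.Principal;

// Added example, not from the thread: validate a Forms-auth username/password with
// LogonUser, impersonate the result for one action, then revert and release the token.
public class LogonHelper
{
    const int LOGON32_LOGON_NETWORK = 3;        // credential check only; no network hop-off
    const int LOGON32_PROVIDER_DEFAULT = 0;
    const int ERROR_PRIVILEGE_NOT_HELD = 1314;  // Win2K without SE_TCB_NAME fails with this

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LogonUser(string user, string domain, string password,
                                 int logonType, int logonProvider, out IntPtr token);

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr handle);

    public delegate void ImpersonatedAction();  // hypothetical name for the work to run

    public static void RunAs(string domain, string user, string password,
                             ImpersonatedAction action)
    {
        IntPtr token;
        if (!LogonUser(user, domain, password, LOGON32_LOGON_NETWORK,
                       LOGON32_PROVIDER_DEFAULT, out token))
        {
            int err = Marshal.GetLastWin32Error();
            if (err == ERROR_PRIVILEGE_NOT_HELD)
                throw new UnauthorizedAccessException(
                    "LogonUser denied: the process needs SE_TCB_NAME on Windows 2000.");
            throw new Win32Exception(err);      // wrong password, locked out, etc.
        }

        WindowsImpersonationContext ctx = null;
        try
        {
            // WindowsIdentity(IntPtr) wraps the logon token; Impersonate() switches this thread.
            ctx = new WindowsIdentity(token).Impersonate();
            action();                           // runs under the authenticated user's identity
        }
        finally
        {
            if (ctx != null) ctx.Undo();        // always revert, even if the action throws
            CloseHandle(token);                 // never leak the token handle
        }
    }
}
```

From a Forms-auth login handler this is called as LogonHelper.RunAs(domain, user, password, new LogonHelper.ImpersonatedAction(DoWork)); on Windows 2000 the UnauthorizedAccessException is the signal that the worker process lacks the privilege Joe mentions rather than that the password was wrong.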