Re: Security permissions for Win32 LogonUser call.

From: Joe Kaplan (MVP - ADSI) (joseph.e.kaplan_at_removethis.accenture.com)
Date: 03/29/05


Date: Tue, 29 Mar 2005 09:51:51 -0600

Under Windows 2000, an account needs the Act As Part of the Operating System
privilege to call LogonUser. By default, only SYSTEM has this privilege as
it is very powerful and not something you want to give out lightly.

Another option you might want to consider in Win2K would be using SSPI.
I've seen a few .NET wrappers out there that will allow you to get a logon
token for a user without calling LogonUser. A Google search should turn
something up.

Alternately, you can also move to 2003 server where this restriction is
lifted.

Joe K.

"Ken Varn" <nospam> wrote in message
news:uJre1F8MFHA.2576@TK2MSFTNGP10.phx.gbl...
> I am running my ASP.NET page under IIS in Windows 2000 Pro. I need to make
> a call to the Win32 LogonUser function to get a logon token. How can I get
> security permission to do this while running under the MACHINE account for
> ASP.NET?
>
> --
> -----------------------------------
> Ken Varn
> Senior Software Engineer
> Diebold Inc.
>
> EmailID = varnk
> Domain = Diebold.com
> -----------------------------------
>
>
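
An added example, not code from either poster in this thread: a small C# diagnostic that calls LogonUser and separates a missing caller privilege (Win32 error 1314) from rejected credentials (error 1326), so the failure described above can be confirmed before anyone considers changing the account's rights. The names LogonCheck and Diagnose are hypothetical.

```csharp
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;

static class LogonCheck   // hypothetical helper, not part of any library
{
    const int LOGON32_LOGON_NETWORK = 3;
    const int LOGON32_PROVIDER_DEFAULT = 0;
    const int ERROR_PRIVILEGE_NOT_HELD = 1314; // caller lacks a required privilege
    const int ERROR_LOGON_FAILURE = 1326;      // unknown user name or bad password

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LogonUser(string user, string domain, string password,
        int logonType, int logonProvider, out IntPtr token);

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr handle);

    // Returns a diagnosis string; any token obtained is closed before returning.
    public static string Diagnose(string user, string domain, string password)
    {
        IntPtr token;
        if (LogonUser(user, domain, password, LOGON32_LOGON_NETWORK,
                      LOGON32_PROVIDER_DEFAULT, out token))
        {
            CloseHandle(token);
            return "LogonUser succeeded for " + domain + "\\" + user;
        }
        int err = Marshal.GetLastWin32Error(); // read immediately after the failed call
        switch (err)
        {
            case ERROR_PRIVILEGE_NOT_HELD:
                return "1314: the calling account lacks a required privilege " +
                       "(on Windows 2000, Act As Part of the Operating System)";
            case ERROR_LOGON_FAILURE:
                return "1326: credentials rejected; not a caller-privilege problem";
            default:
                return err + ": " + new Win32Exception(err).Message;
        }
    }

    static void Main(string[] args)
    {
        if (args.Length != 2) { Console.Error.WriteLine("usage: LogonCheck <user> <domain>"); return; }
        Console.Write("Password: ");   // prompted so it never lands in the process command line
        Console.WriteLine(Diagnose(args[0], args[1], Console.ReadLine()));
    }
}
```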