Re: Security permissions for Win32 LogonUser call.

From: Dominick Baier [DevelopMentor] (dbaier_at_pleasepleasenospamdevelop.com)
Date: 03/31/05 

Date: Thu, 31 Mar 2005 03:40:37 -0800

Hello Joe,

check this out for the SSPI workaround:
http://pluralsight.com/wiki/default.aspx/Keith.GuideBook/HowToGetATokenForAUser.html

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com

> Under Windows 2000, an account needs the Act As Part of the Operating
> System privilege to call LogonUser. By default, only SYSTEM has this
> privilege as it is very powerful and not something you want to give
> out lightly.
>
> Another option you might want to consider in Win2K would be using
> SSPI. I've seen a few .NET wrappers out there that will allow you to
> get a logon token for a user without calling LogonUser. A Google
> search should turn something up.
>
> Alternately, you can also move to 2003 server where this restriction
> is lifted.
>
> Joe K.
>
> "Ken Varn" <nospam> wrote in message
> news:uJre1F8MFHA.2576@TK2MSFTNGP10.phx.gbl...
>
>> I am running my ASP.NET page under IIS in Windows 2000 Pro. I need
>> to make
>> a call to the Win32 LogonUser function to get a logon token. How can
>> I
>> get
>> security permission to do this while running under the MACHINE
>> account for
>> ASP.NET?
>> --
>> -----------------------------------
>> Ken Varn
>> Senior Software Engineer
>> Diebold Inc.
>> EmailID = varnk
>> Domain = Diebold.com
>> -----------------------------------