Re: Security permissions for Win32 LogonUser call.

From: Joe Kaplan (MVP - ADSI) (joseph.e.kaplan_at_removethis.accenture.com)
Date: 03/31/05


Date: Thu, 31 Mar 2005 09:32:46 -0600

Keith's SSPI sample uses NegotiateStream which is certainly cool, but
definitely only in .NET 2.0 right now. 1.x users will need a p/invoke
solution although I've seen several published here that should show up in a
Google search.

Joe K.

"Dominick Baier [DevelopMentor]" <dbaier@pleasepleasenospamdevelop.com>
wrote in message news:205957632478732355935744@news.microsoft.com...
> Hello Joe,
>
> check this out for the SSPI workaround:
> http://pluralsight.com/wiki/default.aspx/Keith.GuideBook/HowToGetATokenForAUser.html
>
>
> ---------------------------------------
> Dominick Baier - DevelopMentor
> http://www.leastprivilege.com
>
>> Under Windows 2000, an account needs the Act As Part of the Operating
>> System privilege to call LogonUser. By default, only SYSTEM has this
>> privilege as it is very powerful and not something you want to give
>> out lightly.
>>
>> Another option you might want to consider in Win2K would be using
>> SSPI. I've seen a few .NET wrappers out there that will allow you to
>> get a logon token for a user without calling LogonUser. A Google
>> search should turn something up.
>>
>> Alternately, you can also move to 2003 server where this restriction
>> is lifted.
>>
>> Joe K.
>>
>> "Ken Varn" <nospam> wrote in message
>> news:uJre1F8MFHA.2576@TK2MSFTNGP10.phx.gbl...
>>
>>> I am running my ASP.NET page under IIS in Windows 2000 Pro. I need to make
>>> a call to the Win32 LogonUser function to get a logon token. How can I get
>>> security permission to do this while running under the MACHINE account for
>>> ASP.NET?
>>> --
>>> -----------------------------------
>>> Ken Varn
>>> Senior Software Engineer
>>> Diebold Inc.
>>> EmailID = varnk
>>> Domain = Diebold.com
>>> -----------------------------------
>
>
>
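The privilege requirement discussed in this thread, as an added example that is not part of the original posts: a C# p/invoke call to LogonUser that reports the missing "Act as part of the operating system" privilege (Win32 error 1314, ERROR_PRIVILEGE_NOT_HELD) as its own case, so the caller can fall back to SSPI instead of granting that privilege to the ASP.NET account. The names `LogonUserProbe` and `GetToken` are hypothetical, and the network logon type is an assumption.

```csharp
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;

class LogonUserProbe   // hypothetical name, for illustration only
{
    const int LOGON32_LOGON_NETWORK = 3;        // assumption: network logon is sufficient
    const int LOGON32_PROVIDER_DEFAULT = 0;
    const int ERROR_PRIVILEGE_NOT_HELD = 1314;  // caller lacks a required privilege

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LogonUser(string user, string domain, string password,
        int logonType, int logonProvider, out IntPtr token);

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr handle);

    // Returns a token handle that the caller must close; throws with the reason on failure.
    static IntPtr GetToken(string user, string domain, string password)
    {
        IntPtr token;
        if (LogonUser(user, domain, password, LOGON32_LOGON_NETWORK,
                      LOGON32_PROVIDER_DEFAULT, out token))
            return token;

        int err = Marshal.GetLastWin32Error();
        if (err == ERROR_PRIVILEGE_NOT_HELD)
            throw new InvalidOperationException(
                "LogonUser requires 'Act as part of the operating system' here; " +
                "use an SSPI-based logon or run on Windows Server 2003.");
        throw new Win32Exception(err);  // e.g. 1326, bad user name or password
    }

    static void Main(string[] args)
    {
        if (args.Length != 2)
        {
            Console.WriteLine("usage: LogonUserProbe <user> <domain>");
            return;
        }
        Console.Write("Password (echoed): ");
        string password = Console.ReadLine();
        IntPtr token = GetToken(args[0], args[1], password);
        try { Console.WriteLine("Got token handle 0x{0:X}", token.ToInt64()); }
        finally { CloseHandle(token); }  // always release the token handle
    }
}
```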