Re: A service's threads outgoing security: how to manage?

From: Willy Denoyette [MVP] (willy.denoyette_at_telenet.be)
Date: 11/23/05


Date: Wed, 23 Nov 2005 10:30:56 +0100

Use LogonUser with LOGON32_LOGON_NEW_CREDENTIALS (dwLogonType = 9) as
logon type; this logon type clones the current token and uses the credentials
specified (username, machine name and password) for outbound connections
only.

Say your current process runs as "BOB" and you call LogonUser specifying
ALICE's credentials; after impersonating, local resources will be accessed
using BOB's token while remote resources will be accessed using ALICE's
token.

Willy.
PS: note that this requires W2K, XP, W2K3 or higher.

"Manfred Braun" <aa@bb.cc> wrote in message
news:u7oJhVG8FHA.3544@TK2MSFTNGP09.phx.gbl...
> Hi Willy,
>
> you could possibly help. In my situation, I cannot use "LogonUser",
> because the credentials I have to access the remote machine are not valid
> locally.
> The service is running with an account which is authorized to access some
> remote machines [domain members from my domain] and in this case, I have
> just nothing to do. And for the others, I cannot manage [from my security
> privileges] the trust-relationship between the domains. But with the known
> credentials, I can access network resources manually, like shares, from my
> domain. What I need is a method to access a registry remotely and I have
> to write to the remote eventlog; I'll not use WMI for this [which would
> allow to impersonate]. I want just something like to establish a secure
> channel/logon to the remote box so that I can access different resources
> there.
>
> Any help would be really great!
> Is this type of functionality possibly part of .Net 2.0?
>
> Thanks so far
> and best regards,
> Manfred
>
> "Willy Denoyette [MVP]" <willy.denoyette@telenet.be> wrote in message
> news:eDGnQTs7FHA.3636@TK2MSFTNGP09.phx.gbl...
>> Manfred,
>> Your thread doesn't run as the user you specified for your DirectoryEntry
>> call, the call only creates a network logon session for the connection
>> with remComp, that is, the client thread uses the token obtained to connect
>> and access the network resource, but this token is not carried over to
>> your threadpool thread. TP threads always use the process token unless you
>> are explicitly impersonating (calling LogonUser(), Impersonate()). So, what
>> you need to do is either impersonate or run your service as a dedicated
>> user with appropriate access privileges to all remote servers.
>>
>> Willy.
>>
>> "Manfred Braun" <aa@bb.cc> wrote in message
>> news:u9qf2Js7FHA.3804@TK2MSFTNGP12.phx.gbl...
>> > Hello Dave
>> >
>> > and much thanks first. But the problem is another. Because there are
>> > trusts between the domains, the running user is not of any importance
>> > and I need to explicitly specify credentials [which are different for
>> > different computers I connect to]. I create a session with:
>> >
>> > DirectoryEntry de = new DirectoryEntry("WinNT://remComp,computer",
>> >                                        user, pass,
>> >                                        AuthenticationTypes.Secure);
>> >
>> > This works well and I can read the properties of the computer-object
>> > from the remote box, even though my running user does not have [implicit]
>> > permissions.
>> > Now, with the established session, I try to modify the remote registry
>> > with:
>> >
>> > System.Diagnostics.EventLog.CreateEventSource(
>> >     ec.dynConf.eventlogSourcename,
>> >     "Application",
>> >     "remComp");
>> >
>> > which fails with "General Access Denied Error". So my thread [which is
>> > from the threadpool] lost the permissions anywhere!!!!
>> >
>> > Thanks so far and
>> > best regards,
>> > Manfred
>> >
>> > "D. Yates" <foeman@hotmail.com> wrote in message
>> > news:OD85Yur7FHA.1140@tk2msftngp13.phx.gbl...
>> >> Manfred,
>> >>
>> >> The problem is probably the service's permissions. You need to have
>> >> your service run as a user with permission to access the remote computer.
>> >> Do a Google search on Service Permission and you will get a lot of hits.
>> >>
>> >> Dave
>> >>
>> >> "Manfred Braun" <aa@bb.cc> wrote in message
>> >> news:%23G94Agp7FHA.1864@TK2MSFTNGP12.phx.gbl...
>> >> > Hello All!
>> >> >
>> >> > I am writing a management application, which has to access remote
>> >> > machines' registry via System.Diagnostics.EventLog.CreateEventSource
>> >> > [which is efficiently a registry access].
>> >> >
>> >> > For each machine I connect to, I create a DirectoryEntry and connect
>> >> > to that machine specifying credentials. That's because the running
>> >> > user does not have the right permissions [working with different
>> >> > domains, no trusts].
>> >> > The application is written in C# and the action taken is done with
>> >> > threads from the threadpool.
>> >> > After I created the "secure channel" with the help of the
>> >> > DirectoryEntry object, I do the CreateEventSource call, which fails
>> >> > with "General Access Denied Error".
>> >> >
>> >> > But this works fine, if the application runs - while testing - as a
>> >> > console application, but fails, if it runs as a service!!!! It does
>> >> > also not work, if I run the app temporarily with the Taskscheduler.
>> >> >
>> >> > Because I cannot specify explicit credentials while accessing the
>> >> > registry, I have no idea what to do now. Access to the remote WMI
>> >> > service is well done specifying explicit credentials.
>> >> >
>> >> > I am running Windows Server 2003, en, SP1 and framework 1.1, SP1
>> >> >
>> >> > Any help would be great!!
>> >> > Sorry for crossposting; I am not sure what's the right/best group.
>> >> >
>> >> > Thanks so far and
>> >> > best regards,
>> >> > Manfred
>> >> > Mannheim
>> >> > Germany
>> >> >
>> >>
>> >>
>> >
>> >
>>
>>
>
>
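Worked example of the approach Willy describes at the top of this thread (added here; it is not code from the thread): LogonUser with LOGON32_LOGON_NEW_CREDENTIALS on the thread that makes the remote call, then CreateEventSource against the remote machine while impersonating, so local access stays under the service's own token and only the outbound connection uses the supplied account. It assumes C# 2.0 / .NET 2.0 or later; the remote host "remComp", the account, and the source name "MyMgmtApp" are placeholders.

```csharp
using System;
using System.ComponentModel;
using System.Diagnostics;
using System.Runtime.InteropServices;
using System.Security.Principal;

static class NetOnlyLogon
{
    public delegate void Work();
    const int LOGON32_LOGON_NEW_CREDENTIALS = 9;   // dwLogonType from Willy's reply
    const int LOGON32_PROVIDER_WINNT50 = 3;        // required provider for type 9
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LogonUser(string user, string domain, string password,
                                 int logonType, int logonProvider, out IntPtr token);
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr handle);

    // Runs 'work' on the calling thread while that thread's outbound connections
    // use the given credentials; local access keeps the process (service) token.
    public static void RunWithNetworkCredentials(string user, string domain,
                                                 string password, Work work)
    {
        IntPtr token;
        if (!LogonUser(user, domain, password, LOGON32_LOGON_NEW_CREDENTIALS,
                       LOGON32_PROVIDER_WINNT50, out token))
            throw new Win32Exception(Marshal.GetLastWin32Error());
        try
        {
            // Impersonation is per thread: do it on the threadpool thread that
            // makes the remote call, since TP threads otherwise use the process token.
            using (WindowsImpersonationContext ctx = new WindowsIdentity(token).Impersonate())
            {
                work();
            } // Dispose() reverts the thread to the process token
        }
        finally
        {
            CloseHandle(token);
        }
    }
    static void Main()
    {
        // Placeholder values: remote host, account and source name are hypothetical.
        RunWithNetworkCredentials("alice", "OTHERDOMAIN", "<password>", delegate
        {
            if (!EventLog.SourceExists("MyMgmtApp", "remComp"))
                EventLog.CreateEventSource("MyMgmtApp", "Application", "remComp");
        });
    }
}
```

With logon type 9 the credentials are not validated at LogonUser time, so a wrong password only surfaces as access denied on the first remote call. The account used should be one that holds just the remote registry and event log rights the application needs.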


