Re: Have a NTAccount, need FileSystem permissions



Hi,

To get the SID of a user you simply need to construct an NTAccount object like

NTAccount acc = new NTAccount("domain\\user");

Afterwards you translate it to a SID:

// Translate to the target type you want back (SecurityIdentifier), then cast.
SecurityIdentifier sid = (SecurityIdentifier)acc.Translate(typeof(SecurityIdentifier));

You get the SID now using:

sid.Value;

That's the equivalent of user.User.IdentityReference.

This eliminates the need for the NegotiateStream handshake.


dominick


Hi NG,

I have just started doing .NET 2.0 and I am a bit curious about the
System.Security.Principal and System.Security.AccessControl namespaces
and their interaction.

I have a simple task: Given an NTAccount object (and a password), tell
me whether that account can execute a file or not. I have now spent
four hours figuring this out, and here is finally my solution (C#),
which I personally dislike for many reasons.

I am now asking the public how this should have been done. It goes
along the lines of this code (maybe faulty, but I guess you get the
idea):

using System;
using System.IO;
using System.Net;
using System.Net.Security;
using System.Net.Sockets;
using System.Runtime.InteropServices;
using System.Security;
using System.Security.AccessControl;
using System.Security.Principal;
using System.Threading;

namespace Test
{
    public class TestClass
    {
        public static bool CanExecute(NTAccount account, SecureString password, string file)
        {
            return TestClass.HasRight(account, password, file, FileSystemRights.ExecuteFile);
        }

        private static bool HasRight(NTAccount account, SecureString password, string file, FileSystemRights right)
        {
            WindowsIdentity user = TestClass.getUser(account, password);
            if (user == null)
                return false;   // logon/handshake failed, no token to check against
            FileInfo info = new FileInfo(file);
            FileSecurity fs = info.GetAccessControl();
            // GetAccessRules only accepts NTAccount or SecurityIdentifier as target type;
            // SecurityIdentifier makes the rules comparable with user.User and user.Groups.
            foreach (FileSystemAccessRule rule in fs.GetAccessRules(true, true, typeof(SecurityIdentifier)))
            {
                // Looks for a single Allow rule that carries every requested right.
                // Deny rules are ignored and rights spread over several rules are not combined.
                if ((user.Groups.Contains(rule.IdentityReference) || user.User.Equals(rule.IdentityReference))
                    && rule.AccessControlType.Equals(AccessControlType.Allow)
                    && ((rule.FileSystemRights & right) == right))
                {
                    return true;
                }
            }
            return false;
        }

        /* Taken and adapted from the net - credentials go to
           http://pluralsight.com/wiki/default.aspx/Keith.GuideBook/HowToGetATokenForAUser.html
        */
        private static WindowsIdentity getUser(NTAccount account, SecureString password)
        {
            // need a full duplex stream - loopback is easiest way to get that
            TcpListener tcpListener = new TcpListener(IPAddress.Loopback, 0);
            tcpListener.Start();
            WindowsIdentity id = null;
            ManualResetEvent serverDone = new ManualResetEvent(false);
            tcpListener.BeginAcceptTcpClient(delegate(IAsyncResult asyncResult)
            {
                try
                {
                    using (NegotiateStream serverSide = new NegotiateStream(
                        tcpListener.EndAcceptTcpClient(asyncResult).GetStream()))
                    {
                        serverSide.AuthenticateAsServer(CredentialCache.DefaultNetworkCredentials,
                            ProtectionLevel.None,
                            TokenImpersonationLevel.Impersonation);
                        id = (WindowsIdentity)serverSide.RemoteIdentity;
                    }
                }
                catch
                { id = null; }
                finally
                { serverDone.Set(); }
            }, null);
            // TcpClient(IPEndPoint) only binds a local endpoint; connect explicitly.
            int port = ((IPEndPoint)tcpListener.LocalEndpoint).Port;
            TcpClient client = new TcpClient();
            client.Connect(IPAddress.Loopback, port);
            using (NegotiateStream clientSide = new NegotiateStream(client.GetStream()))
            {
                NetworkCredential netcred = new NetworkCredential();
                netcred.UserName = account.ToString();
                IntPtr bstr = Marshal.SecureStringToBSTR(password);
                try
                {
                    netcred.Password = Marshal.PtrToStringUni(bstr);
                }
                finally
                {
                    Marshal.ZeroFreeBSTR(bstr);   // do not leave the plaintext copy behind
                }
                clientSide.AuthenticateAsClient(netcred, "", ProtectionLevel.None,
                    TokenImpersonationLevel.Impersonation);
            }
            // The server callback may still be running when the client handshake returns.
            serverDone.WaitOne();
            tcpListener.Stop();
            return id;
        }
    }
}
Is there a better way to achieve this? The whole getUser method is
nothing other than a hack. I also dislike the way I have to check the
permissions myself. There must be an easier way.

(I am sorry if I have picked the wrong NG; in that case, can you
tell me the correct one?)

Best regards,
Franz
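An added example (not from either post) that puts together Dominick's NTAccount-to-SID translation, a replacement for the loopback NegotiateStream trick, and an ACL walk that follows the ordering rules Windows itself applies. Translation gives you the account's own SID without any handshake, but the group SIDs that most ACEs are written against only come from a logon token, which is why the example still logs on, through the real Win32 `LogonUser` API declared via P/Invoke. It assumes a Windows host, .NET 2.0 or later, a `DOMAIN\user` account whose password you hold, and a file whose ACL the calling process may read; the class and method names are mine.

```csharp
using System;
using System.IO;
using System.Runtime.InteropServices;
using System.Security.AccessControl;
using System.Security.Principal;

// Added example, not code from the original posts.
public static class FileAccessCheck
{
    // Real Win32 API (advapi32!LogonUser), used instead of the NegotiateStream
    // loopback handshake to obtain a token for the account.
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LogonUser(string user, string domain, string password,
        int logonType, int logonProvider, out IntPtr token);

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr handle);

    const int LOGON32_LOGON_NETWORK = 3;    // needs no "log on locally" right
    const int LOGON32_PROVIDER_DEFAULT = 0;

    // Dominick's point: an NTAccount translates straight to a SID, no token needed.
    public static SecurityIdentifier ToSid(NTAccount account)
    {
        return (SecurityIdentifier)account.Translate(typeof(SecurityIdentifier));
    }

    public static bool HasRight(string domain, string user, string password,
                                string path, FileSystemRights wanted)
    {
        IntPtr token;
        if (!LogonUser(user, domain, password, LOGON32_LOGON_NETWORK,
                       LOGON32_PROVIDER_DEFAULT, out token))
            throw new System.ComponentModel.Win32Exception(Marshal.GetLastWin32Error());
        try
        {
            // WindowsIdentity duplicates the token, so the raw handle can be closed below.
            using (WindowsIdentity id = new WindowsIdentity(token))
            {
                FileSecurity fs = new FileInfo(path).GetAccessControl();
                return Evaluate(id, fs, wanted);
            }
        }
        finally
        {
            CloseHandle(token);
        }
    }

    // Walk the DACL the way AccessCheck does. GetAccessRules returns rules in
    // canonical order (explicit Deny, explicit Allow, inherited Deny, inherited
    // Allow). A matching Deny that covers any still-ungranted right wins; Allow
    // rights accumulate until every wanted right has been granted.
    public static bool Evaluate(WindowsIdentity id, FileSecurity fs, FileSystemRights wanted)
    {
        FileSystemRights granted = 0;

        // The owner implicitly holds READ_CONTROL and WRITE_DAC.
        SecurityIdentifier owner = (SecurityIdentifier)fs.GetOwner(typeof(SecurityIdentifier));
        if (owner != null && Applies(id, owner))
            granted |= FileSystemRights.ReadPermissions | FileSystemRights.ChangePermissions;

        foreach (FileSystemAccessRule rule in fs.GetAccessRules(true, true, typeof(SecurityIdentifier)))
        {
            if (!Applies(id, (SecurityIdentifier)rule.IdentityReference))
                continue;

            FileSystemRights stillNeeded = wanted & ~granted;
            if (rule.AccessControlType == AccessControlType.Deny)
            {
                if ((rule.FileSystemRights & stillNeeded) != 0)
                    return false;           // deny beats any later allow
            }
            else
            {
                granted |= rule.FileSystemRights;
                if ((granted & wanted) == wanted)
                    return true;            // everything requested is now covered
            }
        }
        return (granted & wanted) == wanted;
    }

    // An ACE applies if its SID is the token's user or one of its groups.
    static bool Applies(WindowsIdentity id, SecurityIdentifier sid)
    {
        return sid.Equals(id.User) || (id.Groups != null && id.Groups.Contains(sid));
    }
}
```

Call it as `FileAccessCheck.HasRight("CORP", "alice", password, @"C:\tools\run.exe", FileSystemRights.ExecuteFile)`. The account must be allowed the network logon type on the machine running the check, and the process needs permission to read the file's security descriptor. The walk models the ordering and deny-wins rules of the kernel check, but not everything the kernel considers (restricted-SID tokens, privileges such as SeBackupPrivilege, generic-right mapping), so treat it as an approximation; the authoritative answer is still the kernel's own AccessCheck against the real token.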

