Re: token elevation
- From: "Joe Kaplan" <joseph.e.kaplan@xxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Sat, 16 Dec 2006 11:07:58 -0600
If you enable Kerberos delegation correctly, you should be able to
impersonate the authenticated user to access the remote network files with
the user's security context. You could also do your impersonation
programmatically so that some of your operations were conducted with the
SYSTEM account.
Do you know if you have Kerberos delegation enabled for the machine account?
That is the account that delegation will be applied to when the SYSTEM
account attempts to access network resources.
Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"Scewbedew" <Scewbedew@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:A937FD24-0F25-4BA9-A41E-56D2ABDF7316@xxxxxxxxxxxxxxxx
My initial intention was to run everything in the SYSTEM context, but ran
into problems when my service required access to network files. My service
requires SYSTEM rights and cannot run as NetworkService.
I haven't found a way to access the network files using the delegated user
token while still running in SYSTEM context locally, but I'd be more than
happy to implement such a solution.
The idea of elevating the rights of the user token was my final(?) hope of
finding a solution to my network access problem.
"Joe Kaplan" wrote:
You can't do this in .NET, but might be able to do something like this
with
the low level token APIs by virtue of the fact that you are running as
SYSTEM. Are you sure you want to do this though? The design sounds very
strange. Perhaps it would be better to not impersonate the user for the
operations that require system and just let system do the work?
Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services
Programming"
http://www.directoryprogramming.net
--
"Scewbedew" <Scewbedew@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:F715EEDD-EF34-421E-A131-B0963B4B02F5@xxxxxxxxxxxxxxxx
Can I elevate the rights of a delegated user token?
I have a .net service running in LocalSystem context, that is called
from
a
user context program via IPC. The service has a copy of the user token
and
can impersonate the user when required.
My problem is that my service either runs as LocalSystem or as the
user;
what I really need is to impersonate the user *with the LocalSystem
rights
included*. Can I in some way add the LocalSystem rights to the
delegated
user
token without adding the user account to the local Administrators
group?
This could possibly be done by adding the system or administrators sid
to
the delegated user token (not to the user account itself), but I can't
find
any class that can do this.
Is it in any way possible to do this?
.
- References:
- Re: token elevation
- From: Joe Kaplan
- Re: token elevation
- Prev by Date: Validate Signed XML against X.509 Certificate in .NET
- Next by Date: Re: Validate Signed XML against X.509 Certificate in .NET
- Previous by thread: Re: token elevation
- Next by thread: ASP.NET Medium Trust Level, and passing mixed parameters to C# functions
- Index(es):
Relevant Pages
|
