Re: FindFirstFile and Impersonation

From: Dave Christiansen [MS] (davidchr_at_online.microsoft.com)
Date: 10/15/03


Date: Tue, 14 Oct 2003 16:29:55 -0700

This is the problem:

> Token impersonation level:
> Impersonation

...the GALAXY\xxxx user successfully authenticated to you, which enables you
to impersonate him. However, he didn't delegate to you (in which case, the
token impersonation level would be "Delegation"). Delegation is necessary
to get out to the network, because the client is essentially trusting you to
authenticate to other sites using his credentials on the network.

You need to change whatever mechanism you used to authenticate your client
so that it uses delegation-- if you're using SSPI, it means the client needs
to pass ISC_REQ_DELEGATE | ISC_REQ_MUTUAL_AUTH to InitializeSecurityContext,
and your server needs to pass similar ASC_REQ flags to
AcceptSecurityContext. There are comparable wrappers for RPC and DCOM, too.

For more information, consult the MSDN
 - general:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cossdk/htm/pgservices_security_3yer.asp
 - ... and ASP.NET:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/SecNetHT05.asp
 - ...and RPC:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/rpc/rpc/client_impersonation.asp
 - ...and COM:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/wmisdk/wmi/connecting_to_a_3rd_computer-delegation.asp

-- 
This message is provided "AS IS" with no warranties, and confers no rights.
This message originates in the State of Washington (USA), where unsolicited
commercial email is legally actionable (see
http://www.wa.gov/ago/junkemail).
Harvesting of this address for purposes of bulk email (including "spam") is
prohibited unless by my expressed prior request.  I retaliate viciously
against spammers and spam sites.
"asmx" <asmx@hotmail.com> wrote in message
news:522dbdb4.0310140714.3012df22@posting.google.com...
> Hi
> I am impersonating a kerberos client. I have been successfully able to
> retrieve the client credentials and impersonate.
> I cannot access any network resources, though the user I am
> impersonating is a domain user.
> Below, I list all the privileges.
> What else do I need to do a FindFirstFile (with wild card) on a network
> resource?
>
> thx!
>
> ----------- begin list of tokens -----------------
>   Token source: "Kerberos" (luid = 19912)
>   Token owner:
>     S-1-5-32-544 "BUILTIN\Administrators" (alias)
>   Token user:
>     S-1-5-21-1715567821-1965331169-1606980848-1166 "GALAXY\xxxxxx"
> (user)
>   Token impersonation level:
>     Impersonation
>   Token type:
>     Impersonation
>   Token primary group:
>     S-1-5-21-1715567821-1965331169-1606980848-513 "GALAXY\Domain
> Users" (group)
>   Token groups:
>     S-1-5-21-1715567821-1965331169-1606980848-513 "GALAXY\Domain
> Users" (group)
>     S-1-1-0 "Everyone" (well-known group)
>     S-1-5-32-544 "BUILTIN\Administrators" (alias)
>     S-1-5-32-545 "BUILTIN\Users" (alias)
>     S-1-5-2 "NT AUTHORITY\NETWORK" (well-known group)
>     S-1-5-11 "NT AUTHORITY\Authenticated Users" (well-known group)
>   Token Privileges: (17)
>     [0] SeChangeNotifyPrivilege - Bypass traverse checking
>     [1] SeSecurityPrivilege - Manage auditing and security log
>     [2] SeBackupPrivilege - Back up files and directories
>     [3] SeRestorePrivilege - Restore files and directories
>     [4] SeSystemtimePrivilege - Change the system time
>     [5] SeShutdownPrivilege - Shut down the system
>     [6] SeRemoteShutdownPrivilege - Force shutdown from a remote
> system
>     [7] SeTakeOwnershipPrivilege - Take ownership of files or other
> objects
>     [8] SeDebugPrivilege - Debug programs
>     [9] SeSystemEnvironmentPrivilege - Modify firmware environment
> values
>     [10] SeSystemProfilePrivilege - Profile system performance
>     [11] SeProfileSingleProcessPrivilege - Profile single process
>     [12] SeIncreaseBasePriorityPrivilege - Increase scheduling
> priority
>     [13] SeLoadDriverPrivilege - Load and unload device drivers
>     [14] SeCreatePagefilePrivilege - Create a pagefile
>     [15] SeIncreaseQuotaPrivilege - Increase quotas
>     [16] SeUndockPrivilege - Remove computer from docking station
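Added here as an illustration, not code from either poster: a pre-flight check that reads the impersonating thread's token level and refuses a UNC FindFirstFile unless the token is at SecurityDelegation, which is exactly what the token dump above shows is missing. The function names, the verdict enum and the UNC parser are my own; the portable core compiles anywhere, while the Win32 wrapper (OpenThreadToken, GetTokenInformation, FindFirstFileA) only builds under _WIN32.

```c
/* Pre-flight check: can the current impersonation token serve a
 * FindFirstFile on this path? Local paths need SecurityImpersonation;
 * a UNC path needs SecurityDelegation, because the server has to
 * authenticate onward to the file server as the client. */
#include <string.h>

#ifdef _WIN32
#include <windows.h>
#else
/* Mirror of the Win32 SDK enum so the core compiles off-Windows (assumed values match winnt.h). */
typedef enum { SecurityAnonymous, SecurityIdentification,
               SecurityImpersonation, SecurityDelegation } SECURITY_IMPERSONATION_LEVEL;
#endif

/* Outcome of the check (hypothetical names, not SDK values). */
enum verdict { V_OK = 0, V_NEED_IMPERSONATION = 1, V_NEED_DELEGATION = 2, V_BAD_PATH = 3 };

/* True for \\server\share... : the network hop that requires delegation. */
int is_unc_path(const char *path) {
    if (!path || strncmp(path, "\\\\", 2) != 0) return 0;
    const char *server = path + 2;
    const char *slash = strchr(server, '\\');      /* end of the server name */
    return slash != NULL && slash != server && slash[1] != '\0' && slash[1] != '\\';
}

/* Decide whether a token at level lvl can enumerate path. */
enum verdict check_enum_allowed(const char *path, SECURITY_IMPERSONATION_LEVEL lvl) {
    if (!path || *path == '\0') return V_BAD_PATH;
    if (is_unc_path(path)) return lvl >= SecurityDelegation ? V_OK : V_NEED_DELEGATION;
    return lvl >= SecurityImpersonation ? V_OK : V_NEED_IMPERSONATION;
}

#ifdef _WIN32
/* Impersonation level of the calling thread's token, or -1 if not impersonating. */
int thread_impersonation_level(void) {
    HANDLE tok; SECURITY_IMPERSONATION_LEVEL lvl; DWORD n;
    if (!OpenThreadToken(GetCurrentThread(), TOKEN_QUERY, TRUE, &tok)) return -1;
    BOOL ok = GetTokenInformation(tok, TokenImpersonationLevel, &lvl, sizeof lvl, &n);
    CloseHandle(tok);
    return ok ? (int)lvl : -1;
}

/* Run the check against the live token, then the real FindFirstFileA. */
HANDLE find_first_as_client(const char *pattern, enum verdict *why) {
    int lvl = thread_impersonation_level();
    *why = lvl < 0 ? V_NEED_IMPERSONATION
                   : check_enum_allowed(pattern, (SECURITY_IMPERSONATION_LEVEL)lvl);
    if (*why != V_OK) return INVALID_HANDLE_VALUE;
    WIN32_FIND_DATAA fd;
    return FindFirstFileA(pattern, &fd);
}
#endif
```

A V_NEED_DELEGATION verdict means the fix is on the authentication side (ISC_REQ_DELEGATE | ISC_REQ_MUTUAL_AUTH on the client, the matching ASC_REQ flags on the server), not in the file API call.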

