Token from SSPI is ANONYMOUS LOGON after kerberos logon
From: Joseph Galbraith (galb_at_vandyke.com)
Date: 10/15/03
- Next message: Frank: "Smartcard"
- Previous message: Michael Virgil: "PF_KEY - RFC 2367"
- Next in thread: Xin Huang [MSFT]: "RE: Token from SSPI is ANONYMOUS LOGON after kerberos logon"
- Reply: Xin Huang [MSFT]: "RE: Token from SSPI is ANONYMOUS LOGON after kerberos logon"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Wed, 15 Oct 2003 11:57:34 -0600
Hello all,
I have a server application that can use SSPI to
authenticate users using Kerberos.
After the SSPI exchange completes, I call
QuerySecurityContextToken() to get a token
I can use to start processes [via
CreateProcessAsUser().]
This all works great in most situations; however,
at one customer site, for one particular user, the
TokenUser SID in the token is ANONYMOUS LOGON. This
causes our server to fail the login (and rightly
so.)
When I do QueryContextAttributes(SECPKG_ATTR_NAMES)
I get back the users username, i.e.,
mydomain.com\username, so the context is for the
correct principle.
The client in this case is running on a unix workstation
that is using the Active Directory controller as
it's KDC. The user has run kinit, and a klist shows
them as having a ticket for username@mydomain.com.
Does anyone have any clue why the token is being
returned for ANONYMOUS LOGON user instead of for
the real user?
I'm scratching my head trying to figure where to
even look for a possible cause.
Thanks,
Joseph
- Next message: Frank: "Smartcard"
- Previous message: Michael Virgil: "PF_KEY - RFC 2367"
- Next in thread: Xin Huang [MSFT]: "RE: Token from SSPI is ANONYMOUS LOGON after kerberos logon"
- Reply: Xin Huang [MSFT]: "RE: Token from SSPI is ANONYMOUS LOGON after kerberos logon"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
