Token from SSPI is ANONYMOUS LOGON after kerberos logon

From: Joseph Galbraith (galb_at_vandyke.com)
Date: 10/15/03


Date: Wed, 15 Oct 2003 11:57:34 -0600

Hello all,

I have a server application that can use SSPI to
authenticate users using Kerberos.

After the SSPI exchange completes, I call
QuerySecurityContextToken() to get a token
I can use to start processes [via
CreateProcessAsUser().]

This all works great in most situations; however,
at one customer site, for one particular user, the
TokenUser SID in the token is ANONYMOUS LOGON. This
causes our server to fail the login (and rightly
so.)

When I do QueryContextAttributes(SECPKG_ATTR_NAMES)
I get back the users username, i.e.,
mydomain.com\username, so the context is for the
correct principle.

The client in this case is running on a unix workstation
that is using the Active Directory controller as
it's KDC. The user has run kinit, and a klist shows
them as having a ticket for username@mydomain.com.

Does anyone have any clue why the token is being
returned for ANONYMOUS LOGON user instead of for
the real user?

I'm scratching my head trying to figure where to
even look for a possible cause.

Thanks,

Joseph



Relevant Pages