Re: NTLM Win2000 and Impersonation

From: Ivan Brugiolo [MSFT] (ivanbrug_at_online.microsoft.com)
Date: 10/20/03

• Next message: Eric Perlin [MS]: "Re: Custom GINA"
• Previous message: Ash: "NTLM Win2000 and Impersonation"
• In reply to: Ash: "NTLM Win2000 and Impersonation"
• Next in thread: Ash: "Re: NTLM Win2000 and Impersonation"
• Reply: Ash: "Re: NTLM Win2000 and Impersonation"
• Reply: Ash: "Re: NTLM Win2000 and Impersonation"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

Date: Sun, 19 Oct 2003 17:24:43 -0700

look at the docs for SeImpersonatePrivilege

-- 
This posting is provided "AS IS" with no warranties, and confers no rights.
Use of any included script samples are subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm
"Ash" <margya_rahul@hotmail.com> wrote in message
news:03e301c3969d$cf51eaf0$a101280a@phx.gbl...
> Hi All,
>
> I am using NTLM in Win2000 to impersonate an Administrator
> on a standalone PC. When I run my software under an user
> account which is part of Administrator group everything
> works perfect. However when I run the same software
> (nothing changed) under an user account which is part of
> User or Power user group, impersonation does not work.
>
> Well, I have been debugging this for some time now. The
> calls to 'InitializeSecurityContext'
> and 'AcceptSecurityContext' work fine as 'SEC_E_OK' is
> returned at the end of these calls. However, when the
> returned security context is used to retrieve a token
> using 'OpenThreadToken', the token has an
> ImpersonationLevel of 'SecurityIdentification'. Under
> Administrator group account, the token returned has
> ImpersonationLevel of 'SecurityImpersonation', which is
> right.
>
> Consequently, when I am running the software under User
> group account, I cannot use the token retrieved to
> impersonate an Administrator.
>
> Ideally, I should be able to impersonation anyone under
> any account as long as I enter the correct username,
> password and domain.
>
> I would greatly appreciate anyones help on this. Thanks.

---

• Next message: Eric Perlin [MS]: "Re: Custom GINA"
• Previous message: Ash: "NTLM Win2000 and Impersonation"
• In reply to: Ash: "NTLM Win2000 and Impersonation"
• Next in thread: Ash: "Re: NTLM Win2000 and Impersonation"
• Reply: Ash: "Re: NTLM Win2000 and Impersonation"
• Reply: Ash: "Re: NTLM Win2000 and Impersonation"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

Relevant Pages Re: Out of Process execution and .NET ... "charlie" expressed in the message known ... I will impersonate a Domain ... security weakness of the highest sort. ... than a blanket Domain Admin account), ... (microsoft.public.dotnet.framework.aspnet.security) Re: How to use WindowsPrincipal properly?? ... > If you want to check if the user is in the local computers security group ... > used by the general public you have to use Basic Authentication of course. ... You can logon a set account ... > WindowsIndentity which is then used to Impersonate. ... (microsoft.public.dotnet.framework.aspnet.security) Re: Security ... web.config file to impersonate a domain user that has access to the database ... registry the domain user and password. ... have Windows Integrated Security set. ... user while running the code under the impersonated account. ... (microsoft.public.dotnet.framework.aspnet) RE: Queryinterface Error ... AS for the problem you described, it is likely due to security issue. ... the current logon user account. ... IIS: Integrited windows? ... By default, if we didn't use impersonate, asp.net will run under the ... (microsoft.public.dotnet.framework.aspnet) Re: NTLM Win2000 and Impersonation ... >> account which is part of Administrator group everything ... >> returned security context is used to retrieve a token ... >> impersonate an Administrator. ... (microsoft.public.platformsdk.security)

---

We are proud to have Web Hosting and Rack Housing from 9 Net Avenue Deutschland.
(16)