Re: 'Perfect' Impersonation..
From: Drew Cooper [MSFT] (dcoop_at_online.microsoft.com)
Date: Wed, 22 Oct 2003 17:49:23 -0700
This is the behavior as documented in the Platform SDK. Check out the first
paragraph in the "Remarks" section:
--
Drew Cooper [MSFT]
This posting is provided "AS IS" with no warranties, and confers no rights.

"Jason Robertson" <firstname.lastname@example.org> wrote in message
news:email@example.com...
> Hi - I'm trying to develop an application that basically
> needs to be able to run in the context of an arbitrary
> user, and ideally would run those applications exactly as
> if the user had logged in on the console.
>
> I'm basically calling LogonUser with logon type
> LOGON32_LOGON_NETWORK_CLEARTEXT, converting it to a
> primary token, and calling CreateProcessAsUser. This
> seems to work fine for most things, but I notice that
> WNetOpenEnum and its ilk don't work in this context.
>
> For example, 'net use' returns an error that the
> WorkstationService isn't running, and I get a similar
> error when I try WNetOpenEnum programmatically in this
> context.
>
> Supposedly the NETWORK_CLEARTEXT should give me network
> access, and I've tried LOGON32_LOGON_INTERACTIVE and
> BATCH to no avail. I even tried LsaLogonUser - same
> thing.
>
> So how does one get a token identical to what you'd get
> when you log in interactively? Note that Kerberos
> delegation isn't an option for us...
>
> Thanks,
> Jason