Re: 'Perfect' Impersonation..

From: Drew Cooper [MSFT] (dcoop_at_online.microsoft.com)
Date: 10/23/03


Date: Wed, 22 Oct 2003 17:49:23 -0700

This is the behavior as documented in the Platform SDK. Check out the first
paragraph in the "Remarks" section:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/security/security/logonuser.asp

-- 
Drew Cooper [MSFT]
This posting is provided "AS IS" with no warranties, and confers no rights.

"Jason Robertson" <jason.v.robertson@intel.com> wrote in message
news:03e501c398e4$7bc8f9c0$a401280a@phx.gbl...
> Hi - I'm trying to develop an application that basically
> needs to be able to run in the context of an arbitrary
> user, and ideally would run those applications exactly as
> if the user had logged in on the console.
>
> I'm basically calling LogonUser with logon type
> LOGON32_LOGON_NETWORK_CLEARTEXT, converting it to a
> primary token, and calling CreateProcessAsUser.  This
> seems to work fine for most things, but I notice that
> WNetOpenEnum and its ilk don't work in this context.
>
> For example, 'net use' returns an error that the
> WorkstationService isn't running, and I get a similar
> error when I try WNetOpenEnum programmatically in this
> context.
>
> Supposedly the NETWORK_CLEARTEXT should give me network
> access, and I've tried LOGON32_LOGON_INTERACTIVE and
> BATCH to no avail.  I even tried LsaLogonUser - same
> thing.
>
> So how does one get a token identical to what you'd get
> when you log in interactively?  Note that Kerberos
> delegation isn't an option for us...
>
> Thanks,
> Jason

