Re: URGENT: Pipe server security question

From: John Duddy (jduddy_at_idontwantyourunsolicitedmsgDOTstbernard.com)
Date: 10/28/03


Date: Tue, 28 Oct 2003 08:53:07 -0800

You'll need to be using Kerberos authentication for starters. NTLM
authentication is explicitly not-delegatable.

JD

"Garfield Lewis" <galewis@SPAM-NO-MOREca.ibm.com> wrote in message
news:e8Ur#MPnDHA.1072@TK2MSFTNGP09.phx.gbl...
> Hi Drew,
>
> We need to impersonate because the service account typically has admin
> privileges and/or is LocalSystem. If we don't impersonate then we are
> effectively giving everyone who can interact with this service administrator
> privileges. The share does give "Everyone" read access. I am not using
> LogonUser, I am running a Named Pipe server, so I am doing
> ImpersonateNamedPipeClient then duping the thread token. I think what I need
> to do is to get a delegation token; however, whenever I pass
> SecurityDelegation to DuplicateTokenEx I always get a 1346
> (ERROR_BAD_IMPERSONATION_LEVEL) error from that API. I would appreciate it
> if someone could provide me with some sample code that will do what I am
> asking, namely using Named Pipes to run a delegatable service in a domain
> environment on Win2K SP3.
>
> Thx,
>
> --
> Garfield A. Lewis
> DB2 UDB Development,
> IBM Canada Laboratory
>
>
>
> "Drew Cooper [MSFT]" <dcoop@online.microsoft.com> wrote in message
> news:eZyihfOnDHA.2064@TK2MSFTNGP11.phx.gbl...
> > Check out the documentation for LogonUser. I suspect that this caveat in
> > the SDK covers your scenario:
> >
> > . . . if you convert the token to a primary token and use it in
> > CreateProcessAsUser to start a process, the new process will not be able to
> > access other network resources, such as remote servers or printers, through
> > the redirector. An exception is that if the network resource is not
> > access-controlled, then the new process will be able to access it.
> >
> >
> > Why not grant your service account access to the share? No need to
> > impersonate then.
> > --
> > Drew Cooper [MSFT]
> > This posting is provided "AS IS" with no warranties, and confers no rights.
> >
> >
> > "Garfield Lewis" <galewis@SPAM-NO-MOREca.ibm.com> wrote in message
> > news:OAZ9LcjmDHA.392@TK2MSFTNGP11.phx.gbl...
> > > Hi,
> > >
> > > I'm writing a pipe server service that will allow me to run remote commands
> > > on a machine. The server works like a charm if I don't add client
> > > impersonation. Even with client impersonation it works most of the time. The
> > > problem I'm having is this: I've got the service running on 2 machines
> > > (machineA and machineB). I've created a network share on machineA called
> > > \\machineA\myshare. Now if I request that the server do the following from
> > > machineA, dir \\machineA\myshare, then everything works fine. However, if I
> > > send this same command to machineB from machineB then I get an "Access is
> > > denied" error (rc=5). If I go to machineB and do this directly from a
> > > command window then everything is fine. When I issue the commands I am
> > > logged into the same domain account on both boxes so the authentication
> > > should be identical. The share was created giving "Everyone" full control. I
> > > later added "Authenticated Users" and "Anonymous" with the same full control
> > > but that has not made any difference. Here is some pseudo-code of how I am
> > > doing the impersonation; I would really appreciate some help on this.
> > >
> > > - give client access to process window station
> > > - give client access to thread desktop
> > > - impersonate named pipe client
> > > - open thread token
> > > - use DuplicateTokenEx to get a primary token (using SecurityImpersonation,
> > > also tried SecurityDelegation but CreateProcessAsUser complained about that)
> > > - use CreateProcessAsUser to run the command
> > >
> > > What do I need to do to make the remote client running as a service see the
> > > network share? I've tried various things to do with loading the profile but
> > > nothing seems to work. If I issue the command from machineB then that works
> > > but I suppose that's because it's machineA's share.
> > >
> > > --
> > > Garfield A. Lewis
> > > DB2 UDB Development,
> > > IBM Canada Laboratory
> > >
> > >
> > >
> >
> >
>
>
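Added example for the impersonation-level problem discussed above; this is not code from the thread or from any of its posters. It uses .NET's System.IO.Pipes, which wraps the same Win32 calls (CreateNamedPipe/ImpersonateNamedPipeClient on the server, CreateFile with SECURITY_SQOS_PRESENT on the client). The point it makes: the impersonation level of the token the server receives is fixed by the client when it opens the pipe (SECURITY_IMPERSONATION by default), and the server cannot raise it afterwards with DuplicateTokenEx, which is why asking for SecurityDelegation there returns 1346. So the server should read the level it was actually granted and refuse remote work when it is below Delegation, instead of quietly doing the work as its own (LocalSystem/admin) account. The pipe name is an assumed placeholder; the share path defaults to the one named in the thread.

```csharp
using System;
using System.IO;
using System.IO.Pipes;
using System.Security.Principal;
using System.Threading;

// Added example, not code from the thread. The pipe name is an assumed placeholder.
static class DelegationPipeDemo
{
    const string PipeName = "example-delegation-check"; // assumed name

    // Server side: accept one client, impersonate it, and return the impersonation
    // level the client actually granted. The server cannot raise that level with
    // DuplicateTokenEx (that is the 1346 error); the client fixed it at connect time.
    public static TokenImpersonationLevel ServeOnce()
    {
        using var server = new NamedPipeServerStream(PipeName, PipeDirection.InOut, 1,
            PipeTransmissionMode.Byte, PipeOptions.None);
        server.WaitForConnection();
        using var reader = new StreamReader(server);
        using var writer = new StreamWriter(server) { AutoFlush = true };
        string path = reader.ReadLine();   // the UNC directory the client wants listed

        var granted = TokenImpersonationLevel.None;
        server.RunAsClient(() =>
        {
            // Equivalent to ImpersonateNamedPipeClient + OpenThreadToken: the thread
            // now carries the client's token, at whatever level the client allowed.
            using var id = WindowsIdentity.GetCurrent();
            granted = id.ImpersonationLevel;

            if (granted < TokenImpersonationLevel.Delegation)
            {
                // A remote share cannot be reached as the client with this token.
                // Refuse explicitly instead of silently falling back to the
                // service's own (often LocalSystem/admin) identity.
                writer.WriteLine($"DENIED: token level is {granted}, Delegation needed for {path}");
                return;
            }
            try
            {
                // Access is checked as the client here and, with Kerberos plus a
                // service account trusted for delegation, also on the remote server.
                int count = Directory.GetFileSystemEntries(path).Length;
                writer.WriteLine($"OK: {count} entries in {path} as {id.Name}");
            }
            catch (UnauthorizedAccessException)
            {
                writer.WriteLine($"ACCESS DENIED (rc=5) on {path} as {id.Name}");
            }
            catch (IOException ex)
            {
                writer.WriteLine($"ERROR on {path}: {ex.Message}");
            }
        });
        return granted;
    }

    // Client side: the impersonation level is chosen here, exactly like passing
    // SECURITY_SQOS_PRESENT | SECURITY_DELEGATION to CreateFile on the pipe.
    public static string CallServer(TokenImpersonationLevel level, string path)
    {
        using var client = new NamedPipeClientStream(".", PipeName, PipeDirection.InOut,
            PipeOptions.None, level);
        client.Connect(5000);
        using var writer = new StreamWriter(client) { AutoFlush = true };
        using var reader = new StreamReader(client);
        writer.WriteLine(path);
        return reader.ReadLine();
    }

    static void Main(string[] args)
    {
        // Share name taken from the thread; pass another UNC path as the first argument.
        string share = args.Length > 0 ? args[0] : @"\\machineA\myshare";
        foreach (var level in new[] { TokenImpersonationLevel.Impersonation,
                                      TokenImpersonationLevel.Delegation })
        {
            var seen = TokenImpersonationLevel.None;
            var serverThread = new Thread(() => seen = ServeOnce());
            serverThread.Start();
            string reply = CallServer(level, share);
            serverThread.Join();
            Console.WriteLine($"client requested {level}, server saw {seen}: {reply}");
        }
    }
}
```

Run it on a domain-joined machine as the service account and compare the two lines it prints. If the client asked for Delegation but the server still saw Impersonation, nothing in the server code will change that: either authentication fell back to NTLM (which, as JD says, does not delegate) or the account the service runs as is not trusted for delegation in Active Directory. Both are fixed in configuration, not with another DuplicateTokenEx call. Note also that a service holding delegation-level tokens can act as each caller against any network resource, so Drew's alternative of granting the service account direct access to the share and not impersonating at all is the smaller blast radius when the task allows it.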


