Re: CreateProcessWithLogonW Switching User Credential
From: Chuck Chopp (ChuckChopp_at_rtfmcsi.com)
Date: 10/31/03
Date: Thu, 30 Oct 2003 22:31:42 -0500
Ash wrote:
> Hi All,
>
> I currently have an application that
> uses "CreateProcessWithLogonW" to create a process
> with "LOGON_NETCREDENTIALS_ONLY" option set.
>
> This creates a process that uses a different set of
> credentials locally than it does remotely.
>
> However, while the process is running I want to be able to
> use "DESKTOP" user credentials on the fly to access
> network resources.
>
> Is it possible to SWITCH between user credentials (desktop
> user credential and network user credential)???

The whole point of using CreateProcessWithLogonW() is that you get to create
a process with some credentials that are different from your own, presumably
to gain admin rights locally, but in some cases to simply use different
credentials for accessing remote resources. In either case, there is a
service running on the system [Win2K and newer, where this API function
exists] that actually performs the authentication and creation of the
necessary access token on your behalf so that you don't have to be granted
dangerous privileges like "Act as part of the operating system", "Increase
quotas" and "Replace a process level token".

Prior to the advent of this API function and the background service that
does the work for you, you had to have those 3 elevated privileges granted
to you so that you could directly authenticate a set of credentials and
create an access token that could be used for impersonation. In that
situation, you would call a Win32 API function to begin impersonation using
the access token that you created, and then later on you could call the
Win32 API function RevertToSelf() to go back to your original credentials.

In the case of a process created using CreateProcessWithLogonW(), I don't
believe that the process has any original credentials to revert back to
because the only access token that it ever had was the one given to it when
it was created, and that access token is impersonating the credentials that
you passed in to CreateProcessWithLogonW() to begin with.

To really test it, try calling RevertToSelf() in your code that is being
executed in a process created by CreateProcessWithLogonW() and see what happens.

Another really quirky workaround is that if you don't already have any sort
of authenticated connection to the server on which a remote resource is
located, then you can use one of the WNetConnect*() functions to pass in
credentials to be used when accessing that remote resource. In theory this
would let you use any credentials you desire to use but the caveat is that
you would in fact have to have the plain-text version of those credentials
available for use. This would mean that you would have to prompt the user
for the credentials or else store them and retrieve them, none of which is a
good choice if you want to avoid impairing system security in any way.

HTH,
Chuck
--
Chuck Chopp
ChuckChopp (at) rtfmcsi (dot) com
http://www.rtfmcsi.com
ICQ # 22321532
RTFM Consulting Services Inc.
103 Autumn Hill Road
Greer, SC 29651
864 801 2795 voice & voicemail
864 801 2774 fax
800 774 0718 pager
8007740718 (at) skytel (dot) com
Do not send me unsolicited commercial email.
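
The RevertToSelf() test suggested in the message above, as an added example that is not part of the original post: a PowerShell script meant to be run inside the process that was created by CreateProcessWithLogonW(). The namespace TokenDemo and the function Get-TokenState are names made up for this example; it reports the effective identity and whether the thread holds an impersonation token, calls RevertToSelf(), and reports again.

```powershell
# Added example (not from the original message). Run inside the process that
# was started by CreateProcessWithLogonW().
# TokenDemo and Get-TokenState are hypothetical names chosen for this example.
Add-Type -Namespace TokenDemo -Name Native -MemberDefinition @'
[DllImport("advapi32.dll", SetLastError = true)]
public static extern bool RevertToSelf();
'@

function Get-TokenState {
    # GetCurrent($true) returns $null unless this thread holds an impersonation token.
    $thread = [Security.Principal.WindowsIdentity]::GetCurrent($true)
    # GetCurrent($false) returns the thread identity when impersonating,
    # otherwise the identity of the process (primary) token.
    $effective = [Security.Principal.WindowsIdentity]::GetCurrent($false)
    [pscustomobject]@{
        EffectiveUser       = $effective.Name
        ThreadImpersonating = ($null -ne $thread)
        ImpersonationLevel  = $effective.ImpersonationLevel
        AuthenticationType  = $effective.AuthenticationType
    }
}

$before = Get-TokenState

# RevertToSelf() ends impersonation on the calling thread, if there is any.
$reverted = [TokenDemo.Native]::RevertToSelf()
if (-not $reverted) {
    $code = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
    Write-Warning "RevertToSelf failed, Win32 error $code"
}

$after = Get-TokenState

'Before RevertToSelf:'; $before | Format-List
'After RevertToSelf:';  $after  | Format-List

if (-not $before.ThreadImpersonating) {
    'Thread was not impersonating: there was no thread token to drop.'
}
if ($before.EffectiveUser -eq $after.EffectiveUser) {
    'Effective user is unchanged after RevertToSelf().'
} else {
    "Effective user changed: $($before.EffectiveUser) -> $($after.EffectiveUser)"
}
```

EffectiveUser is the identity used for local access checks; the credentials a LOGON_NETCREDENTIALS_ONLY process presents to remote servers are held in its logon session and are not shown by this script.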