Re: Delegation???
From: Garfield Lewis (galewis_at_SPAM-NO-MOREca.ibm.com)
Date: 11/11/03
- Next message: anonymous_at_discussions.microsoft.com: "Re: ICF on Win2k3 blocking website access"
- Previous message: Eric Perlin [MS]: "Re: How to get past the reset on Infineon 4428 cards"
- In reply to: Richard Ward: "Re: Delegation???"
- Next in thread: Richard Ward: "Re: Delegation???"
- Reply: Richard Ward: "Re: Delegation???"
Date: Tue, 11 Nov 2003 12:20:14 -0500
I have tried changing the client code to add the delegation privilege when I
open the named pipe. But all that does is give me the 1346 error on the
client instead, so that has been abandoned. I've been told now over and over
that on Win2K I don't need the SecurityDelegation setting as long as I have
the "trusted for delegation" settings checked for the computer and user, but
that is not working, at least with named pipes. I've seen other places where
others have indicated they are able to do this using other methods
(LogonUser w/ network option, SSPI, etc.) but still no one who has done it
with named pipes. I am starting to think this must be a limitation with
named pipes on Win2K.
--
Garfield A. Lewis
DB2 UDB Development,
IBM Canada Laboratory

"Richard Ward" <richardw@delete-yellow-dogs.com> wrote in message
news:vr0tf7dkpuuf39@corp.supernews.com...
>
> There's some overlap between the terms that you should be aware of.
> The security impersonation level in the token is a function of the quality
> of service granted by the client, as well as the capabilities of the system
> itself. First, the SQOS. When the client connects to a server, it
> specifies the SQOS. This is an indication of how much it trusts the server
> process. By default, this is typically SecurityImpersonation or
> SecurityDelegation, but can be lower, say SecurityIdentification. That
> allows a more privileged process to call back into a less privileged
> process, and be assured that the recipient can examine the token to
> determine the caller, and can even call AccessCheck() on an object within
> the server process, but not use that token to go outside of that process.
> With a SecurityIdentification level token, you can't open a file, muck a
> registry key, etc.
>
> To make that work, of course, you can't change that level in the token,
> which is what you're trying to do below. That's the source of the failure
> in DuplicateTokenEx().
>
> IIRC, if the kerberos authentication comes in with a forwarded TGT, the
> guts underlying delegation, then the resultant token will be set to
> SecurityDelegation, otherwise it will be SecurityImpersonation.
>
> "Dave Christiansen [MS]" <davidchr@online.microsoft.com> wrote in message
> news:ecGUqx$pDHA.1632@TK2MSFTNGP10.phx.gbl...
> > Is the account that is running the named pipe server trusted for
> > delegation? You can check this by using the MMC Users and Computers
> > snapin, hunting down the account itself, and checking its properties
> > (there's a checkbox in the Account tab, IIRC).
> >
> > If the checkbox is clear, then the account isn't trusted, so Windows
> > clients won't delegate to it using standard delegation. On Win2003, it's
> > possible that an account granted other privileges may be able to delegate
> > using other methods, but only on Win2003.
> >
> > --
> > Dave Christiansen, Windows Core Security Testing
> > This message is provided "AS IS" with no warranties, and confers no
> > rights.
> > This message originates in the State of Washington (USA), where
> > unsolicited commercial email is legally actionable (see
> > http://www.wa.gov/ago/junkemail).
> > Harvesting of this address for purposes of bulk email (including "spam")
> > is prohibited unless by my expressed prior request. I retaliate viciously
> > against spammers and spam sites.
> >
> > "Garfield Lewis" <galewis@SPAM-NO-MOREca.ibm.com> wrote in message
> > news:eyQJNWLpDHA.2244@TK2MSFTNGP12.phx.gbl...
> > > Is it possible to do security delegation on Win2k? I have code that
> > > does the following:
> > >
> > >     if ( !DuplicateTokenEx( m_hToken,
> > >                             TOKEN_ALL_ACCESS,
> > >                             NULL,
> > >                             SecurityDelegation,
> > >                             TokenPrimary,
> > >                             &m_hImpToken ) )
> > >     {
> > >         MsgPrint( "DuplicateTokenEx failed -- rc=%ld\n",
> > >                   (m_dwRC=GetLastError( ) ) );
> > >
> > >         goto ErrorCondition;
> > >     }
> > >
> > > The result is always:
> > >
> > >     DuplicateTokenEx failed -- rc=1346
> > >
> > > However, if I take the same code and run it on a Win2k3 box then it
> > > succeeds. Is this supported for Win2k? In Michael Howard's book
> > > "Designing Secure Web-Based Applications for Microsoft Windows 2000" he
> > > speaks about doing delegation on Win2K but I have not been able to get
> > > it to work.
> > >
> > > The error text is as follows:
> > >
> > >     WSDB::F:\TestTools>net helpmsg 1346
> > >
> > >     Either a required impersonation level was not provided, or the
> > >     provided impersonation level is invalid.
> > >
> > > BTW, the m_hToken comes from an ImpersonateNamedPipeClient followed by
> > > an OpenThreadToken. And I am on Win2k SP3, do I need SP4?
> > >
> > > Thx,
> > >
> > > --
> > > Garfield A. Lewis
> > > DB2 UDB Development,
> > > IBM Canada Laboratory
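Added example, not part of the thread and not IBM's or Microsoft's code: the point Richard Ward makes is that the impersonation level in the server's token is set when the client opens the pipe (the SECURITY_SQOS_PRESENT | SECURITY_xxx flags on CreateFile, which Garfield refers to as "adding the delegation privilege when I open the named pipe") and cannot be raised afterwards, so DuplicateTokenEx asking for SecurityDelegation on an Impersonation-level token fails with 1346, which is ERROR_BAD_IMPERSONATION_LEVEL. The PowerShell script below (needs Windows with PowerShell 5.1 or later, so a modern box rather than the Win2K machine discussed) runs both ends of a local named pipe in one process: the client opens the pipe at a chosen TokenImpersonationLevel, the server impersonates it (RunAsClient wraps ImpersonateNamedPipeClient/RevertToSelf), reads the level the token actually received, and then calls the real DuplicateTokenEx through P/Invoke with the same arguments as Garfield's C code. The function name Test-PipeSqos, the pipe name and the Win32.Token wrapper class are my own choices; the constants are the winnt.h values.

```powershell
# Added example: how the client's SQOS on the pipe open bounds the server's
# token level, and why DuplicateTokenEx(SecurityDelegation) returns 1346.
Add-Type -Namespace Win32 -Name Token -MemberDefinition @'
[DllImport("advapi32.dll", SetLastError = true)]
public static extern bool DuplicateTokenEx(
    IntPtr hExistingToken, uint dwDesiredAccess, IntPtr lpTokenAttributes,
    int ImpersonationLevel, int TokenType, out IntPtr phNewToken);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CloseHandle(IntPtr hObject);
'@

# winnt.h values used by the original C snippet
$TOKEN_ALL_ACCESS              = 0xF01FF
$SecurityDelegation            = 3      # SECURITY_IMPERSONATION_LEVEL
$TokenPrimary                  = 1      # TOKEN_TYPE
$ERROR_BAD_IMPERSONATION_LEVEL = 1346   # "net helpmsg 1346"

function Test-PipeSqos {
    # $ClientLevel is the SQOS the client grants when it opens the pipe.
    param([System.Security.Principal.TokenImpersonationLevel]$ClientLevel)

    $pipeName = 'sqos-demo-' + [guid]::NewGuid().ToString('N')   # hypothetical name
    $server = [System.IO.Pipes.NamedPipeServerStream]::new(
        $pipeName, [System.IO.Pipes.PipeDirection]::InOut, 1,
        [System.IO.Pipes.PipeTransmissionMode]::Byte,
        [System.IO.Pipes.PipeOptions]::Asynchronous)
    $accept = $server.WaitForConnectionAsync()

    # Client side: the TokenImpersonationLevel becomes the SECURITY_SQOS_PRESENT
    # flags on the CreateFile that opens \\.\pipe\<name>.
    $client = [System.IO.Pipes.NamedPipeClientStream]::new(
        '.', $pipeName, [System.IO.Pipes.PipeDirection]::InOut,
        [System.IO.Pipes.PipeOptions]::None, $ClientLevel)
    $client.Connect(5000)
    $accept.Wait()

    $result = [ordered]@{ Requested = $ClientLevel }

    # Server side: ImpersonateNamedPipeClient, inspect the thread token,
    # then try to duplicate it to a SecurityDelegation primary token.
    $worker = {
        $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
        $result.TokenLevel = $id.ImpersonationLevel     # level the SQOS granted
        $new = [IntPtr]::Zero
        $ok = [Win32.Token]::DuplicateTokenEx($id.Token, $TOKEN_ALL_ACCESS,
            [IntPtr]::Zero, $SecurityDelegation, $TokenPrimary, [ref]$new)
        if ($ok) {
            $result.DuplicateToDelegation = 'ok'
            [void][Win32.Token]::CloseHandle($new)
        } else {
            $err = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()
            $tag = if ($err -eq $ERROR_BAD_IMPERSONATION_LEVEL) {
                ' (ERROR_BAD_IMPERSONATION_LEVEL)' } else { '' }
            $result.DuplicateToDelegation = "failed, rc=$err$tag"
        }
    }
    $server.RunAsClient([System.IO.Pipes.PipeStreamImpersonationWorker]$worker)

    $client.Dispose()
    $server.Dispose()
    [pscustomobject]$result
}

# Try the three levels discussed in the thread, lowest trust first.
foreach ($lvl in 'Identification', 'Impersonation', 'Delegation') {
    Test-PipeSqos -ClientLevel $lvl
}
```

Read the output against Richard's explanation: for an Identification or Impersonation open, TokenLevel stays at what the client granted and the DuplicateTokenEx to SecurityDelegation fails with rc=1346, regardless of any "trusted for delegation" checkbox, because the level is fixed at open time. For a Delegation open, the level you get is what the system was willing to grant for that authentication; across machines that is where the account's delegation trust and, per Richard, a forwarded Kerberos TGT come in, and a local loopback run like this one does not exercise that part.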