Re: Delegation???

From: Garfield Lewis (galewis_at_SPAM-NO-MOREca.ibm.com)
Date: 11/11/03


Date: Tue, 11 Nov 2003 12:20:14 -0500

I have tried changing the client code to add the delegation privilege when I
open the named pipe. But all that does is give me the 1346 error on the
client instead so that has been abandoned. I've been told now over and over
that on Win2K I don't need the SecurityDelegation setting as long as I have
the "trusted for delegation" settings checked for the computer and user but
that is not working, at least with named pipes. I've seen other places where
others have indicated they are able to do this using other methods
(LogonUser w/ network option, SSPI, etc.) but still no one who has done it
with named pipes. I am starting to think this must be a limitation with
named pipes on Win2K.

-- 
Garfield A. Lewis
DB2 UDB Development,
IBM Canada Laboratory
"Richard Ward" <richardw@delete-yellow-dogs.com> wrote in message
news:vr0tf7dkpuuf39@corp.supernews.com...
>
> There's some overlap between the terms that you should be aware of.
> The security impersonation level in the token is a function of the quality
> of service granted by the client, as well as the capabilities of the system
> itself.  First, the SQOS.  When the client connects to a server, it
> specifies the SQOS.  This is an indication of how much it trusts the server
> process.  By default, this is typically SecurityImpersonation or
> SecurityDelegation, but can be lower, say SecurityIdentification.  That
> allows a more privileged process to call back into a less privileged
> process, and be assured that the recipient can examine the token to
> determine the caller, and can even call AccessCheck() on an object within
> the server process, but not use that token to go outside of that process.
> With a SecurityIdentification level token, you can't open a file, muck a
> registry key, etc.
>
> To make that work, of course, you can't change that level in the token,
> which is what you're trying to do below.  That's the source of the failure
> in DuplicateTokenEx().
>
> IIRC, if the kerberos authentication comes in with a forwarded TGT, the
> guts underlying delegation, then the resultant token will be set to
> SecurityDelegation, otherwise it will be SecurityImpersonation.
>
> "Dave Christiansen [MS]" <davidchr@online.microsoft.com> wrote in message
> news:ecGUqx$pDHA.1632@TK2MSFTNGP10.phx.gbl...
> > Is the account that is running the named pipe server trusted for
> > delegation?  You can check this by using the MMC Users and Computers
> > snapin, hunting down the account itself, and checking its properties
> > (there's a checkbox in the Account tab, IIRC).
> >
> > If the checkbox is clear, then the account isn't trusted, so Windows
> > clients won't delegate to it using standard delegation.  On Win2003, it's
> > possible that an account granted other privileges may be able to delegate
> > using other methods, but only on Win2003.
> >
> > -- 
> > Dave Christiansen, Windows Core Security Testing
> > This message is provided "AS IS" with no warranties, and confers no
> > rights.  This message originates in the State of Washington (USA), where
> > unsolicited commercial email is legally actionable (see
> > http://www.wa.gov/ago/junkemail).  Harvesting of this address for purposes
> > of bulk email (including "spam") is prohibited unless by my expressed
> > prior request.  I retaliate viciously against spammers and spam sites.
> >
> >
> >
> > "Garfield Lewis" <galewis@SPAM-NO-MOREca.ibm.com> wrote in message
> > news:eyQJNWLpDHA.2244@TK2MSFTNGP12.phx.gbl...
> > > Is it possible to do security delegation on Win2k? I have code that
> > > does the following:
> > >
> > > if ( !DuplicateTokenEx( m_hToken,
> > >                         TOKEN_ALL_ACCESS,
> > >                         NULL,
> > >                         SecurityDelegation,
> > >                         TokenPrimary,
> > >                         &m_hImpToken ) )
> > > {
> > >    MsgPrint( "DuplicateTokenEx failed -- rc=%ld\n",
> > > (m_dwRC=GetLastError( ) ) );
> > >
> > >    goto ErrorCondition;
> > > }
> > >
> > > The result is always:
> > >
> > > DuplicateTokenEx failed -- rc=1346
> > >
> > > However, if I take the same code and run it on a Win2k3 box then it
> > > succeeds. Is this supported for Win2k? In Michael Howard's book
> > > "Designing Secure Web-Based Applications for Microsoft Windows 2000" he
> > > speaks about doing delegation on Win2K but I have not been able to get
> > > it to work.
> > >
> > >
> > > The error text is as follows:
> > >
> > > WSDB::F:\TestTools>net  helpmsg 1346
> > >
> > > Either a required impersonation level was not provided, or the
> > > provided impersonation level is invalid.
> > >
> > >
> > >
> > > BTW, the m_hToken comes from an ImpersonateNamedPipeClient followed by
> > > an OpenThreadToken. And I am on Win2k SP3, do I need SP4?
> > >
> > > Thx,
> > >
> > > -- 
> > > Garfield A. Lewis
> > > DB2 UDB Development,
> > > IBM Canada Laboratory
> > >
> > >
> > >
> >
> >
>
>
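The level check Richard describes, as an added example that is not code from anyone in this thread: the named-pipe server reads the impersonation level the client actually granted and never asks DuplicateTokenEx for more than that, so it sidesteps error 1346 instead of tripping over it. The Win32 part assumes a pipe handle with a connected client; `highest_allowed`, `would_fail_1346` and `dup_client_token` are names chosen here.

```c
#include <stdio.h>
#ifdef _WIN32
#include <windows.h>
#else
/* Mirror of the Win32 enumeration so the level-check logic builds elsewhere. */
typedef enum { SecurityAnonymous, SecurityIdentification,
               SecurityImpersonation, SecurityDelegation } SECURITY_IMPERSONATION_LEVEL;
#endif
/* DuplicateTokenEx can copy a token at the same or a lower level, never a
 * higher one; this returns the best level the client's grant allows. */
SECURITY_IMPERSONATION_LEVEL highest_allowed(SECURITY_IMPERSONATION_LEVEL granted,
                                             SECURITY_IMPERSONATION_LEVEL wanted)
{
    return wanted <= granted ? wanted : granted;
}

/* 1 if requesting `wanted` from a token at `granted` would fail with
 * ERROR_BAD_IMPERSONATION_LEVEL (1346), as the code in the thread does. */
int would_fail_1346(SECURITY_IMPERSONATION_LEVEL granted,
                    SECURITY_IMPERSONATION_LEVEL wanted)
{
    return wanted > granted;
}

#ifdef _WIN32
/* Server side, with a client connected on hPipe (assumed): returns a primary
 * token at the best level the client permitted, or NULL on failure. */
HANDLE dup_client_token(HANDLE hPipe)
{
    HANDLE hImp = NULL, hPrimary = NULL;
    SECURITY_IMPERSONATION_LEVEL granted;
    DWORD cb = 0;
    if (!ImpersonateNamedPipeClient(hPipe)) return NULL;
    if (OpenThreadToken(GetCurrentThread(), TOKEN_ALL_ACCESS, TRUE, &hImp) &&
        GetTokenInformation(hImp, TokenImpersonationLevel, &granted,
                            sizeof granted, &cb)) {
        if (would_fail_1346(granted, SecurityDelegation))
            fprintf(stderr, "client granted level %d, not delegation\n", (int)granted);
        /* Ask only for what was granted instead of forcing SecurityDelegation. */
        if (!DuplicateTokenEx(hImp, TOKEN_ALL_ACCESS, NULL,
                              highest_allowed(granted, SecurityDelegation),
                              TokenPrimary, &hPrimary))
            hPrimary = NULL;
    }
    RevertToSelf();                 /* drop client identity on the server thread */
    if (hImp) CloseHandle(hImp);
    return hPrimary;
}
#endif
```

On Win2K, where the client's grant is typically SecurityImpersonation, the returned token is an impersonation-level primary token rather than a failure, and the stderr line tells you why delegation was not available.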

