Re: Delegation???
From: Richard Ward (richardw_at_delete-yellow-dogs.com)
Date: 11/12/03
- Next message: Ralf Buschmann: "Re: How can I show a dialog box "Run As Other User" under Windows2000?"
- Previous message: Marco: "Can I call LsaOpenPolicy() under guest account?"
- In reply to: Garfield Lewis: "Re: Delegation???"
- Next in thread: Garfield Lewis: "Re: Delegation???"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Tue, 11 Nov 2003 22:02:30 -0800
EFS in Win2k relies on delegation working over named pipes, so I don't think
that is the problem. Here's a quick test for you, involving two machines, a
client and a DC (DCs are always marked as ok-for-delegation). Create a named
pipe client and server, where the server can connect to another server as well.
Run the server on the DC, and on the client. From the client, connect to the
server on the DC. In the server process, impersonate and confirm the client
identity. From that server process, connect back to the server process on the
client machine. Impersonate and confirm the user identity. If you are able to
confirm the identity, then you have successfully delegated. There should be no
need to try to manipulate the token through DuplicateTokenEx at all.
"Garfield Lewis" <galewis@SPAM-NO-MOREca.ibm.com> wrote in message
news:uv5uUgHqDHA.2584@TK2MSFTNGP09.phx.gbl...
> I have tried changing the client code to add the delegation privilege when I
> open the named pipe. But all that does is give me the 1346 error on the
> client instead so that has been abandoned. I've been told now over and over
> that on Win2K I don't need the SecurityDelegation setting as long as I have
> the "trusted for delegation" settings checked for the computer and user but
> that is not working. At least with named pipes, I've seen other places where
> others have indicated they are able to do this using other methods
> (LogonUser w\ network option, SSPI, etc.) but still no one who has done it
> with named pipes. I am starting to think this must be a limitation with
> named pipes on Win2K.
>
> --
> Garfield A. Lewis
> DB2 UDB Development,
> IBM Canada Laboratory
>
>
> "Richard Ward" <richardw@delete-yellow-dogs.com> wrote in message
> news:vr0tf7dkpuuf39@corp.supernews.com...
> >
> > There's some overlap between the terms that you should be aware of.
> > The security impersonation level in the token is a function of the quality
> > of service granted by the client, as well as the capabilities of the system
> > itself. First, the SQOS. When the client connects to a server, it specifies
> > the SQOS. This is an indication of how much it trusts the server process.
> > By default, this is typically SecurityImpersonation or SecurityDelegation,
> > but can be lower, say SecurityIdentification. That allows a more privileged
> > process to call back into a less privileged process, and be assured that the
> > recipient can examine the token to determine the caller, and can even call
> > AccessCheck() on an object within the server process, but not use that
> > token to go outside of that process. With a SecurityIdentification level
> > token, you can't open a file, muck a registry key, etc.
> >
> > To make that work, of course, you can't change that level in the token,
> > which is what you're trying to do below. That's the source of the failure in
> > DuplicateTokenEx().
> >
> > IIRC, if the kerberos authentication comes in with a forwarded TGT, the
> > guts underlying delegation, then the resultant token will be set to
> > SecurityDelegation, otherwise it will be SecurityImpersonation.
> >
> > "Dave Christiansen [MS]" <davidchr@online.microsoft.com> wrote in message
> > news:ecGUqx$pDHA.1632@TK2MSFTNGP10.phx.gbl...
> > > Is the account that is running the named pipe server trusted for
> > > delegation? You can check this by using the MMC Users and Computers
> > > snapin, hunting down the account itself, and checking its properties
> > > (there's a checkbox in the Account tab, IIRC).
> > >
> > > If the checkbox is clear, then the account isn't trusted, so Windows
> > > clients won't delegate to it using standard delegation. On Win2003, it's
> > > possible that an account granted other privileges may be able to delegate
> > > using other methods, but only on Win2003.
> > >
> > > --
> > > Dave Christiansen, Windows Core Security Testing
> > > This message is provided "AS IS" with no warranties, and confers no
> > > rights. This message originates in the State of Washington (USA), where
> > > unsolicited commercial email is legally actionable (see
> > > http://www.wa.gov/ago/junkemail). Harvesting of this address for purposes
> > > of bulk email (including "spam") is prohibited unless by my expressed
> > > prior request. I retaliate viciously against spammers and spam sites.
> > >
> > >
> > >
> > > "Garfield Lewis" <galewis@SPAM-NO-MOREca.ibm.com> wrote in message
> > > news:eyQJNWLpDHA.2244@TK2MSFTNGP12.phx.gbl...
> > > > Is it possible to do security delegation on Win2k? I have code that
> > > > does the following:
> > > >
> > > > if ( !DuplicateTokenEx( m_hToken,
> > > >                         TOKEN_ALL_ACCESS,
> > > >                         NULL,
> > > >                         SecurityDelegation,
> > > >                         TokenPrimary,
> > > >                         &m_hImpToken ) )
> > > > {
> > > >     MsgPrint( "DuplicateTokenEx failed -- rc=%ld\n",
> > > >               (m_dwRC=GetLastError( ) ) );
> > > >
> > > >     goto ErrorCondition;
> > > > }
> > > >
> > > > The result is always:
> > > >
> > > > DuplicateTokenEx failed -- rc=1346
> > > >
> > > > However, if I take the same code and run it on a Win2k3 box then it
> > > > succeeds. Is this supported for Win2k? In Michael Howard's book
> > > > "Designing Secure Web-Based Applications for Microsoft Windows 2000" he
> > > > speaks about doing delegation on Win2K but I have not been able to get
> > > > it to work.
> > > >
> > > >
> > > > The error text is as follows:
> > > >
> > > > WSDB::F:\TestTools>net helpmsg 1346
> > > >
> > > > Either a required impersonation level was not provided, or the provided
> > > > impersonation level is invalid.
> > > >
> > > >
> > > >
> > > > BTW, the m_hToken comes from an ImpersonateNamedPipeClient followed by
> > > > an OpenThreadToken. And I am on Win2k SP3, do I need SP4?
> > > >
> > > > Thx,
> > > >
> > > > --
> > > > Garfield A. Lewis
> > > > DB2 UDB Development,
> > > > IBM Canada Laboratory
> > > >
> > > >
> > > >
> > >
> > >
> >
> >
>
>
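A PowerShell/.NET version of the two-machine test described at the top of this message, added here as an example (it is not code from the thread or from any of the posters). The pipe name, parameter names and machine names are assumptions: run it with -Server on both the DC and the client box (the DC's copy with -Hop <client machine>), then -Client -Target <DC> from the client; the line the client gets back shows the level the DC's server actually received and whether the second hop could identify the user.

```powershell
param(
    [switch]$Server,                  # run the pipe server on this box
    [switch]$Client,                  # connect to the server on -Target
    [string]$Target = '.',            # machine hosting the server ('.' = local)
    [string]$Hop = '',                # server only: machine to connect back to
    [string]$PipeName = 'delegtest'   # assumed pipe name, not from the thread
)
function Connect-TestPipe {
    # Client side. The last constructor argument is the SQOS: it is the most
    # the client is willing to grant, not what the server is guaranteed to get.
    param([string]$Machine, [string]$Name)
    $c = [System.IO.Pipes.NamedPipeClientStream]::new($Machine, $Name,
        [System.IO.Pipes.PipeDirection]::InOut,
        [System.IO.Pipes.PipeOptions]::None,
        [System.Security.Principal.TokenImpersonationLevel]::Delegation)
    $c.Connect(5000)
    $reader = [System.IO.StreamReader]::new($c)
    $reader.ReadLine()      # the server reports who it saw and at what level
}
function Start-TestServer {
    # Server side. RunAsClient wraps ImpersonateNamedPipeClient/RevertToSelf;
    # inside it we read the level off the impersonation token instead of trying
    # to raise it with DuplicateTokenEx. The second hop, if requested, is made
    # while still impersonating, so it only identifies the user at Delegation level.
    param([string]$Name, [string]$NextHop)
    $s = [System.IO.Pipes.NamedPipeServerStream]::new($Name,
        [System.IO.Pipes.PipeDirection]::InOut)
    $s.WaitForConnection()
    $seen = @{}
    $s.RunAsClient({
        $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
        $seen.User  = $id.Name
        $seen.Level = $id.ImpersonationLevel    # Identification/Impersonation/Delegation
        $seen.Auth  = $id.AuthenticationType    # Kerberos is needed for delegation
        if ($NextHop) {
            try   { $seen.Hop = Connect-TestPipe -Machine $NextHop -Name $Name }
            catch { $seen.Hop = "second hop failed: $($_.Exception.Message)" }
        }
    })
    $w = [System.IO.StreamWriter]::new($s); $w.AutoFlush = $true
    $w.WriteLine("$env:COMPUTERNAME saw $($seen.User) level=$($seen.Level) " +
                 "auth=$($seen.Auth) hop=[$($seen.Hop)]")
    $s.Dispose()
}
if ($Server)     { Start-TestServer -Name $PipeName -NextHop $Hop }
elseif ($Client) { Connect-TestPipe -Machine $Target -Name $PipeName }
```

If the DC reports level=Impersonation rather than Delegation, the account or computer is not trusted for delegation or the authentication fell back to NTLM, and no amount of token duplication on the server will change that.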