Re: ImpersonateLoggedOnUser with SSPI

From: Dave Christiansen [MS] (davidchr_at_online.microsoft.com)
Date: 01/10/04


Date: Fri, 9 Jan 2004 17:40:18 -0800

What version of Windows are you running (XP, WS03...)?

Just to make sure we're on the same page, some assumptions may be called
for:
1. You're running Excel on MachineX as UserX
2. The Analysis Server is running on MachineY

...are MachineX and MachineY the same machine? If so, is Excel the process
that's trying to talk to the shares, or the Analysis Server? What error do
you get back when you try to talk to the other network shares?

My preliminary thought is that the credentials that are going into
CreateProcessWithLogon are somehow bad, but you're still able to talk to the
Analysis Server either because the guest account is enabled there, or
loopback authentication is happening (if it's the same machine).

-- 
Dave Christiansen, Windows Core Security Testing
This message is provided "AS IS" with no warranties, and confers no rights.
This message originates in the State of Washington (USA), where unsolicited
commercial email is legally actionable (see
http://www.wa.gov/ago/junkemail).
Harvesting of this address for purposes of bulk email (including "spam") is
prohibited unless by my expressed prior request.  I retaliate viciously
against spammers and spam sites.
"Lionel Gomes" <lionelgomes@hotmail.com> wrote in message
news:uwie24uwDHA.1804@TK2MSFTNGP09.phx.gbl...
> Dave,
>     I'm trying to connect from Excel to a MS Analysis Services server with a
> local remote user (not known on client computer). As MS AS uses Windows
> Integrated Security I would like to open a trusted connection to this server
> with the credentials of the remote user.
>
> At first, I used CreateProcessWithLogonW with the LOGON_NETCREDENTIALS_ONLY
> option to start Excel and that worked fine for the connection to the
> server, but then the current logged on user lost its rights on other
> servers from this Excel process (shares, network printer, ...).
>
> So what I'm looking for is a way to impersonate Excel.exe with a remote
> local user when accessing a specific server.
>
> Any Idea?
> Thanks,
> Lionel
>
> "Dave Christiansen [MS]" <davidchr@online.microsoft.com> wrote in message
> news:%2302IxiPwDHA.2304@TK2MSFTNGP12.phx.gbl...
> > When you call ImpersonateSecurityContext, the calling thread will
> > impersonate the identity of the caller.  Your process as a whole will keep
> > its original identity, however.
> >
> > Note that some other operations may not assume the new identity, because
> > they may use the process token rather than the thread token.  What are you
> > trying to do?
> >
> > "Lionel Gomes" <lionelgomes@hotmail.com> wrote in message
> > news:uplWZOPwDHA.2520@TK2MSFTNGP10.phx.gbl...
> > > Hi,
> > >
> > >     I'm trying to impersonate a process by using SSPI in order to access a
> > > remote app with a remote user identity.
> > >     I could authenticate the user by using:
> > >
> > >    AcquireCredentialsHandle
> > >    InitializeSecurityContext
> > >    AcceptSecurityContext
> > >
> > > Then I try to ImpersonateSecurityContext, OpenProcessToken and
> > > ImpersonateLoggedOnUser but it seems that my process is still running as the
> > > current logged on user.
> > >
> > > Any ideas or code sample would be greatly appreciated,
> > > Thanks
> > >
> > >
> >
> >
>
>
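The thread-token versus process-token distinction from the quoted reply, as an added example (not code from either poster): it attaches network-only credentials to one thread for the duration of one server access, then reverts. It uses LogonUser with LOGON32_LOGON_NEW_CREDENTIALS rather than the SSPI calls named in the thread; MachineY, remoteuser, the share name and the REMOTE_PW variable are placeholders.

```csharp
using System;
using System.ComponentModel;
using System.IO;
using System.Runtime.InteropServices;
using System.Security.Principal;
using Microsoft.Win32.SafeHandles;

static class ScopedNetworkIdentity
{
    const int LOGON32_LOGON_NEW_CREDENTIALS = 9; // credentials used for outbound connections only
    const int LOGON32_PROVIDER_WINNT50 = 3;      // provider required by that logon type

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LogonUser(string user, string domain, string password,
        int logonType, int logonProvider, out SafeAccessTokenHandle token);

    // True only while the calling thread carries its own (impersonation) token.
    static bool ThreadHasToken()
    {
        using WindowsIdentity id = WindowsIdentity.GetCurrent(true);
        return id != null;
    }

    static void Main()
    {
        // Placeholders (assumptions): MachineY, remoteuser, the share name, REMOTE_PW.
        const string server = "MachineY", user = "remoteuser";
        string password = Environment.GetEnvironmentVariable("REMOTE_PW") ?? "";

        if (!LogonUser(user, server, password, LOGON32_LOGON_NEW_CREDENTIALS,
                       LOGON32_PROVIDER_WINNT50, out SafeAccessTokenHandle token))
            throw new Win32Exception(Marshal.GetLastWin32Error());

        using (token)
        {
            Console.WriteLine($"before: thread token = {ThreadHasToken()}");
            WindowsIdentity.RunImpersonated(token, () =>
            {
                // Only this delegate runs with the token attached to the thread.
                Console.WriteLine($"inside: thread token = {ThreadHasToken()}");
                foreach (string f in Directory.GetFiles($@"\\{server}\share"))
                    Console.WriteLine(f);
                // A child process started here would still get the process token.
            });
            // Reverted: other servers see the logged-on user's own credentials again.
            Console.WriteLine($"after:  thread token = {ThreadHasToken()}");
        }
    }
}
```

With this logon type the password is not checked when LogonUser returns; a wrong one only shows up as an access error once the server is contacted.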

