Re: LogonUser, but no password?
From: Alun Jones [MS MVP - Security] (alun_at_texis.invalid)
Date: 05/21/04
- Previous message: Alon Bar-Lev: "Re: How to renew a certificate programmicaly"
- In reply to: jheirtzl: "LogonUser, but no password?"
Date: Fri, 21 May 2004 16:24:29 GMT
In article <OFH5NyiOEHA.3312@tk2msftngp13.phx.gbl>, "jheirtzl"
<jheirtzl@interwoven.com> wrote:
>My application currently calls LogonUser but I need to
>find a solution where we no longer supply the user's
>password. There are several reasons for this, having to
>do with security (we don't want to encrypt the password
>and store it, just for this) and other reasons, such as
>integrating with Single Sign On solutions.
Single Signon solutions do just this - they keep and encrypt the password
(or some other credential that they use to identify the user).
>If my application is trusted (say, has privilege to 'act as
>part of the operating system' or whatever else is needed,
>special DLLs, registry settings, etc) how can I tell
>Windows to let my application authenticate the user?
I'm pretty certain that you can't - you have to have _some_ credential of
the user's in order to impersonate the user. This could be a token received
across a network, for instance a client certificate, or a password, but even
the system isn't allowed to pretend to be a particular user.
This allows for auditing of "who did what".
Alun.
~~~~
[Please don't email posters, if a Usenet response is appropriate.]
--
Texas Imperial Software      | Find us at http://www.wftpd.com or email
1602 Harvest Moon Place      | alun@texis.com.
Cedar Park TX 78613-1419     | WFTPD, WFTPD Pro are Windows FTP servers.
Fax/Voice +1(512)258-9858    | Try our NEW client software, WFTPD Explorer.
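The two credential paths the reply describes, as an added example that is not part of the original post or its author's code: LogonUser, which cannot produce a token without the user's password, and a named-pipe server that impersonates a client whose token arrived with an already-authenticated network connection, so the server never stores a password. Assumed: Windows with Windows PowerShell 5.1 (.NET Framework); the pipe name, account placeholders and the hypothetical function names are the example's own.

```powershell
# Added example, not from the original post. Requires Windows / Windows PowerShell 5.1.
# Path 1: LogonUser. The caller must hand Windows the user's password; an empty or
# missing password fails with ERROR_LOGON_FAILURE (1326). Privilege does not help here.
Add-Type -Namespace Win32 -Name Advapi32 -MemberDefinition @'
[DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern bool LogonUser(
    string lpszUsername, string lpszDomain, string lpszPassword,
    int dwLogonType, int dwLogonProvider, out IntPtr phToken);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CloseHandle(IntPtr handle);
'@

$LOGON32_LOGON_NETWORK    = 3   # non-interactive logon, no profile, no cached creds
$LOGON32_PROVIDER_DEFAULT = 0

# Hypothetical helper name; returns a primary token handle the caller must close.
function Get-LogonToken {
    param([string]$User, [string]$Domain, [string]$Password)
    $token = [IntPtr]::Zero
    $ok = [Win32.Advapi32]::LogonUser($User, $Domain, $Password,
            $LOGON32_LOGON_NETWORK, $LOGON32_PROVIDER_DEFAULT, [ref]$token)
    if (-not $ok) {
        $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
        throw "LogonUser failed, Win32 error $err (1326 = bad or missing password)"
    }
    return $token
}

# Hypothetical helper: run a script block under a token obtained from LogonUser.
function Invoke-AsToken {
    param([IntPtr]$Token, [scriptblock]$Body)
    $ctx = [Security.Principal.WindowsIdentity]::Impersonate($Token)
    try   { & $Body }
    finally {
        $ctx.Undo()
        [void][Win32.Advapi32]::CloseHandle($Token)
    }
}

# Path 2: the credential is the client's own network authentication. The pipe
# server never sees a password; Windows attaches the client's token to the pipe
# and the server impersonates it, so "who did what" in the audit log is the client.
function Start-ImpersonatingPipeServer {
    param([string]$PipeName = 'demo-impersonate')   # pipe name is an assumption
    $server = New-Object System.IO.Pipes.NamedPipeServerStream(
        $PipeName, [System.IO.Pipes.PipeDirection]::InOut, 1,
        [System.IO.Pipes.PipeTransmissionMode]::Byte,
        [System.IO.Pipes.PipeOptions]::None)
    try {
        $server.WaitForConnection()
        # ImpersonateNamedPipeClient only works after the server has read from the pipe.
        $null = $server.ReadByte()
        Write-Host "Client authenticated as: $($server.GetImpersonationUserName())"
        $server.RunAsClient({
            # This block executes under the client's token.
            $me = [Security.Principal.WindowsIdentity]::GetCurrent().Name
            Write-Host "Server thread now running as: $me"
        })
    } finally {
        $server.Dispose()
    }
}

# Usage (placeholders):
#   $t = Get-LogonToken -User 'alice' -Domain 'CORP' -Password 'S3cret!'
#   Invoke-AsToken -Token $t -Body { whoami }
#   Start-ImpersonatingPipeServer        # then connect with any client as a domain user
```

The second path is the one a single-sign-on integration actually needs: the application never keeps a password, but it also never chooses the identity itself; it can only act as whoever authenticated to it.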