Re: Impersonating Users
From: Jason (anonymous_at_discussions.microsoft.com)
Date: 09/01/04
- Next message: Richard Ward: "Re: Authentication Package crash when using LsaLogonUser in GINA"
- Previous message: Hao Zhuang [MSFT]: "Re: CertOpenStore problem"
- In reply to: Hao Zhuang [MSFT]: "Re: Impersonating Users"
- Next in thread: Hao Zhuang [MSFT]: "Re: Impersonating Users"
- Reply: Hao Zhuang [MSFT]: "Re: Impersonating Users"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Tue, 31 Aug 2004 23:49:14 -0700
Unfortunately, no good. I tried using the other options in LogonUser() that you
suggested (_BATCH, _NETWORK and _INTERACTIVE) but _BATCH didn't log on due to
insufficient rights and the other two yielded the same result as _SERVICE.

I then tried calling RegOpenCurrentUser() and RegOpenKeyEx() but it looks like I
don't have the correct library/header file versions implementing that function.
The target platform is a WinNT machine so looks like I cannot use this function.

I can successfully impersonate any local user account when running the service
as Local System Account, but the call to CertOpenStore() searching under
CERT_SYSTEM_STORE_CURRENT_USER fails to find the cert. The only time it works is
if I log onto Windows under the account being impersonated. Seems that I need to
get the HKEY_CURRENT_USER key to point to the correct HKEY_USERS\%SID% root, even
for the CryptoAPI functions.

My code is below (removing return value checks and messageboxes):
#include <windows.h>
#include <wincrypt.h>
#pragma comment(lib, "advapi32.lib")
#pragma comment(lib, "crypt32.lib")

HANDLE hLogon = NULL;
HCERTSTORE hStore = NULL;

// Log on to the user account and impersonate it on this thread.
LogonUser("test", ".", "test", LOGON32_LOGON_SERVICE,
          LOGON32_PROVIDER_DEFAULT, &hLogon);
ImpersonateLoggedOnUser(hLogon);

// Open the Current User "MY" certificate store and find a valid certificate.
hStore = CertOpenStore(CERT_STORE_PROV_SYSTEM,
                       0,      // dwEncodingType: not used by this provider
                       NULL,   // hCryptProv: no CSP handle needed to open the store
                       CERT_SYSTEM_STORE_CURRENT_USER,
                       L"MY");
// Some code to search through stores (omitted)

// Cleanup: close the store, drop impersonation, then release the token.
CertCloseStore(hStore, 0);
RevertToSelf();
CloseHandle(hLogon);
Thanks for your time,
Jason.
>-----Original Message-----
>instead of LOGON32_LOGON_SERVICE i think you should use LOGON32_LOGON_BATCH
>or _NETWORK or _INTERACTIVE. i'm not sure but suspect _SERVICE may have a
>different security context.
>
>one thing to keep in mind is that you should avoid using HKCU _directly_ in
>the service (sorry that i should've been more prudent yesterday when saying
>you'd be able to use it). use RegOpenCurrentUser() to get an equivalent key
>of HKCU then use RegOpenKey[Ex] with it. see MSDN on RegOpenCurrentUser()
>for the reason.
>
>the cert store APIs don't have the problem above AFAIK. it is safe to call
>them in the service after the impersonation.
>
>let me know if it solves your problem.
>
>- hao
>
>--
>This posting is provided "AS IS" with no warranties, and confers no rights.
>
>"Jason" <anonymous@discussions.microsoft.com> wrote in message
>news:349601c48f3f$1b80bd30$a601280a@phx.gbl...
>> Thanks for the reply Hao,
>>
>> On my Win2K box, I have tried using LogonUser(),
>> ImpersonateLoggedOnUser() and RevertToSelf() but with
>> mixed results. I am using LogonUser() to logon to local
>> account 'A' with the parameters LOGON32_LOGON_SERVICE and
>> LOGON32_PROVIDER_DEFAULT. Checking the return value from
>> the above functions the following is what I am getting:
>>
>> Logging onto Windows with account 'A' and running my
>> service as Local System Account, I can successfully log
>> onto account 'A', successfully impersonate account 'A' and
>> find the cert for account 'A'. This is good.
>>
>> Logging onto Windows with account 'B' and running my
>> service as Local System Account, I can successfully log
>> onto account 'A', successfully impersonate account 'A' but
>> cannot find the cert for account 'A'.
>>
>> Do I have to load the hive for account 'A'? I don't know
>> how to do this programmatically and cannot seem to access
>> the Q168877 article from the Microsoft website.
>>
>> Thanks,
>> Jason.
>>
>> >-----Original Message-----
>> >you have to retrieve the user token of the user you wish
>> >to impersonate, using APIs such as LogonUser(). then you can
>> >ImpersonateLoggedOnUser() with that user token. now the thread called
>> >ImpersonateLoggedOnUser() acts the same way as in the context of the
>> >logged on user and you can use HKEY_CURRENT_USER in it.
>> >
>> >- hao
>> >--
>> >This posting is provided "AS IS" with no warranties, and confers no rights.
>> >
>> >"Jason" <anonymous@discussions.microsoft.com> wrote in message
>> >news:1cfd01c48cea$343f0e00$a501280a@phx.gbl...
>> >> Hi,
>> >>
>> >> With my service logged on as a Local System Account I am
>> >> trying to access the Current User certificate store of a
>> >> specific user. With a service running under the Local
>> >> System Account, as far as I know, it accesses the
>> >> HKEY_CURRENT_USER key of the default user. To access the
>> >> HKEY_CURRENT_USER key of another user account I have to
>> >> impersonate that desired user.
>> >>
>> >> Can someone let me know if I am on the right track, and
>> >> if so, the basic steps required to impersonate the user
>> >> programmatically.
>> >>
>> >> Thanks a heap,
>> >> Jason.
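Added example, not part of the thread and not code from either poster: the same sequence the posts walk through (LogonUser, impersonate, open the impersonated user's MY store) done from Windows PowerShell 5.1 through P/Invoke, plus the step the thread circles around without naming it, LoadUserProfile. LogonUser only produces a token; it does not load the account's NTUSER.DAT, so for a user nobody is interactively logged on as there is no HKEY_USERS\<SID> hive and therefore no CurrentUser cert store to open. LoadUserProfile is what mounts that hive, which is why the working case above (user 'A' already logged on) and the failing case (user 'B' logged on) differ. The script prints whether the hive key exists before and after the profile load, which is the check that tells the two apart. Assumptions: the 'test'/'test' credentials are the placeholders from the post; the script runs elevated or as LocalSystem, since LoadUserProfile needs the backup/restore privileges; the account holds the "Log on as a service" right, which LOGON32_LOGON_SERVICE requires (LOGON32_LOGON_BATCH would instead need "Log on as a batch job", the usual cause of an insufficient-rights failure for _BATCH); and WindowsIdentity.Impersonate is a .NET Framework API, so this is Windows PowerShell 5.1, not PowerShell 7.

```powershell
# Added example (not from the thread). Windows PowerShell 5.1, run elevated.
# P/Invoke declarations for the Win32 calls the thread discusses, plus LoadUserProfile.
$signature = @'
using System;
using System.Runtime.InteropServices;
public static class UserCtx {
    public const int LOGON32_LOGON_SERVICE   = 5;   // needs "Log on as a service"
    public const int LOGON32_PROVIDER_DEFAULT = 0;

    [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
    public struct PROFILEINFO {
        public int dwSize; public int dwFlags;
        public string lpUserName; public string lpProfilePath;
        public string lpDefaultPath; public string lpServerName;
        public string lpPolicyPath; public IntPtr hProfile;
    }

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    public static extern bool LogonUser(string user, string domain, string pwd,
        int logonType, int provider, out IntPtr token);
    [DllImport("userenv.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    public static extern bool LoadUserProfile(IntPtr token, ref PROFILEINFO pi);
    [DllImport("userenv.dll", SetLastError = true)]
    public static extern bool UnloadUserProfile(IntPtr token, IntPtr hProfile);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool CloseHandle(IntPtr h);
}
'@
Add-Type -TypeDefinition $signature

# Placeholder credentials taken from the post; a real service must not embed these.
$user = 'test'; $domain = '.'; $password = 'test'

# Resolve the SID so we can check whether HKEY_USERS\<SID> (the user's hive) is loaded.
$sid = (New-Object Security.Principal.NTAccount($user)).Translate(
           [Security.Principal.SecurityIdentifier]).Value
$hive = "Registry::HKEY_USERS\$sid"
"Hive loaded before LogonUser:       $(Test-Path $hive)"

# Step 1: LogonUser gives a primary token but loads no profile.
$token = [IntPtr]::Zero
if (-not [UserCtx]::LogonUser($user, $domain, $password,
        [UserCtx]::LOGON32_LOGON_SERVICE, [UserCtx]::LOGON32_PROVIDER_DEFAULT,
        [ref]$token)) {
    throw (New-Object ComponentModel.Win32Exception)   # wraps GetLastError()
}
"Hive loaded after LogonUser:        $(Test-Path $hive)"

# Step 2: LoadUserProfile mounts NTUSER.DAT under HKEY_USERS\<SID>. Call it from the
# privileged, non-impersonating context (the service's own identity).
$pi = New-Object -TypeName 'UserCtx+PROFILEINFO'
$pi.dwSize     = [Runtime.InteropServices.Marshal]::SizeOf($pi)
$pi.lpUserName = $user
if (-not [UserCtx]::LoadUserProfile($token, [ref]$pi)) {
    [void][UserCtx]::CloseHandle($token)
    throw (New-Object ComponentModel.Win32Exception)
}
"Hive loaded after LoadUserProfile:  $(Test-Path $hive)"

# Step 3: impersonate and open the CurrentUser\My store, which is what
# CertOpenStore(CERT_STORE_PROV_SYSTEM, ..., CERT_SYSTEM_STORE_CURRENT_USER, L"MY") does.
$ctx = [Security.Principal.WindowsIdentity]::Impersonate($token)
try {
    $store = New-Object Security.Cryptography.X509Certificates.X509Store('My', 'CurrentUser')
    $store.Open('ReadOnly')
    "Certificates in $user's MY store: $($store.Certificates.Count)"
    $store.Certificates | ForEach-Object { '  {0}  {1}' -f $_.Thumbprint, $_.Subject }
    $store.Close()
} finally {
    $ctx.Undo()                                            # RevertToSelf()
}

# Cross-check: the same store is backed by the user's hive, keyed by thumbprint.
$myKey = "$hive\Software\Microsoft\SystemCertificates\My\Certificates"
"Thumbprint subkeys under the hive: " +
    ((Get-ChildItem $myKey -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty PSChildName) -join ', ')

# Step 4: unload the hive and release the token, mirroring the cleanup order.
[void][UserCtx]::UnloadUserProfile($token, $pi.hProfile)
[void][UserCtx]::CloseHandle($token)
"Hive loaded after UnloadUserProfile: $(Test-Path $hive)"
```

Two things to keep in mind when lifting this into a service: LoadUserProfile and UnloadUserProfile must bracket the impersonation, not sit inside it, because the hive load itself needs the caller's privileges rather than the target user's; and holding a user's cleartext password purely to call LogonUser is the part of this design most worth reconsidering, since the service account (LocalSystem here) could equally reach the hive-backed store through the HKEY_USERS\<SID> path once the profile is loaded, without ever impersonating.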