Re: Impersonating Users

From: Hao Zhuang [MSFT] (hzhuang_at_online.microsoft.com)
Date: 09/01/04

  • Next message: Wierzbik Marcin: "Re: Problem with CreateCert SDK Sample"
    Date: Wed, 1 Sep 2004 01:00:37 -0700
    
    

    I'm not sure about the cert store impl in NT, very possibly it depends on
    the user profile being loaded. I suggest you try calling LoadUserProfile()
    before the CertOpenStore ..., that may work. But be aware that
    LoadUserProfile could take a long time.

    Check MSDN for the usage of LoadUserProfile(). And you can use the hProfile
    field as HKEY_CURRENT_USER, which is cool.

    Let me know if this solves your problem. NT is quite a different animal. :-)

    - hao

    -- 
    This posting is provided "AS IS" with no warranties, and confers no rights.
    "Jason" <anonymous@discussions.microsoft.com> wrote in message
    news:061201c48fef$cb5a6070$a401280a@phx.gbl...
    > Unfortunately, no good. I tried using the other options in
    > LogonUser() that you suggested (_BATCH, _NETWORK and
    > _INTERACTIVE) but _BATCH didn't logon due to insufficient
    > rights and the other two yielded the same result as
    > _SERVICE.
    >
    > I then tried calling RegOpenCurrentUser() and RegOpenKeyEx()
    > but it looks like I don't have the correct
    > library/header file versions implementing that function.
    > The target platform is a WinNT machine so looks like I
    > cannot use this function.
    >
    > I can successfully impersonate any local user account when
    > running the service as Local System Account, but the call
    > to CertOpenStore() searching under
    > CERT_SYSTEM_STORE_CURRENT_USER fails to find the cert. The
    > only time it works is if I log onto Windows under the
    > account being impersonated. Seems that I need to get the
    > HKEY_CURRENT_USER key to point to the correct
    > HKEY_USERS\%SID% root, even for the CryptoAPI functions.
    >
    > My code is below (removing return value checks and
    > messageboxes):
    >
    > #include <windows.h>
    > #include <wincrypt.h>
    >
    > //Logon to user account and Impersonate.
    > HANDLE hLogon = NULL;
    > HCERTSTORE hStore = NULL;
    > LogonUser("test", ".", "test", LOGON32_LOGON_SERVICE,
    > LOGON32_PROVIDER_DEFAULT, &hLogon);
    > ImpersonateLoggedOnUser(hLogon);
    >
    > //Open Current User Certificate store and find valid
    > //certificate (the store handle is needed for the search
    > //and for cleanup).
    > hStore = CertOpenStore(CERT_STORE_PROV_SYSTEM,
    > 0,
    > NULL,
    > CERT_SYSTEM_STORE_CURRENT_USER,
    > L"MY");
    >
    > //Some code to search through stores (omitted)
    >
    > //Cleanup: close the store, drop impersonation, then the token.
    > CertCloseStore(hStore, 0);
    > RevertToSelf();
    > CloseHandle(hLogon);
    >
    >
    >
    > Thanks for your time,
    > Jason.
    >
    >
    > >-----Original Message-----
    > >Instead of LOGON32_LOGON_SERVICE I think you should use
    > >LOGON32_LOGON_BATCH or _NETWORK or _INTERACTIVE. I'm not sure but
    > >suspect _SERVICE may have a different security context.
    > >
    > >One thing to keep in mind is that you should avoid using HKCU
    > >_directly_ in the service (sorry that I should've been more prudent
    > >yesterday when saying you'd be able to use it). Use
    > >RegOpenCurrentUser() to get an equivalent key of HKCU, then use
    > >RegOpenKey[Ex] with it. See MSDN on RegOpenCurrentUser() for the
    > >reason.
    > >
    > >The cert store APIs don't have the problem above AFAIK. It is safe to
    > >call them in the service after the impersonation.
    > >
    > >Let me know if it solves your problem.
    > >
    > >- hao
    > >
    > >-- 
    > >This posting is provided "AS IS" with no warranties, and confers no
    > >rights.
    > >
    > >"Jason" <anonymous@discussions.microsoft.com> wrote in message
    > >news:349601c48f3f$1b80bd30$a601280a@phx.gbl...
    > >> Thanks for the reply Hao,
    > >>
    > >> On my Win2K box, I have tried using LogonUser(),
    > >> ImpersonateLoggedOnUser() and RevertToSelf() but with mixed results.
    > >> I am using LogonUser() to logon to local account 'A' with the
    > >> parameters LOGON32_LOGON_SERVICE and LOGON32_PROVIDER_DEFAULT.
    > >> Checking the return value from the above functions, the following is
    > >> what I am getting:
    > >>
    > >> Logging onto Windows with account 'A' and running my service as
    > >> Local System Account, I can successfully log onto account 'A',
    > >> successfully impersonate account 'A' and find the cert for account
    > >> 'A'. This is good.
    > >>
    > >> Logging onto Windows with account 'B' and running my service as
    > >> Local System Account, I can successfully log onto account 'A',
    > >> successfully impersonate account 'A' but cannot find the cert for
    > >> account 'A'.
    > >>
    > >> Do I have to load the hive for account 'A'? I don't know how to do
    > >> this programmatically and cannot seem to access the Q168877 article
    > >> from the Microsoft website.
    > >>
    > >> Thanks,
    > >> Jason.
    > >>
    > >> >-----Original Message-----
    > >> >You have to retrieve the user token of the user you wish to
    > >> >impersonate, using APIs such as LogonUser(). Then you can
    > >> >ImpersonateLoggedOnUser() with that user token. Now the thread that
    > >> >called ImpersonateLoggedOnUser() acts the same way as in the
    > >> >context of the logged on user and you can use HKEY_CURRENT_USER
    > >> >in it.
    > >> >
    > >> >- hao
    > >> >-- 
    > >> >This posting is provided "AS IS" with no warranties, and confers
    > >> >no rights.
    > >> >
    > >> >"Jason" <anonymous@discussions.microsoft.com> wrote in message
    > >> >news:1cfd01c48cea$343f0e00$a501280a@phx.gbl...
    > >> >> Hi,
    > >> >>
    > >> >> With my service logged on as a Local System Account I am trying
    > >> >> to access the Current User certificate store of a specific user.
    > >> >> With a service running under the Local System Account, as far as
    > >> >> I know, it accesses the HKEY_CURRENT_USER key of the default
    > >> >> user. To access the HKEY_CURRENT_USER key of another user
    > >> >> account I have to impersonate that desired user.
    > >> >>
    > >> >> Can someone let me know if I am on the right track, and if so,
    > >> >> the basic steps required to impersonate the user
    > >> >> programmatically.
    > >> >>
    > >> >> Thanks a heap,
    > >> >> Jason.
    
