Re: Impersonating Users

From: Jason (anonymous_at_discussions.microsoft.com)
Date: 09/03/04


Date: Thu, 2 Sep 2004 17:02:47 -0700

Sorry for the late reply. Still doesn't seem to work. After impersonating
the user, and before the call to CertOpenStore(), I make the call to
LoadUserProfile(). It returns non-zero which appears all good. However,
the PROFILEINFO hProfile member remains NULL after the call :(. Maybe I am
unable to search the certificate stores of other users?

Regards,
Jason.

>-----Original Message-----
>i'm not sure about the cert store impl in NT, very possibly it depends
>on the user profile being loaded. i suggest you try calling
>LoadUserProfile() before the CertOpenStore ..., that may work. but be
>aware that LoadUserProfile could take long.
>
>check MSDN for the usage of LoadUserProfile(). and you can use the
>hProfile field as HKEY_CURRENT_USER which is cool.
>
>let me know if this solves your problem. NT is a quite different
>animal. :-)
>
>- hao
>
>--
>This posting is provided "AS IS" with no warranties, and confers no
>rights.
>
>
>"Jason" <anonymous@discussions.microsoft.com> wrote in message
>news:061201c48fef$cb5a6070$a401280a@phx.gbl...
>> Unfortunately, no good. I tried using the other options in
>> LogonUser() that you suggested (_BATCH, _NETWORK and _INTERACTIVE)
>> but _BATCH didn't logon due to insufficient rights and the other two
>> yielded the same result as _SERVICE.
>>
>> I then tried calling RegOpenCurrentUser() and RegOpenKeyEx() but it
>> looks like I don't have the correct library/header file versions
>> implementing that function. The target platform is a WinNT machine so
>> looks like I cannot use this function.
>>
>> I can successfully impersonate any local user account when running
>> the service as Local System Account, but the call to CertOpenStore()
>> searching under CERT_SYSTEM_STORE_CURRENT_USER fails to find the
>> cert. The only time it works is if I log onto Windows under the
>> account being impersonated. Seems that I need to get the
>> HKEY_CURRENT_USER key to point to the correct HKEY_USERS\%SID% root,
>> even for the CryptoAPI functions.
>>
>> My code is below (removing return value checks and messageboxes):
>>
>> //Logon to user account and Impersonate.
>> HANDLE hLogon;
>> LogonUser("test", ".", "test", LOGON32_LOGON_SERVICE,
>>           LOGON32_PROVIDER_DEFAULT, &hLogon);
>> ImpersonateLoggedOnUser(hLogon);
>>
>> //Open Current User Certificate store and find valid
>> //certificate. The returned store handle is what the search
>> //below walks, so it has to be kept (and closed afterwards).
>> HCERTSTORE hStore = CertOpenStore(CERT_STORE_PROV_SYSTEM,
>>                                   0,
>>                                   NULL,
>>                                   CERT_SYSTEM_STORE_CURRENT_USER,
>>                                   L"MY");
>>
>> //Some code to search through stores (omitted)
>>
>> //Cleanup
>> CertCloseStore(hStore, 0);
>> CloseHandle(hLogon);
>> RevertToSelf();
>>
>> Thanks for your time,
>> Jason.
>>
>>
>> >-----Original Message-----
>> >instead of LOGON32_LOGON_SERVICE i think you should use
>> >LOGON32_LOGON_BATCH or _NETWORK or _INTERACTIVE. i'm not sure but
>> >suspect _SERVICE may have a different security context.
>> >
>> >one thing to keep in mind is that you should avoid using HKCU
>> >_directly_ in the service (sorry that i should've been more prudent
>> >yesterday when saying you'd be able to use it). use
>> >RegOpenCurrentUser() to get an equivalent key of HKCU then use
>> >RegOpenKey[Ex] with it. see MSDN on RegOpenCurrentUser() for the
>> >reason.
>> >
>> >the cert store APIs don't have the problem above AFAIK. it is safe
>> >to call them in the service after the impersonation.
>> >
>> >let me know if it solves your problem.
>> >
>> >- hao
>> >
>> >--
>> >This posting is provided "AS IS" with no warranties, and confers no
>> >rights.
>> >
>> >
>> >"Jason" <anonymous@discussions.microsoft.com> wrote in message
>> >news:349601c48f3f$1b80bd30$a601280a@phx.gbl...
>> >> Thanks for the reply Hao,
>> >>
>> >> On my Win2K box, I have tried using LogonUser(),
>> >> ImpersonateLoggedOnUser() and RevertToSelf() but with mixed
>> >> results. I am using LogonUser() to logon to local account 'A'
>> >> with the parameters LOGON32_LOGON_SERVICE and
>> >> LOGON32_PROVIDER_DEFAULT. Checking the return value from the above
>> >> functions the following is what I am getting:
>> >>
>> >> Logging onto Windows with account 'A' and running my service as
>> >> Local System Account, I can successfully log onto account 'A',
>> >> successfully impersonate account 'A' and find the cert for
>> >> account 'A'. This is good.
>> >>
>> >> Logging onto Windows with account 'B' and running my service as
>> >> Local System Account, I can successfully log onto account 'A',
>> >> successfully impersonate account 'A' but cannot find the cert for
>> >> account 'A'.
>> >>
>> >> Do I have to load the hive for account 'A'? I don't know how to
>> >> do this programmatically and cannot seem to access the Q168877
>> >> article from the Microsoft website.
>> >>
>> >> Thanks,
>> >> Jason.
>> >>
>> >>
>> >> >-----Original Message-----
>> >> >you have to retrieve the user token of the user you wish to
>> >> >impersonate, using APIs such as LogonUser(). then you can
>> >> >ImpersonateLoggedOnUser() with that user token. now the thread
>> >> >called ImpersonateLoggedOnUser() acts the same way as in the
>> >> >context of the logged on user and you can use HKEY_CURRENT_USER
>> >> >in it.
>> >> >
>> >> >- hao
>> >> >--
>> >> >This posting is provided "AS IS" with no warranties, and confers
>> >> >no rights.
>> >> >
>> >> >
>> >> >"Jason" <anonymous@discussions.microsoft.com> wrote in message
>> >> >news:1cfd01c48cea$343f0e00$a501280a@phx.gbl...
>> >> >> Hi,
>> >> >>
>> >> >> With my service logged on as a Local System Account I am
>> >> >> trying to access the Current User certificate store of a
>> >> >> specific user. With a service running under the Local System
>> >> >> Account, as far as I know, it accesses the HKEY_CURRENT_USER
>> >> >> key of the default user. To access the HKEY_CURRENT_USER key
>> >> >> of another user account I have to impersonate that desired
>> >> >> user.
>> >> >>
>> >> >> Can someone let me know if I am on the right track, and if so,
>> >> >> the basic steps required to impersonate the user
>> >> >> programmatically.
>> >> >>
>> >> >> Thanks a heap,
>> >> >> Jason.
>> >> >>
>> >> >
>> >
>


