Delegation question
From: Garfield Lewis (galewis_at_SPAM-NO-MOREca.ibm.com)
Date: 01/21/05
- Previous message: Daniel James: "Re: Using smartcard as certificate store"
- Next in thread: Garfield Lewis: "Re: Delegation question"
- Reply: Garfield Lewis: "Re: Delegation question"
Date: Fri, 21 Jan 2005 08:33:23 -0500
Hi All,
I am trying to figure out if some delegation issues I am seeing are working
as designed or are in fact a bug introduced by one or more of the security
patches that have been applied to Win2K. Here is the basic design of my
application. We have 2 client machines (CL1 and CL2, let's say) and a 3rd
machine which is a domain controller (DC). The client machines have been
set up in the domain so that they have been enabled for delegation.
1. on CL1 there is a network share called \\CL1\SHARE1
2. on CL2 I am running a named pipe server (NPS) that receives requests, then
   impersonates the named pipe user (via the ImpersonateNamedPipeUser API) and
   then runs the request from the user (using CreateProcessAsUser).
3. on CL1 there is a client app that actually issues the request to the NPS
   server on CL2
4. if I send the following request across, "dir \\CL1\SHARE1", I get the
   following results:
   1. If all 3 machines are either Win2K or Win2K3 then everything works
   2. If the DC is Win2K and the 2 clients CL1 and CL2 are Win2K3 then I get an
      error of "Access is denied"
Since it all seems to work in a homogeneous environment I don't believe that
this is a generic setup problem. So it must be one of 2 things:
1. somehow the setup for a heterogeneous environment is somewhat different
than for a homogeneous one and I just don't understand how to do this or
2. one or more of the many patches applied to the Win2K domain controller
has now broken this feature because I am certain this worked before because
we have not upgraded our domain controllers to Win2K3 and our test team has
just begun reporting this problem after the Christmas break. We have also
verified that it's not a Win2K3 patch that has broken this because we also
tried and failed with 2 client Win2K3 machines having no patches at all
applied. We are trying to do the same with a Win2K domain controller but
have not gotten around to doing that as yet.
Has anyone else seen this or know if this is a known problem?
BTW, if anyone from Microsoft is willing to look into this I can send them a
testcase so they could run the tests themselves. There really isn't much to
reproducing this problem.
Thx,
-- Garfield A. Lewis IBM Canada Laboratory
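
The setup in the message above depends on the machine hosting the pipe server being trusted for delegation. The following is an added example, not part of the original post, that decodes userAccountControl values and reports the directory flags that would block the second hop. The account names and values are constructed, and it assumes the pipe server runs as LocalSystem on CL2.

```python
# Added example: audit the directory-side delegation prerequisites for a
# double hop (client -> pipe server on CL2 -> \\CL1\SHARE1).
# userAccountControl bit values are the ones Microsoft documents.
UAC_FLAGS = {
    "ACCOUNTDISABLE": 0x0002,
    "NORMAL_ACCOUNT": 0x0200,
    "WORKSTATION_TRUST_ACCOUNT": 0x1000,
    "TRUSTED_FOR_DELEGATION": 0x80000,   # "Trust this computer for delegation"
    "NOT_DELEGATED": 0x100000,           # "Account is sensitive and cannot be delegated"
}


def decode_uac(value):
    """Return the set of known flag names set in a userAccountControl value."""
    return {name for name, bit in UAC_FLAGS.items() if value & bit}


def double_hop_findings(service_account, caller):
    """List the settings that would stop the service account from forwarding
    the caller's credentials to a second machine. Empty list = none found."""
    findings = []
    svc = decode_uac(service_account["uac"])
    usr = decode_uac(caller["uac"])
    if "TRUSTED_FOR_DELEGATION" not in svc:
        findings.append(f"{service_account['name']}: not trusted for delegation")
    if "NOT_DELEGATED" in usr:
        findings.append(f"{caller['name']}: marked sensitive, cannot be delegated")
    for acct, flags in ((service_account, svc), (caller, usr)):
        if "ACCOUNTDISABLE" in flags:
            findings.append(f"{acct['name']}: account disabled")
    return findings


# Constructed sample records (hypothetical values, not taken from the post).
# Assumption: the pipe server runs as LocalSystem, so CL2's computer account
# is the identity that must be trusted for delegation.
CL2 = {"name": "CL2$", "uac": 0x1000 | 0x80000}
CL1 = {"name": "CL1$", "uac": 0x1000}
USER_OK = {"name": "testuser", "uac": 0x0200}
USER_SENSITIVE = {"name": "admin2", "uac": 0x0200 | 0x100000}

if __name__ == "__main__":
    for svc, usr in ((CL2, USER_OK), (CL1, USER_OK), (CL2, USER_SENSITIVE)):
        result = double_hop_findings(svc, usr) or ["no blocking flags found"]
        print(f"{usr['name']} via {svc['name']}: {'; '.join(result)}")
```

An empty result only rules out these directory flags; it does not cover differences between domain controller and client OS versions.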