Re: Delegation question
From: Garfield Lewis (galewis_at_SPAM-NO-MOREca.ibm.com)
Date: 01/24/05
- Next message: Joe Kaplan \(MVP - ADSI\): "Re: Delegation question"
- Previous message: Patrick Tronnier: "Certutil -sign with more then one valid CA cert"
- In reply to: Garfield Lewis: "Delegation question"
- Next in thread: Joe Kaplan \(MVP - ADSI\): "Re: Delegation question"
- Reply: Joe Kaplan \(MVP - ADSI\): "Re: Delegation question"
Date: Mon, 24 Jan 2005 13:26:16 -0500
Are there no takers on this question? Should I be asking this question on a
different news group?
--
Garfield A. Lewis
IBM Canada Laboratory

"Garfield Lewis" <galewis@SPAM-NO-MOREca.ibm.com> wrote in message
news:eBpnx27$EHA.2584@TK2MSFTNGP09.phx.gbl...
> Hi All,
>
> I am trying to figure out if some delegation issues I am seeing are working
> as designed or are in fact a bug introduced by one or more of the security
> patches that have been applied to Win2K. Here is the basic design of my
> application. We have 2 client machines (CL1 and CL2, let's say) and a 3rd
> machine which is a domain controller (DC). The client machines have been
> set up in the domain so that they have been enabled for delegation.
>
> 1. on CL1 there is a network share called \\CL1\SHARE1
> 2. on CL2 I am running a named pipe server (NPS) that receives requests then
> Impersonates the named pipe user (via the ImpersonateNamedPipeUser API) and
> then runs the request from the user (using CreateProcessAsUser).
> 3. on CL1 there is a client app that actually issues the request to the NPS
> server on CL2
> 4. if I send the following request across "dir \\CL1\SHARE1" I get the
> following results:
>
> 1. If all 3 machines are all either Win2K or Win2K3 then everything works
> 2. If the DC is Win2K and the 2 clients CL1 and CL2 are Win2K3 then I get an
> error of "Access is denied"
>
> Since it all seems to work in a homogeneous environment I don't believe that
> this is a generic setup problem. So it must be one of 2 things:
>
> 1. somehow the setup for a heterogeneous environment is somewhat different
> than for a homogeneous one and I just don't understand how to do this or
> 2. one or more of the many patches applied to the Win2K domain controller
> has now broken this feature because I am certain this worked before because
> we have not upgraded our domain controllers to Win2K3 and our test team has
> just begun reporting this problem after the Christmas break. We have also
> verified that it's not a Win2K3 patch that has broken this because we also
> tried and failed with 2 client Win2K3 machines having no patches at all
> applied. We are trying to do the same with a Win2K domain controller but
> have not gotten around to doing that as yet.
>
> Has anyone else seen this or know if this is a known problem?
>
> BTW, if anyone from Microsoft is willing to look into this I can send them a
> testcase so they could run the tests themselves. There really isn't much to
> reproducing this problem.
>
> Thx,
>
> --
> Garfield A. Lewis
> IBM Canada Laboratory