Re: LsaLogonUser - access to network resources

To delegate an S4U token, you must have "trusted to authenticate for
delegation", not the standard "trusted for delegation", and the SPNs of the
target services must be specified (msDS-AllowedToDelegateTo). In other
words, you need to use the "trusted for delegation with any protocol"
setting in AD U&C and you must configure constrained delegation. You cannot
use S4U with unconstrained delegation.

That said, it does work once you get it set up.

Joe K.

"Christine_kh" <Christinekh@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:72EFC98D-01FA-4E07-A749-C1406B132218@xxxxxxxxxxxxxxxx
> "Richard Ward" wrote:
>
>> S4U is designed to give you a local token that matches one that
>> would have been created had the user done Kerberos auth to your
>> service. It is still constrained by the presence of credentials. If you
>> are not trusted for delegation, why do you think that you should be
>> able to go anywhere else on the network?
>
> Thank you for your answer. I thought so because I was trusted for
> delegation and I managed to get access to the same network resources using
> interactive logon on that machine (Ctrl-Alt-Del and logon as a domain user
> with the same credentials) and using LogonUser (with password). If I
> understand you right, that local token which we got using S4U (Kerb.) and
> LsaLogonUser has that special network access limitation by design?
>
>>
>> "Christine_kh" <Christinekh@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
>> news:415E4F6D-FF17-4527-883F-97DB6DB8FF19@xxxxxxxxxxxxxxxx
>> > Hi All,
>> >
>> > I used S4U auth and the LsaLogonUser() function to receive the new user
>> > access token for the client session, and it works, but it seems that a
>> > domain user logged on with the Network logon type cannot get access to
>> > domain network resources. Is it a known issue, done "by security design",
>> > or does any other way exist to solve this problem? I tried to change the
>> > Network logon type to Interactive and the function returned code 1367
>> > (ERROR_INVALID_LOGON_TYPE). I tried to use LogonUser instead with the
>> > Interactive logon type; it gave the user access to network resources, and
>> > I'd like to get the same behavior for LsaLogonUser, but I cannot ;(. Any
>> > help is very appreciated :)
>> >
>> > --Christine
>>
>>
>>
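The rules in Joe K.'s reply (protocol transition flag set, target SPN listed in msDS-AllowedToDelegateTo, no unconstrained delegation) can be turned into a small configuration audit. The following is an added example, not code from the thread or from Microsoft: it applies those rules to a service account's userAccountControl bits and its msDS-AllowedToDelegateTo list. The two flag values are the documented userAccountControl bits; the account records, account names, SPNs and the status labels are constructed sample data for this example, not real directory objects.

```python
# Added example (not from the thread): classify whether an S4U-obtained token
# can be delegated to a target SPN, following the rules in Joe K.'s reply.
# Flag constants are the documented userAccountControl bits; everything else
# here (account names, SPNs, status labels) is constructed for illustration.

# "Trust this computer for delegation to any service" (unconstrained delegation)
TRUSTED_FOR_DELEGATION = 0x80000
# "Use any authentication protocol" on the constrained-delegation tab
# (protocol transition, which makes the S4U2Self ticket forwardable)
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000


def s4u_delegation_status(user_account_control: int, allowed_to_delegate_to, target_spn: str) -> str:
    """Return a status label describing whether S4U delegation to target_spn can work.

    Labels (constructed for this example):
      'ok'                     - protocol transition is on and the SPN is allowed
      'unconstrained'          - plain "trusted for delegation"; S4U cannot be used here
      'no-delegation'          - no delegation configured at all
      'no-protocol-transition' - constrained delegation is "Kerberos only", so the
                                 S4U2Self ticket is not forwardable and the network
                                 logon cannot reach remote resources (the symptom
                                 Christine describes)
      'spn-not-allowed'        - target service is missing from msDS-AllowedToDelegateTo
    """
    # SPN comparison is case-insensitive in AD, so normalise both sides.
    allowed = {spn.lower() for spn in allowed_to_delegate_to}
    if user_account_control & TRUSTED_FOR_DELEGATION:
        return "unconstrained"
    if not allowed:
        return "no-delegation"
    if not user_account_control & TRUSTED_TO_AUTH_FOR_DELEGATION:
        return "no-protocol-transition"
    if target_spn.lower() not in allowed:
        return "spn-not-allowed"
    return "ok"


def audit_accounts(accounts, target_spn: str) -> dict:
    """Run the check over a list of account records (dicts with the AD attribute
    names as keys) and map each sAMAccountName to its status."""
    return {
        acct["sAMAccountName"]: s4u_delegation_status(
            acct["userAccountControl"],
            acct.get("msDS-AllowedToDelegateTo", []),
            target_spn,
        )
        for acct in accounts
    }


# Constructed sample accounts (0x200 = NORMAL_ACCOUNT, 0x10000 = DONT_EXPIRE_PASSWD).
SAMPLE_ACCOUNTS = [
    {   # constrained delegation with "any protocol": S4U works for the listed SPN
        "sAMAccountName": "svc-web-ok",
        "userAccountControl": 0x200 | 0x10000 | TRUSTED_TO_AUTH_FOR_DELEGATION,
        "msDS-AllowedToDelegateTo": ["cifs/fileserver.example.test", "HOST/fileserver.example.test"],
    },
    {   # constrained delegation, "Kerberos only": matches the thread's failing setup
        "sAMAccountName": "svc-web-kerbonly",
        "userAccountControl": 0x200 | 0x10000,
        "msDS-AllowedToDelegateTo": ["cifs/fileserver.example.test"],
    },
    {   # unconstrained delegation: S4U cannot be used
        "sAMAccountName": "svc-web-unconstrained",
        "userAccountControl": 0x200 | TRUSTED_FOR_DELEGATION,
    },
    {   # protocol transition on, but the file server SPN was never added
        "sAMAccountName": "svc-web-wrongspn",
        "userAccountControl": 0x200 | TRUSTED_TO_AUTH_FOR_DELEGATION,
        "msDS-AllowedToDelegateTo": ["http/intranet.example.test"],
    },
]

if __name__ == "__main__":
    for name, status in audit_accounts(SAMPLE_ACCOUNTS, "cifs/fileserver.example.test").items():
        print(f"{name:24s} {status}")
```

In a real environment the two attributes would come from an LDAP query of the service account (or from Get-ADUser / Get-ADComputer with -Properties userAccountControl,'msDS-AllowedToDelegateTo'); the classification logic stays the same. Resource-based constrained delegation on the target, which is configured on the target object rather than on the service account, is outside what this check looks at.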
