Re: LsaLogonUser - access to network resources
- From: Christine_kh <Christinekh@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Wed, 14 Dec 2005 00:01:02 -0800
Thank you for your advice I'll try to get it working this way as soon as fix
new problem I got. It seems I changed something wrong, now I get Access
Denied from LsaLogonUser all the time, I should fix it first.
"Joe Kaplan (MVP - ADSI)" wrote:
> To delegate an S4U token, you must have "trusted to authenticate for
> delegation", not the standard "trusted for delegation" and the SPNs of the
> target services must be specified (msds-allowedToDelegateTo). In other
> words, you need to use the "trusted for delegation with any protocol"
> setting in AD U&C and you must configure constrained delegation. You cannot
> use S4U with unconstrained delegation.
> That said, it does work once you get it set up.
> Joe K.
> "Christine_kh" <Christinekh@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
> > "Richard Ward" wrote:
> >> S4U is designed to give you a local token that matches one that
> >> would have been created had the user done kerberos auth to your
> >> service. It is still constrained by the presence of credentials. If you
> >> are not trusted for delegation, why do you think that you should be
> >> able to go anywhere else on the network?
> > Thank you for your answer. I thought so because I was trusted for
> > delegation
> > and I managed to get access to the same network resources using
> > interactive
> > logon on that machine (Ctrl-Ald-Del and logon as domain user with the same
> > credentials) and using the LogonUser (with password). If I understand you
> > right that local token which we got using S4U(Kerb.) and LsaLogonUser has
> > that special network access limitation by design?
> >> "Christine_kh" <Christinekh@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
> >> news:415E4F6D-FF17-4527-883F-97DB6DB8FF19@xxxxxxxxxxxxxxxx
> >> > Hi All,
> >> >
> >> > I used S4U auth and LsaLogonUser() function to receives the new user
> >> > access
> >> > token for client session and it works but it seems that using Network
> >> > logon
> >> > type logged domain user cannot get access to domain network resources -
> >> > is
> >> > it
> >> > known issue and done "by security design" or exist any other way how to
> >> > solve
> >> > this problem. I tried to change Network logon type on Interactive and
> >> > function returned code 1367 (ERROR_INVALID_LOGON_TYPE) . I tried to use
> >> > LogonUser instead and Interactive logon type - it gave to user access
> >> > to
> >> > network resources, but I'd like to get the same behavior for
> >> > LsaLogonUser,
> >> > but I cannot ;(. Any help is very appreciated :)
> >> >
> >> > --Christine
- Prev by Date: GetEffectiveRightsFromAcl fails with OBJECT_AND_SID trustee
- Next by Date: Re: GinaStub: Suddenly only "Administrator" can logon!
- Previous by thread: Re: LsaLogonUser - access to network resources
- Next by thread: removing group membership from token