Re: LsaLogonUser - access to network resources



Thank you for your advice. I'll try to get it working this way as soon as I fix
the new problem I got. It seems I changed something wrong; now I get Access
Denied from LsaLogonUser all the time, so I should fix that first.
--Christine


"Joe Kaplan (MVP - ADSI)" wrote:

> To delegate an S4U token, you must have "trusted to authenticate for
> delegation", not the standard "trusted for delegation" and the SPNs of the
> target services must be specified (msds-allowedToDelegateTo). In other
> words, you need to use the "trusted for delegation with any protocol"
> setting in AD U&C and you must configure constrained delegation. You cannot
> use S4U with unconstrained delegation.
>
> That said, it does work once you get it set up.
>
> Joe K.
>
> "Christine_kh" <Christinekh@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
> news:72EFC98D-01FA-4E07-A749-C1406B132218@xxxxxxxxxxxxxxxx
> > "Richard Ward" wrote:
> >
> >> S4U is designed to give you a local token that matches one that
> >> would have been created had the user done kerberos auth to your
> >> service. It is still constrained by the presence of credentials. If you
> >> are not trusted for delegation, why do you think that you should be
> >> able to go anywhere else on the network?
> >
> > Thank you for your answer. I thought so because I was trusted for
> > delegation and I managed to get access to the same network resources using
> > interactive logon on that machine (Ctrl-Alt-Del and logon as domain user
> > with the same credentials) and using LogonUser (with password). If I
> > understand you right, that local token which we got using S4U (Kerb.) and
> > LsaLogonUser has that special network access limitation by design?
> >
> >>
> >> "Christine_kh" <Christinekh@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
> >> news:415E4F6D-FF17-4527-883F-97DB6DB8FF19@xxxxxxxxxxxxxxxx
> >> > Hi All,
> >> >
> >> > I used S4U auth and the LsaLogonUser() function to receive the new user
> >> > access token for the client session, and it works, but it seems that a
> >> > domain user logged on with the Network logon type cannot get access to
> >> > domain network resources - is it a known issue and done "by security
> >> > design", or does any other way exist to solve this problem? I tried to
> >> > change the Network logon type to Interactive and the function returned
> >> > code 1367 (ERROR_INVALID_LOGON_TYPE). I tried to use LogonUser instead
> >> > with the Interactive logon type - it gave the user access to network
> >> > resources, but I'd like to get the same behavior for LsaLogonUser, but
> >> > I cannot ;(. Any help is very appreciated :)
> >> >
> >> > --Christine
> >>
> >>
> >>
>
>
>
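The account shape Joe K. describes (protocol transition plus constrained targets, not unconstrained delegation) can be verified directly in the directory. This is an added example, not code from the thread; it assumes the RSAT ActiveDirectory module, read access to userAccountControl and msDS-AllowedToDelegateTo, and the account name 'WEB01$' is a placeholder.

```powershell
# Added example, not from the thread. Assumes the ActiveDirectory (RSAT) module
# and read access to the service account's attributes. Reports whether an
# account is configured the way the S4U path needs: protocol transition
# ("use any authentication protocol") plus constrained target SPNs.
Import-Module ActiveDirectory

# userAccountControl bits (documented values)
$TRUSTED_FOR_DELEGATION         = 0x80000    # unconstrained delegation: not usable for S4U
$TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # protocol transition ("trusted to authenticate for delegation")

function Get-S4UDelegationStatus {
    param([Parameter(Mandatory)][string]$SamAccountName)  # e.g. 'svc-web' or 'WEB01$' (placeholder)

    $acct = Get-ADObject -LDAPFilter "(sAMAccountName=$SamAccountName)" `
                -Properties userAccountControl, 'msDS-AllowedToDelegateTo'
    if (-not $acct) { throw "Account '$SamAccountName' not found" }

    $uac     = [int]$acct.userAccountControl
    $targets = @($acct.'msDS-AllowedToDelegateTo')       # SPNs the account may delegate to

    $protocolTransition = ($uac -band $TRUSTED_TO_AUTH_FOR_DELEGATION) -ne 0
    $unconstrained      = (($uac -band $TRUSTED_FOR_DELEGATION) -ne 0) -and ($targets.Count -eq 0)

    [pscustomobject]@{
        Account            = $SamAccountName
        ProtocolTransition = $protocolTransition
        ConstrainedTargets = $targets
        Unconstrained      = $unconstrained
        # What the thread needs: transition enabled AND target SPNs listed
        ReadyForS4U        = $protocolTransition -and ($targets.Count -gt 0)
    }
}

# Usage: inspect one account, then list every account in the domain that still
# has unconstrained delegation (it will not satisfy S4U, and is worth a review).
Get-S4UDelegationStatus -SamAccountName 'WEB01$' | Format-List

# 1.2.840.113556.1.4.803 is the LDAP bitwise-AND matching rule; 524288 = 0x80000
Get-ADObject -LDAPFilter "(&(userAccountControl:1.2.840.113556.1.4.803:=524288)(!(msDS-AllowedToDelegateTo=*)))" `
    -Properties sAMAccountName |
    Select-Object sAMAccountName, DistinguishedName
```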