Migrating from LogonUser to SSPI



I am maintaining a C++ client/server app for distributed computing.
The client connects to the server over TCP/IP and requests and runs a
job. The job executable resides on the server in a shared folder. The
job writes its output to that same folder.

In the past, the client would run under the LocalSystem account and we
would have to configure the shared folder on the server for access from
null sessions so the client could access it. More recently, the server
shared folder is owned by a dedicated account, whose login information
(user name, domain, and password, encrypted) is passed to the client
when a job is requested. The client then does:

1. LogonUser (with LOGON32_LOGON_NETWORK_CLEARTEXT)
2. ImpersonateLoggedOnUser (to access the job executable)
3. CreateProcessAsUser
4. RevertToSelf

There are clearly some problems with this approach. For one, the
server has to have the password of the account that owns the shared
folder. It would be more desirable for the server to

1. Get the credentials of the shared folder account, and
2. Pass them to the client over TCP/IP for impersonation/process
creation.

Unfortunately this KB article, http://support.microsoft.com/kb/180548/,
says

"The end result of using the SSPI services to validate the credentials
is a logon that is analogous to calling the LogonUser API with the
LOGON32_LOGON_NETWORK logon type. The biggest downside to this type of
logon is that you cannot access remote network resources after
impersonating a network type logon."

So my question is . . . is there a way to use SSPI that will allow the
client to access a shared folder on the server? If so, I'd appreciate
a rough sketch of how to approach this, analogous to the steps 1-4
above. (I am totally new to SSPI...)

Thanks,
Lee
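The four-step LogonUser / ImpersonateLoggedOnUser / CreateProcessAsUser / RevertToSelf sequence from the post, written out as an added C++ example (not the poster's code). The names SplitAccount and RunJobAs are hypothetical; the Win32 part is guarded by _WIN32 and assumes the caller holds the privileges CreateProcessAsUser needs (LocalSystem does), and the helper that splits the account name compiles on any platform.

```cpp
#include <string>
#include <utility>

// LogonUser takes the user and domain separately.  A UPN ("user@domain")
// must go in the user argument with a NULL domain, so the helper returns
// an empty domain for that form and "." for a bare local account name.
std::pair<std::string, std::string> SplitAccount(const std::string& account) {
    std::size_t bs = account.find('\\');
    if (bs != std::string::npos)
        return {account.substr(bs + 1), account.substr(0, bs)};
    if (account.find('@') != std::string::npos)
        return {account, ""};
    return {account, "."};
}

#ifdef _WIN32
#include <windows.h>

// Steps 1-4 from the post in one function; returns the Win32 error code
// (0 on success).  The cleartext password is wiped as soon as LogonUser returns.
DWORD RunJobAs(const std::string& account, std::string& password,
               std::wstring commandLine) {
    std::pair<std::string, std::string> ud = SplitAccount(account);
    HANDLE token = nullptr;
    // Step 1: NETWORK_CLEARTEXT keeps the credentials usable for the share.
    BOOL ok = LogonUserA(ud.first.c_str(),
                         ud.second.empty() ? nullptr : ud.second.c_str(),
                         password.c_str(), LOGON32_LOGON_NETWORK_CLEARTEXT,
                         LOGON32_PROVIDER_DEFAULT, &token);
    if (!password.empty()) SecureZeroMemory(&password[0], password.size());
    if (!ok) return GetLastError();
    // Step 2: impersonate so the job executable on the share can be read.
    if (!ImpersonateLoggedOnUser(token)) {
        DWORD err = GetLastError(); CloseHandle(token); return err;
    }
    DWORD err = 0;
    STARTUPINFOW si{}; si.cb = sizeof(si);
    PROCESS_INFORMATION pi{};
    // Step 3: the command line buffer must be writable, hence the by-value copy.
    if (!CreateProcessAsUserW(token, nullptr, &commandLine[0], nullptr, nullptr,
                              FALSE, 0, nullptr, nullptr, &si, &pi))
        err = GetLastError();
    else { CloseHandle(pi.hThread); CloseHandle(pi.hProcess); }
    // Step 4: always revert, even when process creation failed.
    RevertToSelf();
    CloseHandle(token);
    return err;
}
#endif
```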
