Re: Migrating from LogonUser to SSPI



"navels" <navels@xxxxxxxxx> wrote in message
news:1158204785.631948.279420@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
> 1. Get the credentials of the shared folder account, and
> 2. Pass them to the client over TCP/IP for impersonation/process
> creation.
>
> Unfortunately this KB article, http://support.microsoft.com/kb/180548/,
> says
>
> "The end result of using the SSPI services to validate the credentials
> is a logon that is analogous to calling the LogonUser API with the
> LOGON32_LOGON_NETWORK logon type. The biggest downside to this type of
> logon is that you cannot access remote network resources after
> impersonating a network type logon."
>
> So my question is . . . is there a way to use SSPI that will allow the
> client to access a shared folder on the server? If so, I'd appreciate
> a rough sketch of how to approach this, analogous to the steps 1-4
> above. (I am totally new to SSPI...)

What you're asking for is more complex than perhaps you realise. Logon &
Impersonate allows you to pretend to be the user when accessing any
resource. SSPI services allow you to verify the identity of the user
accessing your local resources.

What you're looking for is something that will allow you to verify the
identity _and_ impersonate the user to other resources.

I believe that what you need is the ability to do delegation of authority.
I believe Kerberos provides that.

Alun.
~~~~
--
Texas Imperial Software | Web: http://www.wftpd.com/
23921 57th Ave SE | Blog: http://msmvps.com/alunj/
Woodinville WA 98072-8661 | WFTPD, WFTPD Pro are Windows FTP servers.
Fax/Voice +1(425)807-1787 | Try our NEW client software, WFTPD Explorer.

