No logon SID in access token coming from SSPI impersonation
It seems there is no logon SID in an access token that comes from an
SSPI/Kerberos impersonation.

The context: My programs [client/server] use the SSPI API for
impersonation. The SSPI part works well, both
InitializeSecurityContext() and AcceptSecurityContext() return
SEC_E_OK, and I can impersonate and act as the authenticated user on
the server side. Now I want to retrieve the logon SID of the authenticated user:

So I use:
ImpersonateSecurityContext()
OpenThreadToken()

to retrieve the authenticated user's impersonation access token.

Then I use:
DuplicateTokenEx()

to retrieve the authenticated user's primary access token.
[This token is smart enough to be used in CreateProcessAsUser(), and
that CreateProcessAsUser() call succeeds, so it's a good strong primary
access token]

Then I use GetLogonSID from [1] to get the logon SID referred to by this
access token. But no element in the token's TokenGroups has the
SE_GROUP_LOGON_ID attribute. Thus there is no logon SID in this access
token... and the GetLogonSID() call failed...

Displaying the logon sessions with the 'logonsessions' tool gives me:

C:\> logonsessions
[...]
[8] Logon session 00000000:01afaf46:
User name: STRASBOURG\user
Auth package: Kerberos
Logon type: Network
Session: 0
Sid: S-1-5-21-625047747-450033616-3515863536-1114
Logon time: 1/4/2007 11:27:06 AM
Logon server:
DNS Domain:
UPN:

Thus I have several questions:

o Am I wrong doing it that way or not?

o Is it possible that some kinds of logon session don't have a logon
SID? [For example a non-interactive authentication logon session, as
SSPI/Kerberos can create]

I cannot find any documentation focused on that point, and all the examples
I have found use LogonUser() or similar functions to retrieve the access
token...

o Can we set a logon SID on an access token? Is it a good way?

o Are there other ways to find the logon SID of a logon session?

Thanks

[1] Getting the Logon SID in C++:
http://msdn2.microsoft.com/en-us/library/aa446670.aspx
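The check the post describes (walk the token's TokenGroups and look for an entry carrying SE_GROUP_LOGON_ID, which is what the GetLogonSID sample in [1] does in C++) can be reproduced from PowerShell so that the same token can be inspected from inside the impersonated context and from an ordinary interactive logon for comparison. The script below is an added example, not code from the original post or from Microsoft's sample; it assumes Windows PowerShell on Windows, uses only documented Win32 calls (OpenThreadToken, OpenProcessToken, GetTokenInformation with TokenGroups) via Add-Type, and prefers the calling thread's impersonation token when one exists, falling back to the process token otherwise. The class name TokenGroupsProbe and the Entry type are inventions of this example.

```powershell
# Added example: report whether the current token carries a group with
# the SE_GROUP_LOGON_ID attribute (the "logon SID", S-1-5-5-X-Y).
# Run it from a thread that called ImpersonateSecurityContext(), or from a
# process started with CreateProcessAsUser() on the duplicated token, to see
# what GetLogonSID() from [1] would see.

$src = @'
using System;
using System.Collections.Generic;
using System.ComponentModel;
using System.Runtime.InteropServices;
using System.Security.Principal;

public static class TokenGroupsProbe
{
    const uint TOKEN_QUERY = 0x0008;
    const int TokenGroupsClass = 2;              // TOKEN_INFORMATION_CLASS.TokenGroups
    public const uint SE_GROUP_LOGON_ID = 0xC0000000;

    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool OpenThreadToken(IntPtr thread, uint access, bool openAsSelf, out IntPtr token);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool OpenProcessToken(IntPtr process, uint access, out IntPtr token);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool GetTokenInformation(IntPtr token, int cls, IntPtr info, uint len, out uint needed);
    [DllImport("kernel32.dll")] static extern IntPtr GetCurrentThread();
    [DllImport("kernel32.dll")] static extern IntPtr GetCurrentProcess();
    [DllImport("kernel32.dll")] static extern bool CloseHandle(IntPtr h);

    [StructLayout(LayoutKind.Sequential)]
    struct SID_AND_ATTRIBUTES { public IntPtr Sid; public uint Attributes; }

    public struct Entry { public string Sid; public uint Attributes; }

    public static List<Entry> Enumerate()
    {
        IntPtr token;
        // An impersonating thread has its own token; otherwise use the process token.
        if (!OpenThreadToken(GetCurrentThread(), TOKEN_QUERY, true, out token) &&
            !OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, out token))
            throw new Win32Exception();
        try
        {
            uint needed;
            GetTokenInformation(token, TokenGroupsClass, IntPtr.Zero, 0, out needed);
            IntPtr buf = Marshal.AllocHGlobal((int)needed);
            try
            {
                if (!GetTokenInformation(token, TokenGroupsClass, buf, needed, out needed))
                    throw new Win32Exception();
                // TOKEN_GROUPS: DWORD GroupCount, then a pointer-aligned SID_AND_ATTRIBUTES[].
                int count = Marshal.ReadInt32(buf);
                IntPtr first = buf + IntPtr.Size;
                int stride = Marshal.SizeOf(typeof(SID_AND_ATTRIBUTES));
                var list = new List<Entry>();
                for (int i = 0; i < count; i++)
                {
                    var sa = (SID_AND_ATTRIBUTES)Marshal.PtrToStructure(first + i * stride, typeof(SID_AND_ATTRIBUTES));
                    list.Add(new Entry { Sid = new SecurityIdentifier(sa.Sid).Value, Attributes = sa.Attributes });
                }
                return list;
            }
            finally { Marshal.FreeHGlobal(buf); }
        }
        finally { CloseHandle(token); }
    }
}
'@
Add-Type -TypeDefinition $src

$groups = [TokenGroupsProbe]::Enumerate()
$mask   = [TokenGroupsProbe]::SE_GROUP_LOGON_ID
$logon  = $groups | Where-Object { ($_.Attributes -band $mask) -eq $mask }

if ($logon) {
    "Logon SID: $($logon.Sid) (attributes 0x{0:X8})" -f $logon.Attributes
} else {
    "No group with SE_GROUP_LOGON_ID in this token."
    # Any S-1-5-5-* entries present without the flag, for comparison with logonsessions output:
    $groups | Where-Object { $_.Sid -like 'S-1-5-5-*' } | ForEach-Object {
        "  {0}  attributes 0x{1:X8}" -f $_.Sid, $_.Attributes
    }
}
```

Running this once in a normal interactive session and once under the SSPI-impersonated context shows directly whether the token handed back by OpenThreadToken() differs in this respect; the SID printed in the first case should match the "Logon ID" line that `whoami /groups` shows for the same session.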
