RE: Impersonation and remote registry access
- From: SteveS <SteveSpencer@xxxxxxxxxxxxxxxxx>
- Date: Wed, 7 Feb 2007 03:43:01 -0800
Reading "App Lockdown", I found that remote registry uses named pipes.
By using NetUseAdd and NetUseDel, I can connect to the IPC$ share, and get
access that way, but that means my app needs to retain the credentials in
memory for longer, which isn't a good thing.
In addition, I have discovered that for XP, using LogonUser(...,
LOGON32_LOGON_NEW_CREDENTIALS, ...) followed by ImpersonateLoggedOnUser()
does work correctly (there was a bug in my original code which was closing
the handle too soon; sorry about that!).
My question has therefore degenerated into a "what am I not doing via SSPI
(which seems to be dealing with the impersonation correctly, at least on a
local basis) that the call to LogonUser does?" The code is pretty much based
on the KB article about validating username/passwords, and does the usual
InitializeSecurityContext / AcceptSecurityContext until both return complete
(or an error, which I'm NOT seeing), followed by ImpersonateSecurityContext,
then the usual OpenThreadToken/DuplicateToken stuff.
I'm confident (from examining the thread token during impersonation) that
the token identity is correct, and the impersonation is successful. Certainly
I am able to access otherwise unavailable local resources, such as secured
files.
I'd love to be able to forget the SSPI stuff, but unfortunately, the app has
to be able to run from anywhere on a mixed W2K Prof and XPSP2 Prof network.
It is just not possible (or desirable!) to grant SE_TCB_NAME to any accounts,
of course.
Hope the extra information is useful.
Steve S
Hi Steve,
This is a quick note to let you know that I am performing research on this
issue and will get back to you as soon as possible. I appreciate your
patience.
Sincerely,
Walter Wang (wawang@xxxxxxxxxxxxxxxxxxxx, remove 'online.')
Microsoft Online Community Support
==================================================
Get notification to my posts through email? Please refer to
http://msdn.microsoft.com/subscriptions/managednewsgroups/default.aspx#notifications.
If you are using Outlook Express, please make sure you clear the check box
"Tools/Options/Read: Get 300 headers at a time" to see your reply promptly.
Note: The MSDN Managed Newsgroup support offering is for non-urgent issues
where an initial response from the community or a Microsoft Support
Engineer within 1 business day is acceptable. Please note that each follow
up response may take approximately 2 business days as the support
professional working with you may need further investigation to reach the
most efficient resolution. The offering is not appropriate for situations
that require urgent, real-time or phone-based interactions or complex
project analysis and dump analysis issues. Issues of this nature are best
handled working with a dedicated Microsoft Support Engineer by contacting
Microsoft Customer Support Services (CSS) at
http://msdn.microsoft.com/subscriptions/support/default.aspx.
==================================================
This posting is provided "AS IS" with no warranties, and confers no rights.