Re: Accessing security information from an authentication provider

Chris Smith wrote:
I just want to say thanks SO much for everyone's help on this. I have
been away and haven't been able to answer as reliably as I'd like.

It looks like the combination of OpenSamUser, GetAuthDataForUser, and
ConvertAuthDataToToken is exactly what I was looking for, at least for
the first bits here. I'm somewhat concerned by Corinna's comment that it
doesn't seem to work for domain accounts, though. The documentation of
these functions seems to suggest that it should. Is this perhaps due to
someone disabling or restricting the null account, as is sometimes
suggested in various tutorials on how to secure Windows domains?

What null account? The LSA itself is running in SYSTEM context, AFAIK,
and the logon application is running under a privileged domain account.
Nevertheless, the GetAuthDataForUser only works for machine local
accounts and never asks AD, apparently.

I am NOT concerned that ConvertAuthDataToToken doesn't set up network
credentials immediately. In fact, it's clear to me that it can't.
Nothing I can do on a client machine should be able to give me access to
network shares and such without somehow authenticating to a domain
controller. I realize that.

Isn't that the task of the AP? I mean, the user has authenticated by
some other means. The AP is supposedly a trusted part of the OS.
Why should a user who authenticated against that AP *not* be able to
access network resources?


Corinna

--
Corinna Vinschen
Cygwin Project Co-Leader
Red Hat
.

Relevant Pages

  • Re: POP3 DNS problem?
    ... Make sure you are authenticating using the logon email address that is under ... The Exchange server had been spitting out ... >> the LogOn account of the Exchange POP3 service, ... It would seem that the connection is getting through to the ...
    (microsoft.public.exchange.admin)
  • Re: Dial up, how to authenticate to workplace corp network ?
    ... If the Cisco device is authenticating to an Interlink RADIUS server, ... or any other newsreader), and configure a news account, pointing to ... This is a direct link to the Microsoft Public ...
    (microsoft.public.windows.server.networking)
  • Re: User cannot change password?
    ... Enable auditing on account logon's and check to see if/what type of error is ... They must change the password from the Citrix> prompt. ... >>This kinda sounds like they really aren't authenticating> onto the domain, ... >>> to change them when logging in on the local PC. ...
    (microsoft.public.win2000.active_directory)
  • Re: Forcing Domain User account to authenticate to only one DC
    ... Joe Richards Microsoft MVP Windows Server Directory Services ... I have an issue with a domain user account that is critical to our ... to the head DC in Australia instead of authenticating to our local DC ...
    (microsoft.public.windows.server.active_directory)
  • Re: IIS6 & ASP: accessing network files with FSO fails
    ... I'm still not convinced that you are authenticating the way you ... > positive that anonymous access is disabled? ... > includes accounts that Server2 knows about. ... > account on Server1. ...
    (microsoft.public.inetserver.asp.general)