Re: Accessing security information from an authentication provider
- From: Chris Smith <cdsmith@xxxxxxxxx>
- Date: 14 Jul 2008 13:18:54 GMT
Corinna Vinschen wrote:
> What null account? The LSA itself is running in SYSTEM context, AFAIK,
> and the logon application is running under a privileged domain account.
> Nevertheless, the GetAuthDataForUser only works for machine local
> accounts and never asks AD, apparently.
The LSA is running as the system user on the local machine, yes. But it
has no identity in the domain. Windows domains do not assume the
physical security of all domain members, so having system access on a
workstation would not necessarily imply having any kind of privileges on
the domain.
See http://support.microsoft.com/default.aspx?scid=kb;en-us;246261 for
information on restricting the NULL account. There is apparently a
setting for preventing it from enumerating SAM accounts and names, and
one to prevent it from having any access at all. I'm curious if changing
this on your domain controller helps at all.
I am NOT concerned that ConvertAuthDataToToken doesn't set up network
credentials immediately. In fact, it's clear to me that it can't.
Nothing I can do on a client machine should be able to give me access
to network shares and such without somehow authenticating to a domain
controller. I realize that.
> Isn't that the task of the AP? I mean, the user has authenticated by
> some other means. The AP is supposedly a trusted part of the OS. Why
> should a user who authenticated against that AP *not* be able to access
> network resources?
Because network resources are not part of the OS. Maybe we're
miscommunicating here, but it's obvious to me that if you want to access
a network resource, you'll need to convince *that* server, not the
workstation you are working on, that you have permission to do it. The
LSA only matters on the local system, so inherently it can do nothing to
convince some other system of your identity. Otherwise, I could write an
authentication provider for my laptop that lets me be anybody I like, and
plug it into someone else's network, and access a bunch of private files
on their Windows domain. If the LSA is going to give you access to your
network shares, it would have to do something to convince those other
servers that you've got the necessary permissions. Given that
authentication uses Kerberos in Windows domains, that would probably mean
obtaining a TGT (ticket granting ticket) that the system can use later to
obtain tickets for those other servers' resources.
That's my understanding of the situation, but don't take it as gospel by
any means. I'm pretty new to this.
--
Chris Smith