Re: Accessing security information from an authentication provider
- From: Yannick <yannick@xxxxxxxxxx>
- Date: Wed, 06 Aug 2008 21:34:38 +0100
Hi,
Thanks for your answer Corinna.
I've tried to play around with the SAM database on Vista and the result
is disappointing.
So I used the OpenSamUser function to get a user handle and I invariably got a "0xC00000BB" error which means: "STATUS_NOT_SUPPORTED". I tried with local and domain users. It didn't change anything.
I didn't find anything on the web about this. Any ideas anyone? Am I doing something wrong? Is Vista implementing this function properly?
Cheers,
Yannick
Corinna Vinschen wrote:
> Yannick wrote:
> Hi,
> Thanks Corrina for your answer.

s/Corrina/Corinna/

> Corinna Vinschen wrote:
>> The returned token should have the INTERACTIVE group in the group
>> list. I don't know if S4U returns a token with NETWORK or INTERACTIVE
>> group and I have deleted my testcase in the meantime, sorry. You
>> should just try it, the code to use S4U from a logon application is
>> really simple.
>> Disadvantage: S4U only works on server machines, not on clients.
> So I've quickly tried to implement this in my AP. I'm using the code from the MSDN example here:
> http://msdn.microsoft.com/en-us/magazine/cc188757.aspx
> I can get a token on a client machine, it works fine.

Weird. Running this on a Windows XP domain member machine failed for me,
running it on the 2008 domain controller worked.

> Then I've basically tried to re-create a token from the token handle I got from LsaLogonUser, using the GetTokenInformation function. This is where my problem starts. As far as I know (tell me if I'm wrong) the token has to be in a contiguous memory block. And since LSA_TOKEN_INFORMATION_V2 contains some pointers like PTOKEN_GROUPS I've allocated a larger memory block with LsaAllocateHeap and made PTOKEN_GROUPS point after the structure but still in the memory block I've allocated. The same for PTOKEN_PRIVILEGES.
> However I've just realized that for example TOKEN_USER contains pointers as well. Should I also do the same with these pointers? I always get some access violation error from lsasrv.exe, so I guess this problem comes from some bad pointer.

Yes, that's definitely necessary.

> I'll be really interested to know how you did this Corrina.

I'm creating a data structure which is basically a LSA_TOKEN_INFORMATION_V2
plus buffer. To get its size I'm going through all token information and
compute the size necessary for the entire data which all pointers point
to. The rest is dutifully copy data, set the pointer, copy data, set the
pointer... It's not actually complex, it's just a lot of code.

>> However, CVSNT is under GPL so you should make sure you're not tainting
>> your own licensing by using that code as foundation.
> I meant: it seems to be working for them so we should maybe look at the method they use. I tried to integrate their code in my AP to see what happens. The token creation seems to work fine (even though I have to give SeTcbPrivilege to Everyone on my machine to make it work) but then again I've got some weird error from lsasrv.exe or winlogon.exe.

Apart from the weird error which I can't say anything about, ouch! You
must not call LsaLogonUser from the application which is run by normal
users. Rather, create a logon application which is supposed to run as a
service under a privileged account (SYSTEM for a start) which has the
Tcb privilege. From the user application call the service by some IPC
method. That's how it works in Cygwin. sshd is only capable of
switching the user context when it's running under a privileged account,
so it's typically running as a service application.

Corinna
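The two-pass method Corinna describes above (total the size of everything the pointers will reference, then copy each item into one block and set the pointer), and the "bad pointer" problem Yannick hit with TOKEN_USER, as an added, stand-alone C example. This is not code from either poster, from Cygwin or from CVSNT. It uses simplified stand-in types (demo_sid, demo_token_user, demo_token_groups, demo_token_info and the constructed sample SIDs are all assumptions) modelled on SID, TOKEN_USER, TOKEN_GROUPS and LSA_TOKEN_INFORMATION_V2 so that it compiles without the Windows headers; a real SID also carries an identifier authority, ExpirationTime, Privileges, Owner and DefaultDacl are omitted, and on Windows the block would come from LsaAllocateHeap rather than calloc. It also adds a check that every embedded pointer lands inside the block, which is the kind of defect that otherwise only shows up as an access violation in lsasrv.exe.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed stand-ins for the Windows types: a portable demo, not the SDK layout. */
typedef struct {
    uint8_t  revision;
    uint8_t  sub_authority_count;
    uint32_t sub_authority[1];           /* variable length, like a real SID */
} demo_sid;
typedef struct { demo_sid *sid; uint32_t attributes; } demo_sid_and_attributes;      /* SID_AND_ATTRIBUTES */
typedef struct { demo_sid_and_attributes user; } demo_token_user;                    /* TOKEN_USER */
typedef struct { uint32_t group_count; demo_sid_and_attributes groups[1]; } demo_token_groups; /* TOKEN_GROUPS */
typedef struct { demo_sid *primary_group; } demo_token_primary_group;                /* TOKEN_PRIMARY_GROUP */
typedef struct {
    demo_token_user          user;       /* embedded by value, but it holds a pointer too */
    demo_token_groups       *groups;     /* PTOKEN_GROUPS: must point into the same block */
    demo_token_primary_group primary_group;
} demo_token_info;                        /* subset of LSA_TOKEN_INFORMATION_V2 */

/* Fixed-capacity SID for building sample input; its prefix matches demo_sid. */
typedef struct { uint8_t revision; uint8_t sub_authority_count; uint32_t sub_authority[8]; } demo_sid_buf;

static size_t demo_align(size_t n) { return (n + 7) & ~(size_t)7; }
static size_t demo_sid_size(const demo_sid *s) {
    return offsetof(demo_sid, sub_authority) + (size_t)s->sub_authority_count * sizeof(uint32_t);
}
/* Bump allocator over the block: copy src in at the cursor and return its new address. */
static void *demo_place(uint8_t *blob, size_t *cursor, const void *src, size_t n) {
    void *dst = blob + *cursor;
    memcpy(dst, src, n);
    *cursor += demo_align(n);
    return dst;
}

/* Build the token information and everything it points to in ONE contiguous block.
 * Returns NULL on allocation failure; *out_size receives the block size. */
static demo_token_info *demo_build_token_info(const demo_sid *user_sid, const demo_sid *primary_sid,
        const demo_sid *const *group_sids, const uint32_t *group_attrs, uint32_t ngroups, size_t *out_size)
{
    /* Pass 1: walk every item a pointer will reference and total its (aligned) size. */
    size_t groups_hdr = offsetof(demo_token_groups, groups) + (size_t)ngroups * sizeof(demo_sid_and_attributes);
    size_t total = demo_align(sizeof(demo_token_info)) + demo_align(demo_sid_size(user_sid))
                 + demo_align(demo_sid_size(primary_sid)) + demo_align(groups_hdr);
    for (uint32_t i = 0; i < ngroups; i++) total += demo_align(demo_sid_size(group_sids[i]));

    /* Pass 2: one allocation (LsaAllocateHeap on Windows), then copy data, set pointer, repeat. */
    uint8_t *blob = calloc(1, total);
    if (!blob) return NULL;
    size_t cursor = demo_align(sizeof(demo_token_info));
    demo_token_info *ti = (demo_token_info *)blob;
    ti->user.user.sid = demo_place(blob, &cursor, user_sid, demo_sid_size(user_sid));
    ti->user.user.attributes = 0;
    ti->primary_group.primary_group = demo_place(blob, &cursor, primary_sid, demo_sid_size(primary_sid));
    demo_token_groups *g = (demo_token_groups *)(blob + cursor);
    cursor += demo_align(groups_hdr);
    g->group_count = ngroups;
    for (uint32_t i = 0; i < ngroups; i++) {
        g->groups[i].sid = demo_place(blob, &cursor, group_sids[i], demo_sid_size(group_sids[i]));
        g->groups[i].attributes = group_attrs[i];
    }
    ti->groups = g;
    *out_size = total;
    return ti;
}

/* Defensive check: does [p, p+n) lie inside [blob, blob+size)? Overflow-safe. */
static int demo_inside(const void *p, size_t n, const void *blob, size_t size) {
    uintptr_t a = (uintptr_t)p, b = (uintptr_t)blob;
    return a >= b && a - b <= size && n <= size - (a - b);
}
static int demo_sid_inside(const demo_sid *s, const void *blob, size_t size) {
    return demo_inside(s, offsetof(demo_sid, sub_authority), blob, size)   /* header readable first */
        && demo_inside(s, demo_sid_size(s), blob, size);                   /* then the whole SID */
}
/* Return 1 if every pointer in the block stays inside the block, else 0. */
static int demo_validate(const demo_token_info *ti, size_t size) {
    const demo_token_groups *g = ti->groups;
    if (!demo_sid_inside(ti->user.user.sid, ti, size)) return 0;
    if (!demo_sid_inside(ti->primary_group.primary_group, ti, size)) return 0;
    if (!demo_inside(g, offsetof(demo_token_groups, groups), ti, size)) return 0;
    if (!demo_inside(g, offsetof(demo_token_groups, groups)
                        + (size_t)g->group_count * sizeof(demo_sid_and_attributes), ti, size)) return 0;
    for (uint32_t i = 0; i < g->group_count; i++)
        if (!demo_sid_inside(g->groups[i].sid, ti, size)) return 0;
    return 1;
}

/* Constructed sample input (toy sub-authority values, not real SIDs). */
static const demo_sid_buf demo_user_sid    = { 1, 2, { 21, 1001 } };
static const demo_sid_buf demo_primary_sid = { 1, 2, { 21, 513 } };
static const demo_sid_buf demo_group_a     = { 1, 2, { 21, 512 } };
static const demo_sid_buf demo_group_b     = { 1, 1, { 4 } };     /* one-level, shaped like S-1-5-4 (INTERACTIVE) */

static demo_token_info *demo_build_sample(size_t *out_size) {
    const demo_sid *groups[2] = { (const demo_sid *)&demo_group_a, (const demo_sid *)&demo_group_b };
    uint32_t attrs[2] = { 0x7, 0x7 };                              /* constructed attribute bits */
    return demo_build_token_info((const demo_sid *)&demo_user_sid, (const demo_sid *)&demo_primary_sid,
                                 groups, attrs, 2, out_size);
}

int main(void) {
    size_t size = 0;
    demo_token_info *ti = demo_build_sample(&size);
    if (!ti) return 1;
    printf("block of %zu bytes, %u groups, all pointers inside block: %s\n",
           size, ti->groups->group_count, demo_validate(ti, size) ? "yes" : "no");
    free(ti);
    return 0;
}
```

The sizing pass and the copy pass must use the same alignment rule, otherwise the cursor runs past the block; running demo_validate on the finished block before handing it back is a cheap way to catch exactly the stray pointer that Yannick's access violation points at.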