Re: Win2000 Impersonation weirdness? (or is it a conundrum?)

From: Joe Richards [MVP] (humorexpress@hotmail.com)
Date: 07/22/02


From: "Joe Richards [MVP]" <humorexpress@hotmail.com>
Date: Sun, 21 Jul 2002 18:02:35 -0400


They changed the functionality in XP. In W2K the ID running the code must
have the SE_TCB_NAME privilege prior to logging in so that the token has the
right security context info.

--
Joe Richards
www.joeware.net
---
"Colin Reinhardt" <colinrei@oz.net> wrote in message
news:#2LHOaBMCHA.2200@tkmsftngp08...
> Hi,
>
> Yes, actually both test servers (the XP and the Win2K) are part of a
> Windows2000 domain.
> But why does the XP box work (allowing LogonUser calls from a process
> running without SE_TCB_NAME) while the Win2K does not?
> Did the behavior intentionally change?  If so, what was the rationale for
> the change?
>
> And what specifically do you mean by "system privileges"?  Which specific
> privileges are you referring to?
>
> Ultimately, my goal is to have a component which runs in Inetinfo (a .NET C#
> component) impersonate using a more privileged account context to make calls
> to the database.  Does this mean I need to enable SE_TCB_NAME for the
> Inetinfo process (or for the ASP.NET surrogate process)?
> And is this a security risk (which I'm trying to avoid)...?
>
> Thank you.
>
>
> "D. Cross [MS]" <vaq130@hotmail.com> wrote in message
> news:OSCdIHBMCHA.2368@tkmsftngp10...
> > Is the server joined to a domain?  I believe you will require system
> > privileges to impersonate in a domain.
> >
> > --
> >
> > David B. Cross [MS]
> >
> > --
> > This posting is provided "AS IS" with no warranties, and confers no rights.
> >
> > "Colin Reinhardt" <colinrei@oz.net> wrote in message
> > news:#J8HQ64LCHA.2656@tkmsftngp13...
> > > On Win2K Server (SP1), it seems that I cannot successfully call LogonUser( )
> > > if the process is running as a security context which does not already have
> > > the SE_TCB_NAME privilege (aka "Act as part of the operating system").  The
> > > privilege need not be enabled, just must be on the token...
> > >
> > > How then can I do the following:  I want to have a process which runs by
> > > default as an unprivileged account (for example, Inetinfo process).
> > > This process receives logon requests from users, and when they securely
> > > provide their account credentials, it impersonates them using a potentially
> > > more privileged account (based on the credentials they provide) by making a
> > > call to LogonUser and creating an impersonating thread...
> > >
> > > This scenario works "correctly" in XP Pro.  How can I make the same work in
> > > Win2K Server?
> > >
> > > Please help!
> > >
> > > Colin Reinhardt
> > > software engineer
> > > colinr@transenda.com
> > >
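The pattern Colin describes (an unprivileged process calls LogonUser with credentials it received, impersonates the resulting token for one call, then reverts), written out as an added example; this is not code from the thread or from any of the posters. It targets .NET Framework, where WindowsIdentity.Impersonate is available, and the domain, user name and password are placeholders. The one check a practitioner wants is built in: when LogonUser fails with Win32 error 1314 (ERROR_PRIVILEGE_NOT_HELD), that is the symptom Joe's reply points at, the calling process token does not carry SeTcbPrivilege (SE_TCB_NAME), which W2K requires for LogonUser.

```csharp
// Added example, not from the original thread.  Domain/user/password are placeholders.
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;
using System.Security.Principal;

static class Impersonator
{
    const int LOGON32_LOGON_NETWORK    = 3;    // cheapest logon type; use 2 (INTERACTIVE) if a local token is needed
    const int LOGON32_PROVIDER_DEFAULT = 0;
    const int ERROR_PRIVILEGE_NOT_HELD = 1314; // "A required privilege is not held by the client"

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LogonUser(string user, string domain, string password,
                                 int logonType, int logonProvider, out IntPtr token);

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr handle);

    // Runs 'work' on the current thread under the security context of the supplied
    // credentials, then reverts to the process identity whatever happens.
    public static void RunAs(string domain, string user, string password, Action work)
    {
        IntPtr token;
        if (!LogonUser(user, domain, password, LOGON32_LOGON_NETWORK, LOGON32_PROVIDER_DEFAULT, out token))
        {
            int err = Marshal.GetLastWin32Error();
            if (err == ERROR_PRIVILEGE_NOT_HELD)
                throw new InvalidOperationException(
                    "LogonUser failed with ERROR_PRIVILEGE_NOT_HELD (1314): the calling process " +
                    "token does not carry SeTcbPrivilege (SE_TCB_NAME), which W2K requires.");
            throw new Win32Exception(err);
        }
        try
        {
            // WindowsIdentity(IntPtr) duplicates the token; Impersonate() wraps
            // ImpersonateLoggedOnUser and Dispose()/Undo() wraps RevertToSelf.
            using (WindowsImpersonationContext ctx = new WindowsIdentity(token).Impersonate())
            {
                work();
            } // reverted here even if work() throws
        }
        finally
        {
            CloseHandle(token); // release the original logon token handle
        }
    }

    static void Main()
    {
        Console.WriteLine("Process runs as:  " + WindowsIdentity.GetCurrent().Name);
        RunAs("CORP", "dbuser", "P@ssw0rd", delegate
        {
            // Inside here the thread token is the impersonation token; a database
            // connection opened with Integrated Security=SSPI will authenticate as CORP\dbuser.
            Console.WriteLine("Thread now runs as: " + WindowsIdentity.GetCurrent().Name);
        });
        Console.WriteLine("Reverted to:      " + WindowsIdentity.GetCurrent().Name);
    }
}
```

Keep the impersonated region as small as the database call itself and always revert in a finally-style construct: a thread that stays impersonated after the call returns keeps the more privileged context for whatever runs next on it, which is the risk Colin is trying to avoid.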