Re: A service's threads outgoing security:how to manage?
From: Willy Denoyette [MVP] (willy.denoyette_at_telenet.be)
Date: 11/23/05
- Next message: ronmotta_at_globo.com: "How to Check SQL 7 Encryption is Working?"
- Previous message: Mark Randall: "Re: BRILLIANT!!"
- In reply to: Manfred Braun: "Re: A service's threads outgoing security:how to manage?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Wed, 23 Nov 2005 20:09:46 +0100
Glad to help you out with this.
Note that it's better to use LOGON32_PROVIDER_WINNT50 in all cases, that way
you are sure Kerberos is used as protocol.
Willy.
"Manfred Braun" <aa@bb.cc> wrote in message
news:OyjjAGS8FHA.252@TK2MSFTNGP15.phx.gbl...
> Hello Willy!
>
> Thank you very, very much! That saved my soul. Under Windows 2003 Server,
> this works with the LOGON32_PROVIDER_DEFAULT, but under Windows 2000 I have
> to use LOGON32_PROVIDER_WINNT50. My code can now access the registry
> remotely!!
>
> Much thanks and
> best regards,
> Manfred
>
> "Willy Denoyette [MVP]" <willy.denoyette@telenet.be> wrote in message
> news:e1%23xRnN8FHA.744@TK2MSFTNGP10.phx.gbl...
>> Use LogonUser with LOGON32_LOGON_NEW_CREDENTIALS (dwLogonType = 9) as
>> logon type; this logon type clones the current token and uses the
>> credentials specified (username, machine name and password) for outbound
>> connections only.
>>
>> Say your current process runs as "BOB" and you call LogonUser specifying
>> ALICE's credentials; after impersonating, local resources will be accessed
>> using BOB's token while remote resources will be accessed using ALICE's
>> token.
>>
>> Willy.
>> PS note that this requires W2K, XP, W2K3 or higher.
>>
>>
>> "Manfred Braun" <aa@bb.cc> wrote in message
>> news:u7oJhVG8FHA.3544@TK2MSFTNGP09.phx.gbl...
>> > Hi Willy,
>> >
>> > you could possibly help. In my situation, I cannot use "LogonUser",
>> > because the credentials I have to access the remote machine are not valid
>> > locally. The service is running with an account which is authorized to
>> > access some remote machines [domain members from my domain] and in this
>> > case, I have just nothing to do. And for the others, I cannot manage [from
>> > my security privileges] the trust relationship between the domains. But
>> > with the known credentials, I can access network resources manually, like
>> > shares, from my domain. What I need is a method to access a registry
>> > remotely and I have to write to the remote eventlog; I'll not use WMI for
>> > this [which would allow me to impersonate]. I just want something to
>> > establish a secure channel/logon to the remote box so that I can access
>> > different resources there.
>> >
>> > Any help would be really great!
>> > Is this type of functionality possibly part of .Net 2.0 ??
>> >
>> > Thanks so far
>> > and best regards,
>> > Manfred
>> >
>> > "Willy Denoyette [MVP]" <willy.denoyette@telenet.be> wrote in message
>> > news:eDGnQTs7FHA.3636@TK2MSFTNGP09.phx.gbl...
>> >> Manfred,
>> >> Your thread doesn't run as the user you specified for your DirectoryEntry
>> >> call; the call only creates a network logon session for the connection
>> >> with remComp, that is, the client thread uses the token obtained to
>> >> connect and access the network resource, but this token is not carried
>> >> over to your threadpool thread. TP threads always use the process token
>> >> unless you are explicitly impersonating (calling LogonUser(),
>> >> Impersonate()). So, what you need to do is either impersonate or run your
>> >> service as a dedicated user with appropriate access privileges to all
>> >> remote servers.
>> >>
>> >> Willy.
>> >>
>> >> "Manfred Braun" <aa@bb.cc> wrote in message
>> >> news:u9qf2Js7FHA.3804@TK2MSFTNGP12.phx.gbl...
>> >> > Hello Dave
>> >> >
>> >> > and much thanks first. But the problem is another. Because there are
>> >> > trusts between the domains, the running user is not of any importance
>> >> > and I need to explicitly specify credentials [which are different for
>> >> > different computers I connect to]. I create a session with:
>> >> >
>> >> > DirectoryEntry de = new DirectoryEntry("WinNT://remComp,computer",
>> >> >     user, pass, AuthenticationTypes.Secure);
>> >> >
>> >> > This works well and I can read the properties of the computer object
>> >> > from the remote box, even though my running user does not have
>> >> > [implicit] permissions. Now, with the established session, I try to
>> >> > modify the remote registry with:
>> >> >
>> >> > System.Diagnostics.EventLog.CreateEventSource(
>> >> >     ec.dynConf.eventlogSourcename,
>> >> >     "Application",
>> >> >     "remComp"
>> >> > );
>> >> >
>> >> > which fails with "General Access Denied Error". So my thread [which is
>> >> > from the threadpool] lost the permissions somewhere !!!!
>> >> >
>> >> > Thanks so far and
>> >> > best regards,
>> >> > Manfred
>> >> >
>> >> > "D. Yates" <foeman@hotmail.com> wrote in message
>> >> > news:OD85Yur7FHA.1140@tk2msftngp13.phx.gbl...
>> >> >> Manfred,
>> >> >>
>> >> >> The problem is probably the service's permissions. You need to have
>> >> >> your service run as a user with permission to access the remote
>> >> >> computer. Do a google search on Service Permission and you will get a
>> >> >> lot of hits.
>> >> >>
>> >> >> Dave
>> >> >>
>> >> >> "Manfred Braun" <aa@bb.cc> wrote in message
>> >> >> news:%23G94Agp7FHA.1864@TK2MSFTNGP12.phx.gbl...
>> >> >> > Hello All!
>> >> >> >
>> >> >> > I am writing a management application, which has to access remote
>> >> >> > machines' registry via System.Diagnostics.EventLog.CreateEventSource
>> >> >> > [which is effectively a registry access].
>> >> >> >
>> >> >> > For each machine I connect to, I create a DirectoryEntry and connect
>> >> >> > to that machine specifying credentials. That's because the running
>> >> >> > user does not have the right permissions [working with different
>> >> >> > domains, no trusts]. The application is written in C# and the action
>> >> >> > taken is done with threads from the threadpool.
>> >> >> > After I created the "secure channel" with the help of the
>> >> >> > DirectoryEntry object, I do the CreateEventSource call, which fails
>> >> >> > with "General Access Denied Error".
>> >> >> >
>> >> >> > But this works fine if the application runs - while testing - as a
>> >> >> > console application, but fails if it runs as a service!!!! It does
>> >> >> > also not work if I run the app temporarily with the Task Scheduler.
>> >> >> >
>> >> >> > Because I cannot specify explicit credentials while accessing the
>> >> >> > registry, I have no idea what to do now. Access to the remote WMI
>> >> >> > service is well done specifying explicit credentials.
>> >> >> >
>> >> >> > I am running Windows Server 2003, en, SP1 and framework 1.1, SP1
>> >> >> >
>> >> >> > Any help would be great!!
>> >> >> > Sorry for crossposting; I am not sure what's the right/best group.
>> >> >> >
>> >> >> > Thanks so far and
>> >> >> > best regards,
>> >> >> > Manfred
>> >> >> > Mannheim
>> >> >> > Germany
>> >> >> >
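The pattern Willy describes, as an added example that is not code from the thread or from any of its posters: LogonUser with LOGON32_LOGON_NEW_CREDENTIALS (9) and, as recommended in the final reply, LOGON32_PROVIDER_WINNT50 (3), wrapped in an IDisposable so the impersonation is undone and the token handle closed. The class name RemoteCredentialScope, the event source name and the credential values are assumptions; "remComp" is the machine name used in the thread. Because impersonation is per thread, the scope is entered inside the work item that runs on the threadpool thread, which is the point Willy makes about TP threads using the process token.

```csharp
using System;
using System.ComponentModel;
using System.Diagnostics;
using System.Runtime.InteropServices;
using System.Security.Principal;
using System.Threading;

// Added example (not from the thread). Clones the process token and attaches
// different credentials for outbound connections only: local access keeps
// the service's own token, remote access (registry, event log) uses the
// supplied user. Class name and credential values are assumptions.
public sealed class RemoteCredentialScope : IDisposable
{
    const int LOGON32_LOGON_NEW_CREDENTIALS = 9; // clone token, new outbound creds
    const int LOGON32_PROVIDER_WINNT50 = 3;      // Negotiate: Kerberos where possible

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LogonUser(string lpszUsername, string lpszDomain,
        string lpszPassword, int dwLogonType, int dwLogonProvider, out IntPtr phToken);

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr hObject);

    IntPtr token = IntPtr.Zero;
    WindowsImpersonationContext ctx;

    public RemoteCredentialScope(string user, string domain, string password)
    {
        if (!LogonUser(user, domain, password,
                       LOGON32_LOGON_NEW_CREDENTIALS, LOGON32_PROVIDER_WINNT50, out token))
            throw new Win32Exception(Marshal.GetLastWin32Error());

        // Caveat: with NEW_CREDENTIALS the password is not validated here;
        // a wrong password only surfaces as access denied on the first remote
        // call. Check the result of that call, not just the logon.
        ctx = WindowsIdentity.Impersonate(token);
    }

    public void Dispose()
    {
        if (ctx != null) { ctx.Undo(); ctx = null; }
        if (token != IntPtr.Zero) { CloseHandle(token); token = IntPtr.Zero; }
    }
}

static class Program
{
    static void Main()
    {
        // Impersonation is per thread: enter the scope inside the work item,
        // not before queuing it, or the TP thread will still use the process token.
        ThreadPool.QueueUserWorkItem(delegate
        {
            // Placeholder credentials; a real service reads them from protected
            // configuration, never from source.
            using (new RemoteCredentialScope("remoteUser", "REMOTEDOMAIN", "placeholder"))
            {
                if (!EventLog.SourceExists("MySource", "remComp"))
                    EventLog.CreateEventSource("MySource", "Application", "remComp");
            }
        });
        Thread.Sleep(5000); // keep the demo process alive for the work item
    }
}
```

The scope is disposed before the work item returns so the pooled thread goes back to the pool with the process token, which avoids one thread's borrowed credentials leaking into unrelated work queued later.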