Re: Win2000 Impersonation weirdness? (or is it a conundrum?)
From: Colin Reinhardt (colinrei@oz.net)
Date: 07/20/02
From: "Colin Reinhardt" <colinrei@oz.net> Date: Sat, 20 Jul 2002 10:52:42 -0700
Hi,
Yes, actually both test servers (the XP and the Win2K) are part of a
Windows 2000 domain.
But why does the XP box work (allowing LogonUser calls from a process
running without SE_TCB_NAME) while the Win2K does not?
Did the behavior intentionally change? If so, what was the rationale for
the change?
And what specifically do you mean by "system privileges"? Which specific
privileges are you referring to?
Ultimately, my goal is to have a component which runs in Inetinfo (a .NET C#
component) impersonate using a more privileged account context to make calls
to the database. Does this mean I need to enable SE_TCB_NAME for the
Inetinfo process (or for the ASP.NET surrogate process)?
And is this a security risk (which I'm trying to avoid)...?
Thank you.
"D. Cross [MS]" <vaq130@hotmail.com> wrote in message
news:OSCdIHBMCHA.2368@tkmsftngp10...
> Is the server joined to a domain? I believe you will require system
> privileges to impersonate in a domain.
>
> --
>
> David B. Cross [MS]
>
> --
> This posting is provided "AS IS" with no warranties, and confers no
> rights.
>
> "Colin Reinhardt" <colinrei@oz.net> wrote in message
> news:#J8HQ64LCHA.2656@tkmsftngp13...
> > On Win2K Server (SP1), it seems that I cannot successfully call
> > LogonUser() if the process is running as a security context which
> > does not already have the SE_TCB_NAME privilege
> > (aka "Act as part of the operating system"). The privilege need not be
> > enabled, just must be on the token...
> >
> > How then can I do the following: I want to have a process which runs by
> > default as an unprivileged account (for example, Inetinfo process).
> > This process receives logon requests from users, and when they securely
> > provide their account credentials, it impersonates them using a
> > potentially more privileged account (based on the credentials they
> > provide) by making a call to LogonUser and creating an impersonating
> > thread...
> >
> > This scenario works "correctly" in XP Pro. How can I make the same work
> > in Win2K Server?
> >
> > Please help!
> >
> > Colin Reinhardt
> > software engineer
> > colinr@transenda.com
>
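
The LogonUser-then-impersonate flow described in the quoted original post, as an added C# example (not code from the thread or from any poster). It assumes .NET Framework; the class name `LogonImpersonation`, the `Run` helper and the interactive logon type are illustrative choices, and it reports error 1314 (ERROR_PRIVILEGE_NOT_HELD) separately on the assumption that this is the failure a caller without the required privilege receives.

```csharp
// Added example, not code from the thread. Names and logon type are assumptions.
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;
using System.Security.Principal;

static class LogonImpersonation
{
    // Assumption: interactive logon; the account needs the matching logon right.
    const int LOGON32_LOGON_INTERACTIVE = 2;
    const int LOGON32_PROVIDER_DEFAULT = 0;
    const int ERROR_PRIVILEGE_NOT_HELD = 1314;

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LogonUser(string user, string domain, string password,
                                 int logonType, int logonProvider, out IntPtr token);

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr handle);

    // Runs 'work' on the calling thread as the supplied account, then reverts.
    public static void Run(string user, string domain, string password, Action work)
    {
        IntPtr token;
        if (!LogonUser(user, domain, password, LOGON32_LOGON_INTERACTIVE,
                       LOGON32_PROVIDER_DEFAULT, out token))
        {
            int err = Marshal.GetLastWin32Error();
            if (err == ERROR_PRIVILEGE_NOT_HELD)
                throw new UnauthorizedAccessException(
                    "LogonUser: the calling token lacks a required privilege " +
                    "(SE_TCB_NAME in the Win2K case described in the post).");
            throw new Win32Exception(err);   // bad credentials, logon right denied, ...
        }
        try
        {
            using (WindowsIdentity id = new WindowsIdentity(token))
            using (WindowsImpersonationContext ctx = id.Impersonate())
            {
                work();   // for example the database call; runs as the logged-on account
            }             // disposing ctx reverts the thread to the process identity
        }
        finally
        {
            CloseHandle(token);   // WindowsIdentity holds its own copy; close ours
        }
    }
}
```

Impersonation here is scoped to the calling thread for the duration of `work`, so the hosting process keeps its own unprivileged identity before and after the call.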