INTERACTIVE group missing after SSPI auth
From: Sami J. Lehtinen (sjl_at_ssh.com)
Date: 10/28/05
- Next message: S. Pidgorny
: "Re: Kerberos V5 Authentication for a Telnet Session" - Previous message: Steven L Umbach: "Re: Kerberos V5 Authentication for a Telnet Session"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Fri, 28 Oct 2005 12:54:09 +0300
After SSPI-authentication (CompleteAuthToken() has returned
successfully) I get the user's access token by running
ImpersonateSecurityContext(), then getting the token with
OpenThreadToken(). I use DuplicateTokenEx() to make a primary token, so
I can use it with CreateProcessAsUser().
The problem I am encountering is that the access token is missing
INTERACTIVE token group. This group is required for regular users on
Windows 2003 Server to access the WINDOWS\System32 directory. Using the
access token gotten from the gss-api negotiation I cannot run cmd.exe
for the user, as I can after LogonUser().
Is it possible to add the INTERACTIVE group to the token somehow, or
otherwise instruct SSPI to give me a token with the group in there?
If no workaround is possible, can you direct me to documentation or
white-paper on this 2003 feature? If the token manipulation is
impossible, this becomes a known issue, and I'd like some formal
documentation why this has been changed in Windows 2003.
-- sjl@ssh.com
- Next message: S. Pidgorny
: "Re: Kerberos V5 Authentication for a Telnet Session" - Previous message: Steven L Umbach: "Re: Kerberos V5 Authentication for a Telnet Session"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
|
