Re: LocalSystem service, share, null session, ...

From: Pavel Lebedinsky (m_pll)
Date: 05/15/04


Date: Fri, 14 May 2004 19:48:42 -0700

In a native Win2K domain the default authentication
protocol should be Kerberos, which allows LocalSystem
to authenticate over the network using the machine AD
account (DOMAIN\MACHINENAME$).

If this is what happens in your case then your service
is not actually using NULL sessions - it's authenticating
just like any regular account would.

In the case where it doesn't work it could be because
the domain is not native Win2K (e.g. you have NT4 DCs),
or something else prevents Kerberos from being used.

If you enable auditing of account logons you should be
able to get more information in the security event log,
such as what authentication protocol is used
(Kerberos/NTLM), what account the service is trying to
authenticate as, etc.

"Nicolas Cadilhac" wrote:

> Hi,
>
> this is a tricky problem I have, related to the network (made of w2k
> machines). Here it is:
>
> On our corporate network, I have a service that I developed that runs as
> LocalSystem. This service uses CreateProcess to run a tool that accesses a
> remote share. It works, knowing that the share has "everyone" in its
> permissions. Maybe the fact that null sessions are allowed helps (I see that
> in the local policies in the administrative tools, or directly in the
> registry).
>
> On another side, I have a customer that installs my service but the tool
> that is run by CreateProcess fails somewhere (the share is also for
> everyone). I wonder if his network configuration is different... When he
> uses the service as a user, it works. If I give him a standalone version of
> the service run by the user, it works.
> On my machine where the share is, I tried to disable null session access
> (wanting to reproduce his problem), but the service still continues to work
> while accessing the share !! (a call to net use \\machine\ipc$ "" /user:""
> fails).
> Why does it continue to work ?
>
> Except the problem of allowing or not null sessions, what else could I check
> to see differences on both networks ?
>
> Thanks a lot for your help
>
> Nicolas
>
>
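
The check suggested in the reply above (read the security event log to see which protocol and which account a network logon used) can be scripted; the following is an added example, not code from either poster. It assumes the share host's logon events were exported as text, and the sample entries are constructed, modelled on the field names of the Windows 2000 "Successful Network Logon" event (ID 540); all machine, domain and user names are made up.

```python
import re

# Constructed sample: three entries laid out like Windows 2000
# "Successful Network Logon" event descriptions. All names are made up.
SAMPLE_LOG = """\
Successful Network Logon:
    User Name: APPSRV01$
    Domain: CORP
    Logon Process: Kerberos
    Authentication Package: Kerberos

Successful Network Logon:
    User Name: ANONYMOUS LOGON
    Domain: NT AUTHORITY
    Logon Process: NtLmSsp
    Authentication Package: NTLM

Successful Network Logon:
    User Name: jsmith
    Domain: CORP
    Logon Process: NtLmSsp
    Authentication Package: NTLM
"""

FIELD = re.compile(r"^\s*([^:\n]+):[ \t]*(.*)$", re.M)

def parse_events(text):
    """Split on blank lines and turn each 'Name: value' line into a dict entry."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {k.strip(): v.strip() for k, v in FIELD.findall(block)}
        if "User Name" in fields:
            events.append(fields)
    return events

def classify(ev):
    """Return (account, protocol, kind) for one network logon entry."""
    user, pkg = ev["User Name"], ev.get("Authentication Package", "").upper()
    proto = "kerberos" if pkg == "KERBEROS" else "ntlm" if pkg.startswith("NTLM") else "other"
    if user.upper() == "ANONYMOUS LOGON":
        kind = "null session"        # no credentials presented
    elif user.endswith("$"):
        kind = "machine account"     # LocalSystem authenticating as DOMAIN\MACHINENAME$
    else:
        kind = "user account"
    return f'{ev.get("Domain", "")}\\{user}', proto, kind

def summarize(text):
    return [classify(ev) for ev in parse_events(text)]
```

Run against the log of the machine hosting the share, a LocalSystem service that shows up as a machine account over Kerberos is not relying on null sessions, which matches the behaviour described in the reply.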


