Re: WindowsIdentity.Impersonate() vs ImpersonateLoggedOnUser()
From: Willy Denoyette [MVP] (willy.denoyette_at_pandora.be)
Date: 02/22/05
- Next message: DalePres: "Re: SQL Parameters"
- Previous message: Manfred Braun: "Re: WindowsIdentity.Impersonate() vs ImpersonateLoggedOnUser()"
- In reply to: BLiTZWiNG: "Re: WindowsIdentity.Impersonate() vs ImpersonateLoggedOnUser()"
- Messages sorted by: [ date ] [ thread ]
Date: Wed, 23 Feb 2005 00:49:33 +0100
See inline ***
Willy.
"BLiTZWiNG" <BLiTZWiNG@discussions.microsoft.com> wrote in message
news:FBF2AE74-5B9D-40C4-8528-2507A1314ECA@microsoft.com...
> To answer your questions:
>
> I refer to the DLL import functions as unmanaged, though this is probably
> incorrect to do so. So LogonUser, ImpersonateLoggedOnUser and RevertToSelf
> I
> refer to as unmanaged, and the .NET classes as managed.
>
*** No problem, just to be sure we are talking about the same thing.
> The OS I am connecting to is Windows 2003 Server in all cases. I assume
> the
> server is setup in a valid manner as I can copy files to it from my
> machine
> but only if I use unmanaged (I should start referring to it as imported)
> code.
>
> Note that I have since modified my code in the posted example to better
> handle the errors returned.
>
> Ok, structured test results:
>
> When calling LogonUser with LOGON32_LOGON_NETWORK (3) or
> LOGON32_LOGON_NETWORK_CLEARTEXT (8) and either 0 or 3 as the provider, the
> code fails at LogonUser with GetLastWin32Error being 1326 (Logon failure).
>
> When using a WindowsIdentity class and calling LogonUser with
> LOGON32_LOGON_NEW_CREDENTIALS (9) and either 0 or 3 as the provider, the
> code
> fails on WindowsIdentity.Impersonate(). The error code from
> GetLastWin32Error
> is 0, and the exception message is "Unable to impersonate user" on Windows
> XP. On Windows 2000 Professional the code fails at LogonUser with error
> code
> 1314 "A required privilege is not held by the client."
***
1. Not sure why WindowsIdentity.Impersonate(). works for me on XP SP2
running .NET v1.1 SP1, will try to investigate why it throws on you. Note
that LogonUser didn't fail, but aparantly Impersonate doesn't like the token
returned.
2. Windows 2000 needs the "Act as part of the operating system" privilege
(also called TCB privilege) in order to call LogonUser, this super privilege
is no longer required on XP and W2K3. This is very unfortunate, but unless
you are willing to spend some hard time to interop with the SSP API's there
is no other way to call LogonUser than enabling the TCB privilege for the
calling user account..
>
> When using DLL imported code ImpersonateLoggedOnUser and calling LogonUser
> with LOGON32_LOGON_NEW_CREDENTIALS (9) and either 0 or 3 as the provider,
> the
> code succeeds at copying the file on Windows XP. On Windows 2000
> Professional
> the code fails at LogonUser with error code 1314 "A required privilege is
> not
> held by the client."
*** See above for privilege error on W2K.
>
> This is the latest set of results, which now seem to be consistent as this
> whole testing process has had to suffer my learning curve. I was
> previously
> getting different errors on the 2k pro box, but it seems now that I know I
> need to use (9) that I can consistently get 1314 at LogonUser, which if I
> could fix would solve my immediate issue of needing to get the code
> working.
> However I still don't understand why WindowsIdentity.Impersonate() always
> fails.
*** To resume:
- Call LogonUser with Logontype 9 and preferaby specifying the Kerberos
authentication provider (3).
- Add user account to the TCB when running your code on W2K :-(
>
> Thanks.
>
> "Willy Denoyette [MVP]" wrote:
- Next message: DalePres: "Re: SQL Parameters"
- Previous message: Manfred Braun: "Re: WindowsIdentity.Impersonate() vs ImpersonateLoggedOnUser()"
- In reply to: BLiTZWiNG: "Re: WindowsIdentity.Impersonate() vs ImpersonateLoggedOnUser()"
- Messages sorted by: [ date ] [ thread ]
Relevant Pages
|
