In a service impersonating a client (using ImpersonateNamedPipeClient), I try to call CreateProcessAsUser. The executable filename is a UNC path located on a third computer (neither the server, nor the client connected to the pipe).

The call fails with the error code 5 (ACCESS DENIED). I tried to use WNetAddConnection2 to authenticate the client from the client (in the context of the token which will be impersonated) before the server calls ImpersonateNamedPipeClient, but I still get the same error.

How may I authenticate the impersonated account (given the fact that the server only has the impersonation token) in order to gain access to the executable?

A: 

My Win32 is rather rusty so this may be a shot in the dark, but have you tried using the CreateProcessAsUser function instead of CreateProcess? According to the MSDN Documentation it will operate on a restricted token. If I recall correctly, an impersonation token should suffice.

Hope that helps.

Jesse Squire
I made a mistake in my question; of course I use CreateProcessAsUser. The point is that the token obtained from ImpersonateNamedPipeClient cannot access the network. (I edited my question.)
Manu
The user being impersonated needs network access, as well as needs to have permissions on the third machine. Are both of those true in your case?
Remy Lebeau - TeamB
A: 

CreateProcessAsUser() needs a primary token, not an impersonated token. You can use DuplicateTokenEx() to get a primary token from an impersonated token. The documentation for CreateProcessAsUser() even says as much.

Remy Lebeau - TeamB
Thanks for your help. I already use DuplicateTokenEx. I've just changed the impersonation level from SecurityImpersonation to SecurityDelegation but I still get the same error if the executable is remote.
Manu