Hi all, There are lots of examples of using the LogonUser Win 32 API for impersonation/delegation. What I can't seem to extrapolate from all of this is what sort of security token is returned from LogonUser when I set the logonType LOGON32_LOGON_INTERACTIVE. All I know is that it doesn't seem to work with Integrated Windows Authentication.
Here is what I am trying to do in a nutshell: I have set up a Trusted Facade in our DMZ. It basically exposes a web method which wraps another web method targeting an endpoint within the inTRAnet. The Trusted Facade is an ASP.NET web service which requires a u/n and pw in the SOAP header. The SSL cert is mapped to an account that allows me to invoke PInvoke functions. ASP.NET impersonates this account. I don't want to invoke the inner web method call with this account so I need to impersonate an account that allows me to connect directly to the endpoint in the inTRAnet. The endpoint in the inTRAnet is IIS which is set to perform Integrated Windows Authentication. So I need to authenticate the u/n and pw in the SOAP header. Impersonate a identity that will allow me to make a call to the internal endpoint and be authenticated by the Integrated Windows Authentication. LogonUser seems like they way to go...but...
Apparently the session pointer reference from LogonUser does not provide me with the correct security token that will pass Integrated Windows Authentication (IWA). It works when I turn IWA off in IIS on the internal endpoint.
So one, is there a better way to do this or two, is there a way to get LogonUser to return a interactive session that will pass IWA in IIS on the web server in the inTRAnet I am calling to from the DMZ web server?
Thanks in advance.