Velocity Reviews

Velocity Reviews (http://www.velocityreviews.com/forums/index.php)
-   ASP .Net Security (http://www.velocityreviews.com/forums/f62-asp-net-security.html)
-   -   Security permissions for Win32 LogonUser call. (http://www.velocityreviews.com/forums/t767288-security-permissions-for-win32-logonuser-call.html)

Ken Varn 03-28-2005 06:10 PM
Security permissions for Win32 LogonUser call.
 
I am running my ASP.NET page under IIS in Windows 2000 Pro. I need to make
a call to the Win32 LogonUser function to get a logon token. How can I get
security permission to do this while running under the MACHINE account for
ASP.NET?

--
-----------------------------------
Ken Varn
Senior Software Engineer
Diebold Inc.

EmailID = varnk
Domain = Diebold.com
-----------------------------------

Joe Kaplan \(MVP - ADSI\) 03-29-2005 03:51 PM
Re: Security permissions for Win32 LogonUser call.
 
Under Windows 2000, an account needs the Act As Part of the Operating System
privilege to call LogonUser. By default, only SYSTEM has this privilege as
it is very powerful and not something you want to give out lightly.

Another option you might want to consider in Win2K would be using SSPI.
I've seen a few .NET wrappers out there that will allow you to get a logon
token for a user without calling LogonUser. A Google search should turn
something up.

Alternately, you can also move to 2003 server where this restriction is
lifted.

Joe K.

"Ken Varn" <nospam> wrote in message
news:uJre1F8MFHA.2576@TK2MSFTNGP10.phx.gbl...
>I am running my ASP.NET page under IIS in Windows 2000 Pro. I need to make
> a call to the Win32 LogonUser function to get a logon token. How can I
> get
> security permission to do this while running under the MACHINE account for
> ASP.NET?
>
> --
> -----------------------------------
> Ken Varn
> Senior Software Engineer
> Diebold Inc.
>
> EmailID = varnk
> Domain = Diebold.com
> -----------------------------------
>
>

Dominick Baier [DevelopMentor] 03-31-2005 11:40 AM
Re: Security permissions for Win32 LogonUser call.
 
Hello Joe,

check this out for the SSPI workaround:
http://pluralsight.com/wiki/default....nForAUser.html


---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com

> Under Windows 2000, an account needs the Act As Part of the Operating
> System privilege to call LogonUser. By default, only SYSTEM has this
> privilege as it is very powerful and not something you want to give
> out lightly.
>
> Another option you might want to consider in Win2K would be using
> SSPI. I've seen a few .NET wrappers out there that will allow you to
> get a logon token for a user without calling LogonUser. A Google
> search should turn something up.
>
> Alternately, you can also move to 2003 server where this restriction
> is lifted.
>
> Joe K.
>
> "Ken Varn" <nospam> wrote in message
> news:uJre1F8MFHA.2576@TK2MSFTNGP10.phx.gbl...
>
>> I am running my ASP.NET page under IIS in Windows 2000 Pro. I need
>> to make
>> a call to the Win32 LogonUser function to get a logon token. How can
>> I
>> get
>> security permission to do this while running under the MACHINE
>> account for
>> ASP.NET?
>> --
>> -----------------------------------
>> Ken Varn
>> Senior Software Engineer
>> Diebold Inc.
>> EmailID = varnk
>> Domain = Diebold.com
>> -----------------------------------

Joe Kaplan \(MVP - ADSI\) 03-31-2005 03:32 PM
Re: Security permissions for Win32 LogonUser call.
 
Keith's SSPI sample uses NegotiateStream which is certainly cool, but
definitely only in .NET 2.0 right now. 1.x users will need a p/invoke
solution although I've seen several published here that should show up in a
Google search.

Joe K.

"Dominick Baier [DevelopMentor]" <dbaier@pleasepleasenospamdevelop.com>
wrote in message news:205957632478732355935744@news.microsoft.com.. .
> Hello Joe,
>
> check this out for the SSPI workaround:
> http://pluralsight.com/wiki/default....nForAUser.html
>
>
> ---------------------------------------
> Dominick Baier - DevelopMentor
> http://www.leastprivilege.com
>
>> Under Windows 2000, an account needs the Act As Part of the Operating
>> System privilege to call LogonUser. By default, only SYSTEM has this
>> privilege as it is very powerful and not something you want to give
>> out lightly.
>>
>> Another option you might want to consider in Win2K would be using
>> SSPI. I've seen a few .NET wrappers out there that will allow you to
>> get a logon token for a user without calling LogonUser. A Google
>> search should turn something up.
>>
>> Alternately, you can also move to 2003 server where this restriction
>> is lifted.
>>
>> Joe K.
>>
>> "Ken Varn" <nospam> wrote in message
>> news:uJre1F8MFHA.2576@TK2MSFTNGP10.phx.gbl...
>>
>>> I am running my ASP.NET page under IIS in Windows 2000 Pro. I need
>>> to make
>>> a call to the Win32 LogonUser function to get a logon token. How can
>>> I
>>> get
>>> security permission to do this while running under the MACHINE
>>> account for
>>> ASP.NET?
>>> --
>>> -----------------------------------
>>> Ken Varn
>>> Senior Software Engineer
>>> Diebold Inc.
>>> EmailID = varnk
>>> Domain = Diebold.com
>>> -----------------------------------
>
>
>

Dominick Baier [DevelopMentor] 03-31-2005 06:48 PM
Re: Security permissions for Win32 LogonUser call.
 
Hello Joe,

whoops. Microsoft makes us live in the future, all the time :)

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com

> Keith's SSPI sample uses NegotiateStream which is certainly cool, but
> definitely only in .NET 2.0 right now. 1.x users will need a p/invoke
> solution although I've seen several published here that should show up
> in a Google search.
>
> Joe K.
>
> "Dominick Baier [DevelopMentor]"
> <dbaier@pleasepleasenospamdevelop.com> wrote in message
> news:205957632478732355935744@news.microsoft.com.. .
>
>> Hello Joe,
>>
>> check this out for the SSPI workaround:
>> http://pluralsight.com/wiki/default....k/HowToGetATok
>> enForAUser.html
>> ---------------------------------------
>> Dominick Baier - DevelopMentor
>> http://www.leastprivilege.com
>>> Under Windows 2000, an account needs the Act As Part of the
>>> Operating System privilege to call LogonUser. By default, only
>>> SYSTEM has this privilege as it is very powerful and not something
>>> you want to give out lightly.
>>>
>>> Another option you might want to consider in Win2K would be using
>>> SSPI. I've seen a few .NET wrappers out there that will allow you to
>>> get a logon token for a user without calling LogonUser. A Google
>>> search should turn something up.
>>>
>>> Alternately, you can also move to 2003 server where this restriction
>>> is lifted.
>>>
>>> Joe K.
>>>
>>> "Ken Varn" <nospam> wrote in message
>>> news:uJre1F8MFHA.2576@TK2MSFTNGP10.phx.gbl...
>>>> I am running my ASP.NET page under IIS in Windows 2000 Pro. I need
>>>> to make
>>>> a call to the Win32 LogonUser function to get a logon token. How
>>>> can
>>>> I
>>>> get
>>>> security permission to do this while running under the MACHINE
>>>> account for
>>>> ASP.NET?
>>>> --
>>>> -----------------------------------
>>>> Ken Varn
>>>> Senior Software Engineer
>>>> Diebold Inc.
>>>> EmailID = varnk
>>>> Domain = Diebold.com
>>>> -----------------------------------


All times are GMT. The time now is 10:21 AM.

Powered by vBulletin®. Copyright ©2000 - 2013, vBulletin Solutions, Inc.
SEO by vBSEO ©2010, Crawlability, Inc.


1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57