INTERACTIVE group missing after SSPI auth
Sami J. Lehtinen
Posted: Wed Nov 02, 2005 1:50 pm    Post subject: INTERACTIVE group missing after SSPI auth

Resending with the generated MSDN email address
---

After SSPI-authentication (CompleteAuthToken() has returned
successfully) I get the user's access token by running
ImpersonateSecurityContext(), then getting the token with
OpenThreadToken(). I use DuplicateTokenEx() to make a primary token, so
I can use it with CreateProcessAsUser().

The problem I am encountering is that the access token is missing the
INTERACTIVE token group. This group is required for regular users on
Windows 2003 Server to access the WINDOWS\System32 directory. Using the
access token gotten from the gss-api negotiation I cannot run cmd.exe
for the user, as I can after LogonUser().

Is it possible to add the INTERACTIVE group to the token somehow, or
otherwise instruct SSPI to give me a token with the group in there?

If no workaround is possible, can you direct me to documentation or
white-paper on this 2003 feature? If the token manipulation is
impossible, this becomes a known issue, and I'd like some formal
documentation why this has been changed in Windows 2003.

--
sjl@ssh.com
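
A diagnostic for the symptom described in the post, as an added example that is not part of the original post: it checks a token's group SIDs for the well-known INTERACTIVE (S-1-5-4) and NETWORK (S-1-5-2) groups. The byte-level check is portable and runs here on constructed SIDs; the function names and the `_WIN32` wrapper that feeds it from `GetTokenInformation(TokenGroups)` are assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Well-known logon-type RIDs under NT AUTHORITY (S-1-5-<rid>). */
enum { RID_NETWORK = 2, RID_INTERACTIVE = 4 };

/* Binary SID layout: revision(1) | sub-authority count(1) |
 * identifier authority (6, big-endian) | sub-authorities (4 each, little-endian).
 * Returns the RID of a one-sub-authority S-1-5-<rid> SID, or -1 for any other SID. */
int64_t nt_authority_rid(const uint8_t *sid, size_t len)
{
    static const uint8_t nt_auth[6] = {0, 0, 0, 0, 0, 5};
    if (sid == NULL || len < 12 || sid[0] != 1 || sid[1] != 1) return -1;
    if (memcmp(sid + 2, nt_auth, sizeof nt_auth) != 0) return -1;
    return (int64_t)((uint32_t)sid[8] | (uint32_t)sid[9] << 8 |
                     (uint32_t)sid[10] << 16 | (uint32_t)sid[11] << 24);
}

/* Returns 1 if any of the n SIDs is S-1-5-<rid>, else 0. */
int groups_contain_rid(const uint8_t *const *sids, const size_t *lens, size_t n, uint32_t rid)
{
    for (size_t i = 0; i < n; i++)
        if (nt_authority_rid(sids[i], lens[i]) == (int64_t)rid) return 1;
    return 0;
}

/* Constructed sample SIDs (not taken from a real token). */
const uint8_t SID_NETWORK[]     = {1, 1, 0, 0, 0, 0, 0, 5, 2, 0, 0, 0};               /* S-1-5-2 */
const uint8_t SID_INTERACTIVE[] = {1, 1, 0, 0, 0, 0, 0, 5, 4, 0, 0, 0};               /* S-1-5-4 */
const uint8_t SID_USERS[]       = {1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 33, 2, 0, 0}; /* S-1-5-32-545 */

#ifdef _WIN32
#include <windows.h>
/* Windows only: 1/0 for membership, -1 if the groups cannot be read (needs TOKEN_QUERY). */
int token_has_rid(HANDLE token, uint32_t rid)
{
    DWORD need = 0;
    int found = 0;
    GetTokenInformation(token, TokenGroups, NULL, 0, &need); /* size query */
    TOKEN_GROUPS *tg = need ? malloc(need) : NULL;
    if (!tg || !GetTokenInformation(token, TokenGroups, tg, need, &need)) { free(tg); return -1; }
    for (DWORD i = 0; i < tg->GroupCount && !found; i++)
        found = nt_authority_rid((const uint8_t *)tg->Groups[i].Sid,
                                 GetLengthSid(tg->Groups[i].Sid)) == (int64_t)rid;
    free(tg);
    return found;
}
#endif
```

On Windows, calling `token_has_rid()` on the duplicated primary token for both `RID_INTERACTIVE` and `RID_NETWORK` shows which logon-type group the token actually carries before it is handed to `CreateProcessAsUser()`.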
All times are GMT