How CreateProcessAsUser on Windows Using Delegated Credentials from SSPI? - c++

I work on a Kerberos logon infrastructure (Single Sign-On) with:
A client which is authenticated to the Kerberos Key Distribution
Center.
A principal service server using Kerberos as authentication.
Server Program is coded in C++.
I have no problem to create a context between my principal (client) and my service principal (server).
I also delegated my client credentials to the server, because I need to create a process on the server using client user credentials.
And this is my problem, on the server side, I have a SSPI context and I need to CreateProcessAsUser using a Windows type pHandle.
I do not know how to use my SSPI credentials to create on my server a process as the client user.
I take a look at LsaLogonUser, which seems to do what I want (create a handle from kerberos user credentials) but my problem is the same, I do not know how to use the SSPI Token with this LsaLogonUser.
Thanks in Advance, for your help

Though it is very late but you could obtain a token by doing following:
HANDLE tempHandle;
if (!QuerySecurityContextToken(hctxt, &tempHandle))
{
MyDbg("Could not obtain token for user");
}

I just posted a question regarding something related to what you are doing. I am using a session 0 Windows service to launch an application into session 1. The code I used (and asked about) is included in that post, and works well except that paths normally available to a user in session 1 are not accessible when launced this way. In any case, Even though I have some questions about this code, I hope it can start you on the right path.
Ryyker

I finally found a solution to my problem.
The best way to do it is to:
write delegated credentials in a temporary file.
set KRB5CCNAME environment variable to the path of this file.
It Works ;)

Related

is it possible to use LogonUser API without password?

I am developing a c++ application and this application runs as a windows service.
I need to impersonate the current user to access the network location and for this I am using Windows API LogonUser and ImpersonateLoggedOnUser.
The problem is that I only have username and domain information but not the password. So is it possible to call the LogonUser without providing the password to get the user handle?
No, that would be a rather obvious security leak.
You may however use a named pipe between a UI process for the current user and your service. Your service can then impersonate the other side of the named pipe. This is secure because you control both ends of the pipe.

adding username and password Token to WSSecurity web service call (.net client)

Hey there code warriors and stack exchangers.
I have been trying in vain to set credentials for a web service. I wrote the webservice in Websphere (java ee) and it requires a username and password in the header for any of the services to be called. I can run it fine in SOAP UI, but I need to be able to hit it from a .net web client.
So far I have tried setting the credentials like so...
dlc.ClientCredentials.UserName.UserName = "idiotCreds";
dlc.ClientCredentials.UserName.Password = "someWhackyPWD";
And so far I have just recieved this exception
security.wssecurity.WSSContextImpl.s02: com.ibm.websphere.security.WSSecurityException: Exception org.apache.axis2.AxisFault: CWWSS6500E: There is no caller identity candidate that can be used to login. ocurred while running action: com.ibm.ws.wssecurity.handler.WSSecurityConsumerHandler$1#42304230
Which I am guessing is telling me that there are no credentials being set...
Even though I set the client credentials. Do I need to create and add a soap header manually here? I thought that was supposed to be handled by that client object? Any ideas fellas? Thanks
The question and answer in this SO thread will provide those who seek answers with the solutions they need.
https://stackoverflow.com/a/12159837/729820

Passing user credentials to a Webservice

We have a website that calls a remote web service. This web service is stateless and needs the credentials every time to get the data back. How do we pass the credentials back and forth? for example a call to
string GetAddress( userid,password)
Is it ok to store the credentials in a session and pass them across https in post ? What is the best way to do this?
According to me it is ok to use session as they will be at server.
another alternative as per me I dont know it will be useful to you or not but use XML to share credential. I have used such application on my previous project so on that basis I am suggesting you to use xml. OR session over ssl will also be good..
Check it if better way exists.

KRB_AP_REQ ticket from SSPI

I have a Linux server application that is using Kerberos for client authentication and client that needs to run on Windows. Kerberos tickets are issued by Windows Active Directory. Client authenticates successfully on server if I use MIT KfW 3.2.2. API for retrieving AS and TGS tickets from Kerberos server and store them in kerberos credentials store. But the problem with this approach is that user needs to input his credentials again.
The solution would be to access MS LSA store but this does not work. Neither does ms2mit.exe application. It does not matter if I run it as normal user or as administrator, or if I disable UAC completely.
This is why I would like to use SSPI on client to make the KRB_AP_REQ message which I would send to server. Is that possible. If yes how can it be done? IF no, what are my other options? Please note that server is already built and it would require significant effort to change it, therefore I would like to find a solution on windows.
You can use the AquireCredentialsHandle and InitializeSecurityContext functions of the windows SSPI subsystem to get a valid ticket and authenticate against a Linux based server.
First use AcquireCredentialsHandle() and than use multiple calls to InitializeSecurityContext with the tokens you get from your server until your authenticated.

Using DefaultCredentials and DefaultNetworkCredentials

We're having a hard time figuring how these credentials objects work. In fact, they may not work how we expected them to work. Here's an explanation of the current issue.
We got 2 servers that needs to talk with each other through webservices. The first one (let's call it Server01) has a Windows Service running as the NetworkService account. The other one Server02 has ReportingServices running with IIS 6.0. The Windows Service on Server01 is trying to use the Server02 ReportingServices WebService to generate reports and send them by email.
So, here's what we tried so far.
Setting the credentials at runtime (This works perfectly fine):
rs.Credentials = new NetworkCredentials("user", "pass", "domain");
Now, if we could use a generic user all would be fine, however... we are not allowed to. So, we are trying to use the DefaultCredetials or DefaultNetworkCredentials and pass it to the RS Webservice:
rs.Credentials = System.Net.CredentialCache.DefaultNetworkCredentials
Or:
rs.Credentials = System.Net.CredentialCache.DefaultCredentials
Either way won't work. We're always getting 401 Unauthrorized from IIS. Now, what we know is that if we want to give access to a resource logged as NetworkService, we need to grant it to DOMAIN\MachineName$ (http://msdn.microsoft.com/en-us/library/ms998320.aspx):
Granting Access to a Remote SQL Server
If you are accessing a database on another server in the same domain (or in a trusted domain), the Network Service account's network credentials are used to authenticate to the database. The Network Service account's credentials are of the form DomainName\AspNetServer$, where DomainName is the domain of the ASP.NET server and AspNetServer is your Web server name.
For example, if your ASP.NET application runs on a server named SVR1 in the domain CONTOSO, the SQL Server sees a database access request from CONTOSO\SVR1$.
We assumed that granting access the same way with IIS would work. However, it does not. Or at least, something is not set properly for it to authenticate correctly.
So, here are some questions:
We've read about "Impersonating Users" somewhere, do we need to set this somewhere in the Windows Service ?
Is it possible to grant access to the NetworkService built-in account to a remote IIS server ?
Thanks for reading!
All details you need are included in this very old article
In short, when you find it confusing to troubleshoot issues like this, you should first review the technical details behind ASP.NET impersonation carefully.
Here are some things you could check out:
- set an SPN (Service Principal Name) for the reporting service; you can find good examples in google;
- Allow delegation (ClientCredentials.Windows.AllowImpersonationLevel)
Is the problem that you're failing to authenticate to IIS, or failing to authenticate to SSRS? The DOMAIN\MachineName$ account may need to be granted permission in SSRS to run the report you're trying to automate.
SSRS usually does a pretty good job of getting IIS configured correctly, so you shouldn't need to mess with those settings. I double-checked my installation (which is SSRS 2005, things may have worked differently in SSRS 2000 and you didn't say which version you're running), and it's set to use Windows authentication and has impersonation enabled. That means IIS should basically just be authenticating your credentials (validating a correct username/password), not authorizing (determining whether that user has permission to run the report in question). IIS then passes the credentials on to SSRS, which has its own settings for determining what accounts have permission to view reports.
Also, you can automate sending reports on a scheduled basis directly in SSRS, so you may not need the Windows service at all if your scheduling is fairly basic (i.e., daily, weekly, etc.).