recovering password stored with reversible encryption?

E

Eric Pearson

I have a server application which needs to log on as a configurable local
user for anonymous access, exactly like IIS does with the IUSR_XXX account.
I understand local passwords can be stored with "reversible encryption".
My question is, how can I retrieve the plaintext password so I can perform
LogonUser with that user and retrieve a token?

Or if I know the username of a local account, how can I perform LogonUser
and retrieve a token
 
K

Karl Levinson

AFAIK, the "reversible encryption" scheme is not openly published outside of
Microsoft. In most cases, you should NOT be enabling it, it is for specific
uses.

As the article you posted shows, you can fix your problem if you "turn off
the "Enable Automatic Password Synchronization" option or "Allow IIS to
Control Password" option in the Internet Service Manager. Be sure that you
reset the password in User Manager to ensure that it is correct for this
user account."

But also note this:

http://securityadmin.info/faq.asp#iwam

Like the IUSR account, a copy of the IWAM account password is stored in the
IIS metabase, so that IIS can log on as the IWAM account. IIS cannot log on
as IWAM and/or IUSR if the password in the IIS metabase does not match the
actual password for that user ID in the Windows security database.

The ADSUTIL.VBS command can be used to retrieve or change the IWAM and/or
IUSR ID and/or password stored in the IIS metabase. For example, you may
need to use the command "ADSUTIL GET" to get the IWAM password from the
metabase, then use the Windows 2000 / XP / .NET Local Users and Groups MMC
to change the password on the IWAM account to match.

More information on using the ADSUTIL.VBS command can be found in the
articles below:

http://support.microsoft.com/?kbid=297989
http://support.microsoft.com/?kbid=296851
 
E

Eric Pearson

actually the article pointed out a much better solution... since I need to
get a login token for an account i create (not IUSER or IWAM), I can just
create a subauthentication module, so that when I call LogonUser, windows
in turn will call MY dll to perform the authentication.



Hello Karl,
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Members online

No members online now.

Forum statistics

Threads
473,744
Messages
2,569,482
Members
44,901
Latest member
Noble71S45

Latest Threads

Top