recovering password stored with reversible encryption?

Discussion in 'ASP .Net Security' started by Eric Pearson, Jun 2, 2006.

  1. Eric Pearson

    Eric Pearson Guest

    I have a server application which needs to log on as a configurable local
    user for anonymous access, exactly like IIS does with the IUSR_XXX account.
    I understand local passwords can be stored with "reversible encryption".
    My question is, how can I retrieve the plaintext password so I can perform
    LogonUser with that user and retrieve a token?

    Or if I know the username of a local account, how can I perform LogonUser
    and retrieve a token
    Eric Pearson, Jun 2, 2006
    #1
    1. Advertising

  2. Eric Pearson

    Eric Pearson Guest

    nevermind, a colleague pointed me to this handy link

    http://support.microsoft.com/?id=216828





    > I have a server application which needs to log on as a configurable
    > local
    > user for anonymous access, exactly like IIS does with the IUSR_XXX
    > account.
    > I understand local passwords can be stored with "reversible
    > encryption".
    > My question is, how can I retrieve the plaintext password so I can
    > perform
    > LogonUser with that user and retrieve a token?
    > Or if I know the username of a local account, how can I perform
    > LogonUser and retrieve a token?
    >
    Eric Pearson, Jun 2, 2006
    #2
    1. Advertising

  3. AFAIK, the "reversible encryption" scheme is not openly published outside of
    Microsoft. In most cases, you should NOT be enabling it, it is for specific
    uses.

    As the article you posted shows, you can fix your problem if you "turn off
    the "Enable Automatic Password Synchronization" option or "Allow IIS to
    Control Password" option in the Internet Service Manager. Be sure that you
    reset the password in User Manager to ensure that it is correct for this
    user account."

    But also note this:

    http://securityadmin.info/faq.asp#iwam

    Like the IUSR account, a copy of the IWAM account password is stored in the
    IIS metabase, so that IIS can log on as the IWAM account. IIS cannot log on
    as IWAM and/or IUSR if the password in the IIS metabase does not match the
    actual password for that user ID in the Windows security database.

    The ADSUTIL.VBS command can be used to retrieve or change the IWAM and/or
    IUSR ID and/or password stored in the IIS metabase. For example, you may
    need to use the command "ADSUTIL GET" to get the IWAM password from the
    metabase, then use the Windows 2000 / XP / .NET Local Users and Groups MMC
    to change the password on the IWAM account to match.

    More information on using the ADSUTIL.VBS command can be found in the
    articles below:

    http://support.microsoft.com/?kbid=297989
    http://support.microsoft.com/?kbid=296851


    "Eric Pearson" <> wrote in message
    news:...
    > nevermind, a colleague pointed me to this handy link
    >
    > http://support.microsoft.com/?id=216828
    >
    >
    >
    >
    >
    >> I have a server application which needs to log on as a configurable
    >> local
    >> user for anonymous access, exactly like IIS does with the IUSR_XXX
    >> account.
    >> I understand local passwords can be stored with "reversible
    >> encryption".
    >> My question is, how can I retrieve the plaintext password so I can
    >> perform
    >> LogonUser with that user and retrieve a token?
    >> Or if I know the username of a local account, how can I perform
    >> LogonUser and retrieve a token?
    >>

    >
    >
    Karl Levinson, Jun 3, 2006
    #3
  4. Eric Pearson

    Eric Pearson Guest

    actually the article pointed out a much better solution... since I need to
    get a login token for an account i create (not IUSER or IWAM), I can just
    create a subauthentication module, so that when I call LogonUser, windows
    in turn will call MY dll to perform the authentication.



    Hello Karl,

    > AFAIK, the "reversible encryption" scheme is not openly published
    > outside of Microsoft. In most cases, you should NOT be enabling it,
    > it is for specific uses.
    >
    > As the article you posted shows, you can fix your problem if you "turn
    > off the "Enable Automatic Password Synchronization" option or "Allow
    > IIS to Control Password" option in the Internet Service Manager. Be
    > sure that you reset the password in User Manager to ensure that it is
    > correct for this user account."
    >
    > But also note this:
    >
    > http://securityadmin.info/faq.asp#iwam
    >
    > Like the IUSR account, a copy of the IWAM account password is stored
    > in the IIS metabase, so that IIS can log on as the IWAM account. IIS
    > cannot log on as IWAM and/or IUSR if the password in the IIS metabase
    > does not match the actual password for that user ID in the Windows
    > security database.
    >
    > The ADSUTIL.VBS command can be used to retrieve or change the IWAM
    > and/or IUSR ID and/or password stored in the IIS metabase. For
    > example, you may need to use the command "ADSUTIL GET" to get the IWAM
    > password from the metabase, then use the Windows 2000 / XP / .NET
    > Local Users and Groups MMC to change the password on the IWAM account
    > to match.
    >
    > More information on using the ADSUTIL.VBS command can be found in the
    > articles below:
    >
    > http://support.microsoft.com/?kbid=297989
    > http://support.microsoft.com/?kbid=296851
    > "Eric Pearson" <> wrote in message
    > news:...
    >
    >> nevermind, a colleague pointed me to this handy link
    >>
    >> http://support.microsoft.com/?id=216828
    >>
    >>> I have a server application which needs to log on as a configurable
    >>> local
    >>> user for anonymous access, exactly like IIS does with the IUSR_XXX
    >>> account.
    >>> I understand local passwords can be stored with "reversible
    >>> encryption".
    >>> My question is, how can I retrieve the plaintext password so I can
    >>> perform
    >>> LogonUser with that user and retrieve a token?
    >>> Or if I know the username of a local account, how can I perform
    >>> LogonUser and retrieve a token
    Eric Pearson, Jun 7, 2006
    #4
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. Micah
    Replies:
    2
    Views:
    326
    Micah
    Jun 2, 2006
  2. Replies:
    15
    Views:
    611
    Ben Bacarisse
    Oct 14, 2007
  3. Reversible random generator ?

    , Oct 9, 2007, in forum: C Programming
    Replies:
    19
    Views:
    718
    Ben Bacarisse
    Oct 14, 2007
  4. Patrick Sabin

    Reversible Debugging

    Patrick Sabin, Jul 3, 2009, in forum: Python
    Replies:
    0
    Views:
    214
    Patrick Sabin
    Jul 3, 2009
  5. Patrick Sabin

    Re: Reversible Debugging

    Patrick Sabin, Jul 4, 2009, in forum: Python
    Replies:
    5
    Views:
    274
    Vilya Harvey
    Jul 4, 2009
Loading...

Share This Page