Security permissions for Win32 LogonUser call.

Discussion in 'ASP .Net Security' started by Ken Varn, Mar 28, 2005.

  1. Ken Varn

    Ken Varn Guest

    I am running my ASP.NET page under IIS in Windows 2000 Pro. I need to make
    a call to the Win32 LogonUser function to get a logon token. How can I get
    security permission to do this while running under the MACHINE account for
    ASP.NET?

    --
    -----------------------------------
    Ken Varn
    Senior Software Engineer
    Diebold Inc.

    EmailID = varnk
    Domain = Diebold.com
    -----------------------------------
    Ken Varn, Mar 28, 2005
    #1

  2. Under Windows 2000, an account needs the Act As Part of the Operating System
    privilege to call LogonUser. By default, only SYSTEM has this privilege as
    it is very powerful and not something you want to give out lightly.

    Another option you might want to consider in Win2K would be using SSPI.
    I've seen a few .NET wrappers out there that will allow you to get a logon
    token for a user without calling LogonUser. A Google search should turn
    something up.

    Alternately, you can also move to 2003 server where this restriction is
    lifted.

    Joe K.

    "Ken Varn" <nospam> wrote in message
    news:...
    > I am running my ASP.NET page under IIS in Windows 2000 Pro. I need to make
    > a call to the Win32 LogonUser function to get a logon token. How can I get
    > security permission to do this while running under the MACHINE account for
    > ASP.NET?
    >
    > --
    > -----------------------------------
    > Ken Varn
    > Senior Software Engineer
    > Diebold Inc.
    >
    > EmailID = varnk
    > Domain = Diebold.com
    > -----------------------------------
    >
    >
    Joe Kaplan (MVP - ADSI), Mar 29, 2005
    #2
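
The failure described in the reply above, as an added C# example that is not part of the original thread: a P/Invoke call to LogonUser that reports a missing "Act As Part of the Operating System" privilege separately from bad credentials and does not leak the token handle. The names `TokenHelper` and `GetIdentity` are hypothetical.

```csharp
// Added illustration, not code from the thread. TokenHelper/GetIdentity are hypothetical names.
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;
using System.Security.Principal;

public static class TokenHelper
{
    const int LOGON32_LOGON_NETWORK = 3;       // network logon, no interactive session
    const int LOGON32_PROVIDER_DEFAULT = 0;
    const int ERROR_PRIVILEGE_NOT_HELD = 1314; // caller lacks a required privilege

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LogonUser(string user, string domain, string password,
        int logonType, int logonProvider, out IntPtr token);

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr handle);

    public static WindowsIdentity GetIdentity(string user, string domain, string password)
    {
        IntPtr token;
        if (!LogonUser(user, domain, password,
                       LOGON32_LOGON_NETWORK, LOGON32_PROVIDER_DEFAULT, out token))
        {
            // Read the error code immediately, before any other API call overwrites it.
            int err = Marshal.GetLastWin32Error();
            if (err == ERROR_PRIVILEGE_NOT_HELD)
            {
                // On Windows 2000 this is the result when the calling account
                // (for example the ASP.NET worker account) does not hold the
                // Act As Part of the Operating System privilege.
                throw new UnauthorizedAccessException(
                    "LogonUser failed: the calling account lacks a required privilege.");
            }
            throw new Win32Exception(err); // e.g. unknown user or bad password
        }

        try
        {
            // WindowsIdentity duplicates the token, so the original handle
            // can and should be closed here.
            return new WindowsIdentity(token);
        }
        finally
        {
            CloseHandle(token);
        }
    }
}
```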

  3. Hello Joe,

    check this out for the SSPI workaround:
    http://pluralsight.com/wiki/default.aspx/Keith.GuideBook/HowToGetATokenForAUser.html


    ---------------------------------------
    Dominick Baier - DevelopMentor
    http://www.leastprivilege.com

    > Under Windows 2000, an account needs the Act As Part of the Operating
    > System privilege to call LogonUser. By default, only SYSTEM has this
    > privilege as it is very powerful and not something you want to give
    > out lightly.
    >
    > Another option you might want to consider in Win2K would be using
    > SSPI. I've seen a few .NET wrappers out there that will allow you to
    > get a logon token for a user without calling LogonUser. A Google
    > search should turn something up.
    >
    > Alternately, you can also move to 2003 server where this restriction
    > is lifted.
    >
    > Joe K.
    >
    > "Ken Varn" <nospam> wrote in message
    > news:...
    >
    >> I am running my ASP.NET page under IIS in Windows 2000 Pro. I need to make
    >> a call to the Win32 LogonUser function to get a logon token. How can I get
    >> security permission to do this while running under the MACHINE account for
    >> ASP.NET?
    >> --
    >> -----------------------------------
    >> Ken Varn
    >> Senior Software Engineer
    >> Diebold Inc.
    >> EmailID = varnk
    >> Domain = Diebold.com
    >> -----------------------------------
    Dominick Baier [DevelopMentor], Mar 31, 2005
    #3
  4. Keith's SSPI sample uses NegotiateStream which is certainly cool, but
    definitely only in .NET 2.0 right now. 1.x users will need a p/invoke
    solution although I've seen several published here that should show up in a
    Google search.

    Joe K.

    "Dominick Baier [DevelopMentor]" <>
    wrote in message news:...
    > Hello Joe,
    >
    > check this out for the SSPI workaround:
    > http://pluralsight.com/wiki/default.aspx/Keith.GuideBook/HowToGetATokenForAUser.html
    >
    >
    > ---------------------------------------
    > Dominick Baier - DevelopMentor
    > http://www.leastprivilege.com
    >
    >> Under Windows 2000, an account needs the Act As Part of the Operating
    >> System privilege to call LogonUser. By default, only SYSTEM has this
    >> privilege as it is very powerful and not something you want to give
    >> out lightly.
    >>
    >> Another option you might want to consider in Win2K would be using
    >> SSPI. I've seen a few .NET wrappers out there that will allow you to
    >> get a logon token for a user without calling LogonUser. A Google
    >> search should turn something up.
    >>
    >> Alternately, you can also move to 2003 server where this restriction
    >> is lifted.
    >>
    >> Joe K.
    >>
    >> "Ken Varn" <nospam> wrote in message
    >> news:...
    >>
    >>> I am running my ASP.NET page under IIS in Windows 2000 Pro. I need to make
    >>> a call to the Win32 LogonUser function to get a logon token. How can I get
    >>> security permission to do this while running under the MACHINE account for
    >>> ASP.NET?
    >>> --
    >>> -----------------------------------
    >>> Ken Varn
    >>> Senior Software Engineer
    >>> Diebold Inc.
    >>> EmailID = varnk
    >>> Domain = Diebold.com
    >>> -----------------------------------

    >
    >
    >
    Joe Kaplan (MVP - ADSI), Mar 31, 2005
    #4
  5. Hello Joe,

    whoops. Microsoft makes us live in the future, all the time :)

    ---------------------------------------
    Dominick Baier - DevelopMentor
    http://www.leastprivilege.com

    > Keith's SSPI sample uses NegotiateStream which is certainly cool, but
    > definitely only in .NET 2.0 right now. 1.x users will need a p/invoke
    > solution although I've seen several published here that should show up
    > in a Google search.
    >
    > Joe K.
    >
    > "Dominick Baier [DevelopMentor]"
    > <> wrote in message
    > news:...
    >
    >> Hello Joe,
    >>
    >> check this out for the SSPI workaround:
    >> http://pluralsight.com/wiki/default.aspx/Keith.GuideBook/HowToGetATokenForAUser.html
    >> ---------------------------------------
    >> Dominick Baier - DevelopMentor
    >> http://www.leastprivilege.com
    >>> Under Windows 2000, an account needs the Act As Part of the
    >>> Operating System privilege to call LogonUser. By default, only
    >>> SYSTEM has this privilege as it is very powerful and not something
    >>> you want to give out lightly.
    >>>
    >>> Another option you might want to consider in Win2K would be using
    >>> SSPI. I've seen a few .NET wrappers out there that will allow you to
    >>> get a logon token for a user without calling LogonUser. A Google
    >>> search should turn something up.
    >>>
    >>> Alternately, you can also move to 2003 server where this restriction
    >>> is lifted.
    >>>
    >>> Joe K.
    >>>
    >>> "Ken Varn" <nospam> wrote in message
    >>> news:...
    >>>> I am running my ASP.NET page under IIS in Windows 2000 Pro. I need to make
    >>>> a call to the Win32 LogonUser function to get a logon token. How can I get
    >>>> security permission to do this while running under the MACHINE account for
    >>>> ASP.NET?
    >>>> --
    >>>> -----------------------------------
    >>>> Ken Varn
    >>>> Senior Software Engineer
    >>>> Diebold Inc.
    >>>> EmailID = varnk
    >>>> Domain = Diebold.com
    >>>> -----------------------------------
    Dominick Baier [DevelopMentor], Mar 31, 2005
    #5