Security permissions for Win32 LogonUser call.

[Ken Varn]

I am running my ASP.NET page under IIS in Windows 2000 Pro. I need to make
a call to the Win32 LogonUser function to get a logon token. How can I get
security permission to do this while running under the MACHINE account for
ASP.NET?

--
-----------------------------------
Ken Varn
Senior Software Engineer
Diebold Inc.

EmailID = varnk
Domain = Diebold.com
-----------------------------------

 

[Joe Kaplan \(MVP - ADSI\)]

Under Windows 2000, an account needs the Act As Part of the Operating System
privilege to call LogonUser. By default, only SYSTEM has this privilege as
it is very powerful and not something you want to give out lightly.

Another option you might want to consider in Win2K would be using SSPI.
I've seen a few .NET wrappers out there that will allow you to get a logon
token for a user without calling LogonUser. A Google search should turn
something up.

Alternately, you can also move to 2003 server where this restriction is
lifted.

Joe K.

 

[Dominick Baier [DevelopMentor]]

Hello Joe,

check this out for the SSPI workaround:
http://pluralsight.com/wiki/default.aspx/Keith.GuideBook/HowToGetATokenForAUser.html

 

[Joe Kaplan \(MVP - ADSI\)]

Keith's SSPI sample uses NegotiateStream which is certainly cool, but
definitely only in .NET 2.0 right now. 1.x users will need a p/invoke
solution although I've seen several published here that should show up in a
Google search.

Joe K.

 

[Dominick Baier [DevelopMentor]]

Hello Joe,

whoops. Microsoft makes us live in the future, all the time