|
|
You're in the
dotnet security
group:token elevation
dotnet security:
I have a .net service running in LocalSystem context, that is called from a user context program via IPC. The service has a copy of the user token and can impersonate the user when required. My problem is that my service either runs as LocalSystem or as the user; what I really need is to impersonate the user *with the LocalSystem rights included*. Can I in some way add the LocalSystem rights to the delegated user token without adding the user account to the local Administrators group? This could possibly be done by adding the system or administrators sid to the delegated user token (not to the user account itself), but I can't find any class that can do this.
You can't do this in .NET, but might be able to do something like this with
the low level token APIs by virtue of the fact that you are running as SYSTEM. Are you sure you want to do this though? The design sounds very strange. Perhaps it would be better to not impersonate the user for the operations that require system and just let system do the work? Joe K. -- Joe Kaplan-MS MVP Directory Services Programming Co-author of "The .NET Developer's Guide to Directory Services Programming" http://www.directoryprogramming.net -- [quoted text, click to view] "Scewbedew" <Scewbedew@discussions.microsoft.com> wrote in message news:F715EEDD-EF34-421E-A131-B0963B4B02F5@microsoft.com... > Can I elevate the rights of a delegated user token? > > I have a .net service running in LocalSystem context, that is called from > a > user context program via IPC. The service has a copy of the user token and > can impersonate the user when required. > > My problem is that my service either runs as LocalSystem or as the user; > what I really need is to impersonate the user *with the LocalSystem rights > included*. Can I in some way add the LocalSystem rights to the delegated > user > token without adding the user account to the local Administrators group? > > This could possibly be done by adding the system or administrators sid to > the delegated user token (not to the user account itself), but I can't > find > any class that can do this. > > Is it in any way possible to do this?
My initial intention was to run everything in the SYSTEM context, but ran
into problems when my service required access to network files. My service requires SYSTEM rights and cannot run as NetworkService. I haven't found a way to access the network files using the delegated user token while still running in SYSTEM context locally, but I'd be more than happy to implement such a solution. The idea of elevating the rights of the user token was my final(?) hope of finding a solution to my network access problem. [quoted text, click to view] "Joe Kaplan" wrote:
> You can't do this in .NET, but might be able to do something like this with > the low level token APIs by virtue of the fact that you are running as > SYSTEM. Are you sure you want to do this though? The design sounds very > strange. Perhaps it would be better to not impersonate the user for the > operations that require system and just let system do the work? > > Joe K. > > -- > Joe Kaplan-MS MVP Directory Services Programming > Co-author of "The .NET Developer's Guide to Directory Services Programming" > http://www.directoryprogramming.net > -- > "Scewbedew" <Scewbedew@discussions.microsoft.com> wrote in message > news:F715EEDD-EF34-421E-A131-B0963B4B02F5@microsoft.com... > > Can I elevate the rights of a delegated user token? > > > > I have a .net service running in LocalSystem context, that is called from > > a > > user context program via IPC. The service has a copy of the user token and > > can impersonate the user when required. > > > > My problem is that my service either runs as LocalSystem or as the user; > > what I really need is to impersonate the user *with the LocalSystem rights > > included*. Can I in some way add the LocalSystem rights to the delegated > > user > > token without adding the user account to the local Administrators group? > > > > This could possibly be done by adding the system or administrators sid to > > the delegated user token (not to the user account itself), but I can't > > find > > any class that can do this. > > > > Is it in any way possible to do this? > >
If you enable Kerberos delegation correctly, you should be able to
impersonate the authenticated user to access the remote network files with the user's security context. You could also do your impersonation programmatically so that some of your operations were conducted with the SYSTEM account. Do you know if you have Kerberos delegation enabled for the machine account? That is the account that delegation will be applied to when the SYSTEM account attempts to access network resources. Joe K. -- Joe Kaplan-MS MVP Directory Services Programming Co-author of "The .NET Developer's Guide to Directory Services Programming" http://www.directoryprogramming.net -- [quoted text, click to view] "Scewbedew" <Scewbedew@discussions.microsoft.com> wrote in message news:A937FD24-0F25-4BA9-A41E-56D2ABDF7316@microsoft.com... > My initial intention was to run everything in the SYSTEM context, but ran > into problems when my service required access to network files. My service > requires SYSTEM rights and cannot run as NetworkService. > > I haven't found a way to access the network files using the delegated user > token while still running in SYSTEM context locally, but I'd be more than > happy to implement such a solution. > > The idea of elevating the rights of the user token was my final(?) hope of > finding a solution to my network access problem. > > "Joe Kaplan" wrote: > >> You can't do this in .NET, but might be able to do something like this >> with >> the low level token APIs by virtue of the fact that you are running as >> SYSTEM. Are you sure you want to do this though? The design sounds very >> strange. Perhaps it would be better to not impersonate the user for the >> operations that require system and just let system do the work? >> >> Joe K. >> >> -- >> Joe Kaplan-MS MVP Directory Services Programming >> Co-author of "The .NET Developer's Guide to Directory Services >> Programming" >> http://www.directoryprogramming.net >> -- >> "Scewbedew" <Scewbedew@discussions.microsoft.com> wrote in message >> news:F715EEDD-EF34-421E-A131-B0963B4B02F5@microsoft.com... >> > Can I elevate the rights of a delegated user token? >> > >> > I have a .net service running in LocalSystem context, that is called >> > from >> > a >> > user context program via IPC. The service has a copy of the user token >> > and >> > can impersonate the user when required. >> > >> > My problem is that my service either runs as LocalSystem or as the >> > user; >> > what I really need is to impersonate the user *with the LocalSystem >> > rights >> > included*. Can I in some way add the LocalSystem rights to the >> > delegated >> > user >> > token without adding the user account to the local Administrators >> > group? >> > >> > This could possibly be done by adding the system or administrators sid >> > to >> > the delegated user token (not to the user account itself), but I can't >> > find >> > any class that can do this. >> > >> > Is it in any way possible to do this? >> >> >>
Don't see what you're looking for? Try a search.
|
June 2004
July 2004
August 2004
September 2004
October 2004
November 2004
December 2004
January 2005
February 2005
March 2005
April 2005
May 2005
June 2005
July 2005
August 2005
September 2005
October 2005
November 2005
December 2005
January 2006
February 2006
March 2006
April 2006
May 2006
June 2006
July 2006
August 2006
September 2006
October 2006
November 2006
December 2006
January 2007
February 2007
March 2007
April 2007
May 2007
June 2007
July 2007
August 2007
September 2007
October 2007
November 2007
| home · blog · groups | Questions? Comments? Contact the dn |