Token impersonation in IIS filter


Token impersonation in IIS filter pyang NO[at]SPAM rsasecurity.com
3/14/2004 9:52:34 PM
Hi:

I am working on a project that requires impersonation of a user's
identity. I use a named pipe server to generate a user token by calling
LsaLogonUser. When the token is returned to the ISAPI filter, I call
SetThreadToken to attach the token to the running thread, so that the user
can access some MS applications, for example, a mailbox through OWA.

The token generated by the token server works fine in a wildcard
extension. I set UserInfo.hImpersonationToken = the token returned by the
named pipe server. UserInfo is an HSE_EXEC_URL_USER_INFO structure;
UserInfo is then assigned to an HSE_EXEC_URL_INFO structure before
invoking the wildcard extension.

But if I use the SetThreadToken call in the ISAPI filter instead of using a
wildcard extension, I get an 'Access denied' message when I access the user's
mailbox through OWA.

Does anyone know the difference between these two methods? Am I
missing something when I try to attach the user's token in the ISAPI filter?

Any advice is appreciated.

Re: Token impersonation in IIS filter Wade A. Hilmo [MS]
3/15/2004 6:46:30 AM
Hi Paul,

There is no way for an ISAPI filter to manually set a thread token for a
request. Setting the token via HSE_EXEC_URL_USER_INFO is the only way to
achieve this.

Thank you,
-Wade A. Hilmo,
-Microsoft

