Creating a PACCESS_TOKEN for SeImpersonateClient

I need to create a PACCESS_TOKEN with the context of a remote user (through
TCP/IP) so that I can impersonate the user in the kernel (to perform
operations on behalf of the user).

I would also like to use delegation (if it is enabled) so I don’t have to
send challenge/response information on the wire.

I assume that one must use LsaLogonUser() and other LSA functions to
create the tokens? Once I have a token, I need to build a SECURITY_CONTEXT
to pass to SeImpersonateClient (I assume this from the .h/.hlp files in the
IFS Kit).

My quandary is, I can find no documentation (or samples) on what parameters
to pass to these functions, or what the valid parameters are.

Does anyone out there know where I can get docs for these calls, or how to
create a PACCESS_TOKEN?
Any other options for how to do this would be much appreciated…

Regards,
Kurt

> I need to create a PACCESS_TOKEN with the context of a remote user (through
> TCP/IP) so that I can impersonate the user in the kernel (to perform
> operations on behalf of the user).

To do this correctly, you must specify auth data.
NT supports plaintext, NTLM and Kerberos auth data formats.
If you have your own, then you will need to write an auth package
(DLL for LSA) of your own.

As for the API: KSecDD.sys exposes the same API as user-mode RPC
SECURITY.DLL; read the user-mode documentation on
InitializeSecurityContext and such and do the same in the kernel.

Max

Maxim,

Do you know anyone who has written an Lsa DLL? It looks like a pretty
forbidding hill to climb from the MSDN docs.

There are a number of facilities that MS might have exported but didn’t.
For example, you could wish for a LogonUserWithCertificate that took an
X.509 certificate and returned a full token using the Cert->User mapping
in the AD. You can simulate this by firing up SSPI for SCHANNEL and
pretending to be an SSL client and present the certificate.

-----Original Message-----
From: Maxim S. Shatskih [mailto:xxxxx@storagecraft.com]
Sent: Friday, May 31, 2002 6:26 AM
To: File Systems Developers
Subject: [ntfsd] Re: Creating a PACCESS_TOKEN for SeImpersonateClient

