Posted by Ondrej Sevecek on January 19, 2006, 9:31 am
There are actually two identities involved:
- the user (or the local system) under whose account the LsaLogonUser
function runs. This user/computer must be set up for "Account is trusted
for delegation" or "Trust computer for delegation", and should have the
SeTCBPrivilege (and on w2k3 the account must also have
SeImpersonatePrivilege).
- the user you are logging on with the LsaLogonUser function should *not*
have the "Account is sensitive and cannot be delegated" checkbox set.
Then, that account should have the appropriate logon rights (local,
network, ...) on the computer where LsaLogonUser runs.
Also, Kerberos must be functioning properly. You can troubleshoot by
using auditing: Account Logon Events on the DC, Logon Events on the
workstation. You can also try to enable Kerberos logging on both the
workstation and the server:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters
LogLevel = DWORD = 0x1
O.
> One of the constructors for a WindowsIdentity allows you to pass the UPN
> of a user and have an identity created for that user. If your permissions
> are set up correctly then the system is supposed to return you a
> delegatable token that you can use for impersonation. I have been
> attempting just this, I have set my local account to have permission to
> act as part of the operating system and have flagged it as trusted for
> delegation, however whenever I use this function I get a System.Security
> exception with the message "Incorrect Function", I get the exact same
> result if I call LsaLogonUser using the Kerberos S4U format.
>
> Any thoughts or advice are appreciated
>
> Robert
>
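The checks from the reply above, collected into one script. This is an added example, not code from either poster: it verifies the privileges on the current token, the delegation flags on both accounts, turns on the Kerberos LogLevel value named in the post, and then performs the same S4U logon that the WindowsIdentity(upn) constructor does so you can see what kind of token comes back. It assumes an AD domain reachable via ADSI and that it is run on the machine that will call LsaLogonUser; the parameter names $ServiceAccountSam and $TargetUpn are placeholders chosen here.

```powershell
<#
  Added example (not from the thread): pre-flight checks for an S4U logon
  done through WindowsIdentity(upn) / LsaLogonUser(KERB_S4U_LOGON).
  Run it *as the service account* on the box that will call LsaLogonUser,
  with admin rights for the registry step.
  Assumed placeholders: $ServiceAccountSam, $TargetUpn.
#>
param(
    [Parameter(Mandatory)] [string]$ServiceAccountSam,  # account that will call LsaLogonUser
    [Parameter(Mandatory)] [string]$TargetUpn           # account to be logged on, user@domain form
)

# userAccountControl flag bits (ADS_USER_FLAG_ENUM)
$UF_TRUSTED_FOR_DELEGATION = 0x80000    # "Account is trusted for delegation" / "Trust computer for delegation"
$UF_NOT_DELEGATED          = 0x100000   # "Account is sensitive and cannot be delegated"

function Get-UacFlags {
    # Return the userAccountControl value of the first AD object matching $Filter.
    param([string]$Filter)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter = $Filter
    [void]$searcher.PropertiesToLoad.Add('userAccountControl')
    $result = $searcher.FindOne()
    if (-not $result) { throw "No AD object matches $Filter" }
    return [int]$result.Properties['useraccountcontrol'][0]
}

$problems = @()

# 1. Privileges held by the token this script runs under. A privilege that
#    is granted but disabled still shows up here; one that is not granted
#    at all is simply absent, which is what we test for.
$privs = whoami /priv
foreach ($p in 'SeTcbPrivilege', 'SeImpersonatePrivilege') {
    if (-not ($privs | Select-String -SimpleMatch $p)) {
        $problems += "Current token lacks $p (assign it to $ServiceAccountSam in Local Security Policy)"
    }
}

# 2. The calling account (user or computer$) must be trusted for delegation.
$svcUac = Get-UacFlags "(sAMAccountName=$ServiceAccountSam)"
if (-not ($svcUac -band $UF_TRUSTED_FOR_DELEGATION)) {
    $problems += "$ServiceAccountSam is not trusted for delegation (userAccountControl=0x{0:X})" -f $svcUac
}

# 3. The account being logged on must not be marked sensitive.
$tgtUac = Get-UacFlags "(&(objectCategory=person)(userPrincipalName=$TargetUpn))"
if ($tgtUac -band $UF_NOT_DELEGATED) {
    $problems += "$TargetUpn has 'Account is sensitive and cannot be delegated' set"
}

# 4. Kerberos event logging, as suggested in the reply. Kerberos client
#    errors then show up in the System event log.
$kerbKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
if (-not (Test-Path $kerbKey)) { New-Item -Path $kerbKey -Force | Out-Null }
Set-ItemProperty -Path $kerbKey -Name LogLevel -Value 1 -Type DWord

$problems | ForEach-Object { Write-Warning $_ }

# 5. Do the S4U logon the way the .NET constructor does and report the
#    token level. Impersonation means you can act as the user locally;
#    Identification means you only got the user's SIDs/groups, which is
#    what S4U2Self hands back when the caller is not trusted for delegation
#    or lacks SeTcbPrivilege.
try {
    $id = New-Object System.Security.Principal.WindowsIdentity($TargetUpn)
    "Logon OK: {0}, ImpersonationLevel={1}, AuthType={2}" -f `
        $id.Name, $id.ImpersonationLevel, $id.AuthenticationType
}
catch {
    Write-Error ("S4U logon for $TargetUpn failed: " + $_.Exception.Message)
}
```

Usage: `.\s4u-check.ps1 -ServiceAccountSam svc-web -TargetUpn alice@corp.example` (names are illustrative). Run it under the service account so step 1 reflects the right token; if step 5 reports an Identification-level token, fix whatever steps 1 and 2 warned about before retrying, and if it throws, read the Kerberos entries in the System log that step 4 enabled.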