Strange problem with user rights for impersonation.

Ken Varn - 10 Jan 2006 16:03 GMT
I am trying to Impersonate a user in a .NET Windows Application running in
Windows 2000 SP4.  Whenever I try to do the impersonation, I get an
exception which states "A required privilege is not held by the client."

The user that the application is running under has the following access
rights "Create global objects" and "Impersonate a client after
authentication".

For some reason, the only way I can get the impersonation to work is to
assign the user to "Act as part of operating system".  I would prefer to not
do this.  Is there some other access right that the user must have in order
for the Impersonation to work properly?

For the impersonation, I am using a WindowsIdentity object that was
constructed from a Windows User using the LogonUser Win32 API handle that I
obtained through my own .net wrapper class.

-----------------------------------
Ken Varn
Senior Software Engineer
Diebold Inc.

EmailID = varnk
Domain = Diebold.com
-----------------------------------

Dominick Baier [DevelopMentor] - 10 Jan 2006 16:16 GMT
Hi,

LogonUser requires the "Act as part.." priv under Windows 2000 - XP and Server
2003 "fixed" this.

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com

> I am trying to Impersonate a user in a .NET Windows Application
> running in Windows 2000 SP4.  Whenever I try to do the impersonation,
[quoted text clipped - 17 lines]
> Domain = Diebold.com
> -----------------------------------

Joe Kaplan (MVP - ADSI) - 10 Jan 2006 16:24 GMT
Calling LogonUser on Windows 2000 requires "act as part of the operating
system" privilege.  It is documented as such in the MSDN docs.  There is no
way around this unless you upgrade your server to 2003.

Joe K.

>I am trying to Impersonate a user in a .NET Windows Application running in
> Windows 2000 SP4.  Whenever I try to do the impersonation, I get an
[quoted text clipped - 15 lines]
> I
> obtained through my own .net wrapper class.
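
The failure discussed in this thread, as an added example that is not code from any of the posters: a minimal .NET Framework C# wrapper around LogonUser that reports Win32 error 1314 (the "A required privilege is not held by the client" message) separately from other logon failures, and always reverts the impersonation and closes the token. The class name and the way the account details are read are assumptions made for the example.

```csharp
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;
using System.Security.Principal;

// Added example (hypothetical class name); targets the .NET Framework.
static class LogonUserDemo
{
    const int LOGON32_LOGON_INTERACTIVE = 2;
    const int LOGON32_PROVIDER_DEFAULT = 0;
    const int ERROR_PRIVILEGE_NOT_HELD = 1314; // "A required privilege is not held by the client."

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LogonUser(string user, string domain, string password,
        int logonType, int logonProvider, out IntPtr token);

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr handle);

    static void Main(string[] args)
    {
        // Assumption: user and domain come from the command line, password from stdin.
        string user = args[0], domain = args[1];
        Console.Write("Password: ");
        string password = Console.ReadLine();

        IntPtr token;
        if (!LogonUser(user, domain, password, LOGON32_LOGON_INTERACTIVE,
                       LOGON32_PROVIDER_DEFAULT, out token))
        {
            int err = Marshal.GetLastWin32Error();
            if (err == ERROR_PRIVILEGE_NOT_HELD)
                Console.Error.WriteLine("LogonUser: the calling account lacks a required " +
                    "privilege (on Windows 2000: \"Act as part of the operating system\").");
            throw new Win32Exception(err); // other codes, e.g. bad password, surface here too
        }
        try
        {
            WindowsIdentity id = new WindowsIdentity(token); // duplicates the token handle
            using (WindowsImpersonationContext ctx = id.Impersonate())
            {
                Console.WriteLine("Running as " + WindowsIdentity.GetCurrent().Name);
            } // Dispose() reverts the thread to the original identity
        }
        finally
        {
            CloseHandle(token); // release the handle LogonUser returned
        }
    }
}
```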
