Home | Contact Us | FAQ | Search & Site Map | Link to Us
Sign In | Join | Other 45 Sites in Network
HomeAnnouncementsFree MagazinesWhite PapersSubmit Content
Discussion GroupsASP.NETWindows FormsLanguages.NET FrameworkVisual Studio.NET
Articles.NET FrameworkASP.NETToolsWindows Forms
.NET DirectoryOpen Source ProjectsUser GroupsWeb Resources
Related Topics
Visual Basic 6SQL ServerMS AccessOther DB ProductsMS Server ProductsMore Topics ...
.NET Forum / .NET Framework / Security / January 2006

Tip: Looking for answers? Try searching our database.

Thread security

Thread view: 
Enable EMail Alerts  Start New Thread
Thread rating: 
Robert Ginsburg - 20 Jan 2006 15:00 GMT
I have a client/server scenario where I need the client to impersonate a
specific account, depending on rules established on the server.  Essentially
this a call back event that happens occasionally where the server needs to
temporarily elevate the clients permissions to do some work. I really dont
want to pass back credentials to use, and I dont want to give the user
account any "dangerous" permissions. The server is running as the system
account and I can genrate any access token (aka windows identity) or
impersonation context I need.  I am trying to figure out how to pass this
back to the client and so far I have not been successful. I have figured out
how to attach to the clients thread and can succesfully call SetThreadToken,
however the thread (which is a managed thread) does not appear to change to
the new security context.

Any thoughts or ideas appreciated

-Robert
Reply to this Message
Dominick Baier [DevelopMentor] - 20 Jan 2006 15:30 GMT
Hi,

are client and server on the same machine?

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com

> I have a client/server scenario where I need the client to impersonate
> a specific account, depending on rules established on the server.
[quoted text clipped - 13 lines]
>
> -Robert
Reply to this Message
Robert Ginsburg - 20 Jan 2006 18:24 GMT
yes

> Hi,
> are client and server on the same machine?
[quoted text clipped - 20 lines]
>>
>> -Robert
Reply to this Message
Joe Kaplan (MVP - ADSI) - 20 Jan 2006 18:44 GMT
Can you pass back the token handle via whatever IPC mechanism you have and
then let the client create a WindowsIdentity from that and do the
impersonation inside the thread method?

I'm not sure why the other approach isn't working, but you should be able to
do most of this with managed code anyway.  Having the server change the
client's thread seems weird to me.

Joe K.

> yes
>
[quoted text clipped - 22 lines]
>>>
>>> -Robert
Reply to this Message
Robert Ginsburg - 21 Jan 2006 12:44 GMT
The IPC mechanism is currently either COM or the IPC Remoting channel,
neither of which seem to be able to pass the token handle (or at least I
cant figure it out). In any case, the primary reason I want the server to
change the clients thread, is that I don't want the account the client is
operating under to have impersonation privilidges.

> Can you pass back the token handle via whatever IPC mechanism you have and
> then let the client create a WindowsIdentity from that and do the
[quoted text clipped - 32 lines]
>>>>
>>>> -Robert
Reply to this Message
Joe Kaplan (MVP - ADSI) - 21 Jan 2006 16:59 GMT
You should be able to pass the handle value as an int32 and then create an
IntPtr based on that to create the WindowsIdentity.  However, if you don't
want the client doing the work, you probably need to use an approach like
what you are doing.

Just out of curiosity, what does WindowsIdentity.GetCurrent() say after you
do SetThreadToken?

Also, would it be possible instead to have the client invoke a method on the
server that performs the privileged operation?  That seems cleaner to me...

Joe K.

> The IPC mechanism is currently either COM or the IPC Remoting channel,
> neither of which seem to be able to pass the token handle (or at least I
> cant figure it out). In any case, the primary reason I want the server to
> change the clients thread, is that I don't want the account the client is
> operating under to have impersonation privilidges.
Reply to this Message
Robert Ginsburg - 23 Jan 2006 11:27 GMT
Currently I pass in the treadid from GetCurrentThreadID() and the server
successfully calls duplicate token,
then SetThreadToken() on the client thread, however the client thread always
reports the same current user/identity.

There are two problems with calling all of the functions on the server. the
first is interactive UI (the server is running as a service)
, the second is that one of the functions is to evaluate and execute a bunch
of local code that the client has created, some of which should execute in
the callers context, some of which should execute in the context sent to the
caller from the system. The "application logic" works fine if I pass user
names and passwords back and forth instead of access tokena, but it it
tantalizing close (at least no API errors) to working using this technique.

-Robert

> You should be able to pass the handle value as an int32 and then create an
> IntPtr based on that to create the WindowsIdentity.  However, if you don't
[quoted text clipped - 15 lines]
>> change the clients thread, is that I don't want the account the client is
>> operating under to have impersonation privilidges.
Reply to this Message

Free Magazines

Get these publications absolutely FREE for up to 12 months. There are no hidden fees and no obligation. Simply choose a title, complete the application form and submit it. Read more ...

Oracle MagazineNetwork ComputingComputer WorldBio-IT WorldeWeekInformation WeekInfosecurity
 
Sign In
Join
My Latest Posts
My Monitored Threads
My Blog
My Photo Gallery
My Profile
My Homepage
Start New Thread
Enable EMail Alerts
Rate this Thread



©2008 Advenet LLC   Privacy Policy - Terms of Use
This website includes both content owned or controlled by Advenet as well as content owned or controlled by third parties.