 |
 | Home | Contact Us | FAQ | Search & Site Map | Link to Us |
 | Sign In | Join | Other 45 Sites in Network |
.NET Forum / .NET Framework / Security / December 2006token elevation
Can I elevate the rights of a delegated user token? I have a .net service running in LocalSystem context, that is called from a user context program via IPC. The service has a copy of the user token and can impersonate the user when required. My problem is that my service either runs as LocalSystem or as the user; what I really need is to impersonate the user *with the LocalSystem rights included*. Can I in some way add the LocalSystem rights to the delegated user token without adding the user account to the local Administrators group? This could possibly be done by adding the system or administrators sid to the delegated user token (not to the user account itself), but I can't find any class that can do this. Is it in any way possible to do this? You can't do this in .NET, but might be able to do something like this with the low level token APIs by virtue of the fact that you are running as SYSTEM. Are you sure you want to do this though? The design sounds very strange. Perhaps it would be better to not impersonate the user for the operations that require system and just let system do the work? Joe K.  SignatureJoe Kaplan-MS MVP Directory Services Programming Co-author of "The .NET Developer's Guide to Directory Services Programming" http://www.directoryprogramming.net -- > Can I elevate the rights of a delegated user token? > [quoted text clipped - 15 lines] > > Is it in any way possible to do this? My initial intention was to run everything in the SYSTEM context, but ran into problems when my service required access to network files. My service requires SYSTEM rights and cannot run as NetworkService. I haven't found a way to access the network files using the delegated user token while still running in SYSTEM context locally, but I'd be more than happy to implement such a solution. The idea of elevating the rights of the user token was my final(?) hope of finding a solution to my network access problem. > You can't do this in .NET, but might be able to do something like this with > the low level token APIs by virtue of the fact that you are running as [quoted text clipped - 23 lines] > > > > Is it in any way possible to do this? If you enable Kerberos delegation correctly, you should be able to impersonate the authenticated user to access the remote network files with the user's security context. You could also do your impersonation programmatically so that some of your operations were conducted with the SYSTEM account. Do you know if you have Kerberos delegation enabled for the machine account? That is the account that delegation will be applied to when the SYSTEM account attempts to access network resources. Joe K. SignatureJoe Kaplan-MS MVP Directory Services Programming Co-author of "The .NET Developer's Guide to Directory Services Programming" http://www.directoryprogramming.net -- > My initial intention was to run everything in the SYSTEM context, but ran > into problems when my service required access to network files. My service [quoted text clipped - 42 lines] >> > >> > Is it in any way possible to do this? Free MagazinesGet these publications absolutely FREE for up to 12 months. There are no hidden fees and no obligation. Simply choose a title, complete the application form and submit it. Read more ...
|
Reply to this Message
|
 Sign In
 Join
 My Latest Posts My Monitored Threads My Blog My Photo Gallery My Profile My Homepage Start New Thread Enable EMail Alerts Rate this Thread
|
©2008 Advenet LLC Privacy Policy - Terms of Use
This website includes both content owned or controlled by Advenet as well as content owned or controlled by third parties.