LogonUser works only after installing SQL Server 2000

nild

Hello

I have a strange problem. I'm using LogonUser to impersonate the user
under which my program must run. On Win XP or Server 2003 it works. But
on 2000 it doesn't. So I found out to set the SE_TCB_NAME privilege - it
doesn't work. Then I read somewhere that this only works for local users
and not domain users and so the changes in the domain policy don't
work.
But the strangest thing I've found out after some tests: LogonUser
works after I installed a standard SQL Server 2000 installation. And it
looks like this doesn't change my policy. But before the
installation I always got error 1314 when trying to impersonate. And
after the installation of SQL Server 2000 there is absolutely NO problem
impersonating.

Does anybody know what the installation of SQL Server does with the
system so that it works, and how I could do this manually?

Test-server was Windows 2000 Server and Advanced Server with SP4,
Rollup 1 for SP4 and all updates available from windows update

hope somebody could help
 
Willy Denoyette [MVP]

nild said:
Hello

I have a strange problem. I'm using LogonUser to impersonate the user
under which my program must run. On Win XP or Server 2003 it works. But
on 2000 it doesn't. So I found out to set the SE_TCB_NAME privilege - it
doesn't work. Then I read somewhere that this only works for local users
and not domain users and so the changes in the domain policy don't
work.
But the strangest thing I've found out after some tests: LogonUser
works after I installed a standard SQL Server 2000 installation. And it
looks like this doesn't change my policy. But before the
installation I always got error 1314 when trying to impersonate. And
after the installation of SQL Server 2000 there is absolutely NO problem
impersonating.

Does anybody know what the installation of SQL Server does with the
system so that it works, and how I could do this manually?

Nothing, you probably did not restart the system after you did change the TCB privilege, but
you did after (during) SQL install.

Willy.
 
nild

I restarted the system after setting the TCB privilege. And I've not
restarted it after installing SQL Server 2000.
 
nild

Because I found out that LogonUser works after successfully
installing MS CRM 3. So I've tried to find out after which service
pack/program/whatever the LogonUser works. I've set up a new Server
2000 installation and changed nothing on the policy. I've just
installed one update after another and checked every time if LogonUser
works. And after installing SQL Server 2000 it worked after changing
manually the policy
 
Willy Denoyette [MVP]

nild said:
I restarted the system after setting the TCB privilege. And I've not
restarted it after installing SQL Server 2000.

Weird, all I can say is that it should work by setting the TCB privilege for the account
that calls LogonUser() (something extremely insecure by the way), the account should log off
after setting this privilege. I don't see what SQL Server has to do with this.
Note also that error code 1314 means: A required privilege is not held by the client. Which
makes me think that the TCB privilege was not set or not in effect.

Willy.
 
nild

I've tried with setting the TCB privilege but it didn't work. I've
restarted the machine about half an hour later so that the policy is
really updated. I logged on once again and it didn't work. And after
installing SQL Server 2000 it worked without restart and without
setting the TCB privilege. I really don't know what SQL Server does so
that it works.
 
Willy Denoyette [MVP]

nild said:
I've tried with setting the TCB privilege but it didn't work. I've
restarted the machine about half an hour later so that the policy is
really updated. I logged on once again and it didn't work. And after
installing SQL Server 2000 it worked without restart and without
setting the TCB privilege. I really don't know what SQL Server does so
that it works.

Let's make things clear to make sure we are talking about the same thing. You say that, even
after granting the TCB privilege to the account that runs the program that calls "LogonUser",
this call fails with an error 1314?
Well, this isn't the expected behavior. LogonUser() on w2k and below requires the TCB
privilege to be granted to the caller, that's all. SQL Server is in no way related to this.
Wonder how you are testing this, mind posting the failing code?

Willy.
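
The disagreement above comes down to whether SeTcbPrivilege is actually in the token of the process that calls LogonUser. The following diagnostic is an added example, not code posted by anyone in the thread; it assumes C# with P/Invoke, and the class name `TcbCheck` is hypothetical. Run it under the same account and logon session as the failing program.

```csharp
using System;
using System.Runtime.InteropServices;

// Added diagnostic, not code from the thread: reports whether the token of the
// current process contains SeTcbPrivilege (SE_TCB_NAME) and whether it is enabled.
static class TcbCheck
{
    const uint TOKEN_QUERY = 0x0008;
    const int TokenPrivileges = 3;          // TOKEN_INFORMATION_CLASS value
    const int SE_PRIVILEGE_ENABLED = 0x2;
    [StructLayout(LayoutKind.Sequential)]
    struct LUID { public uint LowPart; public int HighPart; }

    [DllImport("kernel32.dll")] static extern IntPtr GetCurrentProcess();
    [DllImport("kernel32.dll")] static extern bool CloseHandle(IntPtr handle);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool OpenProcessToken(IntPtr process, uint access, out IntPtr token);
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Auto)]
    static extern bool LookupPrivilegeValue(string system, string name, out LUID luid);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool GetTokenInformation(IntPtr token, int infoClass, IntPtr buffer, int length, out int needed);

    static int Fail(string api) { Console.WriteLine(api + " failed, Win32 error " + Marshal.GetLastWin32Error()); return 2; }

    static int Main()
    {
        IntPtr token = IntPtr.Zero, buffer = IntPtr.Zero; LUID tcb; int needed;
        try
        {
            if (!OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, out token)) return Fail("OpenProcessToken");
            if (!LookupPrivilegeValue(null, "SeTcbPrivilege", out tcb)) return Fail("LookupPrivilegeValue");
            GetTokenInformation(token, TokenPrivileges, IntPtr.Zero, 0, out needed); // size query, expected to fail
            buffer = Marshal.AllocHGlobal(needed);
            if (!GetTokenInformation(token, TokenPrivileges, buffer, needed, out needed)) return Fail("GetTokenInformation");
            string state = "absent";
            int count = Marshal.ReadInt32(buffer);          // TOKEN_PRIVILEGES.PrivilegeCount
            for (int i = 0; i < count; i++)
            {
                int entry = 4 + i * 12;                      // 12-byte LUID_AND_ATTRIBUTES entries
                if ((uint)Marshal.ReadInt32(buffer, entry) != tcb.LowPart) continue;
                if (Marshal.ReadInt32(buffer, entry + 4) != tcb.HighPart) continue;
                state = (Marshal.ReadInt32(buffer, entry + 8) & SE_PRIVILEGE_ENABLED) != 0 ? "present, enabled" : "present, disabled";
            }
            Console.WriteLine("SeTcbPrivilege in process token: " + state);
            return state == "absent" ? 1 : 0;
        }
        finally { if (buffer != IntPtr.Zero) Marshal.FreeHGlobal(buffer); if (token != IntPtr.Zero) CloseHandle(token); }
    }
}
```

A result of "absent" means the policy change has not reached this logon session's token, which matches the meaning of error 1314 quoted above.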
 
