Identity Information when running with RunAs /NetOnly

Grant

Hi,

In a WinForms application, how can you get the identity of the remote
credentials used when kicking off the application with RunAs /NetOnly?

I can get local Identity information with
System.Security.Principal.WindowsIdentity.GetCurrent(), but don't know how to
get the identity for the remote calls.

Any help would be appreciated,
Grant.

Jeroen Mostert

Grant said:
In a WinForms application, how can you get the identity of the remote
credentials used when kicking off the application with RunAs /NetOnly?
You can't. There's a good thread explaining it here (the unmanaged
equivalent, that is):
http://groups.google.com/group/micr...ecurity/browse_thread/thread/e4beee80ed0573dd
I can get local Identity information with
System.Security.Principal.WindowsIdentity.GetCurrent(), but don't know how to
get the identity for the remote calls.
This information is apparently managed by LSA internally and cannot be
retrieved after the fact. Technically, there isn't even an identity until a
remote resource is actually accessed and the credentials are successfully used.

Grant

Hi Jeroen,

Many thanks for this - I searched extensively, but this is a thread I didn't
find.


Regards,
Grant Holdom.

Zhi-xin Ye

Hi, Grant

How about this issue now? Does Jeroen's reply make sense to you?

The /netonly switch indicates that the user information specified is for
remote access only.

When you start a program with RunAs using /netonly, the program executes on
your local computer as the user you are currently logged on as, so the
System.Security.Principal.WindowsIdentity.GetCurrent() will return the
currently logged user instead of the user specified on the RunAs command.
The new credential created in this case is only available when there are
connections to other computers on the network.

I look forward to hearing from you soon.

Best Regards,
Zhi-Xin Ye
Microsoft Online Community Support


Delighting our customers is our #1 priority. We welcome your comments and
suggestions about how we can improve the support we provide to you. Please
feel free to let my manager know what you think of the level of service
provided. You can send feedback directly to my manager at:
(e-mail address removed).
==================================================
Get notification to my posts through email? Please refer to
http://msdn.microsoft.com/subscriptions/managednewsgroups/default.aspx#notifications.

Note: The MSDN Managed Newsgroup support offering is for non-urgent issues
where an initial response from the community or a Microsoft Support
Engineer within 1 business day is acceptable. Please note that each follow
up response may take approximately 2 business days as the support
professional working with you may need further investigation to reach the
most efficient resolution. The offering is not appropriate for situations
that require urgent, real-time or phone-based interactions or complex
project analysis and dump analysis issues. Issues of this nature are best
handled working with a dedicated Microsoft Support Engineer by contacting
Microsoft Customer Support Services (CSS) at
http://msdn.microsoft.com/subscriptions/support/default.aspx.
==================================================
This posting is provided "AS IS" with no warranties, and confers no rights.

Zhi-xin Ye

Hi Grant,

How are things going?

I have done some further research and would like to share a few more
details. The "runas /netonly" switch calls the "CreateProcessWithLogonW"
API internally with the "LOGON_NETCREDENTIALS_ONLY" flag. Below is the
description of this flag, quoted from MSDN
(http://msdn.microsoft.com/en-us/library/ms682431(VS.85).aspx) for your
information:

"
LOGON_NETCREDENTIALS_ONLY

Log on, but use the specified credentials on the network only. The new
process uses the same token as the caller, but the system creates a new
logon session within LSA, and the process uses the specified credentials as
the default credentials.
This value can be used to create a process that uses a different set of
credentials locally than it does remotely. This is useful in inter-domain
scenarios where there is no trust relationship.
The system does not validate the specified credentials. Therefore, the
process can start, but it may not have access to network resources.
"

The specified credentials stay in the local security authority (the lsass.exe
process) and cannot be retrieved easily. However, we can manage to get the
specified user name with a trick. I found that the "runas" utility sets
the STARTUPINFO.lpTitle member to something like the following when it
invokes the "CreateProcessWithLogonW" API:

"myApp.exe(running as MyDomain\SpecifiedUserName)"

To retrieve that title information, we can call the GetStartupInfo API:

using System.Runtime.InteropServices; // DllImport, StructLayout, Marshal

private void button1_Click(object sender, EventArgs e)
{
    // runas /netonly leaves "myApp.exe(running as MyDomain\User)" in
    // STARTUPINFO.lpTitle; parse the user name back out of it. The marker is
    // undocumented, so fall back gracefully when it is not there.
    string name = GetRunAsUserName();
    textBox1.Text = name == null
        ? "No \"running as\" marker found in the startup title"
        : string.Format("The specified user name is: {0}", name);
}

static string GetRunAsUserName()
{
    STARTUPINFO s;
    GetStartupInfo(out s);
    // lpTitle points into this process's own PEB; copy it into a managed string.
    string title = Marshal.PtrToStringUni(s.lpTitle);
    if (string.IsNullOrEmpty(title)) return null;

    const string marker = "(running as ";
    int start = title.LastIndexOf(marker, StringComparison.Ordinal);
    if (start < 0 || !title.EndsWith(")", StringComparison.Ordinal)) return null;
    start += marker.Length;
    string account = title.Substring(start, title.Length - start - 1); // "MyDomain\User"
    return account.Substring(account.LastIndexOf('\\') + 1);           // bare user name
}

[DllImport("kernel32.dll", EntryPoint = "GetStartupInfoW")]
static extern void GetStartupInfo(out STARTUPINFO lpStartupInfo);

// The string members are declared as IntPtr on purpose: GetStartupInfo hands
// back pointers into the process's PEB, and declaring them as string would make
// the marshaler free memory it does not own when it cleans up the struct.
[StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
struct STARTUPINFO
{
    public Int32 cb;
    public IntPtr lpReserved;
    public IntPtr lpDesktop;
    public IntPtr lpTitle;
    public Int32 dwX;
    public Int32 dwY;
    public Int32 dwXSize;
    public Int32 dwYSize;
    public Int32 dwXCountChars;
    public Int32 dwYCountChars;
    public Int32 dwFillAttribute;
    public Int32 dwFlags;
    public Int16 wShowWindow;
    public Int16 cbReserved2;
    public IntPtr lpReserved2;
    public IntPtr hStdInput;
    public IntPtr hStdOutput;
    public IntPtr hStdError;
}

However, please note that this specific implementation detail of the "RunAs"
utility (setting the title) is not documented officially. There is a chance
that the design will change in future versions. If that happens, our
existing code can break. But I still hope the workaround can be useful to
you to some extent.

If you need any further information, or there is anything else we can help
with, please feel free to reply here.


Sincerely,
Zhi-Xin Ye
Microsoft Online Community Support
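As an added example (not code from the thread, and not Microsoft's), the following C# console program launches a child process the same way runas /netonly does, through the CreateProcessWithLogonW call with the LOGON_NETCREDENTIALS_ONLY flag quoted above, and has the child print what Zhi-xin's two posts describe: WindowsIdentity.GetCurrent() still returns the interactive user, and the process starts even with a wrong password because the credentials are not validated until a network resource is touched. The parent also sets lpTitle to the same "(running as DOMAIN\user)" marker so the parsing trick can be exercised. The domain, user name and password are placeholders. One caveat a reader of lpTitle should keep in mind: that string is whatever the launching process chose to put there, so a child that parses it learns what its parent said, not a system-verified identity.

```csharp
// Added example, not code from the thread: launch a child process the way
// "runas /netonly" does (CreateProcessWithLogonW + LOGON_NETCREDENTIALS_ONLY)
// and let the child report what it can observe. Run with no arguments as the
// parent; it relaunches itself with "--child". Credentials are placeholders.
using System;
using System.Diagnostics;
using System.Runtime.InteropServices;
using System.Security.Principal;
using System.Text;

static class NetOnlyDemo
{
    const int LOGON_NETCREDENTIALS_ONLY = 0x00000002;  // WinBase.h
    const uint CREATE_NEW_CONSOLE = 0x00000010;

    // Pointer fields are IntPtr so that GetStartupInfo, which returns pointers
    // into the PEB, never has the marshaler freeing memory the process does not own.
    [StructLayout(LayoutKind.Sequential)]
    struct STARTUPINFO
    {
        public int cb;
        public IntPtr lpReserved, lpDesktop, lpTitle;
        public int dwX, dwY, dwXSize, dwYSize, dwXCountChars, dwYCountChars;
        public int dwFillAttribute, dwFlags;
        public short wShowWindow, cbReserved2;
        public IntPtr lpReserved2, hStdInput, hStdOutput, hStdError;
    }

    [StructLayout(LayoutKind.Sequential)]
    struct PROCESS_INFORMATION
    {
        public IntPtr hProcess, hThread;
        public int dwProcessId, dwThreadId;
    }

    [DllImport("advapi32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    static extern bool CreateProcessWithLogonW(
        string lpUsername, string lpDomain, string lpPassword, int dwLogonFlags,
        string lpApplicationName, StringBuilder lpCommandLine, uint dwCreationFlags,
        IntPtr lpEnvironment, string lpCurrentDirectory,
        ref STARTUPINFO lpStartupInfo, out PROCESS_INFORMATION lpProcessInformation);

    [DllImport("kernel32.dll", EntryPoint = "GetStartupInfoW")]
    static extern void GetStartupInfo(out STARTUPINFO lpStartupInfo);

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr hObject);

    static int Main(string[] args)
    {
        if (args.Length > 0 && args[0] == "--child") return Child();

        // Placeholder account; the password is deliberately wrong to show that
        // the flag does not validate credentials: the child still starts.
        string domain = "EXAMPLE", user = "alice", password = "not-the-real-password";
        string exe = Process.GetCurrentProcess().MainModule.FileName;

        var si = new STARTUPINFO();
        si.cb = Marshal.SizeOf(typeof(STARTUPINFO));
        // Reproduce the undocumented marker runas.exe leaves in lpTitle. The
        // launching process chooses this string freely, so the child cannot
        // treat it as trustworthy identity information.
        si.lpTitle = Marshal.StringToHGlobalUni(
            string.Format("{0}(running as {1}\\{2})", exe, domain, user));
        try
        {
            PROCESS_INFORMATION pi;
            var cmd = new StringBuilder("\"" + exe + "\" --child"); // must be writable
            if (!CreateProcessWithLogonW(user, domain, password, LOGON_NETCREDENTIALS_ONLY,
                    null, cmd, CREATE_NEW_CONSOLE, IntPtr.Zero, null, ref si, out pi))
            {
                Console.WriteLine("CreateProcessWithLogonW failed, Win32 error " +
                                  Marshal.GetLastWin32Error());
                return 1;
            }
            Console.WriteLine("Child started with PID " + pi.dwProcessId);
            CloseHandle(pi.hThread);
            CloseHandle(pi.hProcess);
            return 0;
        }
        finally { Marshal.FreeHGlobal(si.lpTitle); }
    }

    static int Child()
    {
        // Same token as the parent: the interactive user, not EXAMPLE\alice.
        Console.WriteLine("Process identity:        " + WindowsIdentity.GetCurrent().Name);
        STARTUPINFO si;
        GetStartupInfo(out si);
        string title = Marshal.PtrToStringUni(si.lpTitle) ?? "";
        Console.WriteLine("Startup title:           " + title);
        Console.WriteLine("Parsed /netonly account: " + (ParseRunAsAccount(title) ?? "<none>"));
        Console.WriteLine("Press Enter to exit.");
        Console.ReadLine();
        return 0;
    }

    // Extracts "DOMAIN\user" from "<exe>(running as DOMAIN\user)"; null if absent.
    static string ParseRunAsAccount(string title)
    {
        const string marker = "(running as ";
        int start = title.LastIndexOf(marker, StringComparison.Ordinal);
        if (start < 0 || !title.EndsWith(")", StringComparison.Ordinal)) return null;
        start += marker.Length;
        return title.Substring(start, title.Length - start - 1);
    }
}
```

Compile it as a .NET Framework console application and run it once from an interactive session; the child window shows the caller's own account as the process identity, the constructed title, and the account parsed from it. Replace the placeholder account with a real one and touch a network share from the child to see the alternate credentials actually being used, which is the only point at which a wrong password surfaces.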

Zhi-xin Ye

Hi, Grant

I haven't heard back from you so I would like to follow up to find out
whether the information I supplied makes any sense to you or not. If there
is anything more I can help with, please don't hesitate to let me know.
Thanks.

Sincerely,
Zhi-Xin Ye
Microsoft Online Community Support