Using LoginUser for Authentication

Dan

We are writing a component in VB.net that is supposed to
authenticate a predetermined user (using the user name,
password and domain) and then copy a file to a file share
(using a mapped drive or UNC path).

This component will be called from an IIS process (either
IIS 4, 5 or 6).

The general code structure is as follows:

Call RevertToSelf()
Call LogonUser() to obtain a token
Call ImpersonateLoggedOnUser()
Copy the file over
......

Sounds pretty simple, right?

We have the most difficult time getting past LogonUser().
We invariably get an error 1314: "A required privilege is
not held by the client".

We get this error even though we attempt to run the
program as a standalone executable outside of IIS and
using Administrator user accounts.

One solution we saw was to provide "Act as part of the OS
privileges" to the user account in question. Even if this
works, we cannot do that for security reasons.

Does anyone have any idea what we could be doing wrong?

Thanks in advance for any assistance.
 
Scott Allen

This is sort of a problem on Windows 2000, because LogonUser only
works if you have SeTcbPrivilege set or are running as SYSTEM - both
options unfortunately bad from a security standpoint. The good news is
in XP and Windows 2003 you don't need the higher privilege level -
but it doesn't sound like this helps you any.

There is a workaround using an SSPI handshake. I know Keith Brown has
some C++ code to do this on the developmentor.com website.
Unfortunately, the logon session you start will not have any network
credentials for the user - so I'm not sure this will work for you
either.

What you might consider is using SSPI to authenticate the user's
credentials, and once you see the user can be authenticated then you
can impersonate another domain account from web.config (specify a
username and password) and let these credentials give you the
authorization to copy files across the network.

Let me know if you could use some more details or URLs. HTH,
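
The call sequence from the question, written out in VB.NET with the Win32 error surfaced and the token and impersonation context always released. This is an added example, not code from either poster: the names `ShareCopy` and `CopyAs` and the choice of an interactive logon type are assumptions, and it does not remove the Windows 2000 privilege requirement described in the reply, it only reports it.

```vbnet
Imports System
Imports System.ComponentModel
Imports System.IO
Imports System.Runtime.InteropServices
Imports System.Security.Principal

Public Module ShareCopy
    Private Const LOGON32_LOGON_INTERACTIVE As Integer = 2
    Private Const LOGON32_PROVIDER_DEFAULT As Integer = 0
    Private Const ERROR_PRIVILEGE_NOT_HELD As Integer = 1314

    <DllImport("advapi32.dll", SetLastError:=True, CharSet:=CharSet.Unicode)> _
    Private Function LogonUser(ByVal user As String, ByVal domain As String, _
                               ByVal password As String, ByVal logonType As Integer, _
                               ByVal provider As Integer, ByRef token As IntPtr) As Boolean
    End Function

    <DllImport("advapi32.dll", SetLastError:=True)> _
    Private Function RevertToSelf() As Boolean
    End Function

    <DllImport("kernel32.dll", SetLastError:=True)> _
    Private Function CloseHandle(ByVal handle As IntPtr) As Boolean
    End Function

    ' Hypothetical helper: copies sourcePath to destPath while impersonating the account.
    Public Sub CopyAs(ByVal user As String, ByVal domain As String, ByVal password As String, _
                      ByVal sourcePath As String, ByVal destPath As String)
        Dim token As IntPtr = IntPtr.Zero
        If Not RevertToSelf() Then Throw New Win32Exception(Marshal.GetLastWin32Error())
        If Not LogonUser(user, domain, password, LOGON32_LOGON_INTERACTIVE, _
                         LOGON32_PROVIDER_DEFAULT, token) Then
            Dim err As Integer = Marshal.GetLastWin32Error() ' read before any other call
            If err = ERROR_PRIVILEGE_NOT_HELD Then Throw New Win32Exception(err, "LogonUser failed with 1314: a required privilege is not held by the caller")
            Throw New Win32Exception(err)
        End If
        Try
            Dim ctx As WindowsImpersonationContext = WindowsIdentity.Impersonate(token)
            Try
                File.Copy(sourcePath, destPath, True) ' runs as the logged-on account
            Finally
                ctx.Undo() ' always drop the impersonated identity
            End Try
        Finally
            CloseHandle(token) ' the token handle must not leak
        End Try
    End Sub
End Module
```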
 
