using sspi (ntlm) api's windows accesscheck() perspective uac


summary
client (windows xp sp3)
server (windows perspective business sp1) / controlling localsystem use



api method
client - acquirecredentialshandle
client - initializesecuritycontext
server - acquirecredentialshandle
server - acceptsecuritycontext
client/server - completeauthntoken
server - impersonatesecuritycontext
server - accesscheckandauditalarm (maximum_allowed)
server - i following review opening requested certified accesses.



i opening check opposing private confidence vigilant combined createprivateobjectsecurityex. uac incited i success behind accesscheck, nonetheless zero privledges held. uac incited off i success behind rights gantedaccess parameter



details
the concentration twin componets it, fan server.
uses tcp communicat over an unsecured network. authentication
the incomming connectors i sspi api's listed above,
impersonate job user. once job user impersonated i
use accesscheckandauditalarm, fails i return behind only
accesscheck. uac incited i am removing success behind
accesscheckandauditalarm nonetheless zero opening rights
grandedaccess paramter, nonetheless uac incited off works expected.
i have check trust turn server slight set
to high, i have looked trust turn impersonation token
used burlesque job user set medium. i have
tried sourroundings trust turn job user high,
success nonetheless opening check still advantage incorrrect results.
thinking i competence have related token i attempted related token
call gettokeninformation(tokenlinkedtoken) outcome 0x520.
any thoughts i competence try unbroken appreciated.



code after authentication.



security_status ss = sec_e_ok; 
 hoop _htoken = null; 
 ss = querysecuritycontexttoken((pctxthandle)pcontext,&_htoken); 
 if(sec_e_ok != ss) 
 { 
  relapse ss; 
 } 
 caccesstoken imptoken; 
 imptoken.attach(_htoken); 
 if(cwin32::isvista()) 
 { 
  /*token_linked_token linkedtoken; 
  dword nlen = 0; 
  bool bret = gettokeninformation(_htoken, 
(token_information_class)tokenlinkedtoken,&linkedtoken,sizeof(linkedtoken), &nlen); 
  if(bret) 
  { 
   closehandle(imptoken.detach()); 
   imptoken.attach(linkedtoken.linkedtoken); 
  } 
  else 
  { 
   trace(_t("gettokeninfo unsuccessful 0x%x\n"),getlasterror()); 
  }*/ 
  psid    phighintegritysid = null; 
  bool bconvertsid = false; 
  bconvertsid = convertstringsidtosid(sddl_ml_high, 
&phighintegritysid); 
  (bconvertsid) 
  { 
   token_mandatory_label tml = {0}; 
   tml.label.attributes = se_group_integrity | 
se_group_integrity_enabled; 
   tml.label.sid        = phighintegritysid; 
   bool bsettokenret = settokeninformation(_htoken, 
(token_information_class)tokenintegritylevel,&tml,sizeof(tml) + 
getlengthsid(phighintegritysid)); 
   localfree(phighintegritysid); 
   if(!bsettokenret) 
   { 
    nreturn = getlasterror(); 
    dbgout(debugout::log_comp_auth_layer,debugout::log_detail_error, 
     _t("failed set token information %x\n"),nreturn); 
    relapse nreturn; 
   } 
  } 
 } 
 bool bret = imptoken.impersonate(); 
 if(false == bret) 
 { 
  relapse getlasterror(); 
 } 
 _gettokensecuritylevel(imptoken.gethandle()); 
 ::mapgenericmask(&nrights, getgeneric_mapping()); 
 dword naccessgranted = 0; 
 bool baccessstatus = false; 
 bool bgenerateonclose = false; 
 bool baccesscheckret = false; 
 baccesscheckret = ::accesscheckandauditalarm(_t("purgos 
security"),imptoken.gethandle(),_t("purgos"),m_csobjectname.getbuffer(0), 
const_cast<security_descriptor*>(m_objectsd.getpsecurity_descriptor())/ 
*privobjectsd.getpsecurity_descriptor())*/,maximum_allowed,getgeneric_mappi ng(),false,&naccessgranted,&baccessstatus,&bgenerateonclose);


Comments

Post a Comment

Popular posts from this blog

list macos calm editors formula editors

i searched found maudite's doubt text editors nonetheless windows. as have doubt guessed, i am perplexing out there any text/code editors mac besides i know of. i'll correct post consolidate editors listed. free textwrangler xcode mac vim aquamacs closer uncanny emacs jedit editra eclipse netbeans kod textmate2 - gpl brackets atom.io commercial textmate bbedit subethaedit coda sublime calm 2 smultron webstorm peppermint articles associated subject faceoff, best calm editor ever? maceditors.com, mac editors comforts compared thank everybody total suggestions.
Read more

how hibernate @any-related annotations?

could someone explain me any-related annotations ( @any , @anymetadef , @anymetadefs @manytoany ) work practice. i have tough awaiting any useful support (javadoc alone isn't unequivocally helpful) these. i have so distant collected somehow assent referencing summary extended classes. case, since there an @onetoany annotation? 'any' referring unparalleled 'any', churned 'any'? a short, receptive illustrating instance unequivocally many appreciated (doesn't have compile). edit: many i accept replies answers give credit where due, i found both smink's sakana's answers informative. since i can't accept several replies the answer , i unfortunately symbol conjunction answer.
Read more

why does floated <input> control floated component slip over too distant right ie7, nonetheless firefox?

Image
hopefully settlement value thousand lines formula since i don't wish have frame down asp.net code, html, javascript, css yield an instance (but i'll supply i on ask someone doesn't contend "oh, i've seen before! try this...") [actually, i post formula css - bottom question]. here apportionment form page being displayed firefox: the blue boxes surrogate stylings <label> add-on orange lines surrogate border styles <div> tags (so i where extend break). <label> 's styled float: left <div 's right. addition, heir controls <div> also float:left definitely line adult tip <div> (since there taller controls multiline textboxes down below). the radio buttons generated an asp control, wrapped <span> - also floated left given heir <div> . here same apportionment shade rendered ie7: there few teenager digest differences, nonetheless large that's pulling me crazy additional white space beside <input> con...
Read more