|
Microsoft Applications Security - Microsoft's general security discussions and announcements
|
|
|
|
|
Posted by Kasparov on May 1, 2009, 1:42 pm
If you were Registered and logged in, you could reply and use other advanced thread options
I am facing a weird problem. Any pointers are much appreciated.
I am using SSPI for authentication on Windows 2003 machine. On my
server side I am checking whether my SSPI context user is part of the
backup operators (BO) group. Now the check always returns me false
even though the user is present in the BO group on that machine.
Strange thing is if I do logonuser using the same username and
password (with which the client is running) on the server side and try
to check whether the logon user token is part of the BO group it
returns me TRUE ! Have also tried with administrator group but there
the functionality is as expected (both the times it returns me true) .
So I am not sure whats going on. I am pasting part of my code below:
**************
// At this point SSPI handshake is complete.
AcceptSecurityContext has returned 0.
// Initialise SID for the Backup Operators group
if ( AllocateAndInitializeSid( &NtAuthority,
2,
SECURITY_BUILTIN_DOMAIN_RID,
DOMAIN_ALIAS_RID_BACKUP_OPS,
0, 0, 0, 0, 0, 0,
&BOGroup ) == 0)
{
ret_val = GetLastError();
break;
}
// Impersonate the context
ss = (*c->ImpersonateSecurityContext)(&c->hContext);
if (!SEC_SUCCESS(ss))
{
ret_val = E_CORBA_AUTH_FAILURE;
break;
}
// Fetch username with domain name from the SSPI context
HANDLE hToken = NULL;
PTOKEN_USER ptiUser = NULL;
DWORD cbti = 0;
SID_NAME_USE snu;
// Check group permissions
if (!CheckTokenMembership( NULL, BOGroup, &bIsMember)) //
Check whether part of the BO group
{
ret_val = GetLastError();
break;
}
if (bIsMember)
{
sspiContext.isBO = true;
}
else
{
}
// Do Logon user with the same credentials and impersonate to
fetch the access token
// here NDMPContext.username and password are of the same user
as obtained from SSPI context.
LogonAndImpersonateUser( (const CHAR *)
(ndmpContext.username).c_str(), (const CHAR *)
(ndmpContext.passsword).c_str() );
if (!CheckTokenMembership( NULL, BOGroup, &bIsMember))
{
BE_Zprintf(0, TEXT("checkGroupMembership:
CheckTokenMembership returned %d\n"), GetLastError() );
}
if ( ndmpContext.isAnonymous || ( !ndmpContext.isAdmin && !
ndmpContext.isBO ))
{
BE_Zprintf( 0, TEXT( "SSPIAuthenticate: Authenticating
user is ANONYMOUS or not part of the administrator / BO group.
Rejecting..." ));
ret_val = E_CORBA_AUTH_FAILURE;
break;
}
**************
Thanks in advance,
Ganesh Tambat
|
| Similar Threads | Posted | | Very weird ping problem | September 23, 2005, 8:42 pm |
| Weird problem / Email showing up in excel spreadsheet | December 21, 2005, 6:51 pm |
| Weird Service | July 17, 2006, 12:28 am |
| Bug in Kerberos SSP within SSPI?? | July 28, 2005, 4:46 am |
| SSPI: VerifySignature(Digest) | October 17, 2005, 4:52 pm |
| SSPI Kerberos for delegation | December 18, 2008, 11:17 am |
| Using SPNEGO/SSPI in SMB (Extended Security) | August 18, 2005, 5:56 pm |
| SSPI to verify machine identity | January 12, 2006, 8:59 am |
| SSPI client to ldap Server - Error at last stage of n-way authentication check | December 24, 2005, 1:14 am |
| SSPI client to ldap Server - Error at last stage of n-way authentication check | December 24, 2005, 1:15 am |
|
|
|
Yahoo! 
Google 
Windows Live 
del.icio.us 
digg 
Netscape 
XML site map