Access remote resources with impersonated token - c

I want to impersonate a user on a Windows server (2012/2016/2019) in a domain environment.
This should happen from an administrator account with SE_DEBUG and SE_IMPERSONATE privileges.
GetAccessToken()
DuplicateTokenEx()
CreateProcessWithTokenW(token, LOGON_NETCREDENTIALS_ONLY, L"c:\\windows\\system32\\cmd.exe", NULL, 0, FALSE, NULL, &si, &pi)
So far it's working fine.
But I have to read a file share on another server in the context of the impersonated user/token.
On localhost the created process has all permissions of the original user/process.
If I try to access a file share or any other server on the network, this results in "Access Denied".
I found out that it depends on the logon type whether the user's credentials are available on the system, which is needed to connect to another system (double hop).
But even if the impersonated process is started from an interactive logon (tried RDP and runas.exe), there seem to be no rights on remote systems.
I checked the logon type of the token: GetTokenInformation() to get the session id, then LsaGetLogonSessionData() to get the LogonType field.
What is the difference between this and getting the TokenOrigin value from GetTokenInformation?
Which configuration allows me to access a remote share with the impersonated token?

There's no difference in impersonating an admin vs a non-admin, but a LOCAL admin does not necessarily have access to another machine. A domain user does.

Related

Should we change the Password in the Application pool in server if the Active Directory ID password is reset?

We are resetting the password of Active directory service account used in server for
Identity in Application Pool
Certificate Access Permission
Folder share access permissions
Windows Scheduler job permission
HKEY_LOCAL_MACHINE > SYSTEM > CurrentControlSet > Services > EventLog (Permissions)
Should we modify the all the places after password reset?
No need to reset the password for the application pool. You can directly enter the application pool, but for accessing the sites present in the application pool using the identity you will need the new password that you have reset (indirectly we can say that for the application pool it auto-updates the password; there is no need to separately change the password of the application pool).
Windows Domain accounts are used as identities to run IIS App Pools.
Whenever the password of a domain account is changed in the domain
controller, the new password has to be updated individually in all
associated App Pools for web applications to run without any
hindrance. With each domain account running numerous App Pools,
changing all the passwords manually becomes tedious.
The same goes for Certificate Access Permission, Folder share access permissions and HKEY_LOCAL_MACHINE > SYSTEM > CurrentControlSet > Services > EventLog (Permissions): we don't require a password change.
It is different for Windows Scheduler job permission: we need to change the password, because in the backend the Windows Scheduler job is working with the old password and all the scheduled jobs will fail. You need to update the password manually here.
For more information you can refer to this document.
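As an added example (not from the question or the answer above): a PowerShell script that, after the domain account's password has been reset, rewrites the stored password in every IIS application pool whose identity is that account and in every scheduled task registered under it, which is what the quoted note says has to be done per pool. The account name `CONTOSO\svc-web` and prompting for the new password are assumptions; the script relies on the WebAdministration module's IIS: drive and on the ScheduledTasks module, both shipped with Windows Server.

```powershell
# Added example: rotate a domain service account's stored password in IIS app pools
# and Task Scheduler after an AD password reset. Run in an elevated PowerShell.
# ASSUMPTION: the account name; adjust to your environment.
$Account = 'CONTOSO\svc-web'

Import-Module WebAdministration
Import-Module ScheduledTasks

# Prompt for the new password instead of hard-coding it; IIS and Set-ScheduledTask
# need it as plain text, so unwrap the SecureString only for the duration of the run.
$secure = Read-Host -Prompt "New password for $Account" -AsSecureString
$bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
try {
    $plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
} finally {
    [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
}

# 1. IIS application pools keep their own (encrypted) copy of the password in
#    applicationHost.config, so each pool running as this account is rewritten.
foreach ($pool in Get-ChildItem IIS:\AppPools) {
    if ($pool.processModel.identityType -eq 'SpecificUser' -and
        $pool.processModel.userName -eq $Account) {
        Set-ItemProperty "IIS:\AppPools\$($pool.Name)" -Name processModel.password -Value $plain
        Restart-WebAppPool -Name $pool.Name
        Write-Host "Updated app pool $($pool.Name)"
    }
}

# 2. Scheduled tasks keep the credential they were registered with; tasks that
#    log on with a stored password fail until re-registered with the new one.
#    Note: Principal.UserId may be stored without the domain prefix on some hosts.
foreach ($task in Get-ScheduledTask) {
    if ($task.Principal.UserId -eq $Account -and $task.Principal.LogonType -eq 'Password') {
        Set-ScheduledTask -TaskName $task.TaskName -TaskPath $task.TaskPath `
                          -User $Account -Password $plain | Out-Null
        Write-Host "Updated task $($task.TaskPath)$($task.TaskName)"
    }
}

# Don't leave the cleartext password lying around in the session.
Remove-Variable plain
```

Certificate private-key ACLs, share permissions and the EventLog registry key are granted to the account's SID, not to its password, so they are untouched by the reset and the script does not revisit them.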

The permissions granted to user 'MachineName\Administrator' are insufficient for performing this operation. (rsAccessDenied)

(Revised based on comments below)
I know there's a ton of posts like this online and I've browsed many and found no useful help.
I have setup and configured SSRS many times and have not had this problem. The setup is similar to other servers in the past (all stand alone servers - no AD). I can log into Report Manager from a browser on the local server but when I try to access from my remote dev machine or from deploying a report from VS I get the above message.
This is how I'm trying to login which works on other servers but not this one.
http://Server IP/Reports
-Username: Administrator
-Password: admin password
I get the above error even though this is exactly the same as on other servers.
I should mention that I connect using a VPN to the network so I have access to the private IPs as well.
I also tried using the private IP.
I also tried MachineName\Administrator
I also tried creating an SQL user with admin privileges and that did not work either.
This is a screenshot from a server where everything is working as expected. Administrators had default permissions (Content Manager). Users has browse:
This is a screenshot from the server that’s having permission issues. I assigned all roles to both admin accounts
and then I added all roles to both admin accounts:
Now I can deploy from VS using the username "administrator".
And I made a little progress (I think...) trying to access Report Manager from my PC. From IE (run as admin) on my local PC I try to access Report Manager from this URL:
http://server ip/Reports/browse/
-Username: Administrator
-Password: admin password
And now I gain access to server manager but cannot see any content. When I click on the home button I get this error:
Any recommendations?

program using task scheduler that echos user while running as admin

I'm trying to create a program which echoes the current user.
As the program needs to be run as admin using the Task Scheduler, %username% always returns admin, NOT the user.
What I'm looking for in the end is a batch file that echoes a time stamp, user info and PC info every time a user logs on, off, locks, unlocks, switches user, ...
I ran into a similar issue before; try using whoami.
The current user IS admin. Windows supports multiple users (although only one live one at a time). What you can do is query for the users logged on and choose the interactive one.
Lists of potential users
wmic PATH Win32_SystemUsers get /format:List
wmic PATH WIN32_UserAccount get /format:List
wmic PATH WIN32_Account get /format:List
All the users logged on, incl. system accounts.
NB Administrators will have two logons - one as a limited user and one elevated.
wmic PATH Win32_LoggedOnUser get /format:List
To find info about the logon types
wmic PATH Win32_LogonSession get /format:list
List of logon types - you want 2.
LogonType
Data type: uint32
Access type: Read-only
Numeric value that indicates the type of logon session.

Value  Name                      Meaning
0                                Used only by the System account.
2      Interactive               Intended for users who are interactively using the machine, such as a user being logged on by a terminal server, remote shell, or similar process.
3      Network                   Intended for high-performance servers to authenticate clear text passwords. LogonUser does not cache credentials for this logon type.
4      Batch                     Intended for batch servers, where processes can be executed on behalf of a user without their direct intervention; or for higher performance servers that process many clear-text authentication attempts at a time, such as mail or web servers. LogonUser does not cache credentials for this logon type.
5      Service                   Indicates a service-type logon. The account provided must have the service privilege enabled.
6      Proxy                     Indicates a proxy-type logon.
7      Unlock                    This logon type is intended for GINA DLLs logging on users who are interactively using the machine. This logon type allows a unique audit record to be generated that shows when the workstation was unlocked.
8      NetworkCleartext          Preserves the name and password in the authentication packages, allowing the server to make connections to other network servers while impersonating the client. This allows a server to accept clear text credentials from a client, call LogonUser, verify that the user can access the system across the network, and still communicate with other servers.
9      NewCredentials            Allows the caller to clone its current token and specify new credentials for outbound connections. The new logon session has the same local identity, but uses different credentials for other network connections.
10     RemoteInteractive         Terminal Services session that is both remote and interactive.
11     CachedInteractive         Attempt cached credentials without accessing the network.
12     CachedRemoteInteractive
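An added example (not from the answer above, nor from the first question on this page, though it speaks to both): a PowerShell script that joins Win32_LoggedOnUser to Win32_LogonSession, the same WMI classes the wmic commands above query, so that each logged-on user is listed with the type of logon session they hold. It picks out the interactive sessions (type 2, or 10 for RDP) that the logon script wants instead of %username%, and flags the Network (3) and Batch (4) sessions which, per the LogonUser documentation quoted above, carry no cached credentials and therefore cannot authenticate onward to a file share (the double-hop situation from the first question). Only the numeric-to-name mapping and the output format are my own; no account names are assumed.

```powershell
# Added example: list logged-on users with the type of their logon session,
# using the same classes as "wmic PATH Win32_LoggedOnUser" / "Win32_LogonSession".
$LogonTypeNames = @{
    0 = 'System'; 2 = 'Interactive'; 3 = 'Network'; 4 = 'Batch'; 5 = 'Service'
    6 = 'Proxy'; 7 = 'Unlock'; 8 = 'NetworkCleartext'; 9 = 'NewCredentials'
    10 = 'RemoteInteractive'; 11 = 'CachedInteractive'; 12 = 'CachedRemoteInteractive'
}

function Get-LogonSessionUser {
    # Win32_LoggedOnUser is the association class: Antecedent is a Win32_Account
    # reference (Domain, Name), Dependent a Win32_LogonSession reference (LogonId).
    $sessions = @{}
    foreach ($s in Get-CimInstance Win32_LogonSession) { $sessions[$s.LogonId] = $s }

    foreach ($assoc in Get-CimInstance Win32_LoggedOnUser) {
        $s = $sessions[$assoc.Dependent.LogonId]
        if (-not $s) { continue }
        $type = [int]$s.LogonType
        [pscustomobject]@{
            User            = '{0}\{1}' -f $assoc.Antecedent.Domain, $assoc.Antecedent.Name
            LogonId         = $s.LogonId
            LogonType       = $type
            LogonTypeName   = $LogonTypeNames[$type]
            StartTime       = $s.StartTime
            # Network (3) and Batch (4) logons have no cached credentials per the
            # LogonUser documentation, so processes in them cannot reach a remote
            # share as that user (double hop). Other types are listed as "True"
            # without asserting anything about the mechanism behind them.
            HasNetworkCreds = -not ($type -in 3, 4)
        }
    }
}

# Interactive users only (console or RDP). Under UAC an administrator shows up
# with two sessions, restricted and elevated, each with its own LogonId.
$interactive = Get-LogonSessionUser |
    Where-Object { $_.LogonType -in 2, 10 } |
    Sort-Object User, LogonId -Unique

$interactive | Format-Table User, LogonId, LogonTypeName, StartTime, HasNetworkCreds -AutoSize

# For the logon/lock/unlock task in the question: report the most recently
# started interactive session's user rather than %username% (the task's account).
$current = $interactive | Sort-Object StartTime -Descending | Select-Object -First 1
"{0:yyyy-MM-dd HH:mm:ss}`t{1}`t{2}" -f (Get-Date), $current.User, $env:COMPUTERNAME
```

Run it from the scheduled task with "Run whether user is logged on or not" and it still resolves the console user, because the query is system-wide rather than bound to the task's own token.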

Account to grant permissions for SQL Server Reporting Services?

I am setting up a new instance of Report Server on a new box and need to create a couple new roles. The problem is that I don't have permissions to access /reports or /reportserver:
/reports: User '<username>' does not have required permissions. Verify that sufficient permissions have been granted and Windows User Account Control (UAC) restrictions have been addressed.
/reportserver: The permissions granted to user '<username>' are insufficient for performing this operation. (rsAccessDenied)
The domain user through which I am trying to access these has been granted full local admin rights. I would assume there might be a ReportServer user group in Local Users and Groups, but one doesn't exist.
The service account is the built-in account 'Network Service'. I'm not sure if that's relevant.
Any idea how I'd access the server to begin granting these permissions?
Did you assign the permissions for the user on the report folder level? Doing this via report management URL (with Internet Explorer) by clicking the little arrow to the right of the report folder and selecting permissions.
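An added example, not part of this answer or of the rsAccessDenied question earlier on the page: assigning the folder-level permission described here through the ReportService2010 SOAP endpoint instead of clicking through Report Manager. This is useful when the only account with rights is the elevated local Administrator and Internet Explorer is not at hand. The server URL, the native-mode `/ReportServer` path and the account being granted are assumptions; the call must be made from a session that already has Content Manager on the folder, which on a default install means an elevated PowerShell ("Run as administrator") as a member of the local Administrators group.

```powershell
# Added example: grant an account the Content Manager role on the SSRS root
# folder via the ReportService2010 web service. Run elevated on the server.
# ASSUMPTIONS: server URL (native mode) and the account being granted.
$ReportServerUrl = 'http://reportserver/ReportServer'
$GrantTo         = 'MachineName\Administrator'
$RoleName        = 'Content Manager'
$ItemPath        = '/'          # root folder; children inherit unless overridden

$rs = New-WebServiceProxy -Uri "$ReportServerUrl/ReportService2010.asmx?wsdl" -UseDefaultCredential
$ns = $rs.GetType().Namespace   # proxy classes (Policy, Role) live in a generated namespace

# Read the item's current policies. GetPolicies has an out parameter that
# reports whether the item inherits from its parent; [ref] supplies it.
$inherit  = $false
$policies = @($rs.GetPolicies($ItemPath, [ref]$inherit))

$existing = $policies | Where-Object { $_.GroupUserName -eq $GrantTo }
if ($existing) {
    if ($existing.Roles.Name -notcontains $RoleName) {
        $role = New-Object ("$ns.Role"); $role.Name = $RoleName
        $existing.Roles = @($existing.Roles) + $role
    }
} else {
    $role   = New-Object ("$ns.Role");   $role.Name = $RoleName
    $policy = New-Object ("$ns.Policy"); $policy.GroupUserName = $GrantTo; $policy.Roles = @($role)
    $policies += $policy
}

# SetPolicies replaces the whole list, which is why existing entries are kept.
$rs.SetPolicies($ItemPath, $policies)

# Read back to verify.
$rs.GetPolicies($ItemPath, [ref]$inherit) |
    Select-Object GroupUserName, @{ n = 'Roles'; e = { $_.Roles.Name -join ', ' } }
```

Item roles such as Content Manager govern /Reports content; the Site Settings page and system-level actions use the separate system roles, which are read and written with GetSystemPolicies/SetSystemPolicies on the same proxy in the same way.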

Network drive is unavailable if mapped by service

I create a service which is defined to Log On as Administrator.
This service performs system("net use Z: \... /user:user password") and completes successfully.
If I (as Administrator) run "net use" I see Z: indeed added, but with status - unavailable.
I tried adding ImpersonateLoggedOnUser to the service, but that didn't help.
OS: Win XP
What am I missing?
ImpersonateLoggedOnUser doesn't impersonate the logon session from the user token, just the security context. CreateProcessAsUser, however, should be able to create a new process in the logon session associated with the specified user token.
Note that calling LogonUser to get a user token for CreateProcessAsUser won't work, because this token won't be in the same logon session as the logged-on user. You have to find one of the user's processes and duplicate its token.
Logon sessions are not well documented, but all you really need to know that each time a user is authenticated a distinct logon session is created, and that each such logon session has a distinct set of network drive mappings. Logon sessions are not the same as terminal services sessions.
In Windows Vista and above, two logon sessions are created when an administrative user logs in, one associated with the restricted token and one associated with the elevated token.
You can look up the logon session associated with a token using the GetTokenInformation function with the TokenStatistics option. The logon session is identified by the AuthenticationId LUID.
To make this work, your service would need to first figure out when a user has logged in, wait for a process associated with the new session to start, make sure it's not an elevated process, then duplicate the access token.
Instead, your best option is going to be to split the application into two components. One component will run as the user (you would probably launch this automatically using the Run key) and be responsible for mapping the network drive. It can contact the service to obtain any information it needs, either via a named pipe or a registry key.
Windows logs on Administrator and uses the logon token to start the service. If you logon interactively Windows creates a logon token for you. The two tokens are not related to each other. Mapped devices are mapped for one session/logon token, therefore if the service maps a device you do not see it in your logon session.
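An added example (mine, not from either answer above): a PowerShell script that lists the processes in each interactive logon session using Win32_SessionProcess, the association between Win32_LogonSession and Win32_Process. That is the lookup the first answer says a service would need before duplicating a user's token, and it also makes the two sessions an administrator gets under UAC visible side by side: the session hosting explorer.exe is the restricted one, which is the heuristic used here for picking a non-elevated process. The heuristic and the output layout are assumptions; no user or machine names are assumed.

```powershell
# Added example: processes grouped by interactive logon session, to locate a
# candidate process whose token could be duplicated, and to tell the restricted
# and elevated sessions of a UAC administrator apart.
function Get-InteractiveSessionProcess {
    # Interactive (2) and RemoteInteractive (10) logon sessions only.
    $sessions = @{}
    foreach ($s in Get-CimInstance Win32_LogonSession) {
        if ([int]$s.LogonType -in 2, 10) { $sessions[$s.LogonId] = $s }
    }

    # Win32_Process keyed by Handle, which is the class key the association
    # references carry (it holds the PID as a string).
    $procs = @{}
    foreach ($p in Get-CimInstance Win32_Process) { $procs[$p.Handle] = $p }

    # Win32_SessionProcess: Antecedent -> Win32_LogonSession, Dependent -> Win32_Process.
    $links = Get-CimInstance Win32_SessionProcess

    foreach ($logonId in $sessions.Keys) {
        $members = @(foreach ($l in $links) {
            if ($l.Antecedent.LogonId -eq $logonId) { $procs[$l.Dependent.Handle] }
        } | Where-Object { $_ })
        if ($members.Count -eq 0) { continue }

        # The session's owner, taken from one of its processes.
        $owner    = Invoke-CimMethod -InputObject $members[0] -MethodName GetOwner
        $explorer = $members | Where-Object { $_.Name -eq 'explorer.exe' } | Select-Object -First 1

        [pscustomobject]@{
            LogonId       = $logonId
            LogonType     = [int]$sessions[$logonId].LogonType
            User          = '{0}\{1}' -f $owner.Domain, $owner.User
            ProcessCount  = $members.Count
            # HEURISTIC (assumption): the shell runs unelevated, so the session
            # that hosts explorer.exe is the restricted one of a UAC admin pair.
            HostsExplorer = [bool]$explorer
            CandidatePid  = if ($explorer) { $explorer.ProcessId } else { $members[0].ProcessId }
            Processes     = ($members.Name | Sort-Object -Unique) -join ', '
        }
    }
}

Get-InteractiveSessionProcess | Format-List
```

A drive mapped by the service is attached to the service's own logon session, so it does not show up in any of the sessions listed here; a process started in the user's session (CreateProcessAsUser with a token duplicated from CandidatePid, as the first answer describes) is what makes the mapping appear for the user.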

Resources