PRB: LogonUser Fails in ISAPI Extensions (232513)

The information in this article applies to:

  • Microsoft Windows NT Server 4.0
  • Microsoft Windows NT Server 4.0 SP4
  • Microsoft Windows NT Workstation 4.0
  • Microsoft Windows NT Workstation 4.0 SP4
  • Microsoft Internet Server Application Programming Interface (API)

This article was previously published under Q232513

SYMPTOMS

An ISAPI extension runs in the security context of the authenticated user. If the extension needs to access resources that this user cannot access, you can call LogonUser inside the extension to log another user on to the local computer, and then call ImpersonateLoggedOnUser to impersonate that user, who has the required access permission. However, the call to LogonUser fails and GetLastError returns ERROR_ACCESS_DENIED, even though the authenticated user holds the SE_TCB_NAME privilege and the SE_CHANGE_NOTIFY_NAME privilege (the latter is enabled for Everyone by default).

CAUSE

LogonUser internally opens the token of the calling process. While the thread is impersonating the authenticated user, that open is checked against the impersonated user's access rights, and the authenticated user generally has no access to the process token (for an in-process ISAPI extension the process runs as SYSTEM). The open therefore fails, and LogonUser returns ERROR_ACCESS_DENIED regardless of which privileges the authenticated user holds.

RESOLUTION

As a temporary workaround, call RevertToSelf to return the thread to the security context of the process token before calling LogonUser. For ISAPI extensions running in-process, that context is SYSTEM, so you should immediately impersonate some token on the thread (the newly logged-on user, or the saved client token if the logon fails) so that the thread does not run as the local system any longer than necessary. Save the authenticated user's token before reverting and restore it once the privileged work is done, so the rest of the request runs under the client's identity.

#include <windows.h>

BOOL   bThreadToken = FALSE;
HANDLE hThreadToken1 = NULL;  // the authenticated user's impersonation token
HANDLE hLogonToken   = NULL;  // token for the account logged on below

// Save the current thread token. OpenAsSelf is TRUE so the access check is
// made against the process context rather than the impersonated client, which
// also works when the client token is only at identification level.
if( OpenThreadToken(GetCurrentThread(), TOKEN_IMPERSONATE | TOKEN_QUERY, TRUE, &hThreadToken1) )
{
   // Drop the client's token; the thread now runs as the process (SYSTEM for inproc).
   RevertToSelf();
   bThreadToken = TRUE;
}

// Log on and impersonate the account that has access to the resource.
// The process account (SYSTEM for an inproc ISAPI) must hold SE_TCB_NAME.
// lpUser, lpDomain and lpPassword are supplied by the extension; the account
// needs the "Log on locally" right for LOGON32_LOGON_INTERACTIVE.
if( LogonUser(lpUser, lpDomain, lpPassword, LOGON32_LOGON_INTERACTIVE,
              LOGON32_PROVIDER_DEFAULT, &hLogonToken) &&
    ImpersonateLoggedOnUser(hLogonToken) )
{
   // ... access the resource here while impersonating the logged-on account ...
}
else
{
   // Record the failure; the thread is still SYSTEM at this point, so fall
   // through to the restore below rather than returning early.
   DWORD dwError = GetLastError();
}

// Restore the original thread token. This also ends the impersonation of the
// logged-on account; NULL selects the current thread.
if( bThreadToken )
{
   SetThreadToken( NULL, hThreadToken1 );
   CloseHandle( hThreadToken1 );
}
if( hLogonToken != NULL )
{
   CloseHandle( hLogonToken );
}

STATUS

This behavior is by design. More information on how to call LogonUser can be found in the help file for this API.

MORE INFORMATION

Modifying the impersonation token for out-of-process (OOP) ISAPI extensions is not supported under IIS 4.0 because of bugs that can affect impersonation tokens. The workaround above therefore does not apply to OOP ISAPI extensions.

Never add the SE_TCB_NAME privilege ("Act as part of the operating system") to either the IUSR_MACHINE or IWAM_MACHINE account, and never add either of them to the Administrators group. Either change would let any anonymous web request run code that can log on arbitrary accounts or take full control of the server, which is a serious security exposure.
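The following script is an added example and is not part of the KB article. It audits a web server for the two conditions the paragraph above says must never hold: IUSR_<machine> or IWAM_<machine> holding SeTcbPrivilege, or either account being a member of the local Administrators group. It assumes secedit.exe and net.exe are available (Windows 2000 and later) and that the anonymous and out-of-process accounts use the default IIS names; adjust $accounts if your server uses different ones.

```powershell
# Added example, not from the KB article. Checks that the IIS anonymous and
# out-of-process accounts neither hold SeTcbPrivilege nor sit in Administrators.
# Assumes secedit.exe and net.exe exist and the default IIS account names.
$accounts = @("IUSR_$env:COMPUTERNAME", "IWAM_$env:COMPUTERNAME")

# secedit lists privilege holders by SID, so resolve each account name first.
$sids = @{}
foreach ($name in $accounts) {
    try {
        $sid = (New-Object System.Security.Principal.NTAccount($name)).Translate(
                   [System.Security.Principal.SecurityIdentifier]).Value
        $sids[$name] = $sid
    } catch {
        Write-Warning "Account $name does not exist on this machine"
    }
}

# Export the local security policy and read the SeTcbPrivilege assignment line.
# Entries look like "SeTcbPrivilege = *S-1-5-...,*S-1-5-..."; a missing line
# means nobody holds the privilege.
$cfg = Join-Path $env:TEMP 'secpol-export.inf'
secedit /export /cfg $cfg /quiet | Out-Null
$tcbHolders = @()
foreach ($line in (Get-Content $cfg)) {
    if ($line -match '^SeTcbPrivilege\s*=\s*(.*)$') {
        $tcbHolders = $Matches[1] -split ',' | ForEach-Object { $_.Trim().TrimStart('*') }
    }
}
Remove-Item $cfg -ErrorAction SilentlyContinue

# Read Administrators membership from "net localgroup": member names follow
# the dashed separator line and end before the "command completed" line.
$adminOut = @(net localgroup Administrators)
$skip = 0
for ($i = 0; $i -lt $adminOut.Count; $i++) {
    if ($adminOut[$i] -match '^-+$') { $skip = $i + 1; break }
}
$admins = $adminOut | Select-Object -Skip $skip |
          Where-Object { $_ -and $_ -notmatch 'completed successfully' } |
          ForEach-Object { $_.Trim() }

$bad = $false
foreach ($name in $sids.Keys) {
    if ($tcbHolders -contains $sids[$name]) {
        Write-Host "FAIL: $name holds SeTcbPrivilege (Act as part of the operating system)"
        $bad = $true
    }
    if ($admins -contains $name -or $admins -contains "$env:COMPUTERNAME\$name") {
        Write-Host "FAIL: $name is a member of the local Administrators group"
        $bad = $true
    }
}
if (-not $bad) {
    Write-Host "OK: neither account holds SeTcbPrivilege or belongs to Administrators"
}
```

Run it from an elevated prompt, since secedit /export requires administrative rights. The check looks at the privilege assignment by SID rather than by name so that it still catches the case where the privilege was granted to the account before it was renamed.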

Modification Type: Major    Last Reviewed: 5/12/2003
Keywords:kbhttp kbprb KB232513