How CreateProcessAsUser on Windows Using Delegated Credentials from SSPI?

蓝咒 submitted on 2021-01-27 16:16:34

Question


I work on a Kerberos logon infrastructure (Single Sign-On) with:

  1. A client which is authenticated to the Kerberos Key Distribution Center.
  2. A principal service server using Kerberos as authentication.

The server program is coded in C++.

I have no problem creating a context between my principal (client) and my service principal (server). I also delegated my client credentials to the server, because I need to create a process on the server using client user credentials.

And this is my problem: on the server side, I have an SSPI context and I need to call CreateProcessAsUser using a Windows type pHandle.

I do not know how to use my SSPI credentials to create on my server a process as the client user.

I took a look at LsaLogonUser, which seems to do what I want (create a handle from Kerberos user credentials), but my problem is the same: I do not know how to use the SSPI token with LsaLogonUser.

Thanks in advance for your help.


Answer 1:


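Though it is very late, you could obtain a token by doing the following:

// Requires <security.h> with SECURITY_WIN32 defined; link with Secur32.lib.
HANDLE tempHandle = NULL;
// QuerySecurityContextToken returns a SECURITY_STATUS: SEC_E_OK (0) means success,
// so compare against SEC_E_OK instead of negating the return value.
if (QuerySecurityContextToken(hctxt, &tempHandle) != SEC_E_OK)
{
  MyDbg("Could not obtain token for user");
}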
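
Added example, not part of the original answers: one way to carry the token from the server-side SSPI context through to CreateProcessAsUser, in C. `launch_as_client` is a hypothetical helper; it assumes the context is fully established and that the service account holds the privileges CreateProcessAsUser requires, and off Windows it only reports "not supported".

```c
#include <stddef.h>            /* wchar_t, NULL */
#ifdef _WIN32
#define SECURITY_WIN32
#include <windows.h>
#include <security.h>          /* link with Secur32.lib and Advapi32.lib */
#endif

/* launch_as_client is a hypothetical helper, not an API from the thread.
 * ctx: established server-side context (a PCtxtHandle, passed as void *).
 * cmdline: writable command-line buffer, as CreateProcessAsUserW requires.
 * Returns 0 on success, otherwise a Win32 or SSPI error code. */
unsigned long launch_as_client(void *ctx, wchar_t *cmdline)
{
    if (ctx == NULL || cmdline == NULL)
        return 87UL;                       /* ERROR_INVALID_PARAMETER */
#ifdef _WIN32
    HANDLE ctx_token = NULL, primary = NULL;
    STARTUPINFOW si = { sizeof(si) };
    PROCESS_INFORMATION pi = { 0 };
    unsigned long rc = 0;

    /* Returns a SECURITY_STATUS: SEC_E_OK (0) means success. */
    SECURITY_STATUS ss = QuerySecurityContextToken((PCtxtHandle)ctx, &ctx_token);
    if (ss != SEC_E_OK)
        return (unsigned long)ss;

    /* CreateProcessAsUser needs a primary token, so duplicate the
     * context token as TokenPrimary with only the rights it requires. */
    if (!DuplicateTokenEx(ctx_token,
                          TOKEN_QUERY | TOKEN_DUPLICATE | TOKEN_ASSIGN_PRIMARY,
                          NULL, SecurityImpersonation, TokenPrimary, &primary)) {
        rc = GetLastError();
    } else if (!CreateProcessAsUserW(primary, NULL, cmdline, NULL, NULL,
                                     FALSE, 0, NULL, NULL, &si, &pi)) {
        rc = GetLastError();               /* e.g. 1314: privilege not held */
    } else {
        CloseHandle(pi.hThread);           /* child keeps running */
        CloseHandle(pi.hProcess);
    }
    if (primary != NULL)
        CloseHandle(primary);
    CloseHandle(ctx_token);
    return rc;
#else
    return 50UL;                           /* ERROR_NOT_SUPPORTED off Windows */
#endif
}
```

Both token handles are closed on every path, so a failed launch does not leave a client token open in the service process.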



Answer 2:


I just posted a question regarding something related to what you are doing. I am using a session 0 Windows service to launch an application into session 1. The code I used (and asked about) is included in that post, and works well except that paths normally available to a user in session 1 are not accessible when launched this way. In any case, even though I have some questions about this code, I hope it can start you on the right path.

Ryyker




Answer 3:


I finally found a solution to my problem.

The best way to do it is to:

  1. Write the delegated credentials to a temporary file.
  2. Set the KRB5CCNAME environment variable to the path of this file.

It works ;)



Source: https://stackoverflow.com/questions/16854543/how-createprocessasuser-on-windows-using-delegated-credentials-from-sspi
