Below:

> -----Original Message-----
> From: Danilo Almeida [mailto:[EMAIL PROTECTED]] 
> Sent: Wednesday, February 20, 2002 11:04 AM
> To: 'Mike Frisch'
> Cc: [EMAIL PROTECTED]
> Subject: RE: New cred cache breaks Win2k service
> 
> 
> This is by design.  As I recall, the original problem was this:
> 
> A process doing impersonation cannot start a program as the 
> user being impersonated because the process level tokens are 
> the service's and not the user's.

In Windows, when a process is created, by default it shares the process
token of the calling process.  However, the server process can duplicate
the impersonation token to a primary token and assign this to the
process being spawned.  See the CreateProcessAsUser API in MSDN for more
information.




_______________________________________________
Kerberos mailing list
[EMAIL PROTECTED]
http://mailman.mit.edu/mailman/listinfo/kerberos

Reply via email to