I have a website in IIS which has been configured to run with Windows
Authentication and I have <identity impersonate="true" /> in my
web.config.

I know that my configuration works correctly as when I look at the
identity under which the thread is running I can see that it is the
user's account.

My aim is to generate a security token to authenticate the user against
one of our single-sign-on (SSO) servers (written in-house). I am using
the SSPI samples (Microsoft Security SSPI Classes) which I downloaded
from your website to generate tokens in order to perform an SSPI
authentication with our SSO server.

The problem I have is that when a user logs on, although the thread in
IIS seems to run under the user's account, the SSPI call seems to
generate credentials for 'anonymous user'.

When I log on from the machine where IIS is running (and I am the
interactive user), the token is generated with my details, which is
the correct behaviour.

When I log on from another machine where I am the interactive user
(and IIS is still running on the original machine where I am the
interactive user) the token seems to be generated for 'anonymous
user'.

Is there a way I can get the call to AcquireCredentials and
subsequently to InitializeSecurityContext to yield a token relating to
the currently logged on user?

This is the signature for AcquireCredentials:

SECURITY_STATUS sResult = AcquireCredentialsHandle(
    // [in] name of principal. NULL = principal of current security context
    NULL,
    // [in] name of package
    pszPackageName,
    // [in] flags indicating use
    fCredentialUse,
    // [in] pointer to logon identifier. NULL = we're not specifying the id
    // of another logon session
    pszLogonID,
    // [in] package-specific data. NULL = default credentials for security package
    NULL,
    // [in] pointer to GetKey function. NULL = we're not using a callback to
    // retrieve the credentials
    NULL,
    // [in] value to pass to GetKey
    NULL,
    // [out] credential handle (this must be already allocated)
    this->credentialHandle,
    // [out] lifetime of the returned credentials
    &tsExpiry
);


Initially (for the above described symptoms), instead of pszLogonID
there was a NULL being passed in. I have tried to pass in a SID and
even the logon session id (LUID) but this causes the function to
return -2146893050 which I'm pretty sure is SEC_E_NOT_OWNER. I get this
error now, on the IIS machine as well as the remote machine.

Is there something I am missing here?
Can anyone help?
Who shot J.R.?

I hope Keith Brown is reading; I'm sure he'd sort this out in a flash.

________________________________________________
Kerberos mailing list           [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
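An added diagnostic for the situation described in the post (this is example code, not from the post or from the Microsoft SSPI sample classes; C#, assuming it runs on the impersonating ASP.NET request thread). It acquires an outbound credential exactly the way the call above does, with a NULL principal and NULL logon id, then asks SSPI via QueryCredentialsAttributes(SECPKG_CRED_ATTR_NAMES) which account that credential really belongs to, and reports it next to the impersonated thread identity, its token impersonation level and its authentication type. Logging this for a local and a remote logon shows directly whether the thread identity and the credential SSPI will present to the SSO server are the same account.

```csharp
using System;
using System.Runtime.InteropServices;
using System.Security.Principal;
// Assumed diagnostic helper, not code from the post or the SSPI samples.
public static class SspiCredentialCheck
{
    [StructLayout(LayoutKind.Sequential)] struct SecHandle { public IntPtr dwLower, dwUpper; }
    [StructLayout(LayoutKind.Sequential)] struct SecPkgCredentials_Names { public IntPtr sUserName; }

    const int SECPKG_CRED_OUTBOUND = 2;   // fCredentialUse: client-side (outbound) credential
    const int SECPKG_CRED_ATTR_NAMES = 1; // QueryCredentialsAttributes: account the credential belongs to
    const int SEC_E_OK = 0;

    [DllImport("secur32.dll", CharSet = CharSet.Unicode)]
    static extern int AcquireCredentialsHandle(string pszPrincipal, string pszPackage,
        int fCredentialUse, IntPtr pvLogonID, IntPtr pAuthData, IntPtr pGetKeyFn,
        IntPtr pvGetKeyArgument, ref SecHandle phCredential, ref long ptsExpiry);
    [DllImport("secur32.dll", CharSet = CharSet.Unicode)]
    static extern int QueryCredentialsAttributes(ref SecHandle phCredential, int ulAttribute,
        ref SecPkgCredentials_Names pBuffer);
    [DllImport("secur32.dll")] static extern int FreeContextBuffer(IntPtr pvContextBuffer);
    [DllImport("secur32.dll")] static extern int FreeCredentialsHandle(ref SecHandle phCredential);

    // Run on the impersonating request thread, e.g. Describe("Negotiate"), and log the result.
    public static string Describe(string package)
    {
        // The thread's identity: who it is, the token's impersonation level, and how they logged on.
        WindowsIdentity id = WindowsIdentity.GetCurrent();
        string thread = id.Name + " [" + id.ImpersonationLevel + ", " + id.AuthenticationType + "]";
        // Same call as in the post: NULL principal, NULL logon id, package default credentials.
        SecHandle cred = new SecHandle();
        long expiry = 0;
        int status = AcquireCredentialsHandle(null, package, SECPKG_CRED_OUTBOUND,
            IntPtr.Zero, IntPtr.Zero, IntPtr.Zero, IntPtr.Zero, ref cred, ref expiry);
        if (status != SEC_E_OK)
            return "thread=" + thread + " AcquireCredentialsHandle=0x" + status.ToString("X8");

        // Ask SSPI which account it will actually present when this credential is used.
        string user = "(query failed)";
        SecPkgCredentials_Names names = new SecPkgCredentials_Names();
        if (QueryCredentialsAttributes(ref cred, SECPKG_CRED_ATTR_NAMES, ref names) == SEC_E_OK)
        {
            user = Marshal.PtrToStringUni(names.sUserName);
            FreeContextBuffer(names.sUserName);
        }
        FreeCredentialsHandle(ref cred);
        return "thread=" + thread + " cred=" + user;
    }
}
```

A token whose ImpersonationLevel is only Impersonation (not Delegation) can be used on the web server itself but carries no credentials that SSPI can present to another machine, which is the distinction between the local and the remote logon cases in the post.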
