Reputation: 193
SSPI: acquire credentials for another user from a process running with local admin privileges
I am running a process with loacl admin privilege in Windows and trying to obtain a credential handle for another user using AcquireCredentialsHandle . It is possible to pass in SEC_WINNT_AUTH_IDENTITY structure with user info ( e.g. user, domain, password) and obtain the handle. I have verified it. Without the SEC_WINNT_AUTH_IDENTITY passing only the pszPrincipal does not work.
I wonder is there any other way one can do it without providing the user password?
I am running the following scenario:
- Client obtains a kerberos token using UPN and sends it to server
- Server tries to acquire the credential handle (AcquireCredentialsHandle) using UPN of the client.
Any suggestions please?
Upvotes: 0
Views: 437
Answers (1)
Reputation: 4623
You normally don't get to request a ticket on behalf of other users. That would be a very dangerous security issue.
There are two ways around this.
Use S4U2Self which is where the application requests a ticket to themselves using the passed in username, which will get them a ticket on behalf of the user to themselves. This lets you see things like user group membership. You need to be running as
SYSTEMor haveSeImpersonatePrivilegeto do this.Use S4U2Proxy aka protocol transition which is where the application requests a ticket for another service using the passed in username. This lets you impersonate the user based only on the name, and must be explicitly granted to the server and target by AD. This is an incredibly dangerous privilege because you're allowing your application to have the equivalent rights as a KDC.
Unfortunately this is a fairly complicated bit of code so it's not shareable in this post as-is. You can find a sample application here: https://github.com/SteveSyfuhs/DelegatedAuthentication
The gist of the process is:
- Client sends username to service.
- Service is configured for
SeImpersonatePrivilegeorSeTcbPrivilege(meaning running asSYSTEM) - Service calls
LsaLogonUserand passes just the username, returning an NT token handle. - Service calls
SetThreadTokenwith the token from (3). - Service calls
AcquireCredentialsHandlewithout any credentials (uses default SSO creds). - Service calls
InitializeSecurityContext - Service sends token to target server
Upvotes: 2
Related Questions
- Starting another process with elevation using different user credentials
- Getting handles to the credentials of a domain user from a process launched by a local user on Windows 10
- Logical workflow steps for CreateProcessAsUser to ImpersonateLoggedOnUser and DuplicateHandle all to run a command as the user?
- support kerberos constrained delegation using SSPI for multiprocess
- Client/Server app, how to create process on remote system as a domain user without transferring that users username/password to the remote system?
- How to logon a user on a server and run a process given a Kerberos Ticket
- Launch a process under another user's credentials
- Run process with admin credentials
- How to run a separate process as a domain user with a 'local system' service?
- How do you pass user credentials from one process to another for Impersonation in .NET 1.1?