Impersonating a specific thread
| Tony Proctor 2004-06-26, 10:16 am |
| I need a little help with getting an IIS thread (well, actually a DLLHOST
one) to impersonate the same account as another thread is doing.

My situation is as follows: our application involves a VB6 component. This
accepts a number of special "admin" requests which have to be synchronised
and marshalled across the remaining currently active IIS threads. They also
have to synchronize with external DCOM servers, but that's irrelevant to
this description.

The incoming admin request is handled, in the normal way, by a thread
impersonating the client-side user. The code in the other threads is
marshalled using a private Windows message, though, and so no impersonation
occurs. The code therefore executes in the native IWAM account and causes
resource-access problems.

What I would like to do is get each 'other' thread to adopt the same
impersonation token as the source thread. Each 'other' thread currently
knows the ID of the source thread.

What I've tried is getting those threads to open the source thread, in order
to derive a thread handle from the thread ID, and then call OpenThreadToken
to retrieve its current token. The idea would then have been to call
SetThreadToken, RevertToSelf, CloseHandle, etc. However, the OpenThreadToken
fails with error 1008, "An attempt was made to reference a token that does
not exist".

Any ideas what I might be doing wrong?

Tony Proctor
| |
| Tony Proctor 2004-06-26, 10:16 am |
| Ignore this. I've found the problem...two in fact:
1) I was using the wrong thread ID to fetch the current impersonation token.
Hence, there wasn't one active. duh!
2) The standard VB declaration for DuplicateToken is incorrect. The
SECURITY_IMPERSONATION_LEVEL parameter should be passed by value, not by
reference.
....thanks for listening anyway
Tony Proctor
"Tony Proctor" <tony_proctor@aimtechnology_NOSPAM_.com> wrote in message
news:exUgp4UWEHA.1164@tk2msftngp13.phx.gbl...
> I need a little help with getting an IIS thread (well, actually a DLLHOST
> one) to impersonate the same account as another thread is doing.
>
> My situation is as follows: our application involves a VB6 component. This
> accepts a number of special "admin" requests which have to be synchronised
> and marshalled across the remaining currently active IIS threads. They
> also have to synchronize with external DCOM servers, but that's irrelevant
> to this description.
>
> The incoming admin request is handled, in the normal way, by a thread
> impersonating the client-side user. The code in the other threads is
> marshalled using a private Windows message, though, and so no
> impersonation occurs. The code therefore executes in the native IWAM
> account and causes resource-access problems.
>
> What I would like to do is get each 'other' thread to adopt the same
> impersonation token as the source thread. Each 'other' thread currently
> knows the ID of the source thread.
>
> What I've tried is getting those threads to open the source thread, in
> order to derive a thread handle from the thread ID, and then call
> OpenThreadToken to retrieve its current token. The idea would then have
> been to call SetThreadToken, RevertToSelf, CloseHandle, etc. However, the
> OpenThreadToken fails with error 1008, "An attempt was made to reference a
> token that does not exist".
>
> Any ideas what I might be doing wrong?
>
> Tony Proctor
>
>
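
The sequence discussed in this thread, written out as VB6 declarations and a helper for a standard module. This is an added example, not code from the original poster: `AdoptTokenOf` and `StopImpersonating` are hypothetical names, and it assumes the source thread is still impersonating when the helper runs.

```vb
' Added example, not the poster's code. AdoptTokenOf and StopImpersonating
' are hypothetical helper names.
Option Explicit

Private Const THREAD_QUERY_INFORMATION As Long = &H40
Private Const TOKEN_DUPLICATE As Long = &H2
Private Const SecurityImpersonation As Long = 2   ' SECURITY_IMPERSONATION_LEVEL value

Private Declare Function OpenThread Lib "kernel32" (ByVal dwDesiredAccess As Long, _
    ByVal bInheritHandle As Long, ByVal dwThreadId As Long) As Long
Private Declare Function OpenThreadToken Lib "advapi32" (ByVal ThreadHandle As Long, _
    ByVal DesiredAccess As Long, ByVal OpenAsSelf As Long, TokenHandle As Long) As Long
' The level is an enum passed by value; only the output handle is by reference.
Private Declare Function DuplicateToken Lib "advapi32" (ByVal ExistingTokenHandle As Long, _
    ByVal ImpersonationLevel As Long, DuplicateTokenHandle As Long) As Long
' First argument is a pointer to a thread handle; 0 (NULL) means the calling thread.
Private Declare Function SetThreadToken Lib "advapi32" (ByVal Thread As Long, _
    ByVal Token As Long) As Long
Private Declare Function RevertToSelf Lib "advapi32" () As Long
Private Declare Function CloseHandle Lib "kernel32" (ByVal hObject As Long) As Long

' Returns 0 on success, otherwise the Win32 error code of the call that failed.
Public Function AdoptTokenOf(ByVal SourceThreadId As Long) As Long
    Dim hThread As Long, hToken As Long, hDup As Long

    hThread = OpenThread(THREAD_QUERY_INFORMATION, 0&, SourceThreadId)
    If hThread = 0 Then AdoptTokenOf = Err.LastDllError: Exit Function

    ' Error 1008 here means that thread is not impersonating at this moment.
    If OpenThreadToken(hThread, TOKEN_DUPLICATE, 1&, hToken) = 0 Then
        AdoptTokenOf = Err.LastDllError
    ElseIf DuplicateToken(hToken, SecurityImpersonation, hDup) = 0 Then
        AdoptTokenOf = Err.LastDllError
    ElseIf SetThreadToken(0&, hDup) = 0 Then
        AdoptTokenOf = Err.LastDllError
    End If

    ' The thread holds its own reference to the token; close every handle.
    If hDup <> 0 Then CloseHandle hDup
    If hToken <> 0 Then CloseHandle hToken
    CloseHandle hThread
End Function

' Call when the marshalled work is done, so a pooled thread does not keep
' running as the client. False means the thread is still impersonating.
Public Function StopImpersonating() As Boolean
    StopImpersonating = (RevertToSelf() <> 0)
End Function
```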