IIS Server Security - Re: Authentication using Distinguished name instead of Certificate


Daniel Corbett

2005-12-22, 5:57 pm

I know who they are because I have gotten this DN from a trusted source over
an SSL connection. I am trying to simulate having gotten the users
certificate. If necessary, I could grab all the components and re-create
the certificate, but I would still have the same issue.

I am trying to use LsaLogonUser with KERB_S4U_LOGON to impersonate the user
but I am now getting this error:

"specified logon session does not exist. It may already have been
terminated. (1312)."

I am using a "domain account" which has SeTcbPrivilege enabled, and am
requesting an impersonation token. I have also made sure the user is a
member of the "Pre-Windows 2000 compatible Access" group on the Domain.

"Ken Schaefer" wrote:

> Daniel,
>
> I'm a bit confused as well. Authentication occurs when you marry a user
> identity (e.g. a username, in this case the DN) with the corresponding
> "secret" (this is usually a password, or some kind of token like a
> certificate). Given that you have the username only, how do you intend to
> authenticate the user? How do you know the user is who they say they are?
>
> Cheers
> Ken
>
>
> "Daniel Corbett" <mrinalexandria@nospam.nospam> wrote in message
> news:E6823E0A-6B99-4F47-B4BF-1A386B811C63@microsoft.com...
> :I DO want to implement a pass-through authentication feature by myself. Instead of
> : authenticating on a client certificate, I want to authenticate based on
> the
> : Distinguished name contained in a header in the client request. For
> : security purposes there is also a certificate contained in the request,
> : however, I am only using that to verify the validity of the connection,
> not
> : to authenticate the user who originally sent the HTTP request.
> :
> : ""Yuan Ren[MSFT]"" wrote:
> :
> : > Hi,
> : >
> : > Welcome to Microsoft newsgroup!
> : >
> : > >How can I logon / impersonate the user / grab the appropriate "ticket"
> : > without the password?
> : > >"This is what IIS does when it does certificate based login, however,
> in
> : > this case, I do not have the full certificate."
> : >
> : > IIS has client certificate authentication. However in this scenario, we
> do
> : > need to provide each authenticated user account's password which is
> stored
> : > into IIS metabase. The below article explains how this feature works in
> IIS
> : > 5.0:
> : > http://support.microsoft.com/defaul...;313070&sd=tech
> : >
> : > >"I need to authenticate against active directory and log a user on to
> : > Sharepoint. In order to reduce SSL load and support edge server caching
> we
> : > are using a persistent shared SSL connection."
> : >
> : > I'm not very clear about what you want to achieve. Could you please
> explain
> : > the whole scenario more clearly? It sounds like you want to implement a
> : > pass-through authentication feature by yourself? What authentication
> method
> : > you want to use? Is SSL used for encryption only or you also want it to
> : > implement client cert authentication?
> : >
> : > Regards,
> : >
> : > Yuan Ren [MSFT]
> : > Microsoft Online Support
> : >
> : >
>
>
>

Copyright 2003 - 2008 webservertalk.com