IIS Extension and token delegation?


Sten Westerback

Hi

I am constructing an IIS Extension for the purpose of providing Web pages
based on queries to a system running in another NT Service. The service
runs either on the IIS server or on a separate one and currently communicates
properly with interactive clients over a named pipe.

Now I'm having a problem: when I try to connect to the pipe creator
from inside an IIS Extension, IIS just locks up completely and I don't
see any marks of any connection attempts.

The problem is that GetUserName() does retrieve the account of the
current user, p_ecb->ServerSupportFunction(p_ecb->ConnID,
HSE_REQ_GET_IMPERSONATION_TOKEN, &hToken, 0, 0) also
returns something other than INVALID_HANDLE_VALUE and I could
do SetThreadToken(GetCurrentThread(), hToken). But after that the
CreateFile fails.

/* hToken: handle obtained via HSE_REQ_GET_IMPERSONATION_TOKEN above; returns FALSE on failure */
ImpersonateLoggedOnUser(hToken);
/* SECURITY_SQOS_PRESENT must accompany SECURITY_IMPERSONATION, otherwise CreateFile
   ignores the impersonation-level flag and applies its default instead. */
hpipe = CreateFile("\\\\.\\pipe\\SWeClientPipe", GENERIC_READ|GENERIC_WRITE,
0 /*FILE_SHARE_READ|FILE_SHARE_WRITE*/, NULL, OPEN_EXISTING,
FILE_ATTRIBUTE_NORMAL | SECURITY_SQOS_PRESENT | SECURITY_IMPERSONATION, NULL);

(BTW, I have tried both 0 and FILE_SHARE_READ|FILE_SHARE_WRITE
as the third parameter, and the pipe is of the Message type. Is 0 OK or
should one enable sharing?)

Authentication works properly with the normal interactive clients. The
service uses a NULL security descriptor on the pipe and uses GetUserName()
to find out who connected and ImpersonateNamedPipe() to perform authentication.

The idea would also be to keep the named pipe open and access it to handle
subsequent HTTP requests (up to a certain time of living inactively). I
guess that's possible somehow if I can just get the authentication thing to
work. Is the token of a not-good-enough type, or isn't second-hand
impersonation possible?

Would making the processing asynchronous help? I was planning to return
a small main page whenever the pipe opens up or fails, but now it just
locks up.

Who knows if it's even possible to delegate the IIS-provided access token
to another Service over a named pipe, or would I have to consider some
other alternative, and if so how?

- Sten
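The question above turns on what the client's token is allowed to do once the pipe server impersonates it. The following is an added demonstration, not the poster's code, written in PowerShell against the .NET named-pipe classes so that it runs on any Windows box without an IIS setup. It opens a local pipe server, connects a client twice with different requested impersonation levels (the .NET equivalent of SECURITY_SQOS_PRESENT | SECURITY_<level> in a raw CreateFile), and on the server side performs the two steps the post describes: read the connected user's name, then impersonate the client and try to open a securable object. The pipe name SWeClientPipe is taken from the post; the file path used as a probe and the function name are constructed here.

```powershell
# Added example (not from the original post): shows how the impersonation level
# a named-pipe client requests bounds what the server can do while impersonating it.
# Windows only; uses System.IO.Pipes from .NET. Pipe name from the post, rest constructed.

function Test-PipeImpersonation {
    param(
        [System.Security.Principal.TokenImpersonationLevel]$RequestedLevel
    )
    $pipeName = 'SWeClientPipe'
    # Server side: message-mode, single-instance, asynchronous so we can accept
    # and connect from the same thread.
    $server = New-Object System.IO.Pipes.NamedPipeServerStream(
        $pipeName,
        [System.IO.Pipes.PipeDirection]::InOut,
        1,
        [System.IO.Pipes.PipeTransmissionMode]::Message,
        [System.IO.Pipes.PipeOptions]::Asynchronous)
    try {
        $accept = $server.WaitForConnectionAsync()

        # Client side: the last argument is the SQOS impersonation level, i.e. what
        # SECURITY_SQOS_PRESENT | SECURITY_IDENTIFICATION / SECURITY_IMPERSONATION
        # expresses in CreateFile's dwFlagsAndAttributes.
        $client = New-Object System.IO.Pipes.NamedPipeClientStream(
            '.', $pipeName,
            [System.IO.Pipes.PipeDirection]::InOut,
            [System.IO.Pipes.PipeOptions]::None,
            $RequestedLevel)
        $client.Connect(5000)
        $accept.Wait()

        # Server side, step 1: who connected (GetNamedPipeHandleState under the hood).
        $result = [ordered]@{
            Requested      = $RequestedLevel
            ClientName     = $server.GetImpersonationUserName()
            EffectiveLevel = $null
            CanOpenFile    = $null
            Error          = $null
        }

        # Server side, step 2: ImpersonateNamedPipeClient and act as the caller.
        $server.RunAsClient([System.IO.Pipes.PipeStreamImpersonationWorker]{
            $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
            $result['EffectiveLevel'] = $id.ImpersonationLevel
            try {
                # Opening a securable object while impersonating succeeds at
                # Impersonation level and is refused at Identification level
                # (ERROR_BAD_IMPERSONATION_LEVEL, 1346). Probe path constructed here.
                $fs = [System.IO.File]::OpenRead("$env:windir\win.ini")
                $fs.Dispose()
                $result['CanOpenFile'] = $true
            } catch {
                $result['CanOpenFile'] = $false
                $result['Error'] = $_.Exception.GetBaseException().Message
            }
        })

        $client.Dispose()
        [pscustomobject]$result
    } finally {
        $server.Dispose()
    }
}

# Run both levels; compare EffectiveLevel and CanOpenFile between the two rows.
Test-PipeImpersonation -RequestedLevel Identification
Test-PipeImpersonation -RequestedLevel Impersonation
```

The same rule applies one hop earlier in the post's scenario: if the token IIS hands back through HSE_REQ_GET_IMPERSONATION_TOKEN is itself only identification-level, a thread impersonating it cannot open the pipe at all, and the CreateFile fails before the service ever sees a connection attempt. An impersonation-level token is sufficient for a pipe server on the same machine, but it cannot be used to authenticate to a pipe server on another machine; that second hop requires a delegation-level token.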
 