Impersonation in Visual Basic.NET in Windows 2000 w/o bypass secur

Guest

Hello.

I need a VB.NET example of how to impersonate a user, and then determine if
that user is an "Administrator" under Windows 2000 Professional. The
following article discusses this but says the example code will not work
under Windows 2000 due to default security policy and tells how to bypass the
security setting. I do not want to bypass the security setting. How do I do
this in VB.NET? I did have code that was able to do this on the same
operating system, but in VB6. It also did not need to bypass the security
setting. However, I found it too difficult to port it to VB.NET.

Thanks

The article I was referring to is
http://msdn.microsoft.com/library/d...ipalwindowsimpersonationcontextclasstopic.asp
 
Hi

Is the error you encounter the 1314 error, which means
ERROR_PRIVILEGE_NOT_HELD (you do not have the necessary privilege)?

If so, I think this is what the link means by why this did not work on Windows
2000.

You may look into the LogonUser API remark:

Windows 2000: The process calling LogonUser requires the SE_TCB_NAME
privilege. If the calling process does not have this privilege, LogonUser
fails and GetLastError returns ERROR_PRIVILEGE_NOT_HELD. In some cases, the
process that calls LogonUser must also have the SE_CHANGE_NOTIFY_NAME
privilege enabled; otherwise, LogonUser fails and GetLastError returns
ERROR_ACCESS_DENIED. This privilege is not required for the local system
account or accounts that are members of the administrators group. By
default, SE_CHANGE_NOTIFY_NAME is enabled for all users, but some
administrators may disable it for everyone. For more information about
privileges, see Privileges.

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secauthn/security/logonuser.asp


Based on my test, a VB6 application that calls LogonUser will also
fail with the 1314 error on Windows 2000.

Since we have different behavior, I have to confirm with you something.
Did you run the vb6 application and the vb.net application under the same
user account and on the same machine?

If no, you may have a try and let me know the result.

Otherwise, can you post the VB6 code that works on your Windows 2000 to do
the impersonation?


Best regards,

Peter Huang
Microsoft Online Partner Support

Get Secure! - www.microsoft.com/security
This posting is provided "AS IS" with no warranties, and confers no rights.
 
Hello Peter,

I didn't check which error I get, since the article tells me outright that
it won't work under Windows 2000 thus I never even tried. The bottom line is
I need the ability in my VB.NET application for someone to log in with
administrator rights even though they are actually not logged in as
administrator. Something like the "Run As" feature in Windows. Thus the
user would log into Windows as a "Power User" (not Admin), but when my
program is run I need to give them the ability to enter a valid Windows
Administrator account name and correct password. I then in my app. need to
determine if the user ID they entered is valid, is an administrator and that
the password is valid. I would then grant the user the ability to do certain
things in my program.

How do I do this in VB.NET in a Windows 2000 and XP environment WITHOUT
having to bypass the security (as the article mentions)?

By the way, my VB6 program actually doesn't impersonate. It uses the code
in the article "HOWTO: Validate User Credentials from Visual Basic by Using
SSPI" (Q279815) to validate a user's credentials.

It then uses the code from article "HOWTO: Use Microsoft Visual Basic to
Convert a Raw SID into a String SID" (Q286182) to determine if the associated
SID is that of an Administrator. The code that does this is shown below:

' yes, valid user. Now determine if they have administrator rights
' Convert_BIN_To_SDDL is the helper from Q286182; it returns the account SID as a
' string such as S-1-5-21-<domain part>-500, so element 7 after Split is the RID.
Sid = Convert_BIN_To_SDDL("", UserName)
SidParam = Split(Sid, "-")
' RID 500 is the built-in Administrator account. 544 is the Administrators group,
' whose SID is S-1-5-32-544 (element 3, not 7), and 1000 is only the first locally
' created account, so those two comparisons do not by themselves prove admin rights.
If SidParam(7) = "1000" Or SidParam(7) = "500" Or SidParam(7) = "544" Then
    CurrentUserIsAdministrator = True
End If

Thanks.
 
Hi

I think for a common user to do the impersonation on Windows 2000, we have to
use the RunAs service; we can use that by simply calling the runas.exe
command.
In this way, we have to write two separate exe files:
1. do the admin user/password check
2. runas.exe will run another exe file in the specified security
context (under the impersonated account)

For how to use runas, you may try typing runas in the command prompt
window; you will see the help.

If you still have any concern on this issue, please feel free to post here.

Best regards,

Peter Huang
Microsoft Online Partner Support

 
Hello.

That solution will not work. I need that capability within my program.
More specifically, what I need to do is as follows:

1. When logged in to Windows as "Power User" or "User" (i.e. not Administrator
level), run my program.
2. Allow the user in my program to do an auxiliary log in (e.g. prompt at
program start for user name/password). If the user enters a name different from
the one logged on to the computer, then check if the user ID/password is a
valid Windows user and whether they have Administrator privileges. If they do,
allow the user to do certain things (e.g. allow them to edit the values in a
configuration form).

It is VERY important that after I determine that an "Administrator" log in
was successful, that I "log out" so my application is no longer running under
the "Administrator" account, but is still running as the same user they
logged in as. This is because I am storing values to the Registry as the
original logged in user and if they are impersonating the "Administrator",
then the values I write out to the Registry will be under the "Administrator"
(e.g. wrong) account. Thus all I need to do is find out in a Log In screen
in my program if a valid "Administrator" account and proper password was
entered. My program does NOT need to run as an "Administrator". I am just
using this technique to verify that a user id/password entered in my program
is:

1. A valid "Administrator" account ID
2. A valid password was entered.

Thank you.
 
Hi

From your description, do you mean that you want to just validate whether a
username/password pair matches, without doing the impersonation?
If so I think you may try to take a look at the link below.
How to Validate a User Exists in a Windows NT Domain
http://www.4guysfromrolla.com/webtech/061202-1.shtml

You may read the section below in the link above.
Authenticating a User with ADSI

If you still have any concern, please feel free to post here.

Best regards,

Peter Huang
Microsoft Online Partner Support

 
Hello,

As I mentioned a few times in my previous messages, I need to validate a
user AND see if they have "administrator" level privileges. Also, the
application program will not be on a machine that is logged into a network.
Thus they are not necessarily authenticated by a "Server", thus will this
technique still work? If so, how do I determine if the ID is that of an
administrator (after validating them)? Also, is the VB.NET code illustrating
how to use ADSI (if it works on stand-alone PCs)? I get a "Cannot create
ActiveX component" error when calling the "GetObject" function as listed
in the ADSI example on the page you mentioned.

Please answer all of my questions individually and don't just respond to
one. Thanks for your help.
 
Hi,

I am now researching the issue, and I will get back here and update you
with new information ASAP.


Best regards,

Peter Huang
Microsoft Online Partner Support

 
Hi

I have consulted the security Team, this is the reply from a senior
engineer.

Collecting a user's credentials is against the Unified Logon/SSO requirement
(a requirement that the user should only be required to type their
credentials one time at the CTRL+ALT+DEL screen). It is important to make
sure that you cannot use some other method of authorization.

SSPI APIs can validate a user's credentials without any privilege requirement
for the caller. There is no managed interface for this.

If you have an access token, the following KB article describes, with C
sample code, how to check group membership:

How To Determine Whether a Thread Is Running in User Context of Local
Administrator Account
http://support.microsoft.com/default.aspx?scid=kb;en-us;118626

If your customer wants to implement business-rule style access policy,
check out Authz API or AzMan which permit a Resource Manager application to
do all these. There are samples in the SDK at
%MSSDK%\Samples\security\Authorization\authz

Authz API is available on Windows XP or Windows Server 2003.

For Windows 2000, you need to install
http://support.microsoft.com/default.aspx?scid=kb;en-us;821887 hotfix on
top of Windows 2000 Server SP4 to get authz.dll.

Since the sample is all written in C, I think if you want to use it in
VB.NET, it would be better to wrap the C code in a COM class and import it into .NET.

Hope this helps.

If you still have any concern, please feel free to post here


Best regards,

Peter Huang
Microsoft Online Partner Support

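An added VB.NET example (my code, not the thread's or Microsoft's) of the managed counterpart to the token check in KB 118626: LogonUser obtains a token for the entered name and password, WindowsPrincipal.IsInRole tests that token for Administrators membership, and the token is closed without ever impersonating, which is what the earlier post about registry writes asked for. On Windows 2000 LogonUser still requires SE_TCB_NAME, as quoted earlier in the thread, so that failure is raised as a Win32Exception rather than being reported as "not an administrator". The module and function names are mine; pass "." as the domain for a local account.

```vbnet
Imports System
Imports System.ComponentModel
Imports System.Runtime.InteropServices
Imports System.Security.Principal

' Added example (hypothetical module name): validates the entered credentials and
' checks Administrators membership on the resulting token without impersonating.
Public Module AdminCredentialCheck

    ' Win32 constants from winbase.h / winerror.h.
    Private Const LOGON32_LOGON_NETWORK As Integer = 3      ' cheapest logon type for a pure check
    Private Const LOGON32_PROVIDER_DEFAULT As Integer = 0
    Private Const ERROR_LOGON_FAILURE As Integer = 1326     ' unknown user name or bad password

    <DllImport("advapi32.dll", SetLastError:=True, CharSet:=CharSet.Unicode)> _
    Private Function LogonUser(ByVal lpszUsername As String, ByVal lpszDomain As String, _
                               ByVal lpszPassword As String, ByVal dwLogonType As Integer, _
                               ByVal dwLogonProvider As Integer, ByRef phToken As IntPtr) As Boolean
    End Function

    <DllImport("kernel32.dll", SetLastError:=True)> _
    Private Function CloseHandle(ByVal hObject As IntPtr) As Boolean
    End Function

    ' Returns True only if the name/password pair is valid AND that account is a
    ' member of the local Administrators group. A bad password returns False;
    ' any other failure (e.g. 1314 ERROR_PRIVILEGE_NOT_HELD on Windows 2000,
    ' where LogonUser needs SE_TCB_NAME) is thrown, so it is never mistaken for
    ' "valid user, not an administrator".
    Public Function IsValidAdministrator(ByVal userName As String, ByVal domain As String, _
                                         ByVal password As String) As Boolean
        Dim token As IntPtr = IntPtr.Zero
        If Not LogonUser(userName, domain, password, LOGON32_LOGON_NETWORK, _
                         LOGON32_PROVIDER_DEFAULT, token) Then
            Dim err As Integer = Marshal.GetLastWin32Error()
            If err = ERROR_LOGON_FAILURE Then Return False
            Throw New Win32Exception(err)
        End If
        Try
            ' WindowsPrincipal reads the token's group SIDs; the calling thread keeps
            ' its own identity, so later registry writes still go to the logged-on user.
            Dim principal As New WindowsPrincipal(New WindowsIdentity(token))
            Return principal.IsInRole(WindowsBuiltInRole.Administrator)
        Finally
            CloseHandle(token)   ' release the logon token as soon as the check is done
        End Try
    End Function

End Module
```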
 
Hello Peter,

Thanks for the information. This seems like an awful amount of work just to
simply validate a user and their ID and to see if they are an administrator.
So you're telling me there is no equivalent .NET code to do this? If not, I
would highly suggest this basic functionality be added to VB.NET 2005.

Thanks
 