I'm using IX509PrivateKey to create a key for an X.509 cert request (as "NT AUTHORITY\NETWORK SERVICE"), and the Create method is generating an access denied (I'm P/Invoke-ing the dispatch interface from C#, so the HRESULT is getting translated to a .NET exception). Process Monitor also shows an access denied attempt to access the key file (the key file is being created).
Here's the actual code:
IX509PrivateKey privateKey = new CX509PrivateKey() as IX509PrivateKey;
privateKey.Length = request.KeyLength;
privateKey.ExportPolicy = X509PrivateKeyExportFlags.XCN_NCRYPT_ALLOW_EXPORT_FLAG;
privateKey.KeySpec = X509KeySpec.XCN_AT_SIGNATURE;
privateKey.KeyUsage = X509PrivateKeyUsageFlags.XCN_NCRYPT_ALLOW_ALL_USAGES;
privateKey.MachineContext = true;
privateKey.Create();
return privateKey;
If I create a user key set instead (by setting MachineContext to false), I see a "File Not Found" instead of "Access Denied". But ProcMon shows nothing; no attempt to access any key files.
In Process Monitor, I was able to determine that "Network Service" did not have access to the key file, so I used the IX509PrivateKey::SecurityDescriptor property to set it. "Network Service" indeed then had access to the key file, but I still received the access denied from Create, and ProcMon still showed an access denied attempt on the file.
Much TIA for any and all ideas.
The cause of this issue has been determined.
The call to IX509PrivateKey::Create was occurring within a web service. As a result, it was occurring under impersonation of IUSR. We edited ACLs enabling the wrong user. It turned out to be straightforward access denied, only for an obfuscated user account. This condition can be observed in ProcMon. ProcMon's "Detail" column will clearly indicate (you may have to enable "Advanced Output")that the call was under an impersonated user account.
In order to more tightly control the user account under which the call is made, and the CA is accessed, we moved the request out-of-process. The enrollment API calls are now made from their own Windows service, and exposed via WCF (net.tcp) to the web service running in IIS. That would be my recommendation for others. IMO, the risk of having another "moving part" is outweighed by the lack of control of making the calls within IIS.
Related
The goal is to have a service create a process which has the security context of a user whose password is not known.
I understand and accept the limitation that the new process will only be able to access local resources
I think I am close to a solution. Everything works fine so long as the user to be impersonated is in the local administrators group.
But if not I get an exception 0xc06d007e.
It seems the user to be impersonated lacks some permission or privilege that it has when it is in the administrators group.
But how can I find out what this missing right/permission/privilege is without by trial and error going through the thousands of permutations
get a token for the user to be impersonated
token = new WindowsIdentity("username#domain").Token
create a primary token
token2 = duplicatetokenex(token)
The process to be created is a simple console application and indeed I don't even need a console.
process_creation_flags.DETACHED_PROCESS
| process_creation_flags.CREATE_NO_WINDOW
| process_creation_flags.CREATE_NEW_PROCESS_GROUP
try to start the new process as the impersonated user
createprocessasuser(token2, "myapplication.exe" etc etc)`
As I say this works fine if username#domain is in the local admin group
otherwise I get exception 0xc06d007e I think when the new process is trying to start
As one of the steps towards creating the service, I was running the code as a console application and it was during that stage I was getting the exception mentioned above.
But I found that running the code as a service works fine!!
So I never found out why the user-to-be-impersonated (impersonatee?) needs to be in the local admin group when the impersonation is done from a console application.
I suspect it is something to do with sessions and / or desktops.
I have not found many discussions where the scenario is impersonating a user whose password you do not know. So I just want to re-assure anyone having problems that it is indeed possible and the main points are:
1) run the code as a service (with local system or a user with all the required privileges)
2) get the s4u token from windowsidentity (this will be an impersonation token if the call has the required privileges)
3) create a primary token from the impersonation token using duplicatetokenex
4) createprocessasuser using the token from 3
note the process will only have access to local resources
I got the super admin privileges for to my Google Account.
I need to get the list of all the chrome devices through an API.
I did enable Google Admin SDK but still facing some issues.
I copied the exact python script from Python Quickstart for checking but still getting error as
"googleapiclient.errors.HttpError: https://www.googleapis.com/admin/directory/v1/users?customer=my_customer&orderBy=email&alt=json&maxResults=10 returned "Insufficient Permission">"
When checked on Admin SDK API dashboard I can see 4xx errors for every call made from my python script.
When you run the sample you need to make sure that this step
The sample will attempt to open a new window or tab in your default browser. If this fails, copy the URL from the console and manually open it in your browser.
If you are not already logged into your Google account, you will be prompted to log in. If you are logged into multiple Google accounts, you will be asked to select one account to use for the authorization.
Is done from the Google account which has access to your admin account. The user you are logged in with now does not have access.
I managed to get Super Admin access of Google account and then grant access to my project for different scopes. The docs/ references are so confusing hence it took a while for me to figure it out. So under the admin console, we have to get into Security >> Advanced Settings >> Manage API Client Access(under Authentication) and then add the client name and the scopes(multiple scopes separated by commas) for which we need access. Client name is the client-id which we can get from the client-secretxxxxx.json file(downloaded while creating the oauth id).
NOTE :- You do NOT need super admin access it is just that I was new and the guy who gave me the initial access wasn't sure what has to be enabled across.
Also couldn't post as a comment due to the limitation of characters.
The Windows Task Scheduler can create tasks that run with the account of a particular user, without storing the user password. They call it "S4U", service for user. This should work something like the scheduler creates such a token for the current user and can use it to run the scheduled process under that user account. They claim that it cannot access network or encrypted resources with this system. The scheduler itself runs with the SYSTEM account for it to work. Here's an article that describes it. The relevant quote from it:
TASK_LOGON_S4U is yet another option that provides a more secure
alternative. It takes advantage of a service for user (S4U) logon to
run the task on behalf of the specified user, but without having to
store the password. Since the Task Scheduler runs within the local
system account, it can create a S4U logon session and receive a token
that can not only be used for identification, but also for
impersonation on the local computer. Normally a S4U token is only good
for identification.
I need to use this authentication scheme in my application, but can't let the Task Scheduler do it but need to do it myself, because I need it for any number of accounts. Whenever a user registers a task with my application, any followup tasks must run under the same user. But since they cannot overlap, I need to do the serialisation myself.
I cannot find any information about this "S4U" thing. How could I implement it in my application? C# preferred, but WINAPI and C is okay.
Update: This is what I've tried, and it doesn't work.
// The WindowsIdentity(string) constructor uses the new
// Kerberos S4U extension to get a logon for the user
// without a password.
WindowsIdentity wi = new WindowsIdentity(identity);
WindowsImpersonationContext wic = null;
try
{
wic = wi.Impersonate();
// Code to access network resources goes here.
}
catch()
{
// Ensure that an exception is not propagated higher in the call stack.
}
finally
{
// Make sure to remove the impersonation token
if( wic != null)
wic.Undo();
}
But I've got the impression now, that you can't just say you want to be a certain user. Not even as System. You need to be logged in as that user and can generate some token that allows you to become that user later again, without the password. So this must be a two-step thing, first I need to get the token and store it on disk; later I can use that token to impersonate. None of the examples explains this.
"The computer may not be joined to the domain"
S4U requires access to a KDC. S4U is actually two protocols. S4U2Self and S4U2Proxy. What it is doing is using an addition to Kerberos to get service tickets for a user, but that account that goes and gets the ticket has to have a special delegation enabled on it. See here for this set up.
But unless you are actually letting the process die etc, why not just get the users service ticket or TGT? Is your application local or is it a service running remote to the user?
Task scheduler needs to go get a new one because a service ticket isn't valid forever. Or in some delegation schemes the user hasn't passed a service ticket to the Application Server and then the AS goes and requests and service ticket via S4U2Self, and then uses that service ticket to request a ticket to a second service via S4U2Proxy.
I’m trying to save a file like this:
FileStream file =
new FileStream(“C:\\temp”, FileMode.Create, System.IO.FileAccess.Write);
Byte[] bytes = new byte[file.Length];
File.Read(bytes, 0, (int)file.Length);
File.Write(bytes, 0, bytes.Length);
File.Close();
File.Close();
I then get this error:
Access to the path ‘C:\temp’ is denied. Description: An unhandled
exception occurred during the execution of the current web request.
Please review the stack trace for more information about the error and
where it originated in the code.
Exception Details: System.UnauthorizedAccessException: Access to the
path ‘C:\temp’ is denied.
ASP.NET is not authorized to access the requested resource. Consider
granting access rights to the resource to the ASP.NET request
identity. ASP.NET has a base process identity (typically
{MACHINE}\ASPNET on IIS 5 or Network Service on IIS 6 and IIS 7, and
the configured application pool identity on IIS 7.5) that is used if
the application is not impersonating. If the application is
impersonating via , the identity will be
the anonymous user (typically IUSR_MACHINENAME) or the authenticated
request user. To grant ASP.NET access to a file, right-click the
file in File Explorer, choose “Properties” and select the Security
tab. Click “Add” to add the appropriate user or group. Highlight the
ASP.NET account, and check the boxes for the desired access.
I’ve done this on both my Windows 7 and Windows 8 machines and got the same error message. I’ve changed the administrator role on the pc, given full control to all users, removed the ‘Read Only’ attribute from the file and still got the same error. I even tried using a thumb drive.
I also noticed that after removing the ‘Read-Only’ attribute from the file, it always returns as if the setting did not take.
I also tried this fix with the Windows 7 machine: http://fixmywin.com/fix-windows-7-access-denied-error-and-permission-ownership-problem/...but still the same errors. I gave up after about fie hours with this problem. How can I fix this?
Thanks for any help!
Look in IIS at the ApplicationPool the site is running under, select "Advanced Settings" and find the user the App Pool is using. This will typically be "NETWORK SERVICE" unless you have specifically changed it. Then, right click on the folder c:\temp >> Properties >> Security and add "NETWORK SERVICE" (or other user) with "Modify", "Full Control" or the appropriate permissions for your app.
I am new to vista and not a advanced programmer. From past few days i am trying to digest many technical details about vista. But still i have few basic questions on it. Hope you all will be help me in getting the answers for my questions.
Can we create a interactive process(which is having a embedded manifest file with "invokeAsAdministrator") from a service which is running under Local system account?
Here i know about the session 0 isolation and all.Still i am asking this question because, when i create a interactive process through CreateProcessAsUser(which requires admin privileges) it is failing with error 740. While using this i have given proper session id. The session id is that of my active desktop, where my user login as administrative privilages.
If the process can be created does that show up the UAC dialog?
If the UAC dialog shows up, can we avoid this?
It is well understandable problem. Local account has no privelegies of admin. The only thing you can do is impersonation. Temporary you emulates another account (in your case it is admin). Example of this technique you can find in MSDN for topic WindowsIdentity.Impersonate ( http://msdn.microsoft.com/en-us/library/chf6fbt4.aspx )
EDIT
Sorry, only after post noticed that you use vc++,
On Win API use ImpersonateLoggedOnUser
The createprocessasuser is failing in my case because by default when we query for the user token for the users desktop session I was getting a restricted token that was created for the user (for administrators two tokens are created 1)restricted token 2) full token; any how my application can be run only by administrators).
By browsing the net i have found that i have to find for linked token and use that token for creation of process.
The code for creation of process from service can be found in the following question:
Desktop problem with using CreateProcessAsUser from a service on Vista