locked
ImpersonateLoggedOnUser strange behaviour RRS feed

  • Question

  • Hi,

    I've a Windows Vista Enterprise machine which is under domain Test2k3.com. The domain controller in on Windows 2003 server. I've created a website on Vista with Web server IIS 7.0. I've also created a user IUSER_qhAdmin500 which is a plain user. All CGIs run in the context of the user.

    Now my CGI (test.CGI) calls a function to check whether a domain user belongs to administrator group or not. The CGI calls a function in a separate DLL for validation. The validation code Calls LogonUser to get access token. On the token it calls ImpersonateLoggedOnUser.

    The problem is that when I try to validate using "administrator" account the function returns immediately to CGI after ImpersonateLoggedOnUser without giving success or failure. But it doesn't happen when I try to validate user with any other account.

    See logs when validating with administrator account:

    testCGI _tmain Entry
    testCGI _tmain domain (test2k3.com), username (administrtor), password (Microsoft1)
    testCGI _tmain Loading netenum library...
    testCGI _tmain Library loaded.
    netenum ValidateDomainUser Start
    netenum ValidateDomainUser Input UserName: administrator@test2k3.com
    netenum ValidateDomainUser Before ADsOpenObject
    netenum ValidateDomainUser Domain name : LDAP://test2k3.com
    netenum ValidateDomainUser Before Imporsonate
    netenum ValidateDomainUser User : (administrator@test2k3.com) Password : (Microsoft1)
    netenum Imporsonate Start (Entry).
    netenum Imporsonate pcszUserName: (administrator@test2k3.com) pcszPassword: (Microsoft1)
    netenum Imporsonate Before calling LogonUserW...
    netenum Imporsonate After LogonUserW (000000D4)
    netenum Imporsonate Before calling  ImpersonateLoggedOnUser
    testCGI _tmain ValidateDomainUser failed
    testCGI _tmain Exit

    Logs with other account validation

    testCGI _tmain Entry
    testCGI _tmain domain (test2k3.com), username (tryout), password (Microsoft1)
    testCGI _tmain Loading netenum library...
    testCGI _tmain Library loaded.
    netenum ValidateDomainUser Start
    netenum IsLDAPPresent Start
    netenum IsLDAPPresent LDAP:// is not present
    netenum ValidateDomainUser Before ADsOpenObject
    netenum Domain Name :  LDAP://Test2k3.com
    netenum ValidateDomainUser Before Imporsonate
    netenum ValidateDomainUser User : (testadmin@test2k3.com) Password : (Microsoft1)
    netenum Imporsonate Start.
    netenum Imporsonate pcszUserName: (testadmin@test2k3.com) pcszPassword: (Microsoft1)
    netenum Imporsonate Before calling LogonUserW...
    netenum Imporsonate Before calling DuplicateTokenEx...
    netenum Imporsonate After calling DuplicateTokenEx.
    netenum Imporsonate Before calling ImpersonateLoggedOnUser...
    netenum Imporsonate After calling ImpersonateLoggedOnUser.
    netenum Imporsonate End.
    netenum ValidateDomainUser After Imporsonate
    netenum ValidateDomainUser Domain : (Test2k3.com) User : (testadmin)
    netenum ValidateDomainUser Before NetUserGetInfo
    netenum ValidateDomainUser Imporsonate success
    netenum ValidateDomainUser After NetUserGetInfo
    netenum ValidateDomainUser  testadmin@test2k3.com is AdministratorLoggedOnUser
    testCGI _tmain Exit

    Here is the snapshot taken using process explorer describing privileges of the process in both cases.

    Anyone please suggest me what I am missing.

    Warm Regards


    • Edited by abhay4u Monday, November 5, 2012 10:27 AM
    Monday, November 5, 2012 10:26 AM

All replies