How to create elevated administrator token from LSA authentication package

  • Question

  • Hi,

    I have an LSA authentication package which basically works fine.  I have just
    a problem with users in the administrators group.

    When such an admin user logs in the package returns the token information for
    a full administrators token to the LSA.  But the token created by the LSA is always
    a token with only medium integrity level and reduced privilege set.  This does not
    happen for the built-in Administrator user, but for every other admin account.

    This behaviour is fine for the default case but not for every case.  While it's simple
    to elevate the token in the logon process after the call to LsaLogonUser, there's
    apparently no chance to revert that token to the full privilege set for an admin.

    So, what I'd like to do is to create a full administrative token right from the LSA
    authentication package.  However, I fail to see a way for the authentication package
    to tell the LSA to create an elevated token with high integrity and the full set of
    privileges.  Am I just missing something or is that in fact not possible?


    Corinna
    Saturday, November 11, 2006 9:13 PM

Answers

  • Case closed.

    I found that the elevated token is returned by

    GetTokenInformation (new_token, TokenLinkedToken, [...]);


    Corinna
    Sunday, November 12, 2006 6:04 PM
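    As an added example (not code from the original thread, and not part of any LSA
    package), the following PowerShell script P/Invokes GetTokenInformation to do what
    the answer above describes from the other side of the fence: from an ordinary
    process instead of from inside lsass.  It reads the current token's elevation type
    and integrity level, retrieves the other half of the logon with TokenLinkedToken,
    and reports what kind of token came back.  The check on the returned token's type
    is there for a reason that matters to the later replies in this thread: a caller
    without SeTcbPrivilege receives the linked token as an identification-level
    impersonation token, so a medium-integrity process can inspect the high-integrity
    token of its own logon but cannot hand it to CreateProcessAsUser; code running as
    the LSA or as SYSTEM holds SeTcbPrivilege and gets a usable token.  The TokenApi
    class and the Get-*/Show-* function names are this example's own.

```powershell
# Added example: inspect the current process token and fetch its UAC linked token.
# Not code from the original thread; TokenApi and the Get-*/Show-* functions are
# this example's own names. Runs on Windows PowerShell 5.1 or PowerShell 7 on Windows.
if (-not ('TokenApi' -as [type])) {
    Add-Type -TypeDefinition @"
using System;
using System.Runtime.InteropServices;
public static class TokenApi {
    // TOKEN_INFORMATION_CLASS members used below
    public const int TokenType               = 8;
    public const int TokenImpersonationLevel = 9;
    public const int TokenElevationType      = 18;
    public const int TokenLinkedToken        = 19;
    public const int TokenIntegrityLevel     = 25;
    public const uint TOKEN_QUERY            = 0x0008;
    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool OpenProcessToken(IntPtr ProcessHandle, uint DesiredAccess, out IntPtr TokenHandle);
    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool GetTokenInformation(IntPtr TokenHandle, int TokenInformationClass,
        IntPtr TokenInformation, int TokenInformationLength, out int ReturnLength);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool CloseHandle(IntPtr hObject);
}
"@
}

$Marshal = [Runtime.InteropServices.Marshal]

function Get-TokenInfoBuffer {
    # Two-pass GetTokenInformation: size query, allocate, real query. Caller frees the buffer.
    param([IntPtr]$Token, [int]$Class)
    $needed = 0
    [void][TokenApi]::GetTokenInformation($Token, $Class, [IntPtr]::Zero, 0, [ref]$needed)
    if ($needed -eq 0) { throw "GetTokenInformation(class $Class) size query failed: $($Marshal::GetLastWin32Error())" }
    $buf = $Marshal::AllocHGlobal($needed)
    if (-not [TokenApi]::GetTokenInformation($Token, $Class, $buf, $needed, [ref]$needed)) {
        $err = $Marshal::GetLastWin32Error()
        $Marshal::FreeHGlobal($buf)
        throw "GetTokenInformation(class $Class) failed: $err"
    }
    return $buf
}

function Get-TokenInt32 {
    # For classes whose buffer is a single DWORD/enum (elevation type, token type, level).
    param([IntPtr]$Token, [int]$Class)
    $buf = Get-TokenInfoBuffer $Token $Class
    try { $Marshal::ReadInt32($buf) } finally { $Marshal::FreeHGlobal($buf) }
}

function Get-TokenIntegrityRid {
    # TOKEN_MANDATORY_LABEL begins with a PSID; the SID's last sub-authority is the level:
    # 0x1000 low, 0x2000 medium, 0x3000 high, 0x4000 system.
    param([IntPtr]$Token)
    $buf = Get-TokenInfoBuffer $Token ([TokenApi]::TokenIntegrityLevel)
    try {
        $sidPtr = $Marshal::ReadIntPtr($buf)
        $sid = New-Object System.Security.Principal.SecurityIdentifier -ArgumentList $sidPtr
        [int]$sid.Value.Split('-')[-1]
    } finally { $Marshal::FreeHGlobal($buf) }
}

function Get-LinkedToken {
    # TOKEN_LINKED_TOKEN is a single HANDLE that the caller owns and must close.
    param([IntPtr]$Token)
    $buf = Get-TokenInfoBuffer $Token ([TokenApi]::TokenLinkedToken)
    try { $Marshal::ReadIntPtr($buf) } finally { $Marshal::FreeHGlobal($buf) }
}

function Show-LinkedToken {
    $hToken = [IntPtr]::Zero
    $hProc = [Diagnostics.Process]::GetCurrentProcess().Handle
    if (-not [TokenApi]::OpenProcessToken($hProc, [TokenApi]::TOKEN_QUERY, [ref]$hToken)) {
        throw "OpenProcessToken failed: $($Marshal::GetLastWin32Error())"
    }
    try {
        $elev = Get-TokenInt32 $hToken ([TokenApi]::TokenElevationType)
        $elevName = @{ 1 = 'Default (no split token)'; 2 = 'Full'; 3 = 'Limited' }[$elev]
        'Current token: elevation type {0}, integrity RID 0x{1:X}' -f $elevName, (Get-TokenIntegrityRid $hToken)
        if ($elev -eq 1) { 'No linked token for this logon (UAC off, or built-in Administrator).'; return }
        $hLinked = Get-LinkedToken $hToken
        try {
            $type = Get-TokenInt32 $hLinked ([TokenApi]::TokenType)   # 1 primary, 2 impersonation
            if ($type -eq 1) {
                $kind = 'primary token (caller holds SeTcbPrivilege)'
            } else {
                # Without SeTcbPrivilege the linked token arrives as an impersonation token at
                # SecurityIdentification (1): fine for inspection, unusable for CreateProcessAsUser.
                $lvl = Get-TokenInt32 $hLinked ([TokenApi]::TokenImpersonationLevel)
                $kind = "impersonation token, level $lvl"
            }
            'Linked token:  {0}, integrity RID 0x{1:X}' -f $kind, (Get-TokenIntegrityRid $hLinked)
        } finally { [void][TokenApi]::CloseHandle($hLinked) }
    } finally { [void][TokenApi]::CloseHandle($hToken) }
}

Show-LinkedToken
```

    Run it once from a normal shell and once from an elevated one: the limited token
    reports medium integrity (0x2000) with a high-integrity (0x3000) linked token, and
    the elevated token reports the reverse, which is the two-token split the answer
    above relies on.  Running it as SYSTEM (for instance under PsExec -s) shows the
    linked token arriving as a primary token instead of an identification-level one.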

All replies

  • It is by design that LsaLogonUser returns the non-elevated version of the user's tokens.
    Otherwise, the door to elevation without consent is wide open for malware that enticed the user to release his credentials.

    An authentication package returning the linked token would essentially disable UAC for all tokens created by this package.

    Monday, November 13, 2006 8:31 PM
  • But you can't use this token for CreateProcessAsUser, can you?

    Sunday, September 9, 2007 6:32 PM
  • hasley wrote:

    > But you can't use this token for CreateProcessAsUser, can you?

    You can use the linked token in calls to CreateProcessAsUser just fine.

    It wouldn't be of much use otherwise, would it?

    Corinna

    Tuesday, September 25, 2007 1:11 PM
  • Thank you, Corinna!
    Wednesday, January 9, 2013 4:19 PM