What determines the Integrity level (UAC) when doing SSPI Impersonation? RRS feed

  • Question

  • When using the core Microsoft SSPI authentication packages (Negotiate, Kerberos, NTLM) and the API functions ImpersonateSecurityContext() and QuerySecurityContextToken() at the "server" end:

    What determines the "Integrity Level" (UAC status) of the access token provided by SSPI?

    In particular, if the authenticated remote user is an Administrator what determines if the access token is a limited user access token or a full administrator access token?

    Also, is there a way to get a pair of "linked access tokens" (TokenLinkedToken), one limited, the other Administrator?

    In testing I have found that at least sometimes, the access token is a limited access token not linked with a full access token, but I have found no documentation on the rules (and thus how I might obtain the full token where needed)?

    • Edited by 74JBlw Tuesday, August 8, 2017 8:22 AM Clarified a phrase
    Tuesday, August 8, 2017 2:19 AM