Microsoft KB Archive/232513


PRB: LogonUser Fails in ISAPI Extensions


Q232513

-

The information in this article applies to:


 * Microsoft Windows NT Server versions 4.0, 4.0 SP4
 * Microsoft Windows NT Workstation versions 4.0, 4.0 SP4

-

SYMPTOMS
An ISAPI extension runs in the security context of the authenticated user. If the extension needs to reach resources that this user cannot access, you can call LogonUser inside the extension to log another account on to the local computer, and then call ImpersonateLoggedOnUser to impersonate that account, which does have the required permissions. However, the call to LogonUser fails and GetLastError returns ERROR_ACCESS_DENIED, even though the authenticated user holds the SE_TCB_NAME privilege and the SE_CHANGE_NOTIFY_NAME privilege (the latter is enabled for Everyone by default).

CAUSE
LogonUser opens the process token internally. While the thread is impersonating the authenticated user, that open is access-checked against the impersonation token, and the authenticated user normally has no access to the process token (for an in-process ISAPI extension the process runs as SYSTEM). The open therefore fails, and LogonUser fails with ERROR_ACCESS_DENIED.

RESOLUTION
As a temporary workaround, call RevertToSelf to return the thread to the security context of the process token before calling LogonUser. For an in-process ISAPI extension that context is SYSTEM, so impersonate a token on the thread again immediately afterwards; the thread must not keep running as the local system any longer than necessary. Save the authenticated user's token first so that it can be put back on the thread when the work is done.

    #include <windows.h>

    BOOL   bThreadToken  = FALSE;
    HANDLE hThreadToken1 = NULL;   // impersonation token of the authenticated user
    HANDLE hThreadToken2 = NULL;   // pseudo-handle for the current thread
    HANDLE hLogonToken   = NULL;   // token returned by LogonUser

    // Save the current thread token. TOKEN_IMPERSONATE is required so the
    // handle can later be put back with SetThreadToken. If this open fails
    // for a low-privilege client, pass TRUE for OpenAsSelf so the access
    // check is done against the process token instead.
    if ( OpenThreadToken( GetCurrentThread(), TOKEN_IMPERSONATE, FALSE, &hThreadToken1 ) )
    {
        // Return to the process context (SYSTEM for an in-process ISAPI
        // extension) so that LogonUser can open the process token.
        RevertToSelf();
        bThreadToken = TRUE;
    }

    // Impersonate another user account.
    // Ensure the SID associated with the process holds the SE_TCB_NAME privilege.
    // The last parameter of LogonUser receives the new primary token; impersonate
    // it at once so the thread does not keep running as SYSTEM.
    if ( LogonUser( ..., &hLogonToken ) )
    {
        if ( ImpersonateLoggedOnUser( hLogonToken ) )
        {
            // ... access the resources the authenticated user cannot reach ...
        }
        // The thread keeps its own reference to the impersonation token, so the
        // handle from LogonUser can be closed here.
        CloseHandle( hLogonToken );
    }

    // Restore the original thread token (this also runs if LogonUser failed,
    // so the thread never stays in the SYSTEM context).
    if ( bThreadToken )
    {
        hThreadToken2 = GetCurrentThread();
        SetThreadToken( &hThreadToken2, hThreadToken1 );
        CloseHandle( hThreadToken1 );
    }

STATUS
Microsoft has confirmed this to be a problem in the Microsoft products that are listed at the beginning of this article.

MORE INFORMATION
Modifying the impersonation token in an out-of-process (OOP) ISAPI extension is not supported under IIS 4.0, because of bugs that can cause problems with impersonation tokens. The workaround above therefore does not apply to OOP ISAPI extensions.

Never grant the SE_TCB_NAME privilege ("Act as part of the operating system") to the IUSR_MACHINE or IWAM_MACHINE account, and never add either account to the Administrators group. Either change would expose serious security problems: any code that runs as the anonymous or out-of-process IIS account would then effectively have full control of the computer.
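The following script is an added check, not part of this article, for the rule above: it reports whether the IUSR_MACHINE or IWAM_MACHINE account holds SeTcbPrivilege or belongs to the local Administrators group. It assumes a current Windows host with PowerShell 5.1 or later, secedit.exe and the Microsoft.PowerShell.LocalAccounts module (none of which exist on Windows NT 4.0), and that the accounts follow the IUSR_<COMPUTERNAME>/IWAM_<COMPUTERNAME> naming convention used here.

```powershell
# Added example (not from the KB article). Run from an elevated prompt:
# secedit /export requires administrative rights.
# Assumptions: PowerShell 5.1+, secedit.exe, Microsoft.PowerShell.LocalAccounts,
# and IIS accounts named IUSR_<COMPUTERNAME> / IWAM_<COMPUTERNAME>.

$machine  = $env:COMPUTERNAME
$accounts = @("IUSR_$machine", "IWAM_$machine")

# Export the user-rights assignment section of the local security policy
# and pick out the SeTcbPrivilege line ("Act as part of the operating system").
$cfg = Join-Path $env:TEMP 'secpol-user-rights.inf'
& secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$tcbLine = Get-Content $cfg | Where-Object { $_ -match '^SeTcbPrivilege\s*=' }
Remove-Item $cfg -ErrorAction SilentlyContinue

# secedit writes principals either as names or as SIDs prefixed with '*';
# translate SIDs to account names so they can be compared.
$tcbHolders = @()
if ($tcbLine) {
    $tcbHolders = ($tcbLine -split '=', 2)[1].Trim() -split ',' | ForEach-Object {
        $p = $_.Trim()
        if ($p.StartsWith('*')) {
            try {
                $sid = New-Object System.Security.Principal.SecurityIdentifier($p.Substring(1))
                $sid.Translate([System.Security.Principal.NTAccount]).Value
            } catch { $p }   # unresolvable SID: keep it as-is
        } else { $p }
    }
}

# Current membership of the local Administrators group.
$admins = Get-LocalGroupMember -Group 'Administrators' |
          Select-Object -ExpandProperty Name

foreach ($acct in $accounts) {
    if (-not (Get-LocalUser -Name $acct -ErrorAction SilentlyContinue)) {
        Write-Output "${acct}: not present on this host"
        continue
    }
    # Names may appear with or without a MACHINE\ prefix.
    $hasTcb  = $tcbHolders | Where-Object { $_ -eq $acct -or $_ -like "*\$acct" }
    $isAdmin = $admins     | Where-Object { $_ -eq $acct -or $_ -like "*\$acct" }

    if ($hasTcb)  { Write-Warning "$acct holds SeTcbPrivilege; remove it from the user-rights assignment." }
    if ($isAdmin) { Write-Warning "$acct is a member of Administrators; remove it from the group." }
    if (-not $hasTcb -and -not $isAdmin) { Write-Output "${acct}: OK" }
}
```

Only the two IIS accounts named in the article are checked; if a site uses a differently named anonymous account, add it to the $accounts list.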

Additional query words:

Keywords : kbGrpDSInetServer

Issue type : kbprb

Technology : kbWinNTsearch kbWinNTWsearch kbWinNTW400 kbWinNTW400search kbWinNT400xsearch kbWinNTW400sp4 kbWinNTSsearch kbWinNTS400sp4 kbWinNTS400xsearch kbWinNTS400