Jump to content

Recommended Posts

Guest Kasparov
Posted

I am facing a weird problem. Any pointers are much appreciated.

 

I am using SSPI for authentication on Windows 2003 machine. On my

server side I am checking whether my SSPI context user is part of the

backup operators (BO) group. Now the check always returns me false

even though the user is present in the BO group on that machine.

 

Strange thing is if I do logonuser using the same username and

password (with which the client is running) on the server side and try

to check whether the logon user token is part of the BO group it

returns me TRUE ! Have also tried with administrator group but there

the functionality is as expected (both the times it returns me true) .

So I am not sure whats going on. I am pasting part of my code below:

 

**************

// At this point SSPI handshake is complete.

AcceptSecurityContext has returned 0.

 

// Initialise SID for the Backup Operators group

if ( AllocateAndInitializeSid( &NtAuthority,

2,

SECURITY_BUILTIN_DOMAIN_RID,

DOMAIN_ALIAS_RID_BACKUP_OPS,

0, 0, 0, 0, 0, 0,

&BOGroup ) == 0)

{

ret_val = GetLastError()

break

}

 

 

// Impersonate the context

ss = (*c->ImpersonateSecurityContext)(&c->hContext)

if (!SEC_SUCCESS(ss))

{

ret_val = E_CORBA_AUTH_FAILURE

break

}

 

// Fetch username with domain name from the SSPI context

 

HANDLE hToken = NULL

PTOKEN_USER ptiUser = NULL

DWORD cbti = 0

SID_NAME_USE snu

 

 

 

// Check group permissions

 

if (!CheckTokenMembership( NULL, BOGroup, &bIsMember)) //

Check whether part of the BO group

{

ret_val = GetLastError()

break

}

if (bIsMember)

{

sspiContext.isBO = true

}

else

{

}

 

 

// Do Logon user with the same credentials and impersonate to

fetch the access token

// here NDMPContext.username and password are of the same user

as obtained from SSPI context.

 

LogonAndImpersonateUser( (const CHAR *)

(ndmpContext.username).c_str(), (const CHAR *)

(ndmpContext.passsword).c_str() )

 

 

if (!CheckTokenMembership( NULL, BOGroup, &bIsMember))

{

BE_Zprintf(0, TEXT("checkGroupMembership:

CheckTokenMembership returned %d\n"), GetLastError() )

}

if ( ndmpContext.isAnonymous || ( !ndmpContext.isAdmin && !

ndmpContext.isBO ))

{

BE_Zprintf( 0, TEXT( "SSPIAuthenticate: Authenticating

user is ANONYMOUS or not part of the administrator / BO group.

Rejecting..." ))

ret_val = E_CORBA_AUTH_FAILURE

break

}

 

 

**************

 

 

Thanks in advance,

Ganesh Tambat

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...