Network Share and User Authentication

#6166
Posted: 05/07/2008 12:10:14
by Sid Schipper (Standard support level)
Joined: 03/14/2008
Posts: 285

Hello, again.

We understand that Version 2.0 will extend the Virtual File System capability of CBFS to be a network redirector and in effect make your virtual disks into network shared drives.

We are eagerly awaiting this capability, although using the old CBFS, I was able to use Windows explorer to share my virtual drive over a network, so a rudimentary capability to do that was already there.

What I am wondering is if the new version will have more sophisticated capabilities, like user authentication and authorization?

The current version allows some of this capability by using GetOriginatorToken, etc., but obviously those functions are useless if the Open file is being done over a network share.
#6169
Posted: 05/07/2008 12:50:11
by Sid Schipper (Standard support level)
Joined: 03/14/2008
Posts: 285

Quote
Sid Schipper wrote:
The current version allows some of this capability by using GetOriginatorToken, etc., but obviously those functions are useless if the Open file is being done over a network share.


Actually I thought about this some more and GetOriginatorToken may do what I want already. So, I'm off to do some more experimentation and I'll let you know what I find out. Thank you again for all your help.
#6170
Posted: 05/07/2008 13:44:24
by Sid Schipper (Standard support level)
Joined: 03/14/2008
Posts: 285

OK, I ran an experiment and it told me that GetOriginatorToken already returns to me the necessary things that I need to authorize a user who is accessing a file over a network share. So, CBFS already has the capability I need for sharing my disk over a network. What more is CBFS version 2.0 going to give me?
#6172
Posted: 05/07/2008 14:58:24
by Sid Schipper (Standard support level)
Joined: 03/14/2008
Posts: 285

Quote
Sid Schipper wrote:
OK, I ran an experiment and it told me that GetOriginatorToken already returns to me the necessary things that I need to authorize a user who is accessing a file over a network share. So, CBFS already has the capability I need for sharing my disk over a network.


Well, I wasn't quite right about this. GetOriginatorToken only works with the local security database; it doesn't seem to have the capability of getting things from the Active Directory database that one would use for security on a network. So, as long as you have local users defined that correspond to the users that are accessing your Virtual Disk over the network, then things work OK, but that of course is a management nightmare. Will version 2.0 solve this problem?
#6173
Posted: 05/07/2008 16:56:42
by Sid Schipper (Standard support level)
Joined: 03/14/2008
Posts: 285

I did some further experimentation and found something quite interesting that I'm hoping you can explain to me. My explanation of it will be rather long because it is fairly complicated, but I hope you can understand it.

My computer is part of an Active Directory domain on our network. I also have a local user defined on my system that is not part of the domain. I have the CBFS driver installed on this system. I booted the system and the first user I logged in as was my local user "schipp". I ran my CBFS application under the Visual Studio Debugger and placed a breakpoint in the Open File callback, where I have code that uses GetOriginatorToken and GetTokenInformation to find out the account and domain names. I created my Virtual Disk and when I tried to open a file on it I got to the breakpoint and the account name was "schipp" and the domain name was the local machine name.

I then went into Windows Explorer and set up a network share for my Virtual Drive letter. I then went to another machine on our network and logged in as user "sid" and mapped the drive on my local machine to a network drive letter. On the network machine I opened a file on the virtual drive and I hit the breakpoint, but the account name was "schipp" and the domain was the local user machine.

I then logged off "schipp" (I did not reboot, I just logged off) and logged back on again as the administrator of the domain that both computers are connected to via Active Directory. The name of that account is "administrator". I then opened files on my virtual disk from both computers and the account name that I got in both cases was still "schipp" with the domain name being the local computer's name.

I then rebooted my system and immediately logged in as the administrator of the domain and tried the test again and this time the account names were "administrator" and "sid" and the domain name was the correct domain name from our Active Directory domain server.

So it seems like the CBFS Kernel Driver is sending back the originator token for the first user that logs in to the system after a reboot and if that user is part of the domain, it can also get the correct user for any machines accessing the drive over the network. I don't really understand why that is happening or if I am even making a correct conclusion from the sequence of events that occurred. Can you explain what happened to me?
#6174
Posted: 05/07/2008 17:43:35
by Sid Schipper (Standard support level)
Joined: 03/14/2008
Posts: 285

Sorry, I ran my tests again and I had an error in the callback routine that was causing me to misinterpret what was happening. What happens now is that I get the correct account name and domain name if the logged in user on my local machine is the administrator of the domain. If the logged in user is my local user, then that is the account name that I get from LookupAccountSid. It is not related to rebooting.
#6175
Posted: 05/07/2008 18:15:41
by Sid Schipper (Standard support level)
Joined: 03/14/2008
Posts: 285

Never mind! It was all my fault. Things are working exactly as I expect them to now. But, I still don't see what Version 2.0 will give me that I do not already have?
#6178
Posted: 05/08/2008 02:29:08
by Volodymyr Zinin (EldoS Corp.)

Hello,

Quote
Sid Schipper wrote:
I still don't see what Version 2.0 will give me that I do not already have?

I will answer you a bit later today.
#6181
Posted: 05/08/2008 13:25:12
by Eugene Mayevski (EldoS Corp.)

Active Directory authentication in your case is a bit out of scope of CBFS functionality. What you get is a security token, and that's all we can do at the moment; if you need more control, you should crunch the given token.

Version 2.0 won't offer any advancements in this aspect.


Sincerely yours
Eugene Mayevski
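The answer above leaves "crunching the token" to the application. As an added example that is not from this thread or from CBFS, the following PowerShell does the lookup the experiments above describe (token, user SID, LookupAccountSid, then the domain part of the result) using the .NET wrappers: WindowsIdentity holds the token and SecurityIdentifier.Translate performs the LookupAccountSid lookup. Passing the originator token's SID from a CBFS callback is an assumed usage; the default resolves the current process token.

```powershell
# Added example, not code from the thread or from CBFS. Resolves a token's
# user SID to "DOMAIN\account" and reports whether it was answered by the
# local security database or by Active Directory.

function Resolve-TokenAccount {
    param(
        # Assumed usage: a CBFS callback would pass the originator token's
        # user SID here; the default is the current process token's user.
        [System.Security.Principal.SecurityIdentifier]$Sid =
            [System.Security.Principal.WindowsIdentity]::GetCurrent().User
    )

    try {
        # Same lookup LookupAccountSid performs: local SAM first, then the
        # domain for SIDs the machine's domain trusts.
        $ntAccount = $Sid.Translate([System.Security.Principal.NTAccount]).Value
    } catch [System.Security.Principal.IdentityNotMappedException] {
        # Neither the local security database nor a reachable domain
        # controller knows this SID; treat the caller as unknown, not as
        # any local account.
        return [pscustomobject]@{
            Sid = $Sid.Value; Domain = $null; Account = $null; Scope = 'Unresolved'
        }
    }

    # Result has the form "DOMAIN\account"; split on the first backslash only.
    $domain, $account = $ntAccount -split '\\', 2

    $scope = if ($domain -ieq $env:COMPUTERNAME) {
        'Local'         # account from the local SAM, e.g. MACHINE\schipp
    } elseif ($domain -in @('BUILTIN', 'NT AUTHORITY', 'NT SERVICE')) {
        'WellKnown'     # SYSTEM, built-in groups, service SIDs
    } else {
        'Domain'        # resolved through Active Directory
    }

    [pscustomobject]@{
        Sid = $Sid.Value; Domain = $domain; Account = $account; Scope = $scope
    }
}

# Current process token, then LocalSystem (well-known SID S-1-5-18).
Resolve-TokenAccount | Format-List
Resolve-TokenAccount -Sid (New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-18') |
    Format-List
```

Run it once logged on as a local user and once as a domain user to reproduce the Local versus Domain results the posts above report; an Unresolved result is the case to deny rather than map to a local account.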