EldoS | Feel safer!

Urgent, please reply soon!

Posted: 05/15/2008 14:54:36
by Sid Schipper (Standard support level)
Joined: 03/14/2008
Posts: 285

I have already implemented an application that creates a Virtual Drive that is an interface to my database system. It uses the AddMountingPoint to add a drive letter, let's say for discussion's sake that the drive letter is S:. In Windows Explorer, I was able to right click on the S: drive and set up sharing in such a way as to be able to share my virtual drive over my network. This all worked fine.

Unfortunately, this is no longer true! Using Version 1 when I got the Originator Token using GetOriginatorToken in my EnumerateDirectory callback, I would get the token that gave me the user name and domain name for a user logged on to another machine on the network who was accessing my drive remotely. Now, using Version 2.0, GetOriginatorToken returns a token that always gives me "SYSTEM" and "NT AUTHORITY" as the user name and domain name. Why did this change occur?
Posted: 05/19/2008 01:46:10
by Volodymyr Zinin (EldoS Corp.)

Hello. We will check it now.
Posted: 05/19/2008 09:00:01
by Volodymyr Zinin (EldoS Corp.)

We've corrected the code and an update will be released today or tomorrow.
Posted: 05/19/2008 12:19:07
by Sid Schipper (Standard support level)
Joined: 03/14/2008
Posts: 285

Thank you, Vladimir. I eagerly await the latest build.
Posted: 05/20/2008 07:36:36
by Volodymyr Zinin (EldoS Corp.)

The new build is available.
Posted: 05/20/2008 16:37:30
by Sid Schipper (Standard support level)
Joined: 03/14/2008
Posts: 285

Well, I got the new build and it still is a bit different from the old Version 1, I think.

In my Version 1 code I was able to use GetOriginatorToken to get the security token and then I used ImpersonateLoggedOnUser to impersonate that user. That all seemed to work fine with the old version.

With the new version, the ImpersonateLoggedOnUser function fails with a GetLastError code of 5, which is "Access Denied". Looking through the Microsoft documentation, I am thinking that it may be because the token that you have provided for me was not obtained with the TOKEN_IMPERSONATE access right. Unfortunately, I am not familiar enough with all the Windows Security APIs to find out if that is true or not.

When you obtain the security token that you return to me in GetOriginatorToken, do you get it with the TOKEN_IMPERSONATE access right? If not, is that a change from Version 1?
Posted: 05/20/2008 17:06:52
by Sid Schipper (Standard support level)
Joined: 03/14/2008
Posts: 285

Well, now I'm really confused. I used the Windows API function GetTokenInformation to find out what the Impersonation Level was on the token you provided and it was SecurityImpersonation, which according to the documentation should allow me to use that token in the call to ImpersonateLoggedOnUser and be successful. But it doesn't seem to work. Help!!!
Posted: 05/21/2008 01:16:34
by Volodymyr Zinin (EldoS Corp.)

Try to duplicate the obtained token (by means of the DuplicateToken API) and impersonate a user using the new one.
Posted: 05/21/2008 01:37:46
by Volodymyr Zinin (EldoS Corp.)

Hm. I think that the DuplicateToken API will fail with the original token because it doesn't have TOKEN_DUPLICATE access. Try the driver that is attached to this message (but before installing it ensure that the previous version of the driver was uninstalled). The attached driver returns the token with TOKEN_DUPLICATE access right. If it works then we'll add the fix in the next build.

[ Download ]
Posted: 05/21/2008 11:52:37
by Sid Schipper (Standard support level)
Joined: 03/14/2008
Posts: 285

I am in the process of testing this now, but I have run into a few minor problems with my application code that I need to fix before I can definitively state whether your change helped or not. I probably will have something to tell you later today, but by then I imagine you will be gone, so I am not expecting any resolution to all this until tomorrow.
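
The thread turns on the difference between a token's impersonation level and the access rights granted on the handle to it. The following is an added example, not code from the thread or from EldoS: it models the documented Win32 requirements (ImpersonateLoggedOnUser needs TOKEN_QUERY plus TOKEN_IMPERSONATE on an impersonation token, or TOKEN_QUERY plus TOKEN_DUPLICATE on a primary token; DuplicateToken needs TOKEN_DUPLICATE) and, on Windows, reads the granted mask of a live handle with NtQueryObject. The function names `missing`, `plan` and `plan_for_handle` are hypothetical, and the masks used to exercise it are constructed, since the thread does not state which rights the returned handle carried.

```python
import ctypes

# Token access rights and TOKEN_TYPE values from winnt.h.
TOKEN_DUPLICATE, TOKEN_IMPERSONATE, TOKEN_QUERY = 0x0002, 0x0004, 0x0008
RIGHT_NAMES = {TOKEN_DUPLICATE: "TOKEN_DUPLICATE",
               TOKEN_IMPERSONATE: "TOKEN_IMPERSONATE",
               TOKEN_QUERY: "TOKEN_QUERY"}
TOKEN_PRIMARY, TOKEN_IMPERSONATION = 1, 2
TOKEN_TYPE_CLASS = 8          # TokenType in TOKEN_INFORMATION_CLASS
OBJECT_BASIC_INFORMATION = 0  # ObjectBasicInformation for NtQueryObject


def missing(granted, required):
    """Names of the rights in `required` that the handle's mask lacks."""
    return [name for bit, name in sorted(RIGHT_NAMES.items())
            if required & bit and not granted & bit]


def plan(granted, token_type):
    """Decide how a handle with this granted-access mask can be impersonated."""
    direct = TOKEN_QUERY | (TOKEN_DUPLICATE if token_type == TOKEN_PRIMARY
                            else TOKEN_IMPERSONATE)
    if not missing(granted, direct):
        return "ImpersonateLoggedOnUser", []
    # DuplicateToken needs TOKEN_DUPLICATE on the source handle; the handle it
    # returns carries TOKEN_IMPERSONATE | TOKEN_QUERY, so the copy can be used.
    if not missing(granted, TOKEN_DUPLICATE):
        return "DuplicateToken, then ImpersonateLoggedOnUser", []
    # Neither path is open: list the rights the two paths would need.
    return "blocked", missing(granted, direct | TOKEN_DUPLICATE)


class ObjectBasicInfo(ctypes.Structure):  # PUBLIC_OBJECT_BASIC_INFORMATION
    _fields_ = [("Attributes", ctypes.c_ulong), ("GrantedAccess", ctypes.c_ulong),
                ("HandleCount", ctypes.c_ulong), ("PointerCount", ctypes.c_ulong),
                ("Reserved", ctypes.c_ulong * 10)]


def plan_for_handle(token):
    """Windows only: read the mask and type of a live token handle, then plan."""
    ntdll = ctypes.WinDLL("ntdll")
    advapi32 = ctypes.WinDLL("advapi32", use_last_error=True)
    info, kind, size = ObjectBasicInfo(), ctypes.c_ulong(), ctypes.c_ulong()
    handle = ctypes.c_void_p(token)
    if ntdll.NtQueryObject(handle, OBJECT_BASIC_INFORMATION, ctypes.byref(info),
                           ctypes.sizeof(info), None) != 0:
        raise OSError("NtQueryObject failed")
    if not advapi32.GetTokenInformation(handle, TOKEN_TYPE_CLASS, ctypes.byref(kind),
                                        ctypes.sizeof(kind), ctypes.byref(size)):
        raise ctypes.WinError(ctypes.get_last_error())
    return plan(info.GrantedAccess, kind.value)
```

Whichever path succeeds, the callback should call RevertToSelf before it returns and close any duplicated handle, so the worker thread does not keep the remote user's identity.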