EldoS | Feel safer!


Urgent, please reply soon!

Posted: 05/15/2008 14:54:36
by Sid Schipper (Standard support level)
Joined: 03/14/2008
Posts: 285

I have already implemented an application that creates a Virtual Drive that is an interface to my database system. It uses the AddMountingPoint to add a drive letter, let's say for discussion's sake that the drive letter is S:. In Windows Explorer, I was able to right click on the S: drive and set up sharing in such a way as to be able to share my virtual drive over my network. This all worked fine.

Unfortunately, this is no longer true! Using Version 1, when I got the Originator Token using GetOriginatorToken in my EnumerateDirectory callback, I would get the token that gave me the user name and domain name for a user logged on to another machine on the network who was accessing my drive remotely. Now, using Version 2.0, GetOriginatorToken returns a token that always gives me "SYSTEM" and "NT AUTHORITY" as the user name and domain name. Why did this change occur?

Posted: 05/19/2008 01:46:10
by Volodymyr Zinin (Team)

Hello. We will check it now.

Posted: 05/19/2008 09:00:01
by Volodymyr Zinin (Team)

We've corrected the code and an update will be released today or tomorrow.

Posted: 05/19/2008 12:19:07
by Sid Schipper (Standard support level)
Joined: 03/14/2008
Posts: 285

Thank you, Vladimir. I eagerly await the latest build.

Posted: 05/20/2008 07:36:36
by Volodymyr Zinin (Team)

The new build is available.

Posted: 05/20/2008 16:37:30
by Sid Schipper (Standard support level)
Joined: 03/14/2008
Posts: 285

Well, I got the new build and it still is a bit different from the old Version 1, I think.

In my Version 1 code I was able to use GetOriginatorToken to get the security token and then I used ImpersonateLoggedOnUser to impersonate that user. That all seemed to work fine with the old version.

With the new version, the ImpersonateLoggedOnUser function fails with a GetLastError code of 5, which is "Access Denied". Looking through the Microsoft documentation, I am thinking that it may be because the token that you have provided for me was not obtained with the TOKEN_IMPERSONATE access right. Unfortunately, I am not familiar enough with all the Windows Security APIs to find out if that is true or not.

When you obtain the security token that you return to me in GetOriginatorToken, do you get it with the TOKEN_IMPERSONATE access right? If not, is that a change from Version 1?

Posted: 05/20/2008 17:06:52
by Sid Schipper (Standard support level)
Joined: 03/14/2008
Posts: 285

Well, now I'm really confused. I used the Windows API function GetTokenInformation to find out what the Impersonation Level was on the token you provided and it was SecurityImpersonation, which according to the documentation should allow me to use that token in the call to ImpersonateLoggedOnUser and be successful. But it doesn't seem to work. Help!!!

Posted: 05/21/2008 01:16:34
by Volodymyr Zinin (Team)

Try to duplicate the obtained token (by means of the DuplicateToken API) and impersonate a user using the new one.

Posted: 05/21/2008 01:37:46
by Volodymyr Zinin (Team)

Hm. I think that the DuplicateToken api will fail with the original token because it doesn't have TOKEN_DUPLICATE access. Try the driver that is attached to this message (but before installing it ensure that the previous version of the driver was uninstalled). The attached driver returns the token with TOKEN_DUPLICATE access right. If it works then we'll add the fix in the next build.


Posted: 05/21/2008 11:52:37
by Sid Schipper (Standard support level)
Joined: 03/14/2008
Posts: 285

I am in the process of testing this now, but I have run into a few minor problems with my application code that I need to fix before I can definitively state whether your change helped or not. I probably will have something to tell you later today, but by then I imagine you will be gone, so I am not expecting any resolution to all this until tomorrow.
