DuplicateToken() failed while using Windows authentication in CS NNTP Server

By: backend
Posted: Fri, Apr 14 2006 5:55 AM

When I enabled Windows authentication in CS NNTP Server (2.0 RTM) and ran it in console or service mode, it always returned "280 Unknown user or invalid credentials". After tracing inside the NNTP component, I found that after CommunityServer.NntpServer.Components.NntpContext.ValidateUser() indirectly calls LogonUser() successfully, it then calls

DuplicateToken(token1, 3, token2)

The second parameter is defined as "SECURITY_IMPERSONATION_LEVEL", and has

SecurityAnonymous = 0
SecurityIdentification = 1
SecurityImpersonation = 2
SecurityDelegation = 3

This call got error 1346 (returned by Marshal.GetLastWin32Error()).

I wrote a console app to simulate those calls, and got the same result. If I passed "2" (SecurityImpersonation), it would return "true" with no error.

Running environment: Windows Server 2003 with all sp & patches.

 

All Replies

By: Ken Robertson
Posted: Fri, Apr 14 2006 11:53 AM
Thank you. I will mark this as something to investigate further.
 
By: Ken Robertson
Posted: Mon, Apr 17 2006 4:18 PM
Have you experienced any of the issues in this post: http://communityserver.org/forums/thread/509497.aspx

Basically, we used to set it with a value of '2', but then had some bug reports that it was failing with '2' and needed to be '3', so we changed it to use 3, and now we are getting reports that it needs to be 2. :)

Going forward, I will probably be making this a configurable value.
 
By: backend
Posted: Mon, Apr 17 2006 10:44 PM

Below are my parameter combinations for the test and their results in a simulation console app:

dwLogonType        ImpersonationLevel        Result
for LogonUser()    for DuplicateToken()

    3                     3                   False
    3                     2                   True
    2                     3                   True
    2                     2                   True

According to MSDN, we have:

dwLogonType = 2 : LOGON32_LOGON_NETWORK
            = 3 : LOGON32_LOGON_NETWORK_CLEARTEXT

ImpersonationLevel = 2 : SecurityImpersonation
                   = 3 : SecurityDelegation (has the most powerful privileges)

In consideration of the application security, I don't think the value "3" (LOGON32_LOGON_NETWORK_CLEARTEXT and SecurityDelegation) is a good parameter when calling the two platform APIs.
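
An added example, not code from the posts above or from Community Server: a C# console check that reads the type and impersonation level of the token LogonUser() returned and asks DuplicateToken() for no more than that, because Windows will not raise the level of an existing impersonation token and fails the call with error 1346 (ERROR_BAD_IMPERSONATION_LEVEL). The class and method names, the command-line arguments and the test account are assumptions; the constant values are those of the Windows SDK headers.

```csharp
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;

static class TokenLevelCheck   // added example; class and method names are hypothetical
{
    const int TokenType = 8, TokenImpersonationLevel = 9, TokenPrimary = 1;  // winnt.h
    const int SecurityImpersonation = 2, SecurityDelegation = 3;   // SECURITY_IMPERSONATION_LEVEL
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LogonUser(string user, string domain, string password,
                                 int logonType, int provider, out IntPtr token);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool DuplicateToken(IntPtr existing, int level, out IntPtr duplicate);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool GetTokenInformation(IntPtr token, int infoClass, out int value,
                                           int length, out int returned);
    [DllImport("kernel32.dll")]
    static extern bool CloseHandle(IntPtr handle);

    static int Query(IntPtr token, int infoClass)
    {
        int value, returned;
        if (!GetTokenInformation(token, infoClass, out value, sizeof(int), out returned))
            throw new Win32Exception(Marshal.GetLastWin32Error());
        return value;
    }
    // Level to request: never above SecurityImpersonation, never above the token's own level.
    static int SafeLevel(IntPtr token)
    {
        // Only an impersonation token has a level to query; a primary token does not.
        if (Query(token, TokenType) == TokenPrimary) return SecurityImpersonation;
        return Math.Min(Query(token, TokenImpersonationLevel), SecurityImpersonation);
    }
    // Returns 0 on success, else the Win32 error (1346 = ERROR_BAD_IMPERSONATION_LEVEL).
    static int TryDuplicate(IntPtr token, int level)
    {
        IntPtr dup;
        if (!DuplicateToken(token, level, out dup)) return Marshal.GetLastWin32Error();
        CloseHandle(dup);
        return 0;
    }
    static void Main(string[] args)   // args: user domain password dwLogonType (test account)
    {
        IntPtr token;
        if (!LogonUser(args[0], args[1], args[2], int.Parse(args[3]), 0, out token))  // 0 = default provider
            throw new Win32Exception(Marshal.GetLastWin32Error());
        Console.WriteLine("SecurityDelegation: error {0}", TryDuplicate(token, SecurityDelegation));
        int level = SafeLevel(token);
        Console.WriteLine("level {0}: error {1}", level, TryDuplicate(token, level));
        CloseHandle(token);
    }
}
```

In winbase.h, dwLogonType 2 is LOGON32_LOGON_INTERACTIVE, which returns a primary token, and 3 is LOGON32_LOGON_NETWORK, which returns an impersonation token; that is the difference SafeLevel keys on.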

 