0

In a service impersonating a client (using ImpersonateNamedPipeClient), I try to call CreateProcessAsUser. The executable filename is a UNC path located on a third computer (neither the server, nor the client connected to the pipe).

The call fails with the error code 5 (ACCESS DENIED). I tried to use WNetAddConnection2 to authenticate the client from the client (in the context of the token which will be impersonated) before the server calls ImpersonateNamedPipeClient but I still get the same error.

How may I authenticate the account impersonated (given the fact that the server only got the impersonation token) in order to gain access to the executable?

Emmanuel BERNAT

2 Answers

0

My Win32 is rather rusty so this may be a shot in the dark, but have you tried using the CreateProcessAsUser function instead of CreateProcess? According to the MSDN Documentation it will operate on a restricted token. If I recall correctly, an impersonation token should suffice.

Hope that helps.

Jesse Squire
  • I made a mistake in my question; of course I use CreateProcessAsUser. The point is that the token obtained from ImpersonateNamedPipeClient cannot access the network. (I edited my question) – Emmanuel BERNAT Aug 28 '09 at 17:31
  • The user being impersonated needs network access, as well as needs to have permissions on the third machine. Are both of those true in your case? – Remy Lebeau Sep 02 '09 at 00:34
0

CreateProcessAsUser() needs a primary token, not an impersonated token. You can use DuplicateTokenEx() to get a primary token from an impersonated token. The documentation for CreateProcessAsUser() even says as much.

Remy Lebeau
  • Thanks for your help. I already use DuplicateTokenEx. I've just changed the impersonation level from SecurityImpersonation to SecurityDelegation but I still get the same error if the executable is remote. – Emmanuel BERNAT Sep 02 '09 at 12:55
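
The sequence this answer describes, as an added example that is not code from the post: capture the pipe client's impersonation token, report the impersonation level it carries when the image is on a UNC path, duplicate it to a primary token, and call CreateProcessAsUser. `hPipe`, `launch_as_pipe_client` and `is_unc_path` are assumed names; the Win32 part compiles only on Windows.

```c
/* Added example; hPipe (a connected server-side pipe handle) is an assumption. */
#include <wchar.h>
#ifdef _WIN32
#include <windows.h>
#include <stdio.h>
#endif
/* True when the command line starts with a UNC path (\\server\share\...),
   optionally quoted. Mapped drive letters are not detected. */
int is_unc_path(const wchar_t *p)
{
    if (p && *p == L'"') p++;
    return p && p[0] == L'\\' && p[1] == L'\\' && p[2] != L'\0' && p[2] != L'\\';
}
#ifdef _WIN32
/* Returns ERROR_SUCCESS or the Win32 error of the step that failed.
   cmdline must be writable; quote the executable path if it contains spaces. */
DWORD launch_as_pipe_client(HANDLE hPipe, wchar_t *cmdline)
{
    HANDLE hImp = NULL, hPrimary = NULL;
    SECURITY_IMPERSONATION_LEVEL level = SecurityAnonymous;
    DWORD len = 0, err = ERROR_SUCCESS;
    STARTUPINFOW si = { sizeof si };
    PROCESS_INFORMATION pi;
    if (!ImpersonateNamedPipeClient(hPipe)) return GetLastError();
    /* Capture the thread's impersonation token, then drop impersonation. */
    if (!OpenThreadToken(GetCurrentThread(), TOKEN_QUERY | TOKEN_DUPLICATE, TRUE, &hImp))
        err = GetLastError();
    if (!RevertToSelf() && err == ERROR_SUCCESS) err = GetLastError();
    if (err != ERROR_SUCCESS) { if (hImp) CloseHandle(hImp); return err; }
    /* Log the level the token actually carries before using it for a remote image. */
    if (!GetTokenInformation(hImp, TokenImpersonationLevel, &level, sizeof level, &len))
        err = GetLastError();
    else if (is_unc_path(cmdline))
        fwprintf(stderr, L"remote image, token impersonation level=%d\n", (int)level);
    /* CreateProcessAsUser requires a primary token, so duplicate as TokenPrimary. */
    if (err == ERROR_SUCCESS && !DuplicateTokenEx(hImp,
            TOKEN_QUERY | TOKEN_DUPLICATE | TOKEN_ASSIGN_PRIMARY,
            NULL, level, TokenPrimary, &hPrimary))
        err = GetLastError();
    if (err == ERROR_SUCCESS && !CreateProcessAsUserW(hPrimary, NULL, cmdline,
            NULL, NULL, FALSE, 0, NULL, NULL, &si, &pi))
        err = GetLastError();
    else if (err == ERROR_SUCCESS) { CloseHandle(pi.hThread); CloseHandle(pi.hProcess); }
    if (hPrimary) CloseHandle(hPrimary);
    CloseHandle(hImp);
    return err;
}
#endif
```
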