I have read that CreateProcessAsUser takes a primary token as its argument.

I have created the token using OpenThreadToken(), which will create an impersonation token. But CreateProcessAsUser with the impersonation token is "passing on most" of the machines, working as expected, but "failing on few" with error 1349 = The type of the token is inappropriate for its attempted use.

user5327778
  • If I remember rightly, OpenThreadToken() doesn't always return an impersonation token, only if the thread in question is actually impersonating. Have you checked the type of the token? – Harry Johnston Oct 04 '16 at 23:49
  • Yes, the token type is impersonation. Before calling OpenThreadToken I am calling ImpersonateSecurityContext(). token_flags=TOKEN_QUERY|TOKEN_IMPERSONATE|TOKEN_DUPLICATE|TOKEN_ASSIGN_PRIMARY is what is passed to OpenThreadToken. Is error 1349 related to that, or is there some other reason? – user5327778 Oct 05 '16 at 05:13
  • There are special requirements for a server to gain delegated access to a client's security context, e.g., [Kerberos Delegation](https://blogs.msdn.microsoft.com/autz_auth_stuff/2011/05/03/kerberos-delegation/) must be enabled. I've never used this technology so I'm not familiar with the implementation details, but it seems very likely that any attempt to convert the impersonation token generated by ImpersonateSecurityContext() into a primary token requires delegation. There are some existing questions here about delegation, perhaps they will help. – Harry Johnston Oct 05 '16 at 20:13
  • It might help if you could post a [mcve]. Also, what happens if you explicitly convert the token to a primary token before calling CreateProcessAsUser? Does the conversion fail? If not, does CreateProcessAsUser still produce error 1349 even though you're passing it a primary token? Does the thus-modified code still work on the machines where the existing code works? – Harry Johnston Oct 05 '16 at 20:18
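
The check suggested in the last comment above, written out as an added example that is not code from the question or from any commenter: query the token type, convert the token to a primary token with DuplicateTokenEx, then call CreateProcessAsUser and record which step fails. The names `probe`, `interpret` and `enum step` are hypothetical, and the Windows part is compiled only when `_WIN32` is defined.

```c
/* Added example; probe(), interpret() and enum step are hypothetical names. */
#include <stdio.h>

enum step { STEP_OK, STEP_QUERY_FAILED, STEP_DUPLICATE_FAILED, STEP_CREATE_FAILED };

/* Portable part: map the failing step and its GetLastError() value to a finding. */
const char *interpret(enum step s, unsigned long err)
{
    switch (s) {
    case STEP_OK:               return "process created from the primary duplicate";
    case STEP_QUERY_FAILED:     return "token could not be queried";
    case STEP_DUPLICATE_FAILED: return "conversion to a primary token failed";
    default:
        return err == 1349UL    /* ERROR_BAD_TOKEN_TYPE */
            ? "error 1349 persists even with a primary token"
            : "CreateProcessAsUser failed for another reason";
    }
}

#ifdef _WIN32
#include <windows.h>

/* tok: handle returned by OpenThreadToken(); cmd: writable command line (caller-supplied). */
enum step probe(HANDLE tok, wchar_t *cmd, DWORD *err)
{
    TOKEN_TYPE type; DWORD len = 0;
    HANDLE primary = NULL;
    STARTUPINFOW si = { sizeof si };
    PROCESS_INFORMATION pi;
    enum step result = STEP_OK;

    *err = 0;
    if (!GetTokenInformation(tok, TokenType, &type, sizeof type, &len)) {
        *err = GetLastError(); return STEP_QUERY_FAILED;
    }
    printf("token type: %s\n", type == TokenPrimary ? "primary" : "impersonation");
    /* Explicit conversion; needs TOKEN_DUPLICATE access on tok. */
    if (!DuplicateTokenEx(tok, MAXIMUM_ALLOWED, NULL, SecurityImpersonation,
                          TokenPrimary, &primary)) {
        *err = GetLastError(); return STEP_DUPLICATE_FAILED;
    }
    if (CreateProcessAsUserW(primary, NULL, cmd, NULL, NULL, FALSE, 0, NULL, NULL, &si, &pi)) {
        CloseHandle(pi.hThread); CloseHandle(pi.hProcess);
    } else {
        *err = GetLastError(); result = STEP_CREATE_FAILED;
    }
    CloseHandle(primary);
    return result;
}
#endif
```

Running `probe` on a machine where the original code works and on one where it fails, and comparing the reported step and error code, answers the questions raised in that comment.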

0 Answers