I am using SSPI to perform single sign-on which works.

After a successful single sign-on I get the user token as follows:

    HANDLE tempHandle = NULL;
    // Impersonation token for the authenticated client, taken from the SSPI context.
    if (!QuerySecurityContextToken(&tnS->hctxt, &tempHandle))
    {
        MyDbg("SSO: Could not obtain token for user");
    }
    // Duplicate it as a primary token, which is what CreateProcessAsUser expects.
    else if (!DuplicateTokenEx(tempHandle, MAXIMUM_ALLOWED, NULL, SecurityImpersonation, TokenPrimary, &tnS->htok))
    {
        MyDbg("SSO: Could not duplicate token");
    }

But later on, when I use this token (tempHandle) in a call to CreateProcessAsUser, the process creation fails with the following error message:

Process has terminated prematurely: ExitCode = 0xC0000142 [{DLL Initialization Failed} Initialization of the dynamic link library %hs failed. The process is terminating abnormally.]

It seems that the token is lacking permissions. I have read that QuerySecurityContextToken returns an impersonation token, which lacks permissions, while LogonUser returns a primary token. I cannot use LogonUser as I do not have the user's password.

How do I get a primary token for the user when using SSPI?

I can call CreateProcessAsUser using the system account, but that is not desired.

ekhanad
    The problem isn't the lack of a primary token. It's probably insufficient access to the session's interactive window station and default desktop, which will prevent user32.dll from loading. The logon-session SID that's associated with the target desktop session is granted the required access. This SID has to be added to the token groups. The secondary logon service (i.e. `CreateProcessWithLogonW`) adds it when it calls `LsaLogonUser`. You can also modify the security of the window station and desktop to grant access to a particular SID, but that's inelegant and messy. – Eryk Sun Jun 11 '20 at 20:16
  • I am naive in Windows programming. Could you please help me with a code example or pseudocode? – ekhanad Jun 11 '20 at 22:55
  • You are right! If I do not create a window station and desktop, it works fine. Is it necessary to create a window station and desktop? Could it affect performance if I do not create those? If required, how do I add the SID to the token groups? – ekhanad Jun 12 '20 at 19:01
  • What's the issue if it works fine without creating a new window station and desktop? You would only create a new window station and/or desktop if the process needs to be isolated from other processes in the terminal session. A Windows terminal session has one interactive window station, named "WinSta0". All other window stations cannot interact with the user. The default desktop on "WinSta0" is named "Default", or its qualified name "WinSta0\Default". There's also a "WinSta0\Winlogon" secure desktop that's only accessible to SYSTEM processes in a session. – Eryk Sun Jun 12 '20 at 20:24
  • You cannot add groups to a token after it's created by LSA. You can request groups to be added when the user is logged on via `LsaLogonUser`. – Eryk Sun Jun 12 '20 at 20:26

0 Answers