0

I am running a process with loacl admin privilege in Windows and trying to obtain a credential handle for another user using AcquireCredentialsHandle . It is possible to pass in SEC_WINNT_AUTH_IDENTITY structure with user info ( e.g. user, domain, password) and obtain the handle. I have verified it. Without the SEC_WINNT_AUTH_IDENTITY passing only the pszPrincipal does not work.

I wonder is there any other way one can do it without providing the user password?

I am running the following scenario:

  1. Client obtains a kerberos token using UPN and sends it to server
  2. Server tries to acquire the credential handle (AcquireCredentialsHandle) using UPN of the client.

Any suggestions please?

ekhanad
  • 154
  • 2
  • 8

1 Answers1

1

You normally don't get to request a ticket on behalf of other users. That would be a very dangerous security issue.

There are two ways around this.

  1. Use S4U2Self which is where the application requests a ticket to themselves using the passed in username, which will get them a ticket on behalf of the user to themselves. This lets you see things like user group membership. You need to be running as SYSTEM or have SeImpersonatePrivilege to do this.

  2. Use S4U2Proxy aka protocol transition which is where the application requests a ticket for another service using the passed in username. This lets you impersonate the user based only on the name, and must be explicitly granted to the server and target by AD. This is an incredibly dangerous privilege because you're allowing your application to have the equivalent rights as a KDC.

Unfortunately this is a fairly complicated bit of code so it's not shareable in this post as-is. You can find a sample application here: https://github.com/SteveSyfuhs/DelegatedAuthentication

The gist of the process is:

  1. Client sends username to service.
  2. Service is configured for SeImpersonatePrivilege or SeTcbPrivilege (meaning running as SYSTEM)
  3. Service calls LsaLogonUser and passes just the username, returning an NT token handle.
  4. Service calls SetThreadToken with the token from (3).
  5. Service calls AcquireCredentialsHandle without any credentials (uses default SSO creds).
  6. Service calls InitializeSecurityContext
  7. Service sends token to target server
Steve
  • 4,463
  • 1
  • 19
  • 24
  • Thanks for your explanation @Steve. What is the preferred way for my scenario? The **windows's client** wants to access a service on a **Linux** server. The service is running as a **local admin**. Once the user is authenticated, the server will impersonate the user and start another program as impersonated user. We would like to use **Kerberos**. Login with UPN and service running as **local admin** ( no domain account) did not work using **SSPI**? – ekhanad Sep 10 '20 at 07:15