I am having trouble getting the correct type of impersonation token using WindowsIdentity.Impersonate(). My code attempts to access a file share using the account of the user who is running it, who has been denied access to it. When this fails, I attempt to impersonate the Administrator account, who has access to the file share, and access it again. However, the ImpersonationLevel of my WindowsImpersonationContext is Impersonation, not Delegation. I have ensured that my process has the SeTcbPrivilege enabled and that the machine that the code runs on has constrained delegation enabled.

From my understanding I am not able to access the file share because it is a network resource, and to access a network resource I need to have a Delegation ImpersonationLevel; Impersonation will only work for accessing resources on the local system (which I have verified as working). Under the properties for my machine in AD I have the cifs service added for WIN-J5H5R939SN7 under the delegation settings.

Are there any other steps I need to take to receive a Delegation token?

C#
using System;
using System.IO;
using System.Security.Principal;

namespace DelegationTest
{
    class Program
    {
        // Lists the files in 'directory' under the identity of the calling thread.
        // Returns false if the directory cannot be read (e.g. access denied).
        static bool printDirectory(string directory)
        {
            Console.WriteLine("Attempting to read directory " + directory + " as " + WindowsIdentity.GetCurrent().Name);
            try
            {
                DirectoryInfo dirInfo = new DirectoryInfo(directory);
                foreach (FileInfo f in dirInfo.GetFiles())
                {
                    Console.WriteLine(f.FullName);
                }
            }
            catch (Exception e)
            {
                Console.WriteLine(e.Message);
                return false;
            }
            return true;
        }

        static void Main(string[] args)
        {
            string dir = @"\\WIN-J5H5R939SN7\demoCA";
            if (!printDirectory(dir))
            {
                Console.WriteLine("Attempt to impersonate Administrator and try again");
                string userName = "Administrator";
                try
                {
                    // The UPN constructor performs an S4U logon: no password is supplied,
                    // so the level of the returned token depends on the caller's privileges.
                    WindowsIdentity wid = new WindowsIdentity(userName);
                    Console.WriteLine(wid.ImpersonationLevel.ToString());

                    // Disposing the context reverts the thread to its original identity
                    // even if printDirectory throws, so the impersonation cannot leak.
                    using (WindowsImpersonationContext wic = wid.Impersonate())
                    {
                        printDirectory(dir);
                    }
                }
                catch (Exception e)
                {
                    Console.WriteLine(e.Message);
                }
            }
        }
    }
}
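The following is an added example, not the poster's code: it wraps the same password-less S4U logon (the WindowsIdentity UPN constructor), checks the level of the token Windows actually granted before touching a UNC path, and verifies that the thread is reverted afterwards. Per the TokenImpersonationLevel documentation, an Identification token cannot be used to open anything, an Impersonation token reaches local resources only, and a Delegation token is needed to authenticate to a remote system; the UPN and share path below are constructed placeholders.

```csharp
using System;
using System.IO;
using System.Security.Principal;

namespace DelegationCheck
{
    static class S4UProbe
    {
        // Runs 'action' under 'wid' only if the token level can reach the target at all.
        // Always reverts the thread and checks that the revert took effect.
        public static bool RunAs(WindowsIdentity wid, bool targetIsRemote, Action action)
        {
            TokenImpersonationLevel needed = targetIsRemote
                ? TokenImpersonationLevel.Delegation      // remote (UNC) resources
                : TokenImpersonationLevel.Impersonation;  // local resources

            if (wid.ImpersonationLevel < needed)
            {
                Console.WriteLine("Token for {0} is {1}; {2} is required. Not attempting.",
                                  wid.Name, wid.ImpersonationLevel, needed);
                return false;
            }

            string before = WindowsIdentity.GetCurrent().Name;
            WindowsImpersonationContext ctx = wid.Impersonate();
            try
            {
                action();
                return true;
            }
            catch (UnauthorizedAccessException e)
            {
                Console.WriteLine("Access denied while impersonating: " + e.Message);
                return false;
            }
            finally
            {
                ctx.Undo();
                // A thread left impersonating is a privilege leak; confirm we are back.
                string after = WindowsIdentity.GetCurrent().Name;
                if (!string.Equals(before, after, StringComparison.OrdinalIgnoreCase))
                {
                    Console.WriteLine("WARNING: thread still runs as " + after);
                }
            }
        }

        static void Main()
        {
            string upn = "svc-share-reader@example.local";         // constructed placeholder
            string share = @"\\fileserver.example.local\reports";  // constructed placeholder

            // S4U logon: Identification level unless the process holds SeTcbPrivilege,
            // and a Delegation-level token additionally needs delegation configured in AD.
            WindowsIdentity wid = new WindowsIdentity(upn);
            Console.WriteLine("S4U token level for {0}: {1}", wid.Name, wid.ImpersonationLevel);

            bool remote = share.StartsWith(@"\\", StringComparison.Ordinal);
            bool ok = RunAs(wid, remote, () =>
            {
                foreach (FileInfo f in new DirectoryInfo(share).GetFiles())
                {
                    Console.WriteLine(f.FullName);
                }
            });
            Console.WriteLine(ok ? "Share listed." : "Share not accessed.");
        }
    }
}
```

Printing the level before impersonating separates the two failure modes the question conflates: a token that is merely Identification or Impersonation level is refused locally, rather than producing an access-denied error from the file server that looks like an ACL problem.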
1 solution

"My code attempts to access a file share using the account of the user who is running it, who has been denied access to it. When this process fails the I attempt to impersonate the Administrator account"

Sounds like things are working as they should - you need the administrator password too.

This might help you to do it right (you will still need the password):
A small C# Class for impersonating a User


Best regards
Espen Harlinn
 
Share this answer
 
Comments
Member 8105804 4-Aug-11 12:28pm
Thanks for the reply.

From what I understand the code should be using the S4U Kerberos Extensions, which should allow me to use Impersonation/Delegation without having the user's password. From what I can tell the code is using the S4U2Self extension, rather than the S4U2Proxy extension, which would provide me with a Delegation token. The KERB_S4U_LOGON structure, which I believe is being used behind the scenes here, does not have a field for the user's password.
Espen Harlinn 4-Aug-11 12:54pm
Just think about it: If you can access the administrator account using some sort of "magic" from a program running under any other account, the security would be hopelessly compromised ...
Member 8105804 4-Aug-11 17:31pm
You can't though. The account that the code runs under has to have the SeTcbPrivilege to perform Delegation. The SeTcbPrivilege allows that account to act as though it were the Local System Account. With that level of privilege there isn't anything you can't do anyway.
Espen Harlinn 4-Aug-11 18:40pm
"My code attempts to access a file share using the account of the user who is running it" made me assume that you were talking about a logged-in user.

You have to stop/exit the impersonation of the user, so that the code will run under the Local System Account again to be able to do what you want.

Alternatively you can start a thread when you are initially running under the Local System Account - this thread will then continue to run under the Local System Account. Perhaps creating an active object - see: http://blog.gurock.com/wp-content/uploads/2008/01/activeobjects.pdf
I don't know anything about this author but the pattern is good.
You can also look at my article: http://www.codeproject.com/KB/mcpp/ACEDotNetDemo.aspx
for an example of the pattern in C++.

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)