LSA Functions - Privileges and Impersonation

Hi,

See this post[^] for a solution to your problem.

Regards,
Jecho

Hallo Corinna,

Ihr Code hat mich auf den richtigen Weg gebracht für das, was ich tun will.

Das einzige, was mir abgegangen ist, "RemoveRight" (Recht löschen) und "HasRight" (Abfrage, ob ein Account ein bestimmtes Recht besitzt) sowie eine öffentliche Enumeration von Rechten.

Ich habe diese Dinge in meiner Version von "LsaUtilities.cs" ergänzt und würde Ihnen das Resultat gerne zum Test zur Verfügung stellen. Derzeit habe ich nur die Logon-Features überprüft.

Ich hoffe, Sie können aus dieser Nachricht meine Email-Adresse ermitteln, sonst senden Sie mir bitte bei Interesse einfach eine SMS mit Ihrer Email an 004369912197955.

Liebe Grüße aus Österreich
Peter Pranter Roll eyes | :rolleyes:

Hi,
I have banging my head against the wall for about 2 weeks trying to figure this out.
My goal is to write a file to a SAMBA share in a C# console app. I have an account set up in SAMBA and also set up in windows with identical username and password. I have read that this is the way to do it.
I have found that i am impersonating the user correctly but when i go to write the file an error is raised telling me that it is a bad username and/or password. According to the SAMBA logs the impersonated users credentials are not being sent, instead MY login credentials are being sent. Do you have any ideas? It would be greatly appreciated.
Cheers,
Lucas.

Lucas

Hi,

I've built these LSA functions into a VB command line app so that I can call it from within an InstallShield setup project. The primary purpose was so that I can call SetRight with SeServiceLogonRight to make sure the user has the "Logon as a Service" right, before I try to set a username/password on the service I'm installing.

On WinXP this has worked like a charm, but when I tested it on Win2k I got an error from LsaOpenPolicy. From my application the error is reported as "OpenPolicy failed: 4294967296". At first I thought it must have been an error that crept in when I converted the code to VB, but on further investigation it appears this isn't a valid error number at all. As far as I can tell this is just the max value for an integer. So I tried the original test app from this article and it returns the error "Privilege not added: +winErrorCode".
(Note: In both of these cases I was trying to give the privilege to the Administrator of the local PC, but I get the same error no matter what user I use)

As far as I can tell this is still necessary on Win2k because after the error occurs my service is left with LocalSystem as the logon user.

Is there some good reason why this isn't working on Win2k or am I missing something obvious?

i have this exact problem, did you ever resolve this issue?

I don't think I ever did get that working. In the end I found a pre-compiled version of ssplogon.exe like what is described here.

http://support.microsoft.com/default.aspx?scid=kb;en-us;Q180548

The one I have takes a command line like...
ssplogon.exe <domain> <user> <password>
...and returns a value in the ERRORLEVEL indicating if the logon wass sucessful or not.

If this will suit you purpose, let me know and I can send u a copy of the exe.

i've had a read through that article.

could you post some sample c# code as i am not quite sure what to do.

basically the bit i am interested in is more enabling privileges for different accounts (specifically log on as service)

cheers

Sorry bout that, I went off on completely the wrong track there. The code for the class I ended up using is below. I converted Corinna's class to VB.NET (since that's my language of choice) and if I recall correctly the problem went away somewhere during the conversion. If there was something specific I fixed it's too long ago for me to recall what it was now. Hopefully if you compare the 2 you might be able to spot what's different, or maybe you could just compile this into a dll that you can use from your C# projects.

To grant the Logon As A Service right you'd call the SetRight function like this...
Dim lsaResult As Long = LsaFunctions.SetRight("domain\account", "SeServiceLogonRight")
...and a 0 result means it was sucessful.

Here's my VB.NET class, which is basically equivilent to Corinna's LsaUtility class.
(BTW... sorry for the long post everyone, but I can't see any other way to attach this.)

<br />
Imports System.Text<br />
Imports System.Runtime.InteropServices<br />
<br />
Public Class LsaFunctions<br />
<br />
    ' Import the LSA functions<br />
    <DllImport("advapi32.dll", PreserveSig:=True)> _<br />
    Private Shared Function LsaOpenPolicy(ByRef SystemName As LSA_UNICODE_STRING, ByRef ObjectAttributes As LSA_OBJECT_ATTRIBUTES, ByVal DesiredAccess As Int32, ByRef PolicyHandle As IntPtr) As UInt32<br />
    End Function<br />
<br />
    <DllImport("advapi32.dll", SetLastError:=True, PreserveSig:=True)> _<br />
    Private Shared Function LsaAddAccountRights(ByVal PolicyHandle As IntPtr, ByVal AccountSid As IntPtr, ByVal UserRights As LSA_UNICODE_STRING(), ByVal CountOfRights As Long) As UInt32<br />
    End Function<br />
<br />
    <DllImport("advapi32")> _<br />
    Public Shared Sub FreeSid(ByVal pSid As IntPtr)<br />
    End Sub<br />
<br />
    <DllImport("advapi32.dll", CharSet:=CharSet.Auto, SetLastError:=True, PreserveSig:=True)> _<br />
    Private Shared Function LookupAccountName(ByVal lpSystemName As String, ByVal lpAccountName As String, ByVal psid As IntPtr, ByRef cbsid As Int32, ByVal domainName As StringBuilder, ByRef cbdomainLength As Int32, ByRef use As Int32) As Boolean<br />
    End Function<br />
<br />
    <DllImport("advapi32.dll")> _<br />
    Private Shared Function IsValidSid(ByVal pSid As IntPtr) As Boolean<br />
    End Function<br />
<br />
    <DllImport("advapi32.dll")> _<br />
    Private Shared Function LsaClose(ByVal ObjectHandle As IntPtr) As Long<br />
    End Function<br />
<br />
    <DllImport("kernel32.dll")> _<br />
    Private Shared Function GetLastError() As Long<br />
    End Function<br />
<br />
    ' Define the structures<br />
    <StructLayout(LayoutKind.Sequential)> _<br />
    Private Structure LSA_UNICODE_STRING<br />
        Public Length As UInt16<br />
        Public MaximumLength As UInt16<br />
        Public Buffer As IntPtr<br />
    End Structure<br />
<br />
    <StructLayout(LayoutKind.Sequential)> _<br />
    Private Structure LSA_OBJECT_ATTRIBUTES<br />
        Public Length As Int32<br />
        Public RootDirectory As IntPtr<br />
        Public ObjectName As LSA_UNICODE_STRING<br />
        Public Attributes As UInt32<br />
        Public SecurityDescriptor As IntPtr<br />
        Public SecurityQualityOfService As IntPtr<br />
    End Structure<br />
<br />
    ' Enum all policies<br />
    Private Enum LSA_AccessPolicy As Long<br />
        POLICY_VIEW_LOCAL_INFORMATION = &H1L<br />
        POLICY_VIEW_AUDIT_INFORMATION = &H2L<br />
        POLICY_GET_PRIVATE_INFORMATION = &H4L<br />
        POLICY_TRUST_ADMIN = &H8L<br />
        POLICY_CREATE_ACCOUNT = &H10L<br />
        POLICY_CREATE_SECRET = &H20L<br />
        POLICY_CREATE_PRIVILEGE = &H40L<br />
        POLICY_SET_DEFAULT_QUOTA_LIMITS = &H80L<br />
        POLICY_SET_AUDIT_REQUIREMENTS = &H100L<br />
        POLICY_AUDIT_LOG_ADMIN = &H200L<br />
        POLICY_SERVER_ADMIN = &H400L<br />
        POLICY_LOOKUP_NAMES = &H800L<br />
        POLICY_NOTIFICATION = &H1000L<br />
    End Enum<br />
<br />
    ' <summary>Adds a privilege to an account</summary><br />
    ' <param name="accountName">Name of an account - "domain\account" or only "account"</param><br />
    ' <param name="privilegeName">Name ofthe privilege</param><br />
    ' <returns>The windows error code returned by LsaAddAccountRights</returns><br />
    Public Shared Function SetRight(ByVal accountName As String, ByVal privilegeName As String) As Long<br />
        Dim winErrorCode As Long = 0 ' contains the last error<br />
<br />
        ' pointer an size for the SID<br />
        Dim sid As IntPtr = IntPtr.Zero<br />
        Dim sidSize As Int32 = 0<br />
<br />
        ' StringBuilder and size for the domain name<br />
        Dim domainName As StringBuilder = New StringBuilder<br />
        Dim nameSize As Int32 = 0<br />
<br />
        ' account-type variable for lookup<br />
        Dim accountType As Int32 = 0<br />
<br />
        ' get required buffer size<br />
        LookupAccountName(String.Empty, accountName, sid, sidSize, domainName, nameSize, accountType)<br />
<br />
        ' allocate buffers<br />
        domainName = New StringBuilder(nameSize)<br />
        sid = Marshal.AllocHGlobal(sidSize)<br />
<br />
        ' lookup the SID for the account<br />
        Dim result As Boolean = LookupAccountName(String.Empty, accountName, sid, sidSize, domainName, nameSize, accountType)<br />
<br />
        ' say what you're doing<br />
        'Dim msg As String<br />
        'msg &= "LookupAccountName result = " & result & vbCrLf<br />
        'msg &= "IsValidSid: " & IsValidSid(sid) & vbCrLf<br />
        'msg &= "LookupAccountName domainName: " & domainName.ToString()<br />
        'MessageBox.Show(msg)<br />
<br />
        If Not result Then<br />
            winErrorCode = GetLastError()<br />
            MessageBox.Show("LookupAccountName failed: " & winErrorCode, "ServiceUtils")<br />
        Else<br />
            ' initialize an empty unicode-string<br />
            Dim systemName As LSA_UNICODE_STRING = New LSA_UNICODE_STRING<br />
<br />
            ' Combine policies required to grant/deny privileges<br />
            Dim access As Int32 = CInt( _<br />
                LSA_AccessPolicy.POLICY_CREATE_ACCOUNT Or _<br />
                LSA_AccessPolicy.POLICY_LOOKUP_NAMES)<br />
<br />
            ' initialize a pointer for the policy handle<br />
            Dim policyHandle As IntPtr = IntPtr.Zero<br />
<br />
            ' these attributes are not used, but LsaOpenPolicy wants them to exists<br />
            Dim ObjectAttributes As LSA_OBJECT_ATTRIBUTES = New LSA_OBJECT_ATTRIBUTES<br />
            ObjectAttributes.Length = 0<br />
            ObjectAttributes.RootDirectory = IntPtr.Zero<br />
            ObjectAttributes.Attributes = UInt32.Parse("0")<br />
            ObjectAttributes.SecurityDescriptor = IntPtr.Zero<br />
            ObjectAttributes.SecurityQualityOfService = IntPtr.Zero<br />
<br />
            ' get a policy handle<br />
            Dim resultPolicy As UInt32 = LsaOpenPolicy(systemName, ObjectAttributes, access, policyHandle)<br />
<br />
            If Not resultPolicy.ToString = "0" Then<br />
                MessageBox.Show("OpenPolicy failed: " & resultPolicy.ToString, "ServiceUtils")<br />
            Else<br />
                ' Now that we have the SID an the policy,<br />
                ' we can add rights to the account.<br />
<br />
                ' initialize an unicode-string for the privilege name<br />
                Dim userRights(1) As LSA_UNICODE_STRING<br />
                userRights(0) = New LSA_UNICODE_STRING<br />
                userRights(0).Buffer = Marshal.StringToHGlobalUni(privilegeName)<br />
                userRights(0).Length = UInt16.Parse(privilegeName.Length * UnicodeEncoding.CharSize)<br />
                userRights(0).MaximumLength = UInt16.Parse((privilegeName.Length + 1) * UnicodeEncoding.CharSize)<br />
<br />
                ' add the right to the account<br />
                Dim resultRights As UInt32 = LsaAddAccountRights(policyHandle, sid, userRights, 1)<br />
                If Not resultRights.ToString = "0" Then<br />
                    MessageBox.Show("LsaAddAccountRights failed: " & resultRights.ToString, "ServiceUtils")<br />
                End If<br />
<br />
                LsaClose(policyHandle)<br />
            End If<br />
            FreeSid(sid)<br />
        End If<br />
<br />
        Return winErrorCode<br />
    End Function<br />
End Class<br />

fixed the errors:

private static extern long LsaAddAccountRights(
IntPtr PolicyHandle, IntPtr AccountSid,
LSA_UNICODE_STRING[] UserRights,
UInt32 CountOfRights );

private static extern long LsaNtStatusToWinError(UInt32 status);

I know this is an old thread, but I am just reading it now. I am interested in a compiled version of SSPLOGIN.EXE. I don't seem to be able to find it anywhere.

Thanks
Neo

Kermittt wrote:
The one I have takes a command line like...
ssplogon.exe <domain> <user> <password>
...and returns a value in the ERRORLEVEL indicating if the logon wass sucessful or not.

Hi,

I am creating some test apps to set privs/rights on a system. I have ran accross some functions that Microsoft shows in MSDN, but it doesn have anything else Frown | :-(

I searched the I-Net for these functions, but all I ever get are sites that show the Definition file for AdvApi32.dll. I know they are exported in the AdvApi32.dll (because I have some working), but I need to know the params that are past to get them to work correctly. Is there anyone that has some real documentation on these things???

Search for ACCOUNT_VIEW in MSDN and you will have 2 returns:

Account Object Access Rights
HOWTO: Manage User Privileges Programmatically in Windows NT

Here is some functions I am talking about:

LsaOpenAccount
LsaCreateAccount
LsaGetSystemAccessAccount
LsaSetSystemAccessAccount
LsaAddPrivilegesToAccount
LsaRemovePrivilegesFromAccount
...
...

Here are some DEFs I am talking about:

ACCOUNT_VIEW This access type is required to read the account information. This includes the privileges assigned to the account, memory quotas assigned, and any special access types granted.

ACCOUNT_ADJUST_PRIVILEGES This access type is required to assign privileges to or remove privileges from an account.

ACCOUNT_ADJUST_QUOTAS This access type is required to change the system quotas assigned to an account.

ACCOUNT_ADJUST_SYSTEM_ACCESS This access type is required to update the system access flags for the account.

Regards,

Dan

Hi Dan,

there is no documuntation for exported functions that are not declared in ntsecapi.h. I think the sample from KB 132958 ^ has been published by accident.

You can get a list of exported functions from the winehq.org CVS ^, but they don't have the parameters.

Excuse me:
How can I get the fullname of the user by the user's SID?
(When you are registering to be a user of the windows system,you must write the sid,fullname and the descriptions)

Use LookupAccountSid API for the purpose.
I used the API in VC++, but there must a C# replica for this method.

"Work Smarter, not Harder!" Wink | ;)

TJ

Is it possible to contain the impersonation to a given AppDomain rather than the impersonation consuming the full process? I have a service running under the local system account, but need to impersonate the current user for some functionality. However I dont want the full service to change it's access rights. I can spawn a seperate process (which impersonates a specifed user) but this therefore consumes more memory.

Any ideas?

Thanks
Chris

Check impersonation out here: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cpref/html/frlrfSystemSecurityPrincipalWindowsIdentityClassImpersonateTopic.asp[^]

Under Windows XP, you do not have to create a separate process to impersonate. Impersonation works under Win2k only if you are an admin and are performing the impersonation, and I think you also need to set a registry key or two.

I'm not sure why there is a concern for memory usage...shouldn't take a lot of memory to use impersonationation or CreateProcessWithLogon, etc.

Hi,
I try included examples and have question about retriving of SID - SID which I retrived for my acount in example (via function LookupAccountName) was integer number (e.g. 1580697). I try convert this number via function ConvertSidToStringSid to string representation and got path to application, something like this "\memoTest\ConsoleApplication1". What's wrong, how can I retrive SID in format like 'S-1-5-21-1431262831-1455604309-1834353910-1000'?

Thanks

Drc

If you haven't got it yet:

To Get the SID....

<br />
Example:   <br />
<br />
GetAccountSid(NULL,"UserName",&sid);<br />
<br />
<br />
//////////////////////////////////////////////////////////////////////<br />
BOOL GetAccountSid(LPTSTR SystemName, LPTSTR AccountName, PSID *Sid)<br />
{<br />
	LPTSTR ReferencedDomain=NULL;<br />
	DWORD cbSid=128;    // initial allocation attempt<br />
	DWORD cchReferencedDomain=16; // initial allocation size<br />
	SID_NAME_USE peUse;<br />
	BOOL bSuccess=FALSE; // assume this function will fail<br />
<br />
	__try {<br />
<br />
		//<br />
		// initial memory allocations<br />
		//<br />
		*Sid = (PSID)HeapAlloc(GetProcessHeap(), 0, cbSid);<br />
<br />
		if(*Sid == NULL) __leave;<br />
<br />
		ReferencedDomain = (LPTSTR)HeapAlloc(GetProcessHeap(),0,cchReferencedDomain * sizeof(TCHAR));<br />
		if(ReferencedDomain == NULL) __leave;<br />
<br />
		//<br />
		// Obtain the SID of the specified account on the specified system.<br />
		//<br />
		while(!LookupAccountName(<br />
						SystemName,         // machine to lookup account on<br />
						AccountName,        // account to lookup<br />
						*Sid,               // SID of interest<br />
						&cbSid,             // size of SID<br />
						ReferencedDomain,   // domain account was found on<br />
						&cchReferencedDomain,<br />
						&peUse<br />
						)) {<br />
			if (GetLastError() == ERROR_INSUFFICIENT_BUFFER) {<br />
				//<br />
				// reallocate memory<br />
				//<br />
				*Sid = (PSID)HeapReAlloc(GetProcessHeap(),<br />
										 0,<br />
										 *Sid,<br />
										 cbSid);<br />
<br />
				if(*Sid == NULL) __leave;<br />
<br />
				ReferencedDomain = (LPTSTR)HeapReAlloc( GetProcessHeap(),<br />
														0,<br />
														ReferencedDomain,<br />
														cchReferencedDomain * sizeof(TCHAR));<br />
<br />
				if(ReferencedDomain == NULL) __leave;<br />
			}<br />
			else __leave;<br />
		}<br />
<br />
		//<br />
		// Indicate success.<br />
		//<br />
		bSuccess=TRUE;<br />
<br />
	} // try<br />
	__finally {<br />
<br />
		//<br />
		// Cleanup and indicate failure, if appropriate.<br />
		//<br />
<br />
		HeapFree(GetProcessHeap(), 0, ReferencedDomain);<br />
<br />
		if(!bSuccess) {<br />
			if(*Sid != NULL) {<br />
				HeapFree(GetProcessHeap(), 0, *Sid);<br />
				*Sid = NULL;<br />
			}<br />
		}<br />
<br />
    } // finally<br />
<br />
    return bSuccess;<br />
}<br />
<br />

Now to Make it Text:

Example:

<br />
....<br />
	LPSTR sidText = NULL;<br />
	DWORD cbSid = 128;<br />
<br />
	sidText = (LPSTR) LocalAlloc(LPTR, cbSid);<br />
	if (sidText)<br />
	{<br />
		if(GetTextualSid(psid, sidText, &cbSid)) {<br />
			m_edtSID.SetWindowText(sidText);<br />
		} else {<br />
			m_edtSID.SetWindowText("");<br />
		}<br />
		LocalFree(sidText);<br />
	}<br />
....<br />
<br />
////////////////////////////////////////////////////////////////////<br />
BOOL GetTextualSid(PSID pSid, PTSTR TextualSid, PDWORD pdwBufferLen) <br />
{<br />
	BOOL fSuccess = FALSE;<br />
<br />
    try {{<br />
		// Test if Sid passed in is valid<br />
        if (!IsValidSid(pSid))<br />
			goto leave;<br />
<br />
        // Obtain Sid identifier authority<br />
        PSID_IDENTIFIER_AUTHORITY psia = GetSidIdentifierAuthority(pSid);<br />
<br />
        // Obtain sid subauthority count<br />
        DWORD dwSubAuthorities = *GetSidSubAuthorityCount(pSid);<br />
<br />
        // Compute buffer length<br />
        // S-SID_REVISION-+identifierauthority-+subauthorities-+NULL<br />
        DWORD dwSidSize = (15 + 12 + (12 * dwSubAuthorities) + 1)<br />
            * sizeof(TCHAR);<br />
<br />
        // Check provided buffer length.<br />
        // If not large enough, indicate proper size and SetLastError<br />
        if (*pdwBufferLen < dwSidSize) <br />
		{<br />
			*pdwBufferLen = dwSidSize;<br />
            SetLastError(ERROR_INSUFFICIENT_BUFFER);<br />
            goto leave;<br />
		}<br />
<br />
        // prepare S-SID_REVISION-<br />
        dwSidSize = wsprintf(TextualSid, TEXT("S-%lu-"), SID_REVISION);<br />
<br />
        // Prepare Sid identifier authority<br />
        if ((psia->Value[0] != 0) || (psia->Value[1] != 0)) <br />
		{<br />
			dwSidSize += wsprintf(TextualSid + lstrlen(TextualSid),<br />
               TEXT("0x%02hx%02hx%02hx%02hx%02hx%02hx"),<br />
               (USHORT) psia->Value[0], (USHORT) psia->Value[1],<br />
               (USHORT) psia->Value[2], (USHORT) psia->Value[3],<br />
               (USHORT) psia->Value[4], (USHORT) psia->Value[5]);<br />
		}<br />
		else<br />
		{<br />
            dwSidSize += wsprintf(TextualSid + lstrlen(TextualSid),<br />
               TEXT("%lu"), (ULONG) (psia->Value[5])<br />
               + (ULONG) (psia->Value[4] << 8)<br />
               + (ULONG) (psia->Value[3] << 16)<br />
               + (ULONG) (psia->Value[2] << 24));<br />
		}<br />
<br />
        // Loop through sid subauthorities<br />
        DWORD dwCounter;<br />
        for (dwCounter = 0; dwCounter < dwSubAuthorities; dwCounter++) <br />
		{<br />
			dwSidSize += wsprintf(TextualSid + dwSidSize, TEXT("-%lu"),<br />
               *GetSidSubAuthority(pSid, dwCounter));<br />
		}<br />
<br />
        fSuccess = TRUE;<br />
    } leave:;<br />
    } catch(...) {}<br />
<br />
    return(fSuccess);<br />
}<br />

Regards,

Dan

Hi Corinna,

I developpe an application that must run with restricted user rights on Windows 2000, but my application must write some data in HKEY_LOCAL_MACHINE in registry.
With restricted user right it is not possible.
I think I can do that with impersonation technics but how ?
Could you explain me ?

Thank you for your answer

Patrick.
I developpe with C++Builder 6 Pro.

Patrick
DidactSoft@aol.com

The application must be installed or configured by an administrator, who enters the logon data for an unrestricted account. The application saves the logon data in hkey_current_user.
When the app has to write something to hkey_local_machine, it reads the name and password from the registry, uses it to impersonate the unrestricted user, writes the registry values and then returns to the restricted user's context.

coco

I seem to be getting a consistent error of 1314 whenever I attempt to impersonate using "domain\username". Any guesses? I've read a little bit about the problems with authenticating using that Win32API call, but I've never been able to solve using it for domain authentication.

Are you sure you hold the SE_TCB_NAME privilege?
This authority is required for calling LogonUser().
By default only the system authorities (local service, local system and network service) and the local administrators group have the SE_TBC_NAME priviledge.

I think I figured out what's going on. Domain policy is overriding local policy. I'll have to convert the code to a service and use the localsystem account to do authentication for me.

Is there any advantage to using SSPI when you have overriding domain policies? The KB article http://support.microsoft.com/default.aspx?scid=kb;en-us;180548 seems to hint at it being a viable workaround... Unsure | :~

Thanks for the help!

SSPI works on all windows platforms with any policies, but on XP you have to change registry settings, and AFAIK real impersonation does not work with SSPI.

The easiest way to impersonate a user is a local service or local system service. You GUI uses the account of the logged on user, and when it needs other privileges, it calls the service.

Thanks for all your help!

LSA Functions - Privileges and Impersonation

Introduction

SIDs, Policies and Rights

More LSA

Using the code

License

Comments and Discussions