Windows Server Forum / Windows 2000 / Security / August 2005


How to use SSPI to validate a domain user in another forest

xinyu - 28 Jul 2005 19:49 GMT
I have a little program using SSPI to validate a client's
credential (domain\userID and password).
This program works fine if the client is a domain user in the same
forest as where the program is running.
E.g., this program is running in domain A.test.com;
if the client is a user in domain B.test.com (domains A and B are in
the same forest), everything works fine no matter whether this program is
running as a user or as the local system account.

However, when I try to verify the credentials for a client in another
forest (e.g., the client user is in domain C.test.org; A.test.com and
C.test.org are in two separate forests and no trust relationship is set
up for the forests),
I can use SSPI to verify the client's credential; however, when I
impersonate, we find the client's identity is ANONYMOUS LOGON, which is
wrong. But, if running this program as the local system account, I can get
the client's identity correctly.

Does anyone know why I get "ANONYMOUS LOGON" and how to solve it?
I have been trying for a while, but could not figure out the reason.

Any help is greatly appreciated.
Roger Abell - 01 Aug 2005 15:01 GMT
The forests have no trust.

In attempting impersonation you are asking one realm to trust the
statement from the other realm as to with whom you are interacting
(attempting to impersonate), but you do not trust that other realm to
make such a statement.  Anyway, without a trust the credentials of
the external realm would not be recognized and would be unusable
in the "impersonating" realm.

--
Roger Abell
Microsoft MVP (Windows Security)
MCSE (W2k3, W2k, NT4)  MCDBA

> I have a little program using SSPI to validate client's
> credential(domain\userID and password).
[quoted text clipped - 18 lines]
>
> Any help is greatly appreciated.
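The failure mode Roger describes (the accept side of the SSPI handshake succeeds, but the token handed to ImpersonateSecurityContext identifies nobody) is something a server should check for explicitly before acting on the client's behalf. The following PowerShell function is an added example, not code from the thread or from either poster: it inspects the thread's current impersonation token with the .NET WindowsIdentity wrapper and rejects it when it is the well-known ANONYMOUS LOGON SID (S-1-5-7), when it is only an Identification-level token, or when the SID cannot be resolved to an account in the local forest, which is what happens for a principal from a forest with no trust. The function name and the returned object layout are this example's own choices.

```powershell
# Added example (not from the thread): after the SSPI handshake and
# ImpersonateSecurityContext succeed, inspect the impersonation token
# before trusting it. A client from an untrusted forest shows up as
# NT AUTHORITY\ANONYMOUS LOGON (S-1-5-7) and must be rejected.
function Test-ImpersonatedClientIdentity {
    [CmdletBinding()]
    param(
        # Identity to check; defaults to the calling thread's impersonation
        # token (GetCurrent($true) returns $null when not impersonating).
        [System.Security.Principal.WindowsIdentity]
        $Identity = [System.Security.Principal.WindowsIdentity]::GetCurrent($true)
    )

    $result = [pscustomobject]@{
        Accepted           = $false
        Reason             = $null
        Name               = $null
        Sid                = $null
        AuthenticationType = $null
        ImpersonationLevel = $null
        GroupCount         = 0
    }

    if ($null -eq $Identity) {
        $result.Reason = 'Thread is not impersonating a client'
        return $result
    }

    $result.Name               = $Identity.Name
    $result.Sid                = $Identity.User.Value
    $result.AuthenticationType = $Identity.AuthenticationType
    $result.ImpersonationLevel = $Identity.ImpersonationLevel
    $result.GroupCount         = @($Identity.Groups).Count   # @() tolerates a null Groups

    $anonymousSid = New-Object System.Security.Principal.SecurityIdentifier(
        [System.Security.Principal.WellKnownSidType]::AnonymousSid, $null)

    # The case from the thread: the context was accepted, but the token is
    # the anonymous logon, so nothing about the caller is actually known.
    if ($Identity.IsAnonymous -or $Identity.User -eq $anonymousSid) {
        $result.Reason = 'Token is ANONYMOUS LOGON (S-1-5-7): caller was not authenticated by a trusted realm'
        return $result
    }

    # An Identification-level token can be queried but not used to open
    # resources on the client's behalf.
    $level = $Identity.ImpersonationLevel
    if ($level -ne [System.Security.Principal.TokenImpersonationLevel]::Impersonation -and
        $level -ne [System.Security.Principal.TokenImpersonationLevel]::Delegation) {
        $result.Reason = "Token level is $level; it cannot be used to act on the client's behalf"
        return $result
    }

    # A SID from a trusted domain translates back to DOMAIN\user here; a SID
    # from a forest with no trust cannot be resolved by this machine.
    try {
        $null = $Identity.User.Translate([System.Security.Principal.NTAccount])
    } catch {
        $result.Reason = "SID $($Identity.User.Value) does not resolve in this forest: $($_.Exception.Message)"
        return $result
    }

    $result.Accepted = $true
    $result.Reason   = 'Authenticated, resolvable, impersonation-capable token'
    return $result
}

# Usage inside the impersonation window (between ImpersonateSecurityContext
# and RevertSecurityContext): refuse to do any work unless Accepted is true.
$check = Test-ImpersonatedClientIdentity
if (-not $check.Accepted) {
    Write-Warning ("Rejecting client token: {0}" -f $check.Reason)
}
$check | Format-List
```

Run it from within the server thread while it is impersonating; run outside an impersonation window it reports "Thread is not impersonating a client". The SID-translation step is the one that distinguishes a genuine cross-forest trust from its absence: with a trust in place the foreign SID resolves to C.test.org\user, without one the lookup fails and the token should be treated the same way as the anonymous case.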
xinyu - 09 Aug 2005 20:53 GMT
Thanks Roger for the response.

However, if the program is running as the local system account, I can get
the client's identity correctly and can get the group membership from
the token.

My question is:

Why does running as the local system account work?
©2009 Advenet LLC   Privacy Policy - Terms of Use