PRB: LogonUser Fails in ISAPI Extensions

ID: Q232513


The information in this article applies to:


SYMPTOMS

An ISAPI extension runs in the security context of the authenticated user. If the extension needs to access resources that this user cannot access, you can call LogonUser inside the ISAPI to log another user on to the local computer, and then call ImpersonateLoggedOnUser to impersonate the user who has the appropriate access permission. However, the call to LogonUser fails and GetLastError returns ERROR_ACCESS_DENIED, even though the authenticated user has the SE_TCB_NAME privilege and the SE_CHANGE_NOTIFY_NAME privilege enabled (the latter is enabled for Everyone by default).


CAUSE

The code inside LogonUser tries to open the process token. This fails because the authenticated (impersonated) user may not have access to the process token, which belongs to SYSTEM if the ISAPI is running in-process.


RESOLUTION

As a temporary workaround, you can call RevertToSelf to return the thread to the security context of the process token before calling LogonUser. For ISAPI extensions running in-process, the process security context is SYSTEM. You should immediately impersonate some token on the thread so that it does not remain running in the context of the local system any longer than necessary.


BOOL   bThreadToken = FALSE;
HANDLE hSavedToken  = NULL;   // impersonation token IIS placed on this thread
HANDLE hLogonToken  = NULL;   // token for the account that has the needed access

//Save the current thread token so it can be restored later
if( OpenThreadToken(GetCurrentThread(), TOKEN_IMPERSONATE, FALSE, &hSavedToken) )
{
   //Return to the process context (SYSTEM for an inproc ISAPI) so that
   //LogonUser is able to open the process token
   RevertToSelf();
   bThreadToken = TRUE;
}

//Impersonate a user account
//Insure the Sid associated with the process holds SE_TCB_NAME Privilege
//(lpszUsername, lpszDomain and lpszPassword are supplied by the caller)
if( LogonUser(lpszUsername, lpszDomain, lpszPassword,
              LOGON32_LOGON_INTERACTIVE, LOGON32_PROVIDER_DEFAULT, &hLogonToken) )
{
   if( ImpersonateLoggedOnUser(hLogonToken) )
   {
      //...access the resource here, then leave the elevated context at once...
      RevertToSelf();
   }
   CloseHandle( hLogonToken );   //the logon token is no longer needed
}
else
{
   //LogonUser failed; GetLastError() tells why. Fall through and restore.
}

//Restore the original thread token (NULL selects the calling thread)
if( bThreadToken )
{
   SetThreadToken( NULL, hSavedToken );
   CloseHandle( hSavedToken );
}


STATUS

Microsoft has confirmed this to be a problem in the Microsoft products listed at the beginning of this article.


MORE INFORMATION

Modifying the impersonation token for out-of-process (OOP) ISAPI extensions is not supported under IIS 4 because of bugs that can cause problems with impersonation tokens. Therefore, the workaround above does not apply to OOP ISAPIs.

Never add the SE_TCB_NAME privilege to either the IUSR_MACHINE or IWAM_MACHINE account, and never add either of them to the Administrators group. Doing so would expose serious security problems.
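The following audit script is an added example, not part of the KB article, that checks an IIS host for the two conditions just described: an IUSR_ or IWAM_ account holding SeTcbPrivilege (the user-right name behind SE_TCB_NAME) or being a member of the local Administrators group. It assumes it is run elevated, that secedit.exe is available, and that the IIS accounts keep their default IUSR_/IWAM_ name prefixes.

```powershell
# Added audit check (not from the KB). Run elevated on the IIS host.

function Get-TcbPrivilegeHolders {
    # secedit exports local policy as an INI-style .inf; [Privilege Rights]
    # lists each right's holders as '*SID' entries and/or plain names.
    $inf = Join-Path $env:TEMP 'secpol-export.inf'
    secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
    $line = Get-Content $inf | Where-Object { $_ -match '^SeTcbPrivilege\s*=' }
    Remove-Item $inf -ErrorAction SilentlyContinue
    if (-not $line) { return @() }          # nobody holds the right
    ($line -split '=', 2)[1].Trim() -split ',' | ForEach-Object {
        $entry = $_.Trim()
        if ($entry.StartsWith('*')) {
            # translate the SID to DOMAIN\name; keep the raw SID if orphaned
            try {
                $sid = New-Object System.Security.Principal.SecurityIdentifier($entry.Substring(1))
                $sid.Translate([System.Security.Principal.NTAccount]).Value
            } catch { $entry }
        } else { $entry }
    }
}

function Get-LocalAdministratorMembers {
    # WinNT ADSI provider works on any Windows version without extra modules
    $group = [ADSI]'WinNT://./Administrators,group'
    @($group.psbase.Invoke('Members')) | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    }
}

function Test-IisAccountHardening {
    # Returns one finding string per violation; an empty result means clean.
    $prefixes = 'IUSR_', 'IWAM_'            # default IIS 4/5 account prefixes
    $tcb      = @(Get-TcbPrivilegeHolders)
    $admins   = @(Get-LocalAdministratorMembers)
    foreach ($p in $prefixes) {
        $tcb    | Where-Object { $_ -match "(^|\\)$p" } |
            ForEach-Object { "$_ holds SeTcbPrivilege (SE_TCB_NAME)" }
        $admins | Where-Object { $_ -like "$p*" } |
            ForEach-Object { "$_ is a member of Administrators" }
    }
}

$findings = @(Test-IisAccountHardening)
if ($findings.Count -eq 0) { Write-Host 'OK: no IUSR_/IWAM_ hardening violations' }
else { $findings | ForEach-Object { Write-Warning $_ } }
```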

Additional query words:


Keywords   : kbGrpInetServer
Version    : winnt:4.0,4.0 SP4
Platform   : winnt
Issue type : kbprb

Last Reviewed: July 20, 1999