How CreateProcessAsUser on Windows Using Delegated Credentials from SSPI?

Question

I work on a Kerberos logon infrastructure (Single Sign-On) with:

1. A client which is authenticated to the Kerberos Key Distribution Center.
2. A principal service server using Kerberos as authentication.

Server Program is coded in C++.

I have no problem to create a context between my principal (client) and my service principal (server). I also delegated my client credentials to the server, because I need to create a process on the server using client user credentials.

And this is my problem, on the server side, I have a SSPI context and I need to CreateProcessAsUser using a Windows type pHandle.

I do not know how to use my SSPI credentials to create on my server a process as the client user.

I take a look at LsaLogonUser, which seems to do what I want (create a handle from kerberos user credentials) but my problem is the same, I do not know how to use the SSPI Token with this LsaLogonUser.

Thanks in Advance, for your help

Answer 1

I finally found a solution to my problem.

The best way to do it is to:

1. write delegated credentials in a temporary file.
2. set KRB5CCNAME environment variable to the path of this file.

It Works ;)

Answer 2

Though it is very late but you could obtain a token by doing following:

HANDLE tempHandle;
 if (!QuerySecurityContextToken(hctxt, &tempHandle))
 {
   MyDbg("Could not obtain token for user");
 }

Answer 3

I just posted a question regarding something related to what you are doing. I am using a session 0 Windows service to launch an application into session 1. The code I used (and asked about) is included in that post, and works well except that paths normally available to a user in session 1 are not accessible when launced this way. In any case, Even though I have some questions about this code, I hope it can start you on the right path.

Ryyker