Use LsaLogonUser for Protocol Transitioning and SSPI

  • Question

  • Hello,

    I am wondering if the following is possible:

    1. An account on machine A with the necessary privileges uses protocol transitioning through LsaLogonUser to acquire credentials for another user principal.
    2. The Token Handle acquired through the LsaLogonUser function is then used to impersonate that user, through the ImpersonateLoggedOnUser function.
    3. AcquireCredentialsHandle and InitializeSecurityContext are then used to prove the impersonated principal's identity to another server (B).

    The main goal would be for machine B to receive the impersonated credentials from machine A, so that B could then use them to authenticate against another service.

    So far, I have successfully been able to use protocol transitioning with LsaLogonUser to log in with another principal. I then impersonate this principal successfully and call AcquireCredentialsHandle. All of this works fine, but when I call InitializeSecurityContext, it returns SEC_E_NO_CREDENTIALS.

    So, is something like this possible and if so, is this a valid way of doing it, or is there another way?

    Thanks for any help,


    Wednesday, December 3, 2008 1:58 PM