SSPI/NTLM impersonation level problem

Archived from groups: microsoft.public.win2000.security (More info?)

Hi,

My installation app uses SSPI and NTLM to switch user to an administrator
(within the local machine) if the logged user does not have the right
privileges (write registry HKLM).

It stopped working with 2000 SP4 (it may have with an earlier SP but I only
have PCs with no SP and SP4).

Calling ImpersonateSecurityContext() results in an impersonation level of
SecurityIdentification not SecurityImpersonation and GetUserName() fails
with ERROR_INVALID_HANDLE (if I recall rightly GetUserName() used to fail on
NT but the impersonation level was ok).

Also on XP SP1 requesting an impersonation of user Admin from a restricted
user results in an impersonation of user Guest (all the calls succeed but
the wrong user is impersonated).

Calling InitializeSecurityContext() with ISC_REQ_DELEGATE always results in
the returned context attributes not having DELEGATE set whether the
impersonation level achieved was SecurityImpersonation or not. (The docs say
NTLM does not support ISC_REQ_DELEGATE.)

(My code is based on Tomas Restrepo's library
http://www.winterdom.com/dev/security/sspi.html . The app is a WIN32 GUI. I
am using VC6.

Any security experts out there got any ideas what changed re: SSPI/NTLM with
SP4 (or earlier) or how I can induce NTLM to raise the impersonation level?

Thanks,

Jan