How to use SSPI to validate a domain user in another forest

Anonymous
July 28, 2005 3:49:42 PM

Archived from groups: microsoft.public.win2000.security

I have a little program using SSPI to validate a client's
credentials (domain\userID and password).
This program works fine if the client is a domain user in the same
forest as where the program is running.
E.g., this program is running in domain A.test.com;
if the client is a user in domain B.test.com (domains A and B are in
the same forest), everything works fine no matter whether this program is
running as a user or as the local system account.

However, when I try to verify the credentials for a client in another
forest (e.g., the client user is in domain C.test.org; A.test.com and
C.test.org are in two separate forests and no trust relationship is set
up between the forests),
I can use SSPI to verify the client's credentials; however, when I
impersonate, we find the client's identity is ANONYMOUS logon, which is
wrong. But if running this program as the local system account, I can get
the client's identity correctly.

Does anyone know why I get "ANONYMOUS logon" and how to solve it?
I have been trying for a while, but could not figure out the reason.

Any help is greatly appreciated.

Anonymous
August 1, 2005 11:01:22 AM

The forests have no trust.

In attempting impersonation you are asking one realm to trust the
statement from the other realm as to with whom you are interacting
(attempting to impersonate), but you do not trust that other realm to
make such a statement. Anyway, without a trust the credentials of
the external realm would not be recognized and would be unusable
in the "impersonating" realm.

--
Roger Abell
Microsoft MVP (Windows Security)
MCSE (W2k3,W2k,Nt4) MCDBA
"xinyu" <xinyu_wang114@yahoo.com> wrote in message
news:1122576582.883398.258670@f14g2000cwb.googlegroups.com...
> I have a little program using SSPI to validate a client's
> credentials (domain\userID and password).
> This program works fine if the client is a domain user in the same
> forest as where the program is running.
> E.g., this program is running in domain A.test.com;
> if the client is a user in domain B.test.com (domains A and B are in
> the same forest), everything works fine no matter whether this program is
> running as a user or as the local system account.
>
> However, when I try to verify the credentials for a client in another
> forest (e.g., the client user is in domain C.test.org; A.test.com and
> C.test.org are in two separate forests and no trust relationship is set
> up between the forests),
> I can use SSPI to verify the client's credentials; however, when I
> impersonate, we find the client's identity is ANONYMOUS logon, which is
> wrong. But if running this program as the local system account, I can get
> the client's identity correctly.
>
> Does anyone know why I get "ANONYMOUS logon" and how to solve it?
> I have been trying for a while, but could not figure out the reason.
>
> Any help is greatly appreciated.
>
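The check that Roger's explanation implies, written here as an added example that is not from this thread: a C# program (.NET Framework on Windows) that runs the SSPI handshake through NegotiateStream, the managed wrapper over the Negotiate package, and refuses to impersonate when the token it received is ANONYMOUS LOGON or is identify-only. The domain "C", user "testuser" and password "p@ss" are constructed placeholders.

```csharp
// Added example, not code from the thread. NegotiateStream is .NET's wrapper over
// the SSPI Negotiate package. "C"\"testuser"/"p@ss" are constructed placeholders.
using System;
using System.Net;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Principal;
using System.Threading.Tasks;
static class SspiIdentityCheck
{
    public static string Verdict(WindowsIdentity id)
    {
        // S-1-5-7 is ANONYMOUS LOGON: the handshake completed, but no trusted authority
        // vouched for the caller (here: no trust to the client's forest).
        if (id.IsAnonymous || id.User.Value == "S-1-5-7")
            return "refuse: ANONYMOUS LOGON";
        if (id.ImpersonationLevel < TokenImpersonationLevel.Impersonation)
            return "refuse: identify-only token";
        return "ok: " + id.Name;
    }
    static void Main()
    {
        var listener = new TcpListener(IPAddress.Loopback, 0);
        listener.Start();
        int port = ((IPEndPoint)listener.LocalEndpoint).Port;
        // Client side: explicit domain\user + password, like the OP's client.
        var client = Task.Run(() =>
        {
            using (var tcp = new TcpClient("127.0.0.1", port))
            using (var ns = new NegotiateStream(tcp.GetStream()))
                ns.AuthenticateAsClient(new NetworkCredential("testuser", "p@ss", "C"),
                    string.Empty, ProtectionLevel.EncryptAndSign,
                    TokenImpersonationLevel.Impersonation);
        });
        // Server side: finish the SSPI handshake, then check before impersonating.
        using (var tcp = listener.AcceptTcpClient())
        using (var ns = new NegotiateStream(tcp.GetStream()))
        {
            ns.AuthenticateAsServer(CredentialCache.DefaultNetworkCredentials,
                ProtectionLevel.EncryptAndSign, TokenImpersonationLevel.Impersonation);
            var id = (WindowsIdentity)ns.RemoteIdentity;
            string verdict = Verdict(id);
            Console.WriteLine(verdict);
            if (verdict.StartsWith("ok"))
                using (id.Impersonate())
                    Console.WriteLine("thread runs as " + WindowsIdentity.GetCurrent().Name);
        }
        client.Wait();
    }
}
```

If the handshake itself fails (for example because the server side rejects the untrusted domain outright), NegotiateStream throws an AuthenticationException rather than returning an identity, so production code should catch that as well.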
Anonymous
August 9, 2005 4:53:14 PM

Thanks Roger for the response.

However, if the program is running as the local system account, I can get
the client's identity correctly and can get the group membership from
the token.

My question is:

Why does running as the local system account work?