Sahana Udaya
Guest
In the POC we are trying, a Service impersonates a user in order to be able to access a file on file system.
The POC is from link http://code.msdn.microsoft.com/windowsdesktop/CppWindowsService-cacf4948.
We have been trying constrained delegation as per the link http://msdn.microsoft.com/en-us/library/ff649317.aspx
We were able to achieve impersonation if the service is trusted for delegation in the domain controller and the service runs under the “Local System” account. Trying to run the service as a WinAD user, it isn't able to impersonate.
We have followed the steps mentioned in the link https://technet.microsoft.com/en-us/library/cc757194%28v=ws.10%29.aspx.
Some of the things we came across about the configuration are:
- The Domain Functional level to be more than Windows Server 2003: http://technet.microsoft.com/en-us/library/cc753104.aspx. Also https://technet.microsoft.com/en-us/library/ee675779.aspx
- Providing SeTcbPrivilege
- To set SPN http://technet.microsoft.com/en-us/library/cc731241%28WS.10%29.aspx
- Making the user part of Pre-Windows 2000 Compatible http://support.microsoft.com/kb/325363
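
A read-only check of the configuration items listed above, added here as an example (it is not part of the original post or of the linked Microsoft sample). The account name `svc-poc` is a placeholder; the script assumes the RSAT ActiveDirectory module and an elevated prompt on the host that runs the service.

```powershell
# Added example: report the delegation-related settings for a service account.
# 'svc-poc' is a hypothetical sAMAccountName; replace it with the real service account.
param([string]$ServiceAccount = 'svc-poc')

Import-Module ActiveDirectory

# Domain functional level (first item in the list).
$domain = Get-ADDomain

# SPNs and delegation flags on the account the service runs as.
$user = Get-ADUser -Identity $ServiceAccount -Properties ServicePrincipalName,
    TrustedForDelegation, TrustedToAuthForDelegation, 'msDS-AllowedToDelegateTo', MemberOf

# Pre-Windows 2000 Compatible Access is the built-in group with well-known SID S-1-5-32-554.
# MemberOf lists direct membership only; membership through another group
# (for example Authenticated Users) does not show up here.
$pre2k = Get-ADGroup -Identity 'S-1-5-32-554'

# Local user-rights assignment for SeTcbPrivilege ("Act as part of the operating system").
# secedit writes domain accounts as *SID entries; LocalSystem holds the right implicitly.
$cfg = Join-Path $env:TEMP 'user_rights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$tcbLine = Select-String -Path $cfg -Pattern '^SeTcbPrivilege' | Select-Object -First 1
Remove-Item $cfg -ErrorAction SilentlyContinue
$hasTcb = [bool]($tcbLine -and ($tcbLine.Line -match [regex]::Escape($user.SID.Value)))

[pscustomobject]@{
    DomainFunctionalLevel      = $domain.DomainMode
    ServicePrincipalNames      = $user.ServicePrincipalName -join '; '
    TrustedForDelegation       = $user.TrustedForDelegation        # unconstrained delegation
    TrustedToAuthForDelegation = $user.TrustedToAuthForDelegation  # protocol transition
    AllowedToDelegateTo        = $user.'msDS-AllowedToDelegateTo' -join '; '
    InPre2000CompatibleAccess  = $user.MemberOf -contains $pre2k.DistinguishedName
    HasSeTcbPrivilegeLocally   = $hasTcb
} | Format-List
```

An empty `ServicePrincipalNames` or `AllowedToDelegateTo` value, or `TrustedForDelegation` set where constrained delegation was intended, shows where the domain-user configuration differs from the working Local System setup.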