New cred cache breaks Win2k service
David Lawler Christiansen (NT)
DAVIDCHR at windows.microsoft.com
Wed Feb 20 16:51:14 EST 2002
Below:
> -----Original Message-----
> From: Danilo Almeida [mailto:dalmeida at mit.edu]
> Sent: Wednesday, February 20, 2002 11:04 AM
> To: 'Mike Frisch'
> Cc: kerberos at mit.edu
> Subject: RE: New cred cache breaks Win2k service
>
>
> This is by design. As I recall, the original problem was this:
>
> A process doing impersonation cannot start a program as the
> user being impersonated because the process level tokens are
> the service's and not the user's.
In Windows, when a process is created, by default it shares the process
token of the calling process. However, the server process can duplicate
the impersonation token to a primary token and assign this to the
process being spawned. See the CreateProcessAsUser API in MSDN for more
information.
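The sequence described in the reply above, as an added example that is not part of the original message: a service thread that is already impersonating a client duplicates its impersonation token to a primary token and starts a child process with it. The function name spawn_as_impersonated_user and its app_path parameter are hypothetical, and the non-Windows stub exists only so the file compiles elsewhere.

```c
#include <stddef.h>   /* wchar_t */
#ifdef _WIN32
#include <windows.h>

/* Call on a service thread that is currently impersonating the client.
 * How impersonation began (SSPI, named pipe, RPC) is outside this example.
 * Returns 0 on success, -1 on failure. */
int spawn_as_impersonated_user(const wchar_t *app_path)
{
    HANDLE imp = NULL, primary = NULL;
    STARTUPINFOW si;
    PROCESS_INFORMATION pi;
    int rc = -1;

    if (app_path == NULL)
        return -1;
    ZeroMemory(&si, sizeof si);
    si.cb = sizeof si;
    ZeroMemory(&pi, sizeof pi);

    /* 1. Fetch the impersonation token attached to this thread. */
    if (!OpenThreadToken(GetCurrentThread(), TOKEN_DUPLICATE | TOKEN_QUERY,
                         TRUE, &imp))
        return -1;

    /* 2. Duplicate it as a primary token, requesting only the access
     *    rights CreateProcessAsUser needs on the token. */
    if (!DuplicateTokenEx(imp,
                          TOKEN_QUERY | TOKEN_DUPLICATE | TOKEN_ASSIGN_PRIMARY,
                          NULL, SecurityImpersonation, TokenPrimary, &primary))
        goto done;

    /* 3. Start the child with the user's token. An explicit application
     *    path avoids command-line path parsing; bInheritHandles is FALSE
     *    so the service's handles are not passed to the child. */
    if (CreateProcessAsUserW(primary, app_path, NULL, NULL, NULL, FALSE,
                             0, NULL, NULL, &si, &pi)) {
        CloseHandle(pi.hThread);
        CloseHandle(pi.hProcess);
        rc = 0;
    }
done:
    if (primary) CloseHandle(primary);
    CloseHandle(imp);
    return rc;
}
#else
/* Non-Windows stub so the file still compiles; always reports failure. */
int spawn_as_impersonated_user(const wchar_t *app_path)
{ (void)app_path; return -1; }
#endif
```

The calling service account typically needs the SE_INCREASE_QUOTA_NAME privilege, and may need SE_ASSIGNPRIMARYTOKEN_NAME, for CreateProcessAsUser to succeed.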