AcquireCredentials problem running inside iis

aliwaheed1975@yahoo.com aliwaheed1975 at yahoo.com
Thu May 11 14:11:05 EDT 2006


I have a website in IIS which has been configured to run with Windows
Authentication and I have <identity impersonate="true" /> in my
web.config.

I know that my configuration works correctly as when I look at the
identity under which the thread is running I can see that it is the
user's account.

My aim is to generate a security token to authenticate the user against
one of our single-sign-on (SSO) servers (written in-house). I am using
the SSPI samples (Microsoft Security SSPI Classes) which I downloaded
from your website to generate tokens in order to perform an SSPI
authentication with our SSO server.

The problem I have is that when a user logs on, although the thread in
IIS seems to run under the user's account, the SSPI call seems to
generate credentials for 'anonymous user'.

When I log on from the machine where IIS is running (and I am the
interactive user), the token is generated with my details, which is
the correct behaviour.

When I log on from another machine where I am the interactive user
(and IIS is still running on the original machine where I am the
interactive user), the token seems to be generated for 'anonymous
user'.

Is there a way I can get the call to AcquireCredentials and
subsequently to InitializeSecurityContext to yield a token relating to
the currently logged-on user?

This is the signature for acquireCredentials:

SECURITY_STATUS sResult = AcquireCredentialsHandle(
    NULL,                    // [in] name of principal. NULL = principal of current security context
    pszPackageName,          // [in] name of package
    fCredentialUse,          // [in] flags indicating use
    pszLogonID,              // [in] pointer to logon identifier. NULL = we're not specifying the id of another logon session
    NULL,                    // [in] package-specific data. NULL = default credentials for security package
    NULL,                    // [in] pointer to GetKey function. NULL = we're not using a callback to retrieve the credentials
    NULL,                    // [in] value to pass to GetKey
    this->credentialHandle,  // [out] credential handle (this must be already allocated)
    &tsExpiry                // [out] lifetime of the returned credentials
);


Initially (for the above described symptoms), instead of pszLogonID
there was NULL being passed in. I have tried to pass in a SID and
even the logon session id (LUID), but this causes the function to
return -2146893050, which I'm pretty sure is SEC_E_NOT_OWNER. I get this
error now on the IIS machine as well as the remote machine.

Is there something I am missing here?
Can anyone help?
Who shot J.R.?

I hope Keith Brown is reading; I'm sure he'd sort this out in a flash.
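An added diagnostic, not part of the original post and not taken from the SSPI sample classes it mentions, that an ASP.NET page running under <identity impersonate="true" /> can call to report what kind of token the request thread is carrying. It assumes .NET Framework 2.0 or later (for WindowsIdentity.ImpersonationLevel). The point it makes visible is the one behind the symptom above: AcquireCredentialsHandle with a NULL principal borrows the credentials of the impersonated logon session, and a token produced by a remote browser's NTLM network logon has no credential material behind it, so the outbound SSPI handshake to the SSO server degrades to an anonymous (NULL-session) authentication. Only a delegation-level token (Kerberos, with delegation permitted for the IIS account), or the user's own interactive session on the IIS box itself, yields the user's credentials on the second hop.

```csharp
// Added diagnostic, not from the original post or the SSPI samples.
// Assumes .NET Framework 2.0+; call Describe(WindowsIdentity.GetCurrent())
// from Page_Load while impersonation is in effect.
using System;
using System.Security.Principal;

public static class TokenDiagnostics
{
    // Returns a one-line verdict on whether the thread's token can back an
    // AcquireCredentialsHandle(NULL, ...) call that must authenticate to a
    // second machine, and why.
    public static string Describe(WindowsIdentity id)
    {
        if (id == null || id.IsAnonymous)
        {
            // This is the 'anonymous user' symptom: no caller identity at all.
            return "Anonymous token: no user credentials are available to SSPI.";
        }

        string who = id.Name;
        string how = id.AuthenticationType;   // e.g. "NTLM", "Kerberos", "Negotiate"
        TokenImpersonationLevel level = id.ImpersonationLevel;

        switch (level)
        {
            case TokenImpersonationLevel.Delegation:
                // Only a delegation-level token (Kerberos with delegation allowed
                // for the IIS account) carries credentials that can be presented
                // to another server on the user's behalf.
                return who + " via " + how + ": delegation-level token; "
                     + "SSPI can authenticate to a remote server as this user.";

            case TokenImpersonationLevel.Impersonation:
                // The usual result of an NTLM (or non-delegable Kerberos) network
                // logon from a remote browser: the server may act as the user on
                // this machine, but there is nothing to present to a third machine,
                // so an outbound SSPI exchange falls back to a NULL session. The
                // exception is the interactive user on the IIS box itself, whose
                // logon session does hold credentials.
                return who + " via " + how + ": impersonation-level token only; "
                     + "a second hop to another machine will appear anonymous.";

            case TokenImpersonationLevel.Identification:
                return who + " via " + how + ": identification-level token; "
                     + "usable for access checks but not for acting as the user.";

            default:
                return who + " via " + how + ": primary or unspecified token ("
                     + level + "); not an impersonation token.";
        }
    }
}
```

Write the verdict to a trace or log once for a request from the IIS machine and once for a request from another machine; the two cases above should come back as different levels or authentication types, which is the configuration gap to close (Kerberos with delegation) rather than anything in the SSPI call itself. The SEC_E_NOT_OWNER result from passing a LUID in the pszLogonID slot is the expected outcome of the experiment in the post: that parameter names a logon session the caller must own, and naming some other session there requires the TCB privilege, which the IIS worker process does not hold.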




More information about the Kerberos mailing list