[cvsnt-dev] Re: NtCreateToken & SeImpersonatePrivilege

Tony Hoyle tmh at nodomain.org
Sat May 22 21:38:12 BST 2004




KJK::Hyperion wrote:

> oh, so it wasn't a special check in NtCreateToken! I love Microsoft. 
> Even when they break things, they do it in a technically sound way. 
> Anyway, what does CVSNT need a token for? couldn't the token returned 
> by LogonUser do? (it's used for pserver, right? isn't pserver all about 
> plaintext authentication?)

With pserver you don't have the password to do a LogonUser, so it needs to
create a token without one.  The same is true of SSH with RSA authentication, 
which affects cygwin SSH.  CVSNT does in fact try to pass the pserver password 
to LogonUser to see if it can work that way, but most of the time it doesn't 
(because it's not recommended to use domain passwords with pserver, for 
obvious reasons).

The order CVSNT currently uses is:

1. LogonUser
2. S4U (Win2k3 domain only)
3. LSA/Setuid
4. NtCreateToken

If none of these work it fails the login.

Tony

-- 
Te audire no possum. Musa sapientum fixa est in aure.

Tony Hoyle <tmh at nodomain.org>  Key ID: 104D/4F4B6917 2003-09-13
Fingerprint: 063C AFB4 3026 F724 0AA2  02B8 E547 470E 4F4B 6917

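The fallback chain above ends in paths (LSA logon, NtCreateToken) that only work when the CVSNT service account holds specific user rights, so the practical check on a server is which principals have been granted them. The following PowerShell script is an added example by the editor, not code from CVSNT or from this thread: it exports the local user-rights assignment with `secedit /export /areas USER_RIGHTS`, parses the `[Privilege Rights]` section, and reports who holds the token-related privileges. The privilege list, the function names, the temp-file path and the sample INF text are the editor's assumptions; the script falls back to the constructed sample when `secedit.exe` is not available so the parser can be exercised offline.

```powershell
# Added example (editor's, not CVSNT's): list which principals on this host hold the
# user rights that token creation and impersonation paths depend on.
# Assumptions: Windows with secedit.exe; run elevated so the export succeeds.

$PrivilegesOfInterest = @(
    'SeCreateTokenPrivilege',        # needed to call NtCreateToken
    'SeAssignPrimaryTokenPrivilege', # assign a primary token to a new process
    'SeImpersonatePrivilege',        # impersonate a client after authentication
    'SeTcbPrivilege'                 # act as part of the OS (LSA logon paths)
)

function Get-PrivilegeHolders {
    param(
        [Parameter(Mandatory)][string[]]$InfLines,
        [string[]]$Names = $PrivilegesOfInterest
    )
    $inSection = $false
    foreach ($line in $InfLines) {
        # Track which INF section we are in; only [Privilege Rights] matters here.
        if ($line -match '^\[(.+)\]\s*$') { $inSection = ($Matches[1] -eq 'Privilege Rights'); continue }
        if (-not $inSection) { continue }
        if ($line -match '^\s*(Se\w+Privilege)\s*=\s*(.*)$') {
            $priv = $Matches[1]
            if ($Names -notcontains $priv) { continue }
            # secedit lists holders as comma-separated SIDs prefixed with '*', or plain names.
            $entries = $Matches[2] -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ }
            foreach ($entry in $entries) {
                $account = $entry
                if ($entry.StartsWith('*')) {
                    $sid = $entry.Substring(1)
                    try {
                        $account = (New-Object System.Security.Principal.SecurityIdentifier($sid)).Translate([System.Security.Principal.NTAccount]).Value
                    } catch { $account = $sid }   # unresolvable SID (e.g. deleted account): report it raw
                }
                [pscustomobject]@{ Privilege = $priv; Principal = $account; Raw = $entry }
            }
        }
    }
}

function Export-UserRights {
    # Export only the user-rights area to a temp INF and read it back.
    $inf = Join-Path $env:TEMP 'user-rights-export.inf'
    & secedit.exe /export /cfg $inf /areas USER_RIGHTS | Out-Null
    if (-not (Test-Path $inf)) { throw 'secedit export failed (run elevated?)' }
    try { Get-Content -Path $inf } finally { Remove-Item $inf -ErrorAction SilentlyContinue }
}

# Constructed sample in secedit's INF layout so the parser can be exercised offline;
# the SIDs and the 'cvsnt-svc' account are made up for illustration.
$SampleInf = @'
[Unicode]
Unicode=yes
[Privilege Rights]
SeCreateTokenPrivilege = *S-1-5-32-544
SeImpersonatePrivilege = *S-1-5-6,*S-1-5-19,*S-1-5-20,*S-1-5-32-544
SeTcbPrivilege = *S-1-5-32-544,cvsnt-svc
[Version]
signature="$CHICAGO$"
Revision=1
'@ -split "`r?`n"

$lines = if (Get-Command secedit.exe -ErrorAction SilentlyContinue) { Export-UserRights } else { $SampleInf }
Get-PrivilegeHolders -InfLines $lines | Sort-Object Privilege, Principal | Format-Table -AutoSize
```

On a real host, anything beyond the built-in service accounts and Administrators appearing under SeCreateTokenPrivilege or SeTcbPrivilege is worth an explanation in the change record, since those rights are what let a server mint tokens for users it never authenticated with a password.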
