[cvsnt-dev] Re: NtCreateToken & SeImpersonatePrivilege

Tony Hoyle tmh at nodomain.org
Sun May 23 01:04:09 BST 2004




KJK::Hyperion wrote:

> Tony Hoyle wrote:
> 
> 
>>2. S4U (Win2k3 domain only)
> 
> 
> what's this?

http://msdn.microsoft.com/msdnmag/issues/03/04/SecurityBriefs/

> 
>>3. LSA/Setuid
> 
> 
> and is this authenticated somehow? or is the fact that the caller has 
> the TCB privilege enough?

The service has to have enough privilege to call 
LsaRegisterLogonProcess/LsaLogonUser, which is at least TCB (as it's calling a 
subauth package) and I suspect some other privileges too.  The DLL also does 
an extra check for things like disabled accounts, etc.

Of course if you don't trust it it's an option not to install it :)  If one of 
the first two methods is OK for your setup or you're always using SSPI, etc. 
then it'll not affect anything.

Tony

-- 
Te audire no possum. Musa sapientum fixa est in aure.

Tony Hoyle <tmh at nodomain.org>  Key ID: 104D/4F4B6917 2003-09-13
Fingerprint: 063C AFB4 3026 F724 0AA2  02B8 E547 470E 4F4B 6917

