antiduh / nsspi

A C# / .Net interface to the Win32 SSPI authentication API
BSD 2-Clause "Simplified" License

Authorization #13

Closed zoltanharmath closed 6 years ago

zoltanharmath commented 6 years ago

Hi,

I understand the authentication part of this solution. How does the authorization piece work? If the user is authenticated, how can I get the group membership back?

Thank you, -Zoltan

antiduh commented 6 years ago

Hi. That's not supported right now (though, look through the recent commits, they may be relevant). It looks like it's pretty easy to add, so I'll look into it in a few days.

zoltanharmath commented 6 years ago

Can I get the authZ information back directly from the token, or should I impersonate the authenticated client? I think if the authenticated client is impersonated I can extract the group membership from the access token. But this looks like a bit of a complicated direction. Theoretically, how does the authZ work? Is it part of the SSPI? I don't think so.

zoltanharmath commented 6 years ago

OK, I solved this. :) It is easy.

  1. Impersonation is required
  2. Once it is impersonated in that thread we have to open the thread (OpenThread function)
  3. Once the Thread is opened we have to open the thread token (OpenThreadToken)
  4. Once we have the thread token we have to duplicate it (DuplicateTokenEx or DuplicateToken)
  5. With this duplicated token we can call the AccessCheck API to get the authorization result back

I have a working prototype and it is working fine. This is not an SSPI function, so I will go and close this.
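Steps 2 to 5 above worked out as C# P/Invoke, an added example that is not part of nsspi or of the original posts. It assumes the calling thread is already impersonating the client (step 1), uses GetCurrentThread() for the current thread where the post says OpenThread, and the SDDL string and the AccessCheckDemo/IsAccessGranted names are constructed for the example.

```csharp
using System;
using System.Runtime.InteropServices;
using System.Security.AccessControl;

static class AccessCheckDemo
{
    const uint TOKEN_QUERY = 0x0008, TOKEN_DUPLICATE = 0x0002;
    const uint FILE_READ_DATA = 0x0001, FILE_WRITE_DATA = 0x0002;
    [StructLayout(LayoutKind.Sequential)]
    struct GENERIC_MAPPING { public uint GenericRead, GenericWrite, GenericExecute, GenericAll; }
    [DllImport("kernel32.dll")] static extern IntPtr GetCurrentThread();
    [DllImport("kernel32.dll")] static extern bool CloseHandle(IntPtr h);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool OpenThreadToken(IntPtr thread, uint access, bool openAsSelf, out IntPtr token);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool DuplicateTokenEx(IntPtr token, uint access, IntPtr attrs, int impLevel, int tokenType, out IntPtr newToken);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool AccessCheck(byte[] sd, IntPtr clientToken, uint desiredAccess, ref GENERIC_MAPPING mapping,
        byte[] privSet, ref uint privSetLen, out uint granted, out bool accessStatus);

    // Call on the thread that is currently impersonating the SSPI client (step 1 above).
    // sddl: the resource's security descriptor, e.g. "O:BAG:BAD:(A;;FR;;;BU)" (constructed sample).
    // desiredAccess: specific rights only (e.g. FILE_READ_DATA), not GENERIC_* bits.
    public static bool IsAccessGranted(string sddl, uint desiredAccess)
    {
        // Steps 2-3: open the thread's impersonation token. openAsSelf=true makes the open itself
        // run under the process identity, so a low-privilege client token cannot block it.
        if (!OpenThreadToken(GetCurrentThread(), TOKEN_QUERY | TOKEN_DUPLICATE, true, out IntPtr threadToken))
            throw new InvalidOperationException("no impersonation token: " + Marshal.GetLastWin32Error());
        IntPtr dupToken = IntPtr.Zero;
        try
        {
            // Step 4: AccessCheck needs an impersonation-type token; duplicate at SecurityImpersonation (2).
            if (!DuplicateTokenEx(threadToken, TOKEN_QUERY, IntPtr.Zero, 2, 2, out dupToken))
                throw new InvalidOperationException("DuplicateTokenEx: " + Marshal.GetLastWin32Error());
            // Step 5: evaluate the client's user/group SIDs against the DACL. Owner and group (O:/G:)
            // must be present in the SD, otherwise AccessCheck fails with ERROR_INVALID_SECURITY_DESCR.
            var rsd = new RawSecurityDescriptor(sddl);
            var sd = new byte[rsd.BinaryLength];
            rsd.GetBinaryForm(sd, 0);
            var map = new GENERIC_MAPPING { GenericRead = FILE_READ_DATA, GenericWrite = FILE_WRITE_DATA,
                                            GenericExecute = 0x20, GenericAll = 0x1F01FF };
            var privSet = new byte[64]; uint privLen = (uint)privSet.Length;
            if (!AccessCheck(sd, dupToken, desiredAccess, ref map, privSet, ref privLen, out uint granted, out bool ok))
                throw new InvalidOperationException("AccessCheck: " + Marshal.GetLastWin32Error());
            return ok; // true only if every bit in desiredAccess was granted by the DACL
        }
        finally { if (dupToken != IntPtr.Zero) CloseHandle(dupToken); CloseHandle(threadToken); }
    }
}
```

Group membership itself is not returned by AccessCheck; the DACL decides, so put the groups you care about into the SDDL and ask for the specific rights you need.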

zoltanharmath commented 6 years ago

This is not part of the SSPI, so I will go and close it. For authorization we should use the AccessCheck (https://msdn.microsoft.com/en-us/library/windows/desktop/aa374815(v=vs.85).aspx) function or AuthZ.dll.