[cvsnt] Re: problem with domain users and impersonation

Glen Starrett grstarrett at cox.net
Fri Jul 4 00:04:51 BST 2003


I believe that under NT4 by default users couldn't login to servers without
explicitly granting them the log on locally right.  That caused problems
with the MSFTP service, you can't log into the FTP server without log on
locally rights--note that isn't even interactive--but I *believe* FTP was
impersonating the user to get the same effect you are seeking (application
of NTFS permissions to the remote user).

Now, that does not hold true for IIS.  When you use NT authentication
against NT4 IIS it does so without requiring local login.

Win2K changed that and now allows users to log in interactively by default.
I suppose that eliminated the "bug" that people couldn't log into the FTP server
by default <a bit cynical perhaps, but entirely possible>.  Perhaps it was a
change for something more modern, like Terminal Server.


Glen Starrett

-----Original Message-----
From: cvsnt-bounces at cvsnt.org [mailto:cvsnt-bounces at cvsnt.org]On Behalf
Of Tony Hoyle
Sent: Thursday, July 03, 2003 3:11 PM
To: cvsnt at cvsnt.org
Subject: [cvsnt] Re: problem with domain users and impersonation


Rolf Wilms wrote:


> However I'm not sure if this would work. Using the SSPI protocol (from the
> client to the CVSNT server) already doesn't work with option b). In this
> case, does the server use the SSPI protocol to authenticate the user
> (against the domain), or does it also use LogonUser here?

The SSPI authentication is pure SSPI, so if that doesn't work then mucking
around with SSPI locally won't work either...

> Or any other clue to avoid specifying the CVSNT server on that list of
> eight computers?

You could remove the interactive login right from the user, but that would
probably remove them from the domain entirely... I'm not sure it's possible
with NT4 domains - possibly Active Directory (although you'd have to ask an
MCSE as I'm not aware of such an option).

Tony

_______________________________________________
cvsnt mailing list
cvsnt at cvsnt.org
http://www.cvsnt.org/cgi-bin/mailman/listinfo/cvsnt


