Testing SSPIChat
The instructions below briefly describe possible ways to set up and test the SSPIChat sample. It is recommended to have two networked computers (but it could be tested on a single machine). You will need at least two user accounts.
- On the server computer, log in as USER1 and start SSPIChat. Select the following options:
  · Select the Server option.
  · From the Security Package drop-down list, select a security package (NT LanMan/Kerberos/Negotiate).
  · Select the appropriate check boxes.
- Click the Connect button. The server will now wait for a connecting client.
- On the client computer, log in as USER2 and start SSPIChat. Select the following options:
  · Select the Client option.
  · In the Connect To box, identify the server computer. This can be an Internet address (www.northwind.microsoft.com), an IP address (xxx.xxx.xxx.xxx), or a server name (SERVER1).
  · From the Security Package drop-down list, select the same security package as selected on the server computer.
  · In the Server Account Name box, type the name of the account on the server, "USER1". If the server is running in the server machine’s system account, enter the machine’s name here.
  · Select the appropriate check boxes.
- Click the Connect button.
- At this point, you should have a connection and you can use the chat box to send text between the client and server.
SSPIChat Delegation
In order to utilize delegation, the following criteria must be met:
- The server’s account must be trusted for delegation in the domain.
- Mutual authentication must be selected.
- Both client and server must be communicating using Kerberos.
- The server process should be running in the system account.
Trusting an Account for Delegation
- Open the MMC and select the snap-in for Active Directory Users and Computers.
- Select your domain, and find the computer you wish to trust for delegation under the “Computers” folder.
- Right-click on the computer’s name in the right pane, and select “Properties”.
- On the “General” tab, check the “Trust computer for delegation” check box.
- Click the “OK” or “Apply” button.
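The same setting can be checked and applied from PowerShell. This is an added example, not part of the book's samples: the MMC check box above corresponds to the computer object's TrustedForDelegation attribute, and the script assumes the ActiveDirectory module (RSAT), a domain account permitted to edit the computer object, and the book's placeholder name SERVER1.

```powershell
# Added example: report (and with -Enable, set) "Trust computer for delegation"
# for the server's computer account, then list every computer in the domain
# that carries the flag. Not part of the SSPIChat sample.
param(
    [string]$Computer = 'SERVER1',   # server computer account; SERVER1 is the book's placeholder
    [switch]$Enable                  # with -Enable, set the flag; otherwise only report
)
Import-Module ActiveDirectory

# The MMC "Trust computer for delegation" check box is the TrustedForDelegation
# attribute of the computer object (unconstrained delegation).
$obj = Get-ADComputer -Identity $Computer -Properties TrustedForDelegation, ServicePrincipalName

"{0}: TrustedForDelegation = {1}" -f $obj.Name, $obj.TrustedForDelegation
# Delegation requires Kerberos, and Kerberos locates the server by SPN, so show those too.
"{0}: SPNs = {1}" -f $obj.Name, (@($obj.ServicePrincipalName) -join ', ')

if ($Enable -and -not $obj.TrustedForDelegation) {
    Set-ADComputer -Identity $Computer -TrustedForDelegation $true
    "Enabled TrustedForDelegation on {0}; re-run without -Enable to verify" -f $Computer
}

# Inventory of every computer account carrying the flag. Keep this list to the
# servers that need it: each of them can act with any connecting user's
# credentials toward other services, which is exactly what delegation grants.
"Computers currently trusted for delegation:"
Get-ADComputer -Filter { TrustedForDelegation -eq $true } |
    Select-Object -ExpandProperty Name
```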
Launching the SSPIChat sample in the System Account
Steps that must be taken once:
- On the server computer, log in as USER1, which must have administrative privileges.
- Start TrusteeMan, which was discussed in Chapter 9.
- Grant the following privileges for USER1:
  · SeAssignPrimaryTokenPrivilege
  · SeEnableDelegationPrivilege
  · SeIncreaseQuotaPrivilege
  · SeTcbPrivilege
- Log out and log back in so that USER1’s logon token includes the new privileges.
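To confirm the grant took effect in the local security policy (and to see who else holds these rights), the following added script, which is not part of the book's samples, exports the policy with secedit and parses its [Privilege Rights] section. It assumes an elevated PowerShell on the server computer; USER1 is the book's placeholder account name.

```powershell
# Added example: audit which of the four user rights the TokenMaster procedure
# needs are assigned to an account, via "secedit /export". Not from the book's samples.
param([string]$Account = 'USER1')   # assumption: the book's USER1

$required = 'SeAssignPrimaryTokenPrivilege', 'SeEnableDelegationPrivilege',
            'SeIncreaseQuotaPrivilege', 'SeTcbPrivilege'

# secedit writes holders as *S-1-5-..., so resolve the account to its SID first.
$sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value

$inf = Join-Path $env:TEMP 'user-rights.inf'
& secedit.exe /export /cfg $inf /areas USER_RIGHTS | Out-Null
if (-not (Test-Path $inf)) { throw "secedit export failed; run from an elevated prompt" }

# Build a privilege -> holders map from lines such as "SeTcbPrivilege = *S-1-5-32-544,*S-1-5-21-..."
$rights = @{}
$inSection = $false
foreach ($line in Get-Content $inf) {
    if ($line -match '^\[(.+)\]$') { $inSection = ($Matches[1] -eq 'Privilege Rights'); continue }
    if ($inSection -and $line -match '^(Se\w+)\s*=\s*(.*)$') {
        $rights[$Matches[1]] = @($Matches[2].Split(',') |
            ForEach-Object { $_.Trim().TrimStart('*') } | Where-Object { $_ })
    }
}
Remove-Item $inf -ErrorAction SilentlyContinue

# These rights let a process act as part of the OS and start processes under other
# tokens, so the holder list for each should be short and deliberate.
foreach ($priv in $required) {
    $holders = @($rights[$priv]) | Where-Object { $_ }
    $status  = if ($holders -contains $sid) { 'OK' } else { 'MISSING' }
    $names   = $holders | ForEach-Object {
        try { (New-Object System.Security.Principal.SecurityIdentifier($_)).Translate(
                  [System.Security.Principal.NTAccount]).Value } catch { $_ }
    }
    '{0,-32} {1,-8} holders: {2}' -f $priv, $status, ($names -join ', ')
}
```

A MISSING line after a fresh TrusteeMan grant usually means the export reflects an older policy; a logoff and logon is still required before USER1's own token carries the right.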
Steps that must be taken each time you launch a process:
- Start TokenMaster, which was discussed in Chapter 11. The status box should indicate that it is running as the system:
  · "Token Master, Status - Token Master running as SYSTEM"
  · If TokenMaster is not running as “SYSTEM”, be sure that you are logged in with an account for which you did steps 1-4 above.
- Select System from the Processes drop-down list.
- Click the OpenProcessToken button and click Yes in the Duplicate Token message box.
- In the "Create a Process With The Current Token" section, browse to the location of "12 SSPIChat.exe".
- Click the CreateProcessAsUser button. SSPIChat should start and display "SSPIChat is running as "SYSTEM"" in the title bar.
Additional points on launching processes in the system account:
- You can use the preceding steps to launch any process in the system account. Some of the samples in this book are significantly more capable when run from the system account. You may also find it useful to launch Visual Studio in the system account, so that you can use it to launch and debug your own software from the system account.
- The Platform SDK and the Resource Kit include a tool called SU (which stands for “Super User”), which provides an alternative technique for launching processes in the system account.
Setting up SSPIChat for delegation (server):
- In SSPIChat, select the following options:
  · Select the Server option.
  · From the Security Package drop-down list, select the Kerberos security package.
  · Check the Mutual Auth and Delegation check boxes (encryption is optional).
- Click the Connect button.
Setting up SSPIChat for delegation (client):
- On the client computer, log in as USER2 and start SSPIChat. Select the following options:
  · Select the Client option.
  · In the Connect To box, identify the server computer. This can be an Internet address (www.northwind.microsoft.com), an IP address (xxx.xxx.xxx.xxx), or a server name (SERVER1).
  · From the Security Package drop-down list, select the Kerberos security package.
  · In the Server Account Name box, type the name of the server, "SERVER1".
  · Check the Mutual Auth and Delegation check boxes (encryption is optional).
- Click the Connect button.
You should notice a second SSPIChat window display on the server computer. This window is in the same process as the server instance of SSPIChat, and it is running with a thread that is impersonating the client’s user context. You may now use this second window to initiate a chat session with a third-tier server. You must continue to use the Kerberos security package, however.