Contents

·        Testing SSPIChat

·        SSPIChat Delegation

 

Testing SSPIChat

The instructions below briefly describe possible ways to set up and test the SSPIChat sample. It is recommended to have two networked computers (but it could be tested on a single machine). You will need at least two user accounts.

 

  1. On the server computer, log in as USER1 and start SSPIChat. Select the following options:
  2. Click the Connect button. The server will now wait for a connecting client.
  3. On the client computer, log in as USER2 and start SSPIChat. Select the following options:
  4. Click the Connect button.
  5. At this point, you should have a connection and you can use the chat box to send text between the client and server.

 

SSPIChat Delegation

In order to utilize delegation, the following criteria must be met: 

  1. The server’s account must be trusted for delegation in the domain.
  2. Mutual authentication must be selected.
  3. Both client and server must be communicating using Kerberos.
  4. The server process should be running in the system account.

 

Trusting an Account for Delegation

  1. Open the MMC and select the snap-in for Active Directory Users and Computers
  2. Select your domain, and find the computer you wish to trust for delegation under the “Computers” folder
  3. Right-click on the computer’s name in the right pane, and select “Properties”
  4. On the “General Tab” check the checkbox to “Trust computer for delegation”
  5. Click the “Ok” or “Apply” button

Launching the SSPIChat sample in the System Account

 

Steps that must be taken once:

  1. On the server computer, log in as USER1, which must have administrative privileges.
  2. Start TrusteeMan, which was discussed in Chapter 9.
  3. Grant the following privileges for USER1:

·        SeAssignPrimaryTokenPrivilege

·        SeEnableDelegationPrivilege

·        SeIncreaseQuotaPrivilege

·        SeTcbPrivilege

  4. Log out and log back in so that USER1's logon token includes the new privileges.

 

Steps that must be taken each time you launch a process:

  1. Start TokenMaster, which was discussed in Chapter 11. The status box should indicate that it is running as the system:

·        "Token Master, Status - Token Master running as SYSTEM"

·        If TokenMaster is not running as “SYSTEM”, be sure that you are logged in with an account for which you did steps 1-4 above.

  2. Select System from the Processes drop-down list.
  3. Click the OpenProcessToken button and click Yes in the Duplicate Token message box.
  4. In the "Create a Process With The Current Token" section browse to the location of "12 SSPIChat.exe".
  5. Click the CreateProcessAsUser button. SSPIChat should start and display "SSPIChat is running as "SYSTEM"" in the title bar.
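The following script is an added prerequisite check for the delegation criteria above (trusted-for-delegation account, the four privileges granted with TrusteeMan, and the server process running as SYSTEM); it is not part of the SSPIChat sample or the book's tools. It assumes the ActiveDirectory PowerShell module (RSAT) is installed, that it is run on the server computer while logged in as USER1, and that $ServerName is the server's computer account name (SERVER1 in the text).

```powershell
# Added check, not part of the SSPIChat sample. Run on the server computer as USER1.
# Assumes the ActiveDirectory module (RSAT) is available; $ServerName is the
# server's computer account name (SERVER1 in the text).
param([string]$ServerName = $env:COMPUTERNAME)

$ok = $true

# 1. The server's computer account must be trusted for delegation. The
#    "Trust computer for delegation" checkbox sets the TrustedForDelegation
#    attribute (TRUSTED_FOR_DELEGATION in userAccountControl). This is the
#    unconstrained form: the server can use a delegated client's credentials
#    against any service, which is what the third-tier chat above relies on.
$computer = Get-ADComputer -Identity $ServerName -Properties TrustedForDelegation
if ($computer.TrustedForDelegation) {
    "[OK]   $ServerName is trusted for delegation"
} else {
    "[FAIL] $ServerName is not trusted for delegation (see 'Trusting an Account for Delegation')"
    $ok = $false
}

# 2. USER1's logon token must carry the privileges granted with TrusteeMan.
#    whoami lists only privileges present in the current token, so a privilege
#    granted since the last logon shows as missing until you log off and on.
$required = 'SeAssignPrimaryTokenPrivilege', 'SeEnableDelegationPrivilege',
            'SeIncreaseQuotaPrivilege', 'SeTcbPrivilege'
$held = (whoami /priv /fo csv | ConvertFrom-Csv).'Privilege Name'
foreach ($p in $required) {
    if ($held -contains $p) { "[OK]   $p is in the token" }
    else { "[FAIL] $p is missing; grant it with TrusteeMan and log off/on"; $ok = $false }
}

# 3. Once launched through TokenMaster, the server process must run as SYSTEM.
$procs = Get-CimInstance Win32_Process -Filter "Name = '12 SSPIChat.exe'"
if (-not $procs) {
    "[INFO] no '12 SSPIChat.exe' process found yet; launch it via TokenMaster and rerun"
}
foreach ($proc in $procs) {
    $owner = Invoke-CimMethod -InputObject $proc -MethodName GetOwner
    if ($owner.User -eq 'SYSTEM') {
        "[OK]   PID $($proc.ProcessId) runs as SYSTEM"
    } else {
        "[FAIL] PID $($proc.ProcessId) runs as $($owner.Domain)\$($owner.User), not SYSTEM"
        $ok = $false
    }
}

if ($ok) { "All delegation prerequisites checked here are satisfied." }
```

Mutual authentication and the Kerberos package are selected in the SSPIChat dialog itself and are not checked by this script.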

 

Additional points on launching processes in the system account:

 

Setting up SSPIChat for delegation (server):

  1. In SSPIChat, select the following options:

·        Select the Server option.

·        From the Security Package drop-down list, select the Kerberos security package.

·        Check the Mutual Auth, and Delegation check boxes (encryption is optional).

  2. Click the Connect button.

 

Setting up SSPIChat for delegation (client):

  1. On the client computer, log in as USER2 and start SSPIChat. Select the following options:

·        Select the Client option.

·        In the Connect To box, identify the server computer. This can be an Internet address (www.northwind.microsoft.com), an IP address (xxx.xxx.xxx.xxx), or a server name (SERVER1).

·        From the Security Package drop-down list, select the Kerberos security package.

·        In the Server Account Name box, type the name of the server, "SERVER1"

·        Check the Mutual Auth, and Delegation check boxes (encryption is optional).

  2. Click the Connect button.

 

You should notice a second SSPIChat window display on the server computer.  This window is in the same process as the server instance of SSPIChat. This second window is running with a thread that is impersonating the client’s user context. You may now use this second window to initiate a chat session with a third-tier server.  You must continue to use the Kerberos security package, however.