Authorization
zoltanharmath opened this issue
Hi,
I understand the authentication part of this solution. How does the authorization piece work? If the user is authenticated, how can I get the group membership back?
Thank you,
-Zoltan
Can I get the authZ information back directly from the token or should I impersonate the authenticated client?
I think if the authenticated client is impersonated I can extract the group membership from the access token. But this looks like a bit of a complicated direction.
Theoretically, how does the authZ work? Is it part of SSPI? I don't think so.
OK, I solved this. :) It is easy.
- Impersonation is required
- Once it is impersonated in that thread, we have to open the thread (OpenThread function)
- Once the thread is opened, we have to open the thread token (OpenThreadToken)
- Once we have the thread token, we have to duplicate it (DuplicateTokenEx or DuplicateToken)
- With this duplicated token we can call the AccessCheck API to get the authorization result back
I have a working prototype and it is working fine. This is not an SSPI function, so I will go and close this.
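The steps in the comment above, as an added example that is not code from the issue author or from the project. It is PowerShell on Windows (Windows PowerShell 5.1 or PowerShell 7) with Win32 declarations via Add-Type; the class and function names (NativeAuthz, OpenCallerToken, CheckFileAccess) and the SDDL test descriptor are my own. It assumes the thread is already impersonating the SSPI client; because there is no client when run standalone, it falls back to the script's own process token, and it uses the GetCurrentThread pseudo-handle rather than a separate OpenThread call. It also answers the group-membership question from the first post by reading the groups off the same token.

```powershell
# Added example, not code from the issue or the project: the token -> AccessCheck
# flow from the steps above, driven from PowerShell (assumes Windows PowerShell
# 5.1 or PowerShell 7 on Windows). The class/function names are my own.
# In a real SSPI server the thread is impersonating the client, so
# OpenThreadToken returns that client's token; standalone there is no client,
# so the script falls back to its own process token (an assumption).
Add-Type -TypeDefinition @'
using System;
using System.Runtime.InteropServices;

public static class NativeAuthz
{
    [StructLayout(LayoutKind.Sequential)]
    public struct GENERIC_MAPPING { public uint GenericRead, GenericWrite, GenericExecute, GenericAll; }

    public const uint TOKEN_QUERY = 0x0008, TOKEN_DUPLICATE = 0x0002, MAXIMUM_ALLOWED = 0x02000000;
    public const uint FILE_GENERIC_READ = 0x120089, FILE_GENERIC_WRITE = 0x120116;
    const int ERROR_NO_TOKEN = 1008;

    [DllImport("kernel32.dll")] static extern IntPtr GetCurrentThread();
    [DllImport("kernel32.dll")] static extern IntPtr GetCurrentProcess();
    [DllImport("kernel32.dll", SetLastError = true)] public static extern bool CloseHandle(IntPtr h);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool OpenThreadToken(IntPtr thread, uint access, bool openAsSelf, out IntPtr token);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool OpenProcessToken(IntPtr process, uint access, out IntPtr token);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool DuplicateTokenEx(IntPtr existing, uint access, IntPtr attrs,
        int impersonationLevel, int tokenType, out IntPtr newToken);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool AccessCheck(byte[] sd, IntPtr clientToken, uint desiredAccess,
        ref GENERIC_MAPPING mapping, byte[] privilegeSet, ref uint privilegeSetLength,
        out uint grantedAccess, out bool accessStatus);

    // Steps 2-4: open the impersonating thread's token (the GetCurrentThread
    // pseudo-handle is enough here) and duplicate it, because AccessCheck only
    // accepts an impersonation token (SecurityImpersonation = 2, TokenImpersonation = 2).
    public static IntPtr OpenCallerToken()
    {
        IntPtr raw;
        if (!OpenThreadToken(GetCurrentThread(), TOKEN_QUERY | TOKEN_DUPLICATE, true, out raw))
        {
            int err = Marshal.GetLastWin32Error();
            if (err != ERROR_NO_TOKEN) throw new Exception("OpenThreadToken failed, error " + err);
            // Fallback for standalone runs (assumption): no client is being impersonated.
            if (!OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY | TOKEN_DUPLICATE, out raw))
                throw new Exception("OpenProcessToken failed, error " + Marshal.GetLastWin32Error());
        }
        IntPtr dup;
        bool ok = DuplicateTokenEx(raw, MAXIMUM_ALLOWED, IntPtr.Zero, 2, 2, out dup);
        int dupErr = Marshal.GetLastWin32Error();
        CloseHandle(raw);
        if (!ok) throw new Exception("DuplicateTokenEx failed, error " + dupErr);
        return dup;
    }

    // Step 5: AccessCheck against a self-relative security descriptor using the
    // file-object generic mapping. Returns true only if every requested bit is granted.
    public static bool CheckFileAccess(byte[] sd, IntPtr token, uint desired, out uint granted)
    {
        GENERIC_MAPPING map = new GENERIC_MAPPING {
            GenericRead = 0x120089, GenericWrite = 0x120116, GenericExecute = 0x1200A0, GenericAll = 0x1F01FF };
        byte[] privs = new byte[64];           // scratch PRIVILEGE_SET buffer
        uint privLen = (uint)privs.Length;
        bool status;
        if (!AccessCheck(sd, token, desired, ref map, privs, ref privLen, out granted, out status))
            throw new Exception("AccessCheck failed, error " + Marshal.GetLastWin32Error());
        return status;
    }
}
'@

# Constructed test descriptor: Everyone may read, BUILTIN\Administrators get full control.
$rsd = New-Object System.Security.AccessControl.RawSecurityDescriptor 'O:BAG:BAD:(A;;FR;;;WD)(A;;FA;;;BA)'
$sdBytes = New-Object byte[] $rsd.BinaryLength
$rsd.GetBinaryForm($sdBytes, 0)

$token = [NativeAuthz]::OpenCallerToken()
try {
    # The group membership the issue asks about is read straight off the token.
    $identity = New-Object System.Security.Principal.WindowsIdentity $token
    "Token user: $($identity.Name)"
    foreach ($sid in $identity.Groups) {
        try { '  ' + $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { '  ' + $sid.Value }
    }
    foreach ($want in @(@{ Name = 'read';  Mask = [NativeAuthz]::FILE_GENERIC_READ },
                        @{ Name = 'write'; Mask = [NativeAuthz]::FILE_GENERIC_WRITE })) {
        $granted = [uint32]0
        $ok = [NativeAuthz]::CheckFileAccess($sdBytes, $token, $want.Mask, [ref]$granted)
        '{0,-5}: {1} (granted mask 0x{2:X})' -f $want.Name, $(if ($ok) { 'ALLOWED' } else { 'DENIED' }), $granted
    }
}
finally {
    [void][NativeAuthz]::CloseHandle($token)
}
```

Run from a non-elevated prompt the token carries BUILTIN\Administrators as deny-only (or not at all), so the FA ACE does not match and the result is read ALLOWED, write DENIED; from an elevated prompt both are ALLOWED. That is the point of checking against the token rather than against a group list: AccessCheck applies the token's restricted and deny-only SIDs, which a plain lookup of "is the user in group X" would miss. The descriptor must carry an owner and a group (the O: and G: parts), or AccessCheck rejects it, and DesiredAccess must already be a specific mask, not a generic right.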
This is not part of SSPI, so I will go and close it. For authorization we should use the AccessCheck (https://msdn.microsoft.com/en-us/library/windows/desktop/aa374815(v=vs.85).aspx) function or AuthZ.dll.