Problem with access to shared folder

Question

Problem with access to shared folder

Petr Hanák 0

Question is related to the own MSRPC service developed in C++ using VisualStudio 2022.
Service runs on domain server (win 2016).
Authentication to service is done by SCHANNEL using TLS
Client accessing the service is a domain user.
Service impersonates an authenticated client and starts the next own process by the function CreateProcessAsUser with the impersonated client access token.
The process needs access to local folders on domain server and shared folders on the next computer (win 7) in domain.
Starting process and access to local folders works without any problem.
Access rights to shared folder are set as full access for anyone but attempt to access shared folder doesn't work.
Unfortunately attempting to access shared folder by the function GetFileAttributes return INVALID_FILE_ATTRIBUTES and function GetLastError returns ACCESS DENIED.

Can you please advise me what I need to set/change to allow access to shared folders?

Thanks a lot, best regards

Petr

Tianyu Sun-MSFT 34,436 Reputation points Microsoft External Staff

2023-10-02T09:05:11.4933333+00:00

Hello @Petr Hanák,

Welcome to Microsoft Q&A forum.

If you re-share the folder, will it work? I am thinking if some local(on that Win 7 machine) policy/filters block the shared folder. I will help to add Windows 7 tag for better help.
Petr Hanák 0 Reputation points

2023-10-02T09:54:09.7533333+00:00
Hi @Tianyu Sun-MSFT

Resharing folder doesn't work. I did some new tests and:

In my previous description is described the desired usage scenario: The domain user DU calls the RPC service -> the service impersonates the user, calls the process P as DU and process accesses the shared folders. And as I wrote it doesn't work.

But when I start process P directly as DU on domain server (it means without RPC service) the process accesses to shared folder without any problem.

Next, I tried to trace the network communication to win 7 and I can see that attempt to access the shared folder starts with an NTLM authentication. And in the authentication message is the field user empty. I'm not NTLM expert but I expect that there should be a name of DU.

I hope it'll help you to better understand the situation.

Regards

Petr

1 answer

Your answer

Tianyu Sun-MSFT 34,436 Reputation points Microsoft External Staff

2023-10-02T09:05:11.4933333+00:00

Hello @Petr Hanák,

Welcome to Microsoft Q&A forum.

If you re-share the folder, will it work? I am thinking if some local(on that Win 7 machine) policy/filters block the shared folder. I will help to add Windows 7 tag for better help.
Petr Hanák 0 Reputation points

2023-10-02T09:54:09.7533333+00:00

Hi @Tianyu Sun-MSFT

Resharing folder doesn't work. I did some new tests and:

In my previous description is described the desired usage scenario: The domain user DU calls the RPC service -> the service impersonates the user, calls the process P as DU and process accesses the shared folders. And as I wrote it doesn't work.

But when I start process P directly as DU on domain server (it means without RPC service) the process accesses to shared folder without any problem.

Next, I tried to trace the network communication to win 7 and I can see that attempt to access the shared folder starts with an NTLM authentication. And in the authentication message is the field user empty. I'm not NTLM expert but I expect that there should be a name of DU.

I hope it'll help you to better understand the situation.

Regards

Petr

Answer 1

Gary Nebbett 6,216

Hello Petr,

This looks like a "double hop" authentication problem (see https://techcommunity.microsoft.com/t5/ask-the-directory-services-team/understanding-kerberos-double-hop/ba-p/395463).

Impersonating the client on the ("first") server allows resources local to that server to be accessed, but there are probably no credentials available to authenticate with a second server. The link above contains a more detailed description of the problem and a potential solution ("delegation").

Gary

Petr Hanák 0 Reputation points

2023-10-02T11:15:52.9533333+00:00

Hello Gary

I've done some research on "double hop problem" and delegation, but everything I've found relates to situations where Kerberos is used for authenticating from the client machine to the first server. But in my case I need to use SCHANNEL authentication based on certificates. And I don't know how to set the first server for using the Kerberos for authentication to the second server.

Is't possible to configure a windows server to do this?

Regards

Petr
Gary Nebbett 6,216 Reputation points

2023-10-02T13:10:03.2066667+00:00

Hello Petr,

You could check whether "Kerberos Protocol Transition and Constrained Delegation" (see, for example, https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc739587(v=ws.10)) could help.

Otherwise, you will need to redesign/rethink your application.

Gary
Petr Hanák 0 Reputation points

2023-10-10T15:04:38.85+00:00

Hello Garry,

I have read a lot of information about delegation and it seems that the only windows protocol that supports delegation is kerberos. I decided to replace schannel with kerberos. But I have a problem with the function RpcBindingSetAuthInfoEx. There is a parameter RPC_SECURITY_QOS where I can set the impersonation type. I suppose I need delegation.

If the impersonation type in is RPC_C_IMP_LEVEL_IMPERSONATE I am able to authenticate with kerberos to the RPC service, perform user impersonation and run the process under that user.

BUT if the impersonation type is RPC_C_IMP_LEVEL_DELEGATE the attempt to communicate with the RPC service ends with an RPC_SEC_PKG_ERROR error.

Do you have any idea what this error means?
Gary Nebbett 6,216 Reputation points

2023-10-10T18:05:19.13+00:00

Hello Petr,

Kerberos is always the protocol that is "transitioned to", but I think that any mechanism (including certificate mapping) can be used for the initial hop (the "transitioned from" authentication mechanism).

RPC_S_SEC_PKG_ERROR probably indicates that delegation is failing - are the prerequisites for constrained delegation being met?

Gary
Petr Hanák 0 Reputation points

2023-10-11T07:31:22.23+00:00

Hello Gary

Today I found this info:

If you pass the token to another process (via CreateProcessAsUser() for example), even if delegation is enabled, the process can only access secured resources locally.

Is't true?

Petr
Gary Nebbett 6,216 Reputation points

2023-10-11T10:10:37.85+00:00

Hello Petr,

That quoted text is missing a lot of context that might make it easier to judge its correctness.

My understanding is that "credentials" are shared within a "logon session" and that a process created via CreateProcessAsUser will have access to credentials for remote access purposes based on the token AuthenticationId LUID.

Gary

Share via

Problem with access to shared folder

1 answer

Your answer