Discussion:
win32 code for s4u2proxy
pmoore
2006-05-08 23:55:01 UTC
I want to access a service on another machine using client creds got by
protocol transition.
I can get s4u creds fine (LsaLogonUser)
I Impersonate the user fine (ImpersonateLoggedOnUser)
I then call AcquireCredentialsHandle (cos I want to do InitSecContext next)
This fails with 80090305 - unknown security package. However if I remove the
ImpersonateClient call all works fine.
Jeffrey Tan[MSFT]
2006-05-09 06:48:22 UTC
Hi pmoore,

Thanks for your post!

Can you mark each API call with a client or server flag? Then I can
understand the C/S model much better. Also, which authentication
protocol do you use in SSPI? Kerberos or NTLM? Which version of OS are the
Client/Server running on?

I hope you can provide some detailed description for your overall
application model for better understanding.

Based on my experience, 0x80090305 is mapped to SEC_E_SECPKG_NOT_FOUND.
There are several existing discussion records by searching
"SEC_E_SECPKG_NOT_FOUND AcquireCredentialsHandle" in google. You can give
them a review first.

This error can even be caused by code error, please refer to the discussion
link below(Take care of the link-break):
http://groups.google.com/group/microsoft.public.dotnet.security/browse_frm/thread/d2cf8286f14076d7/424337c772a28fea?lnk=st&q=SEC_E_SECPKG_NOT_FOUND+AcquireCredentialsHandle&rnum=1&hl=zh-CN#424337c772a28fea

Also, I have found that "Joe Kaplan (MVP - ADSI)" has added a reply to
you in the "microsoft.public.dotnet.security" newsgroup, you can give it a
check.

Thanks

Best regards,
Jeffrey Tan
Microsoft Online Community Support
==================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
==================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
pmoore
2006-05-09 16:57:01 UTC
This is all code running on one machine. It's pretty simple.

LsaConnectUntrusted->OK
LsaLoginUser (in S4U) mode -> OK
ImpersonateLoggedInUser (using token from above call) -> OK
AcquireCredentialsHandle(...,"Kerberos",...) ->0x800900305
Joe Kaplan (MVP - ADSI)
2006-05-09 21:42:40 UTC
What if you try "Negotiate" there instead?

Joe K.
pmoore
2006-05-09 21:48:02 UTC
8009030e - no credentials are available for package
Alex Fedotov
2006-05-09 21:55:04 UTC
Post by pmoore
This is all code running on one machine. Its pretty simple.
LsaConnectUntrusted->OK
LsaLoginUser (in S4U) mode -> OK
ImpersonateLoggedInUser (using token from above call) -> OK
AcquireCredentialsHandle(...,"Kerberos",...) ->0x800900305
Which logon type do you use with LsaLogonUser?

-- Alex Fedotov
pmoore
2006-05-10 00:33:02 UTC
Network
Jeffrey Tan[MSFT]
2006-05-10 07:40:51 UTC
Hi pmoore,

Thanks for your feedback.

Based on my knowledge, protocol transition in Kerberos S4U extension
normally involves 3 parts: client machine, front end server, back-end
server.

Your post and reply is somewhat simple regarding the problem context
description. It is really helpful for the understanding to give a more
detailed description with your overall architecture. The error message by
single API is not enough to troubleshoot the root cause, because the
architecture invokes several steps and settings in the protocol.
Post by pmoore
This is all code running on one machine
Can you be specific on which machine? front-end server or back-end server?

What code/applications are executing on client machine, front-end server
and back-end server? I hope you can mark each API call with the
corresponding machine.

Thanks

Best regards,
Jeffrey Tan
Microsoft Online Community Support
pmoore
2006-05-09 17:01:02 UTC
The Google search shows up the same thread about a dozen times. It is an
issue with incorrectly p/invoking the API. This is not my situation: a) I am
not using p/invoke, b) the call works fine if I don't call impersonate