Hartmut Honisch
Fri Dec 13 02:55:00 GMT 2002

Hi Pierre,

I think I found a way to make GetUserName return the correct user after
impersonating a token created my NtCreateToken: The token needs a valid
logon session id, one that is associated with the correct user.

As I mentioned, when logging on, Windows creates a new logon session, and
LSA associates the username with that session.

And even though NtCreateToken allows to specify a TokenUser, It seems that
when impersonating a token, Windows replaces the TokenUser by the user
associated with the token's logon session id. And since create_token uses
the active logon session associated with the _impersonating_ user, not the
user to _be_ impersonated, TokenUser will contain the wrong user name after
impersonating it.

So I successfully tried the following approch:
- use subauthentication to create a new logon session for the new user
- if the token is suitable (i.e. verify_token returns TRUE), use it for
- if the token is not suitable(because of the setgid issues you explained to
me), call create_token, but reuse the subauthentication token's logon
session id in the new token.

I verified that with a token created by NtCreateToken (with the right logon
session id of course), I'm able to impersonate and GetUserName /
GetTokenInformation(...TokenUser...) will give me the correct user.


More information about the Cygwin-developers mailing list