Ondrej Sevecek's Blog

Engineering and troubleshooting by Directory Master!
January 30
No commentary - just my notes on troubleshooting the Claims to Windows Token Service (c2wts)

Don't even read this. I just wanted to note down somewhere the things I used to troubleshoot the Claims to Windows Token Service (c2wts, c2wtshost), i.e. Windows Identity Foundation (WIF). I am not going to explain it, so this is only for my own reference.

# Kerberos S4U logon with a UPN only (no password involved)
# Common problems - the caller must be a member of "Windows Authorization Access Group",
# or at least have Read permission on the tokenGroupsGlobalAndUniversal AD LDAP attribute of the subject account
# If the caller is neither a member of local Administrators nor holds SeTcbPrivilege, the resulting access token is only at the Identification level
$s4u = New-Object System.Security.Principal.WindowsIdentity 'sp-admin@gopas.virtual'
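
The same S4U logon, wrapped so that it reports which of the problems listed above you actually hit; this is an added example, not code from the original post. Assumed: the UPN 'sp-admin@gopas.virtual' from the note, the built-in whoami.exe, and PowerShell 3 or later on .NET 4.5, because WindowsIdentity.ImpersonationLevel does not exist in older frameworks.

```powershell
# Added example (not from the original post): run the S4U2Self logon and show what
# kind of token LSA handed back, plus whether the caller holds SeTcbPrivilege.
# Assumption: .NET 4.5+ (PowerShell 3+) for WindowsIdentity.ImpersonationLevel.

function Test-S4ULogon {
    param([Parameter(Mandatory = $true)] [string] $Upn)

    try {
        # The string constructor does a Kerberos S4U2Self logon through LSA;
        # no password is needed, so it works for any domain account.
        $id = New-Object System.Security.Principal.WindowsIdentity $Upn
    } catch {
        # Usual causes: no such UPN, no KDC reachable, or the caller cannot read
        # tokenGroupsGlobalAndUniversal on the target account (not in the
        # "Windows Authorization Access Group" and no explicit Read ACE).
        return [pscustomobject]@{
            Upn = $Upn; Succeeded = $false; ImpersonationLevel = $null
            Error = $_.Exception.GetBaseException().Message
        }
    }

    $level = $id.ImpersonationLevel

    # Resolve group SIDs to names where possible; keep the raw SID otherwise
    $groups = @($id.Groups | ForEach-Object {
        try { $_.Translate([System.Security.Principal.NTAccount]).Value } catch { $_.Value }
    })

    [pscustomobject]@{
        Upn                = $Upn
        Succeeded          = $true
        Name               = $id.Name
        ImpersonationLevel = $level
        # Identification level is enough for IsInRole-style checks, but
        # Impersonate() on such a token gives no access to resources as that user.
        UsableForAccess    = ($level -eq 'Impersonation' -or $level -eq 'Delegation')
        Groups             = $groups
    }
}

function Test-CallerHasTcbPrivilege {
    # SeTcbPrivilege in the caller's token (disabled or enabled) is what lets the
    # S4U logon come back at Impersonation rather than Identification level.
    $privs = whoami /priv /fo csv | ConvertFrom-Csv
    [bool] ($privs | Where-Object { $_.'Privilege Name' -eq 'SeTcbPrivilege' })
}

"Caller has SeTcbPrivilege: $(Test-CallerHasTcbPrivilege)"
Test-S4ULogon -Upn 'sp-admin@gopas.virtual' | Format-List
```

Run it once from a normal shell and once from a shell running as a local Administrator or as a service account with SeTcbPrivilege: the group list is the same both times, only the ImpersonationLevel changes.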

# Using Windows Identity Foundation and the c2wts service
# Common problems - the caller must be listed among the allowedCallers in the c2wtshost.exe.config file, or you get the "wts0003: the caller is not authorized to use the service" error.
# Later permission issues manifest themselves as a "Token cannot be zero" exception
[System.Reflection.Assembly]::LoadWithPartialName('Microsoft.IdentityModel')
[System.Security.Principal.WindowsIdentity] $winId = [Microsoft.IdentityModel.WindowsTokenService.S4UClient]::UpnLogon("sp-admin@gopas.virtual")
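
The allowedCallers check and the two failure modes above, put into a script that fixes the config and then classifies whatever UpnLogon throws; this is an added example and not code from the original post. Assumptions: the default WIF 3.5 install path of c2wtshost.exe.config, the stock layout of that file (a windowsTokenService section with an allowedCallers list of add elements), and the service name c2wts.

```powershell
# Added example (not from the original post): manage allowedCallers in
# c2wtshost.exe.config and classify UpnLogon failures.
# Assumption: default WIF 3.5 path and stock config layout.
$C2wtsConfig = 'C:\Program Files\Windows Identity Foundation\v3.5\c2wtshost.exe.config'

function Get-C2wtsAllowedCaller {
    param([string] $Path = $C2wtsConfig)
    [xml] $cfg = Get-Content -LiteralPath $Path
    # each <add value="DOMAIN\account-or-group"/> is one permitted caller
    @($cfg.configuration.windowsTokenService.allowedCallers.add) |
        Where-Object { $_ -ne $null } | ForEach-Object { $_.value }
}

function Add-C2wtsAllowedCaller {
    param(
        [Parameter(Mandatory = $true)] [string] $Account,
        [string] $Path = $C2wtsConfig
    )
    [xml] $cfg = Get-Content -LiteralPath $Path
    $callers = $cfg.configuration.windowsTokenService.allowedCallers
    if (@($callers.add) | Where-Object { $_.value -eq $Account }) {
        return $false   # already listed, nothing to do
    }
    $add = $cfg.CreateElement('add')
    $add.SetAttribute('value', $Account)
    [void] $callers.AppendChild($add)
    $cfg.Save($Path)
    # the service reads the file only at start, so restart it
    Restart-Service -Name c2wts
    return $true
}

function Invoke-C2wtsUpnLogon {
    param([Parameter(Mandatory = $true)] [string] $Upn)
    # Microsoft.IdentityModel is the WIF 3.5 assembly in the GAC; S4UClient talks
    # to c2wts over its net.pipe endpoint and hands back a WindowsIdentity
    [void] [System.Reflection.Assembly]::LoadWithPartialName('Microsoft.IdentityModel')
    try {
        $id = [Microsoft.IdentityModel.WindowsTokenService.S4UClient]::UpnLogon($Upn)
        return [pscustomobject]@{ Upn = $Upn; Result = 'OK'; Name = $id.Name; Detail = $null }
    } catch {
        $msg = $_.Exception.GetBaseException().Message
        $class = switch -Regex ($msg) {
            'WTS0003|not authorized to use the service' { 'CallerNotAllowed'; break }      # fix: allowedCallers
            'Token cannot be zero'                      { 'S4UPermissionProblem'; break }  # fix: rights of the account doing the S4U logon
            default                                     { 'Other' }
        }
        return [pscustomobject]@{ Upn = $Upn; Result = $class; Name = $null; Detail = $msg }
    }
}

# The identity of the process running this shell is what c2wts checks against allowedCallers
$me = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
"Allowed callers now: $((Get-C2wtsAllowedCaller) -join ', ')"
if (Add-C2wtsAllowedCaller -Account $me) { "added $me to allowedCallers and restarted c2wts" }
Invoke-C2wtsUpnLogon -Upn 'sp-admin@gopas.virtual' | Format-List
```

Editing the config needs write access to the Program Files directory, so run this elevated. A CallerNotAllowed result goes away after the config change; an S4UPermissionProblem result is the same Identification-versus-Impersonation and tokenGroupsGlobalAndUniversal problem as in the plain S4U logon above, only now it concerns the account the c2wts service runs as.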

# Get the c2wts named pipe and the net.pipe URL
# The pipe name is a random {guidguid-guid-guid-guid-guidguidguid}
# and there always seem to be 8 instances of it. But the simplest way
# to determine which one it is, is to list the pipes before and after the c2wts
# service is started and compare the two lists
[System.IO.Directory]::GetFiles('\\.\pipe')
pipelist | ? { $_ -like '*-*-*-*-*' }   # pipelist.exe from Sysinternals

# handle.exe finds the shared-memory section through which WCF maps the endpoint URL to the pipe GUID;
# its name is ...\BaseNamedObjects\net.pipe:E<base64 of the normalized URL>, hence the SubString(1)
# to drop the leading character before the base64 payload. (WCF stores a hash instead of base64
# for canonical names of 128 bytes or more, so this decode only works for short URLs.)
$pipeName = (t:\sysinternals\handle.exe 'net.pipe:' |
    ? { $_ -like 'c2wtshost.exe*' } |
    % { $_.Split('\') } | select -l 1 |
    % { $_.Split(':') } | select -l 1).SubString(1)
$bytes = [convert]::FromBase64String($pipeName)

# The result was
# net.pipe://+/S4U/022694F3-9FBD-422B-B4B2-312E25DAE2A2/
# which is the normalized form of net.pipe://localhost/S4U/022694F3-9FBD-422B-B4B2-312E25DAE2A2/
[System.Text.ASCIIEncoding]::ASCII.GetString($bytes)


# The SharePoint Secure Store error when trying to generate a key through Central Administration
# The solution was to make the Secure Store service account a member of local Administrators,
# but that is not something that would satisfy me :-)
Exception calling "UpnLogon" with "1" argument(s): "Token cannot be zero."
SPSecurityContext Could not retrieve valid windows identity username Token cannot be zero
.Exception.HResult = -2146233087 = 0x80131501 = COR_E_SYSTEM
.Exception.InnerException.HResult = -2147024809 = 0x80070057 = COR_E_ARGUMENT (E_INVALIDARG)
