How does authentication and logon work on Windows with Kerberos? What I want to achieve is to logon a user on a server and run a process for that user.
As a first step, I create a Kerberos ticket on the client and send it to the server. On the server, I do not know the API to logon the user given its ticket. Of course I can accept the security context using AcceptSecurityContext (SSPI), but that does not initiate a logon.
I think that some SSH implementations for Windows do exactly that. But I want to know how and what API they probably use?
There are a few ways you can do this. You do need to call
AcceptSecurityContext
on the ticket to get a security context. This is what bootstraps everything in Windows. From there you can do a couple different things.Usually you call
ImpersonateSecurityContext
so the current thread understands what user it thinks it needs to be. After that you can callQuerySecurityContextToken
to get a Windows access token handle. With this handle you then callCreateProcessAsUser
. You can also tell it to do things like load the profile if necessary.This doesn't really do a logon like
LogonUserX
does, but it effectively starts a process as that user, which is usually what people are looking to accomplish.