
How to CreateProcessAsUser on Windows Using Delegated Credentials from SSPI?

I work on a Kerberos logon infrastructure (Single Sign-On) with:

  1. A client which is authenticated to the Kerberos Key Distribution Center.
  2. A principal service server using Kerberos for authentication.

The server program is coded in C++.

I have no problem creating a context between my principal (client) and my service principal (server). I also delegated my client credentials to the server, because I need to create a process on the server using client user credentials.

And this is my problem: on the server side, I have an SSPI context and I need to CreateProcessAsUser using a Windows type pHandle.

I do not know how to use my SSPI credentials to create on my server a process as the client user.

I took a look at LsaLogonUser, which seems to do what I want (create a handle from Kerberos user credentials), but my problem is the same: I do not know how to use the SSPI token with LsaLogonUser.

Thanks in advance for your help.

Axel Borja asked Apr 27 '26 23:04


1 Answer

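Though it is very late, you could obtain a token by doing the following:

// Requires: #define SECURITY_WIN32, <windows.h>, <sspi.h>; link with Secur32.lib
// hctxt: PCtxtHandle for the established server-side security context
HANDLE tempHandle = NULL;
// QuerySecurityContextToken returns a SECURITY_STATUS; SEC_E_OK (0) means success
 if (QuerySecurityContextToken(hctxt, &tempHandle) != SEC_E_OK)
 {
   MyDbg("Could not obtain token for user");
 }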
ekhanad answered Apr 29 '26 17:04
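The full path from the SSPI context to a process running as the client, as an added example that is not part of the original answer: the token from QuerySecurityContextToken is duplicated into a primary token and passed to CreateProcessAsUserW. The function name `RunAsDelegatedClient` and the `Step` enum are hypothetical, and the context is assumed to have been completed by AcceptSecurityContext with delegation granted.

```cpp
// Added example, Windows-only; off Windows it compiles to a stub that reports Unsupported.
#ifdef _WIN32
#define SECURITY_WIN32
#include <windows.h>
#include <sspi.h>            // link with Secur32.lib and Advapi32.lib
#else
struct CtxtHandle;           // opaque stand-in so the file still compiles elsewhere
#endif

// Hypothetical result type: names the step that failed.
enum class Step { Ok, BadArgs, QueryToken, Duplicate, CreateProcess, Unsupported };

// ctx: server-side context already completed by AcceptSecurityContext (assumed).
// cmdLine: writable buffer (CreateProcessAsUserW may modify it); quote paths with spaces.
Step RunAsDelegatedClient(CtxtHandle* ctx, wchar_t* cmdLine)
{
    if (!ctx || !cmdLine) return Step::BadArgs;
#ifdef _WIN32
    HANDLE impTok = NULL, priTok = NULL;
    // Returns SECURITY_STATUS: SEC_E_OK (0) is success, so never test it with '!'.
    if (QuerySecurityContextToken(ctx, &impTok) != SEC_E_OK)
        return Step::QueryToken;

    // The context token is an impersonation token; CreateProcessAsUser needs a
    // primary token, so duplicate it with only the rights that call requires.
    BOOL ok = DuplicateTokenEx(impTok,
                               TOKEN_QUERY | TOKEN_DUPLICATE | TOKEN_ASSIGN_PRIMARY,
                               NULL, SecurityImpersonation, TokenPrimary, &priTok);
    CloseHandle(impTok);
    if (!ok) return Step::Duplicate;

    STARTUPINFOW si = { sizeof(si) };
    PROCESS_INFORMATION pi = {};
    // bInheritHandles = FALSE keeps the service's handles out of the child.
    // The calling account needs SeIncreaseQuotaPrivilege and may need
    // SeAssignPrimaryTokenPrivilege.
    ok = CreateProcessAsUserW(priTok, NULL, cmdLine, NULL, NULL, FALSE,
                              0, NULL, NULL, &si, &pi);
    CloseHandle(priTok);
    if (!ok) return Step::CreateProcess;
    CloseHandle(pi.hThread);
    CloseHandle(pi.hProcess);
    return Step::Ok;
#else
    return Step::Unsupported;
#endif
}
```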


