[BUG] HTTPS and restricted token

Started by fixer, October 25, 2017, 01:36:35 PM


fixer

This one is marked as bug, but I'm not sure whether it's a bug or a feature. I don't see any obvious reason to make this feature, but who knows, probably there is more than meets the eye.

If you use a restricted token (here I mean a token created with the CreateRestrictedToken API function with a non-empty list of RestrictedSids, so IsTokenRestricted for this token returns true) for Internet Explorer, you'll notice that HTTP works OK, but HTTPS fails. And it's not just Internet Explorer; some other programs based on similar API calls also mishandle HTTPS. So what's the problem?

The problem lies in the AcquireCredentialsHandle API function that is needed to establish an encrypted HTTPS connection. It goes to the Microsoft Unified Security Protocol Provider, which doesn't have the SECPKG_FLAG_RESTRICTED_TOKENS flag set. And that means it'll return an E_NO_CREDENTIALS error for a requesting client with a restricted token, and hence a failed connection.

So take care if you plan on using restricted tokens. Some programs may not operate correctly.
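A diagnostic for the situation described in the post, added here and not part of the original thread: it reads the capability bitmask SSPI reports for the Schannel package ("Microsoft Unified Security Protocol Provider") and checks whether the current process token is restricted, so an administrator can predict the AcquireCredentialsHandle failure before deploying a sandboxed program. It assumes Windows with secur32.dll and advapi32.dll available; the P/Invoke wrapper class `SspiCheck` and its method names are my own, and the flag value 0x00080000 is SECPKG_FLAG_RESTRICTED_TOKENS from sspi.h.

```powershell
# Added example (not from the original post). Queries SSPI package capabilities and
# the current token's restricted state. Assumes Windows; SspiCheck is a hypothetical name.
Add-Type -TypeDefinition @'
using System;
using System.Runtime.InteropServices;
public static class SspiCheck {
    public const uint SECPKG_FLAG_RESTRICTED_TOKENS = 0x00080000;  // sspi.h
    const uint TOKEN_QUERY = 0x0008;                               // winnt.h
    [StructLayout(LayoutKind.Sequential)]
    struct SecPkgInfoW {   // mirrors SecPkgInfoW from sspi.h
        public uint fCapabilities; public ushort wVersion; public ushort wRPCID;
        public uint cbMaxToken; public IntPtr Name; public IntPtr Comment;
    }
    [DllImport("secur32.dll", CharSet = CharSet.Unicode)]
    static extern int QuerySecurityPackageInfoW(string name, out IntPtr info);
    [DllImport("secur32.dll")] static extern int FreeContextBuffer(IntPtr buf);
    [DllImport("advapi32.dll", SetLastError = true)] static extern bool IsTokenRestricted(IntPtr token);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool OpenProcessToken(IntPtr proc, uint access, out IntPtr token);
    [DllImport("kernel32.dll")] static extern IntPtr GetCurrentProcess();
    [DllImport("kernel32.dll")] static extern bool CloseHandle(IntPtr h);

    // Returns the fCapabilities bitmask SSPI reports for the named package.
    public static uint Capabilities(string package) {
        IntPtr p;
        int status = QuerySecurityPackageInfoW(package, out p);
        if (status != 0) throw new Exception("QuerySecurityPackageInfoW: 0x" + status.ToString("X8"));
        try { return ((SecPkgInfoW)Marshal.PtrToStructure(p, typeof(SecPkgInfoW))).fCapabilities; }
        finally { FreeContextBuffer(p); }
    }
    // True when the process token was built by CreateRestrictedToken with restricting SIDs.
    public static bool CurrentTokenIsRestricted() {
        IntPtr tok;
        if (!OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, out tok))
            throw new System.ComponentModel.Win32Exception();
        try { return IsTokenRestricted(tok); } finally { CloseHandle(tok); }
    }
}
'@

$pkg  = 'Microsoft Unified Security Protocol Provider'   # the Schannel package named in the post
$caps = [SspiCheck]::Capabilities($pkg)
$supportsRestricted = ($caps -band [SspiCheck]::SECPKG_FLAG_RESTRICTED_TOKENS) -ne 0
$restricted = [SspiCheck]::CurrentTokenIsRestricted()
"{0}: fCapabilities=0x{1:X8}, SECPKG_FLAG_RESTRICTED_TOKENS={2}" -f $pkg, $caps, $supportsRestricted
"Current process token restricted: {0}" -f $restricted
if ($restricted -and -not $supportsRestricted) {
    'AcquireCredentialsHandle for this package is expected to fail under this token (the HTTPS failure above).'
}
```

Run it once normally and once from a process launched with a restricted token to see the two halves of the condition; the package flags do not change, only the token state does.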