SE_TCB_PRIVILEGE being removed from the process token for OWA and ECP processes (w3wp) since Exchange 2010

  • Article

 

Summary

IIS provides the ability to handle events in the HTTP request pipeline. Customized C++ module can make calls to LsaLogonUser to impersonate a user when pre-defined event is triggered. Such customized C++ module can be used with Outlook Web Access (OWA) and Exchange Control Panel (ECP) of Exchange 2010, however, the result returned is a HTTP 500 error.

This behavior is the result of the SE_TCB_PRIVILEGE being removed from the process token for OWA and ECP processes (w3wp) since Exchange 2010. The removal of this privilege is not isolated to LocalSystem. The process identity for the OWA and ECP application pools can be LocalSystem or any user account that is granted the 'Act as part of operating system' privilege, but this problem always happens.

More Information

When customized C++ modules call LsaLogonUser, they are using KERB_S4U_LOGON structure to implement protocol transition for authentication, and this API including this structure will require process has SeTcbPrivilege permission.

By default, Local System account and IIS service has this privilege, which listed below.

C:\Windows\system32>sc qprivs w3svc
[SC] QueryServiceConfig2 SUCCESS
SERVICE_NAME: w3svc
PRIVILEGES : SeAssignPrimaryTokenPrivilege
: SeAuditPrivilege
: SeBackupPrivilege
: SeChangeNotifyPrivilege
: SeCreateGlobalPrivilege
: SeDebugPrivilege
: SeImpersonatePrivilege
: SeIncreaseQuotaPrivilege
: SeRestorePrivilege
: SeTcbPrivilege

But since Exchange 2010, OWA code on purposely removed SeTcbPrivilege permission, which breaks the authentication.

For earlier versions of Exchange servers, SeTcbPrivilege was needed because DAV runs in the same AppPool and needs to connect to the LSA. Now that in Exchange 2010, DAV is no longer part of Exchange, thus it is no longer necessary to keep the SeTcbPrivilege enabled. This privilege is dangerous because it allows code that runs in that w3wp process to manipulate its own access token and get the same level of access as local system.

 

Regards,

Microsoft GBSD DSI Team