recovering password stored with reversible encryption?

on 02.06.2006 15:40:21 by Eric Pearson

I have a server application which needs to log on as a configurable local
user for anonymous access, exactly like IIS does with the IUSR_XXX account.
I understand local passwords can be stored with "reversible encryption".
My question is, how can I retrieve the plaintext password so I can perform
LogonUser with that user and retrieve a token?

Or if I know the username of a local account, how can I perform LogonUser
and retrieve a token?

Re: recovering password stored with reversible encryption?

on 02.06.2006 16:04:44 by Eric Pearson

Never mind, a colleague pointed me to this handy link

http://support.microsoft.com/?id=216828





> I have a server application which needs to log on as a configurable local
> user for anonymous access, exactly like IIS does with the IUSR_XXX account.
> I understand local passwords can be stored with "reversible encryption".
> My question is, how can I retrieve the plaintext password so I can perform
> LogonUser with that user and retrieve a token?
>
> Or if I know the username of a local account, how can I perform LogonUser
> and retrieve a token?

Re: recovering password stored with reversible encryption?

on 03.06.2006 14:52:34 by Karl Levinson

AFAIK, the "reversible encryption" scheme is not openly published outside of
Microsoft. In most cases, you should NOT be enabling it; it is for specific
uses.

As the article you posted shows, you can fix your problem if you "turn off
the 'Enable Automatic Password Synchronization' option or 'Allow IIS to
Control Password' option in the Internet Service Manager. Be sure that you
reset the password in User Manager to ensure that it is correct for this
user account."

But also note this:

http://securityadmin.info/faq.asp#iwam

Like the IUSR account, a copy of the IWAM account password is stored in the
IIS metabase, so that IIS can log on as the IWAM account. IIS cannot log on
as IWAM and/or IUSR if the password in the IIS metabase does not match the
actual password for that user ID in the Windows security database.

The ADSUTIL.VBS command can be used to retrieve or change the IWAM and/or
IUSR ID and/or password stored in the IIS metabase. For example, you may
need to use the command "ADSUTIL GET" to get the IWAM password from the
metabase, then use the Windows 2000 / XP / .NET Local Users and Groups MMC
to change the password on the IWAM account to match.

More information on using the ADSUTIL.VBS command can be found in the
articles below:

http://support.microsoft.com/?kbid=297989
http://support.microsoft.com/?kbid=296851


"Eric Pearson" wrote in message
news:e3cfe936330e8c8543ab9887a30@msnews.microsoft.com...
> nevermind, a colleague pointed me to this handy link
>
> http://support.microsoft.com/?id=216828
>
>
>
>
>
>> I have a server application which needs to log on as a configurable local
>> user for anonymous access, exactly like IIS does with the IUSR_XXX account.
>> I understand local passwords can be stored with "reversible encryption".
>> My question is, how can I retrieve the plaintext password so I can perform
>> LogonUser with that user and retrieve a token?
>>
>> Or if I know the username of a local account, how can I perform LogonUser
>> and retrieve a token?
>
>
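
Added example, not part of the original thread: a way to check whether the "reversible encryption" setting discussed above is actually enabled, by reading a `secedit /export /cfg` policy file (the `ClearTextPassword` entry under `[System Access]`) and the per-account `userAccountControl` bit 0x0080. The sample policy text, the account names and the helper function names are constructed for illustration.

```python
import configparser

# userAccountControl bit meaning "store password using reversible encryption"
UF_ENCRYPTED_TEXT_PWD_ALLOWED = 0x0080

# Constructed sample of a `secedit /export /cfg policy.inf` file (not a real host).
SAMPLE_INF = (
    "[Unicode]\nUnicode=yes\n"
    "[System Access]\nMinimumPasswordLength = 8\nClearTextPassword = 1\n"
    '[Version]\nsignature="$CHICAGO$"\nRevision=1\n'
)

# Constructed (account, userAccountControl) pairs from a hypothetical inventory.
SAMPLE_ACCOUNTS = [("svc_anon", 0x10280), ("alice", 0x0200), ("IUSR_WEB01", 0x10200)]


def decode_inf(raw):
    """secedit writes UTF-16 with a BOM; fall back to UTF-8 for re-saved copies."""
    if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return raw.decode("utf-16")
    return raw.decode("utf-8-sig")


def policy_allows_reversible(inf_text):
    """True when the exported policy sets ClearTextPassword = 1."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   allow_no_value=True)
    cp.read_string(inf_text)
    value = cp.get("System Access", "ClearTextPassword", fallback="0")
    return (value or "0").strip() == "1"


def accounts_with_reversible(accounts):
    """Names whose userAccountControl has the reversible-encryption bit set."""
    return [n for n, uac in accounts if uac & UF_ENCRYPTED_TEXT_PWD_ALLOWED]


def audit(raw_inf, accounts):
    """Combine the policy-wide setting and the per-account flag into one report."""
    return {
        "policy_enabled": policy_allows_reversible(decode_inf(raw_inf)),
        "flagged_accounts": accounts_with_reversible(accounts),
    }


if __name__ == "__main__":
    print(audit(SAMPLE_INF.encode("utf-16"), SAMPLE_ACCOUNTS))
```
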

Re: recovering password stored with reversible encryption?

on 07.06.2006 20:31:25 by Eric Pearson

Actually the article pointed out a much better solution... since I need to
get a login token for an account I create (not IUSR or IWAM), I can just
create a subauthentication module, so that when I call LogonUser, Windows
in turn will call MY DLL to perform the authentication.



Hello Karl,

> AFAIK, the "reversible encryption" scheme is not openly published
> outside of Microsoft. In most cases, you should NOT be enabling it,
> it is for specific uses.
>
> As the article you posted shows, you can fix your problem if you "turn
> off the "Enable Automatic Password Synchronization" option or "Allow
> IIS to Control Password" option in the Internet Service Manager. Be
> sure that you reset the password in User Manager to ensure that it is
> correct for this user account."
>
> But also note this:
>
> http://securityadmin.info/faq.asp#iwam
>
> Like the IUSR account, a copy of the IWAM account password is stored
> in the IIS metabase, so that IIS can log on as the IWAM account. IIS
> cannot log on as IWAM and/or IUSR if the password in the IIS metabase
> does not match the actual password for that user ID in the Windows
> security database.
>
> The ADSUTIL.VBS command can be used to retrieve or change the IWAM
> and/or IUSR ID and/or password stored in the IIS metabase. For
> example, you may need to use the command "ADSUTIL GET" to get the IWAM
> password from the metabase, then use the Windows 2000 / XP / .NET
> Local Users and Groups MMC to change the password on the IWAM account
> to match.
>
> More information on using the ADSUTIL.VBS command can be found in the
> articles below:
>
> http://support.microsoft.com/?kbid=297989
> http://support.microsoft.com/?kbid=296851
> "Eric Pearson" wrote in message
> news:e3cfe936330e8c8543ab9887a30@msnews.microsoft.com...
>
>> nevermind, a colleague pointed me to this handy link
>>
>> http://support.microsoft.com/?id=216828
>>
>>> I have a server application which needs to log on as a configurable local
>>> user for anonymous access, exactly like IIS does with the IUSR_XXX account.
>>> I understand local passwords can be stored with "reversible encryption".
>>> My question is, how can I retrieve the plaintext password so I can perform
>>> LogonUser with that user and retrieve a token?
>>>
>>> Or if I know the username of a local account, how can I perform LogonUser
>>> and retrieve a token?