Support Kerberos constrained delegation using SSPI for multiprocess

灰色年华 2020-12-22 08:39

I need to support Kerberos constrained delegation for our C++ HTTP server product on Windows using SSPI.

For a single process server, the following workflow can be used

1 answer
  • 2020-12-22 09:22

    What you need to do is get a handle to a token in the parent process and duplicate it into the child process.

    You do it this way:

    In the parent process call ImpersonateSecurityContext as you normally would. This will set your identity. Then call QuerySecurityContextToken to get a handle to the token of that identity. Once you have the handle, call DuplicateHandle, but where the target process is a handle to the child process. The returned lpTargetHandle is a locally referenced handle in the target process (the child). You will somehow need to transfer this value to the target process.

    Once the child process has the handle value you can call ImpersonateLoggedOnUser passing the handle value. At this point the local identity should be the user in question and any outbound calls will use that when creating the new context.

    Keep in mind though that the child process will need the SeImpersonatePrivilege.

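The token hand-off described in the answer above, written out as an added example (not code from the original post). The helper names `encode_handle`, `decode_handle`, `export_client_token` and `with_client_identity` and the fixed-width hex wire format are assumptions made for illustration; the parent reads the token straight from the security context with QuerySecurityContextToken, and the Win32 part builds only on Windows (link Secur32.lib).

```cpp
// Added example; helper names and the hex wire format are hypothetical.
#include <cstdint>
#include <cstdio>
#include <cstdlib>
#include <string>

// A duplicated handle is a number in the child's handle table: send it as fixed-width hex.
std::string encode_handle(std::uintptr_t value) {
    char buf[32];
    std::snprintf(buf, sizeof buf, "%0*llx", int(2 * sizeof value),
                  static_cast<unsigned long long>(value));
    return buf;
}
// Strict parse: exact width, lowercase hex only, never 0 or the -1 pseudo-handle.
bool decode_handle(const std::string& text, std::uintptr_t& out) {
    if (text.size() != 2 * sizeof out) return false;
    if (text.find_first_not_of("0123456789abcdef") != std::string::npos) return false;
    out = static_cast<std::uintptr_t>(std::strtoull(text.c_str(), nullptr, 16));
    return out != 0 && out != UINTPTR_MAX;
}

#ifdef _WIN32
#define SECURITY_WIN32
#include <windows.h>
#include <sspi.h>

// Parent: ctx is the completed server context; child was opened with PROCESS_DUP_HANDLE.
bool export_client_token(CtxtHandle* ctx, HANDLE child, std::string& wire) {
    HANDLE token = nullptr, remote = nullptr;
    if (QuerySecurityContextToken(ctx, &token) != SEC_E_OK) return false;
    BOOL ok = DuplicateHandle(GetCurrentProcess(), token, child, &remote,
                              0, FALSE, DUPLICATE_SAME_ACCESS);
    CloseHandle(token);  // the parent's own copy is no longer needed
    if (!ok) return false;
    wire = encode_handle(reinterpret_cast<std::uintptr_t>(remote));
    return true;
}
// Child: impersonate for one outbound call (call() must not throw), then revert and close.
template <class Fn>
bool with_client_identity(const std::string& wire, Fn call) {
    std::uintptr_t value = 0;
    if (!decode_handle(wire, value)) return false;
    HANDLE token = reinterpret_cast<HANDLE>(value);
    bool ok = ImpersonateLoggedOnUser(token) != FALSE;
    if (ok) { call(); RevertToSelf(); }
    CloseHandle(token);
    return ok;
}
#endif
```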