R
Ripa Horatiu
Does anyone knows how can I impersonate to another user (basically Administrator) for a piece of my code? I've tried the samples provided by MS but they didn't worked.
You are using an out of date browser. It may not display this or other websites correctly.
You should upgrade or use an alternative browser.
You should upgrade or use an alternative browser.
R
Ripa Horatiu
???????????????????????????
I'm doing the impersonation because I don't have rights enough to perform
some tasks. The impersonation is the ability to run threads/processes in a
different security context than the main one. Meaning switching to another
identity (account) for a while with higher (and even if it doesn't have any
sense, lower) privileges.
I'm using XML services and I need to promote to "Administrator" the security
context that a piece of code runs into, to be able to access resources not
accessible with ASPNET account. The sample that microsoft has on its page
does not work, it always throws an error (ret!=0), here's the code:
using System;
using System.Runtime.InteropServices;
using System.Security.Principal;
using System.Security.Permissions;
[assembly:SecurityPermissionAttribute(SecurityAction.RequestMinimum,
UnmanagedCode=true)]
public class Class1
{
[DllImport("C:\\WINNT\\System32\\advapi32.dll")]
public static extern bool LogonUser(String lpszUsername, String
lpszDomain, String lpszPassword,
int dwLogonType, int dwLogonProvider, out int phToken);
[DllImport("C:\\WINNT\\System32\\Kernel32.dll")]
public static extern int GetLastError();
public static void Main(string[] args)
{
// The Windows NT user token.
int token1;
// Get the user token for the specified user, machine, and password
using the unmanaged LogonUser method.
bool loggedOn = LogonUser(
// User name.
"bob",
// Computer name.
"AARDVARK",
// Password.
"coffee",
// Logon type = LOGON32_LOGON_NETWORK_CLEARTEXT.
3,
// Logon provider = LOGON32_PROVIDER_DEFAULT.
0,
// The user token for the specified user is returned here.
out token1);
Console.WriteLine("LogonUser called");
// Call GetLastError to try to determine why logon failed if it did
not succeed.
int ret = GetLastError();
Console.WriteLine("LogonUser Success? " + loggedOn);
Console.WriteLine("NT Token Value: " + token1);
if (ret != 0) Console.WriteLine("Error code (126 == \"Specified module
could not be found\"): " + ret);
//Starting impersonation here:
Console.WriteLine("\n\nBefore impersonation:\n");
WindowsIdentity mWI1 = WindowsIdentity.GetCurrent();
Console.WriteLine(mWI1.Name);
Console.WriteLine(mWI1.Token);
IntPtr token2 = new IntPtr(token1);
Console.WriteLine("\n\nNew identity created:\n");
WindowsIdentity mWI2 = new WindowsIdentity(token2);
Console.WriteLine(mWI2.Name);
Console.WriteLine(mWI2.Token);
// Impersonate the user.
WindowsImpersonationContext mWIC = mWI2.Impersonate();
Console.WriteLine("\n\nAfter impersonation:\n");
WindowsIdentity mWI3 = WindowsIdentity.GetCurrent();
Console.WriteLine(mWI3.Name);
Console.WriteLine(mWI3.Token);
// Revert to previous identity.
mWIC.Undo();
Console.WriteLine("\n\nAfter impersonation is reverted:\n");
WindowsIdentity mWI4 = WindowsIdentity.GetCurrent();
Console.WriteLine(mWI4.Name);
Console.WriteLine(mWI4.Token);
}
}
--
Horatiu Ripa
Software Development Manager
Business Logic Systems LTD
6-8 Motilor str., 6th floor, 3400 Cluj-Napoca, Romania
Phone: +40 64 438144 Fax: +40 64 438144
Web: www.businesslogic.co.uk
This email (email message and any attachments) is strictly confidential,
possibly privileged and is intended solely for the person or organization to
whom it is addressed. If you are not the intended recipient, you must not
copy, distribute or take any action in reliance on it. If you have received
this email in error, please inform the sender immediately before deleting
it. Business Logic Systems Ltd accepts no responsibility for any advice,
opinion, conclusion or other information contained in this email or arising
from its disclosure.
I'm doing the impersonation because I don't have rights enough to perform
some tasks. The impersonation is the ability to run threads/processes in a
different security context than the main one. Meaning switching to another
identity (account) for a while with higher (and even if it doesn't have any
sense, lower) privileges.
I'm using XML services and I need to promote to "Administrator" the security
context that a piece of code runs into, to be able to access resources not
accessible with ASPNET account. The sample that microsoft has on its page
does not work, it always throws an error (ret!=0), here's the code:
using System;
using System.Runtime.InteropServices;
using System.Security.Principal;
using System.Security.Permissions;
[assembly:SecurityPermissionAttribute(SecurityAction.RequestMinimum,
UnmanagedCode=true)]
public class Class1
{
[DllImport("C:\\WINNT\\System32\\advapi32.dll")]
public static extern bool LogonUser(String lpszUsername, String
lpszDomain, String lpszPassword,
int dwLogonType, int dwLogonProvider, out int phToken);
[DllImport("C:\\WINNT\\System32\\Kernel32.dll")]
public static extern int GetLastError();
public static void Main(string[] args)
{
// The Windows NT user token.
int token1;
// Get the user token for the specified user, machine, and password
using the unmanaged LogonUser method.
bool loggedOn = LogonUser(
// User name.
"bob",
// Computer name.
"AARDVARK",
// Password.
"coffee",
// Logon type = LOGON32_LOGON_NETWORK_CLEARTEXT.
3,
// Logon provider = LOGON32_PROVIDER_DEFAULT.
0,
// The user token for the specified user is returned here.
out token1);
Console.WriteLine("LogonUser called");
// Call GetLastError to try to determine why logon failed if it did
not succeed.
int ret = GetLastError();
Console.WriteLine("LogonUser Success? " + loggedOn);
Console.WriteLine("NT Token Value: " + token1);
if (ret != 0) Console.WriteLine("Error code (126 == \"Specified module
could not be found\"): " + ret);
//Starting impersonation here:
Console.WriteLine("\n\nBefore impersonation:\n");
WindowsIdentity mWI1 = WindowsIdentity.GetCurrent();
Console.WriteLine(mWI1.Name);
Console.WriteLine(mWI1.Token);
IntPtr token2 = new IntPtr(token1);
Console.WriteLine("\n\nNew identity created:\n");
WindowsIdentity mWI2 = new WindowsIdentity(token2);
Console.WriteLine(mWI2.Name);
Console.WriteLine(mWI2.Token);
// Impersonate the user.
WindowsImpersonationContext mWIC = mWI2.Impersonate();
Console.WriteLine("\n\nAfter impersonation:\n");
WindowsIdentity mWI3 = WindowsIdentity.GetCurrent();
Console.WriteLine(mWI3.Name);
Console.WriteLine(mWI3.Token);
// Revert to previous identity.
mWIC.Undo();
Console.WriteLine("\n\nAfter impersonation is reverted:\n");
WindowsIdentity mWI4 = WindowsIdentity.GetCurrent();
Console.WriteLine(mWI4.Name);
Console.WriteLine(mWI4.Token);
}
}
--
Horatiu Ripa
Software Development Manager
Business Logic Systems LTD
6-8 Motilor str., 6th floor, 3400 Cluj-Napoca, Romania
Phone: +40 64 438144 Fax: +40 64 438144
Web: www.businesslogic.co.uk
This email (email message and any attachments) is strictly confidential,
possibly privileged and is intended solely for the person or organization to
whom it is addressed. If you are not the intended recipient, you must not
copy, distribute or take any action in reliance on it. If you have received
this email in error, please inform the sender immediately before deleting
it. Business Logic Systems Ltd accepts no responsibility for any advice,
opinion, conclusion or other information contained in this email or arising
from its disclosure.
Nicholas Paldino said:Horatiu,
Can you show the code? Also, are you using ASP.NET? The account that
is doing the impersonation has to have the correct permissions in order to
impersonate another user and the ASPNET account does not have them (I think)
by default.
Hope this helps.
--
- Nicholas Paldino [.NET/C# MVP]
- (e-mail address removed)
Does anyone knows how can I impersonate to another user (basically
Administrator) for a piece of my code? I've tried the samples provided by MS
but they didn't worked.