Programmatic Account Impersonation

  • Thread starter: Scott Berry

Scott Berry

Does anyone know if it is possible to write an application so that if
a user enters their NT username and password the application's
security context can be changed to run under their account?

In the same way that you can set up COM+ or Task Scheduler to run
under a different account by entering in the username and password of
that account.

Any help would be appreciated.

Scott
 
If you are talking about just an application, then I believe the process
that the application runs in inherits the current identity. If I log in as
John Smith, then the application will run within the context of John Smith.
If another person later logs in, the current context will be applied
accordingly, I think.

COM+ and Services and Scheduled tasks are different in that they need to be
able to run in contexts that are independent of the current user. They may
also need to run when no user is logged in.

Now, an application can impersonate other people. I have not done this, but
you can check out the WindowsIdentity.Impersonate method and see if this
helps.
 
Yes this is possible in dotnet with help from advapi32.dll/kernel32. These
are the steps involved. There is a good example of it on MSDN also.

1. Log on using advapi32.dll/kernel32 and get the security token.
2. Use System.Security.Principal.WindowsIdentity.Impersonate.
3. The method will return a WindowsImpersonationContext object.
4. Store this object and call WindowsImpersonationContext.Undo if you want
to retain the original logon after you are done with impersonation.
 