Click here to Skip to main content
11,485,334 members (77,825 online)
Click here to Skip to main content

User Impersonation in .NET

, 6 Jun 2006 CPOL 127.9K 3.7K 89
Rate this:
Please Sign up or sign in to vote.
This sample shows how to switch between security contexts within the same process. It also demonstrates how this can be done on a single or multiple threads.

Description

This sample shows how to switch between security contexts within the same process. It also demostrates how this can be done on a single or multiple threads.

Why It's Here

I was looking through the Message Board on The Code Project site and came across a very interesting question. One of the members was asking how to access a file on another computer in a Workgroup without being prompted to specify user credentials.

I started researching the topic and found the solution in the .NET class library reference. I was impressed by the elegance of the solution, so I decided to have it published here for the benefit of other fellow-developers.

Explanation

The main class within the project is the ImpersonateUser that uses Win32 API function LogonUser and the .NET class WindowsImpersonationContext that represents the Windows user before impersonation.

To impersonate a different user, the class follows three distincts steps as listed below.

Step 1

Using LogonUser, it creates a new security token and obtains a handle to it.

bool returnValue = LogonUser(
    userName,
    domainName,
    password,
    LOGON32_LOGON_INTERACTIVE,
    LOGON32_PROVIDER_DEFAULT,
    ref tokenHandle);           // tokenHandle is a new security token

Step 2

Using this handle, it creates an instance of the WindowsIdentity class.

   WindowsIdentity newId = new WindowsIdentity(tokenHandle);

Step 3

It then uses the WindowsIdentity.Impersonate() method that returns WindowsImpersonationContext to assign the new security token to the current WindowsImpersonationContext.

   // Declared in the ImpersonateUser class
   private static WindowsImpersonationContext impersonatedUser;
   
   // used within the class Impersonate method
   impersonatedUser = newId.Impersonate();

Main Class

Here's the code for the ImpersonateUser class:

public class ImpersonateUser
{
    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool LogonUser(
            String lpszUsername,
            String lpszDomain,
            String lpszPassword,
            int dwLogonType,
            int dwLogonProvider,
            ref IntPtr phToken);

    [DllImport("kernel32.dll", CharSet = CharSet.Auto)]
    public extern static bool CloseHandle(IntPtr handle);

    private static IntPtr tokenHandle = new IntPtr(0);
    private static WindowsImpersonationContext impersonatedUser;

    // If you incorporate this code into a DLL, be sure to demand that it
    // runs with FullTrust.
    [PermissionSetAttribute(SecurityAction.Demand, Name = "FullTrust")]
    public void Impersonate(string domainName, string userName, string password) {
    try {
        // Use the unmanaged LogonUser function to get the user token for
        // the specified user, domain, and password.
        const int LOGON32_PROVIDER_DEFAULT = 0;
        // Passing this parameter causes LogonUser to create a primary token.
        const int LOGON32_LOGON_INTERACTIVE = 2;
        tokenHandle = IntPtr.Zero;
            
        // ---- Step - 1 
        // Call LogonUser to obtain a handle to an access token.
        bool returnValue = LogonUser(
                            userName,
                            domainName,
                            password,
                            LOGON32_LOGON_INTERACTIVE,
                            LOGON32_PROVIDER_DEFAULT,
                            ref tokenHandle);         // tokenHandle - new security token

        if (false == returnValue) {
            int ret = Marshal.GetLastWin32Error();
            Console.WriteLine("LogonUser call failed with error code : " + ret);
            throw new System.ComponentModel.Win32Exception(ret);
        }

        // ---- Step - 2 
        WindowsIdentity newId = new WindowsIdentity(tokenHandle);
                
        // ---- Step - 3 
        impersonatedUser = newId.Impersonate();
    }
    catch (Exception ex) {
    Console.WriteLine("Exception occurred. " + ex.Message);
    }
}

    // Stops impersonation
    public void Undo() {
        impersonatedUser.Undo();
        // Free the tokens.
        if (tokenHandle != IntPtr.Zero)
        CloseHandle(tokenHandle);
    }
}

Example

ImpersonateUser iU = new ImpersonateUser();
// TODO: Replace credentials
iU.Impersonate("remoteMachine", "userID", "password");
   
// Next lines of code will run in the security context of the user specified above
// ....
   
// Revert back to the previous user identity
iU.Undo();

Please download the source code and run the demo project - it will give you a better idea how easy it is to use the class.

How To Use ImpersUsr.dll

  1. Download and extract ImpersUsr.dll
  2. Create a Console type project
  3. Add a reference to ImpersUsr.dll
  4. Instantiate the ImpersonateUser class
  5. Call ImpersonateUser.Impersonate(..) method
  6. Code whatever you need to run in the new security context
  7. Call ImpersonateUser.Undo() method to stop impersonating

Multithreading

Please download the source to see how to start a separate thread in a different security context.

History

  • 6th June, 2006: Initial post

License

This article, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

Share

About the Author

Alex B. Clarke
Web Developer
United Kingdom United Kingdom
Alex B. Clarke is a professioinal software developer specialising in .Net, C#, Asp.Net, SQL, ADSI, CDO, and other technolgies. He writes applications that automate business processes.

Comments and Discussions

 
Questionwindostation Pin
ricardodn44-May-13 3:51
memberricardodn44-May-13 3:51 
Questiongetting error Pin
Pyakaa17-Dec-12 2:50
memberPyakaa17-Dec-12 2:50 
QuestionSeven Pin
nuno.cabaco15-Mar-12 7:57
membernuno.cabaco15-Mar-12 7:57 
GeneralThanks Pin
Member 447960329-Jul-10 19:51
memberMember 447960329-Jul-10 19:51 
GeneralThanks :) Pin
ronchese30-Dec-09 5:34
memberronchese30-Dec-09 5:34 
GeneralimpersonatedUser.Undo(); Pin
joseph_81tr20-Dec-09 22:55
memberjoseph_81tr20-Dec-09 22:55 
GeneralRe: impersonatedUser.Undo(); Pin
joseph_81tr20-Dec-09 23:10
memberjoseph_81tr20-Dec-09 23:10 
GeneralRe: impersonatedUser.Undo(); Pin
Alex B. Clarke22-Dec-09 8:16
memberAlex B. Clarke22-Dec-09 8:16 
GeneralTears of Joy! Pin
gutharius4-Jan-09 10:19
membergutharius4-Jan-09 10:19 
GeneralAccessViolationException Pin
drdaveh30-Apr-08 4:24
memberdrdaveh30-Apr-08 4:24 

General General    News News    Suggestion Suggestion    Question Question    Bug Bug    Answer Answer    Joke Joke    Rant Rant    Admin Admin   

Use Ctrl+Left/Right to switch messages, Ctrl+Up/Down to switch threads, Ctrl+Shift+Left/Right to switch pages.

| Advertise | Privacy | Terms of Use | Mobile
Web04 | 2.8.150520.1 | Last Updated 6 Jun 2006
Article Copyright 2006 by Alex B. Clarke
Everything else Copyright © CodeProject, 1999-2015
Layout: fixed | fluid