Click here to Skip to main content
Click here to Skip to main content

User Impersonation in .NET

, 6 Jun 2006 CPOL
Rate this:
Please Sign up or sign in to vote.
This sample shows how to switch between security contexts within the same process. It also demonstrates how this can be done on a single or multiple threads.

Description

This sample shows how to switch between security contexts within the same process. It also demostrates how this can be done on a single or multiple threads.

Why It's Here

I was looking through the Message Board on The Code Project site and came across a very interesting question. One of the members was asking how to access a file on another computer in a Workgroup without being prompted to specify user credentials.

I started researching the topic and found the solution in the .NET class library reference. I was impressed by the elegance of the solution, so I decided to have it published here for the benefit of other fellow-developers.

Explanation

The main class within the project is the ImpersonateUser that uses Win32 API function LogonUser and the .NET class WindowsImpersonationContext that represents the Windows user before impersonation.

To impersonate a different user, the class follows three distincts steps as listed below.

Step 1

Using LogonUser, it creates a new security token and obtains a handle to it.

bool returnValue = LogonUser(
    userName,
    domainName,
    password,
    LOGON32_LOGON_INTERACTIVE,
    LOGON32_PROVIDER_DEFAULT,
    ref tokenHandle);           // tokenHandle is a new security token

Step 2

Using this handle, it creates an instance of the WindowsIdentity class.

   WindowsIdentity newId = new WindowsIdentity(tokenHandle);

Step 3

It then uses the WindowsIdentity.Impersonate() method that returns WindowsImpersonationContext to assign the new security token to the current WindowsImpersonationContext.

   // Declared in the ImpersonateUser class
   private static WindowsImpersonationContext impersonatedUser;
   
   // used within the class Impersonate method
   impersonatedUser = newId.Impersonate();

Main Class

Here's the code for the ImpersonateUser class:

public class ImpersonateUser
{
    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool LogonUser(
            String lpszUsername,
            String lpszDomain,
            String lpszPassword,
            int dwLogonType,
            int dwLogonProvider,
            ref IntPtr phToken);

    [DllImport("kernel32.dll", CharSet = CharSet.Auto)]
    public extern static bool CloseHandle(IntPtr handle);

    private static IntPtr tokenHandle = new IntPtr(0);
    private static WindowsImpersonationContext impersonatedUser;

    // If you incorporate this code into a DLL, be sure to demand that it
    // runs with FullTrust.
    [PermissionSetAttribute(SecurityAction.Demand, Name = "FullTrust")]
    public void Impersonate(string domainName, string userName, string password) {
    try {
        // Use the unmanaged LogonUser function to get the user token for
        // the specified user, domain, and password.
        const int LOGON32_PROVIDER_DEFAULT = 0;
        // Passing this parameter causes LogonUser to create a primary token.
        const int LOGON32_LOGON_INTERACTIVE = 2;
        tokenHandle = IntPtr.Zero;
            
        // ---- Step - 1 
        // Call LogonUser to obtain a handle to an access token.
        bool returnValue = LogonUser(
                            userName,
                            domainName,
                            password,
                            LOGON32_LOGON_INTERACTIVE,
                            LOGON32_PROVIDER_DEFAULT,
                            ref tokenHandle);         // tokenHandle - new security token

        if (false == returnValue) {
            int ret = Marshal.GetLastWin32Error();
            Console.WriteLine("LogonUser call failed with error code : " + ret);
            throw new System.ComponentModel.Win32Exception(ret);
        }

        // ---- Step - 2 
        WindowsIdentity newId = new WindowsIdentity(tokenHandle);
                
        // ---- Step - 3 
        impersonatedUser = newId.Impersonate();
    }
    catch (Exception ex) {
    Console.WriteLine("Exception occurred. " + ex.Message);
    }
}

    // Stops impersonation
    public void Undo() {
        impersonatedUser.Undo();
        // Free the tokens.
        if (tokenHandle != IntPtr.Zero)
        CloseHandle(tokenHandle);
    }
}

Example

ImpersonateUser iU = new ImpersonateUser();
// TODO: Replace credentials
iU.Impersonate("remoteMachine", "userID", "password");
   
// Next lines of code will run in the security context of the user specified above
// ....
   
// Revert back to the previous user identity
iU.Undo();

Please download the source code and run the demo project - it will give you a better idea how easy it is to use the class.

How To Use ImpersUsr.dll

  1. Download and extract ImpersUsr.dll
  2. Create a Console type project
  3. Add a reference to ImpersUsr.dll
  4. Instantiate the ImpersonateUser class
  5. Call ImpersonateUser.Impersonate(..) method
  6. Code whatever you need to run in the new security context
  7. Call ImpersonateUser.Undo() method to stop impersonating

Multithreading

Please download the source to see how to start a separate thread in a different security context.

History

  • 6th June, 2006: Initial post

License

This article, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

Share

About the Author

Alex B. Clarke
Web Developer
United Kingdom United Kingdom
Alex B. Clarke is a professioinal software developer specialising in .Net, C#, Asp.Net, SQL, ADSI, CDO, and other technolgies. He writes applications that automate business processes.

Comments and Discussions

 
Questionwindostation Pinmemberricardodn44-May-13 2:51 
Hi Alex, I need to develop an application that creates windowstation and can run any application within it, with full permission. Still could not find any exmplo, you can show me some reference?
Questiongetting error PinmemberPyakaa17-Dec-12 1:50 
QuestionSeven Pinmembernuno.cabaco15-Mar-12 6:57 
GeneralThanks PinmemberMember 447960329-Jul-10 18:51 
GeneralThanks :) Pinmemberronchese30-Dec-09 4:34 
GeneralimpersonatedUser.Undo(); Pinmemberjoseph_81tr20-Dec-09 21:55 
GeneralRe: impersonatedUser.Undo(); Pinmemberjoseph_81tr20-Dec-09 22:10 
GeneralRe: impersonatedUser.Undo(); PinmemberAlex B. Clarke22-Dec-09 7:16 
GeneralTears of Joy! Pinmembergutharius4-Jan-09 9:19 
GeneralAccessViolationException Pinmemberdrdaveh30-Apr-08 3:24 
AnswerRe: AccessViolationException PinmemberIfligus5-May-08 5:01 
GeneralNamespace... Pinmemberthatrickguy15-Jun-07 11:45 
GeneralFailure on Vista PinmemberSteve Harding30-May-07 3:54 
GeneralRe: Failure on Vista PinmemberAlex B. Clarke1-Jun-07 8:39 
GeneralException: Maximum number of clients connected Pinmemberinno125-Apr-07 3:56 
GeneralImpersonate in Web App PinmemberBradley McGuffey7-Mar-07 8:59 
GeneralRe: Impersonate in Web App [modified] Pinmembermarccp20-Mar-07 3:10 
GeneralThank you Pinmembergrazza9825-Feb-07 23:53 
Generalimpersonate error [modified] PinmemberJakeFront21-Jul-06 3:34 
GeneralRe: impersonate error PinmemberAlex B. Clarke21-Jul-06 7:24 
GeneralRe: impersonate error PinmemberJakeFront23-Jul-06 23:09 
GeneralRe: impersonate error PinmemberAlex B. Clarke24-Jul-06 4:37 
GeneralRe: impersonate error PinmemberJakeFront24-Jul-06 4:51 
GeneralRe: impersonate error PinmemberAlex B. Clarke24-Jul-06 5:47 
GeneralRe: impersonate error PinmemberJakeFront24-Jul-06 6:33 

General General    News News    Suggestion Suggestion    Question Question    Bug Bug    Answer Answer    Joke Joke    Rant Rant    Admin Admin   

Use Ctrl+Left/Right to switch messages, Ctrl+Up/Down to switch threads, Ctrl+Shift+Left/Right to switch pages.

| Advertise | Privacy | Mobile
Web04 | 2.8.141015.1 | Last Updated 6 Jun 2006
Article Copyright 2006 by Alex B. Clarke
Everything else Copyright © CodeProject, 1999-2014
Terms of Service
Layout: fixed | fluid