Click here to Skip to main content
Click here to Skip to main content
Search within:



 
Comments & Discussions (63)

Windows Impersonation using C#

By , 29 Apr 2003
 

Impersonation

Introduction

I've been a member of the CodeProject for over 3 years now, and still haven't contributed any articles - until now.

While designing a Windows Forms-based application, to administrate containers in our Active Directory, I needed a way to allow binding to the AD using alternate credentials. Windows impersonation was the answer. This sample app demonstrates how to use unmanaged code by calling LogonUser() contained within the advapi32.dll, and pass a token handle back to your .NET application using WindowsImpersonationContext.

One of the downfalls to the LogonUser()function is that the password get passed in clear-text.

Partial Source Code

using System.Runtime.InteropServices; // DllImport
using System.Security.Principal; // WindowsImpersonationContext
using System.Security.Permissions; // PermissionSetAttribute
...

public WindowsImpersonationContext 
    ImpersonateUser(string sUsername, string sDomain, string sPassword)
{
    // initialize tokens
    IntPtr pExistingTokenHandle = new IntPtr(0);
    IntPtr pDuplicateTokenHandle = new IntPtr(0);
    pExistingTokenHandle = IntPtr.Zero;
    pDuplicateTokenHandle = IntPtr.Zero;
    
    // if domain name was blank, assume local machine
    if (sDomain == "")
        sDomain = System.Environment.MachineName;

    try
    {
        string sResult = null;

        const int LOGON32_PROVIDER_DEFAULT = 0;

        // create token
        const int LOGON32_LOGON_INTERACTIVE = 2;
        //const int SecurityImpersonation = 2;

        // get handle to token
        bool bImpersonated = LogonUser(sUsername, sDomain, sPassword, 
            LOGON32_LOGON_INTERACTIVE, LOGON32_PROVIDER_DEFAULT, 
                ref pExistingTokenHandle);

        // did impersonation fail?
        if (false == bImpersonated)
        {
            int nErrorCode = Marshal.GetLastWin32Error();
            sResult = "LogonUser() failed with error code: " + 
                nErrorCode + "\r\n";

            // show the reason why LogonUser failed
            MessageBox.Show(this, sResult, "Error", 
                MessageBoxButtons.OK, MessageBoxIcon.Error);
        }

        // Get identity before impersonation
        sResult += "Before impersonation: " + 
            WindowsIdentity.GetCurrent().Name + "\r\n";

        bool bRetVal = DuplicateToken(pExistingTokenHandle, 
            (int)SECURITY_IMPERSONATION_LEVEL.SecurityImpersonation, 
                ref pDuplicateTokenHandle);

        // did DuplicateToken fail?
        if (false == bRetVal)
        {
            int nErrorCode = Marshal.GetLastWin32Error();
            // close existing handle
            CloseHandle(pExistingTokenHandle); 
            sResult += "DuplicateToken() failed with error code: " 
                + nErrorCode + "\r\n";

            // show the reason why DuplicateToken failed
            MessageBox.Show(this, sResult, "Error", 
                MessageBoxButtons.OK, MessageBoxIcon.Error);
            return null;
        }
        else
        {
            // create new identity using new primary token
            WindowsIdentity newId = new WindowsIdentity
                                        (pDuplicateTokenHandle);
            WindowsImpersonationContext impersonatedUser = 
                                        newId.Impersonate();

            // check the identity after impersonation
            sResult += "After impersonation: " + 
                WindowsIdentity.GetCurrent().Name + "\r\n";
            
            MessageBox.Show(this, sResult, "Success", 
                MessageBoxButtons.OK, MessageBoxIcon.Information);
            return impersonatedUser;
        }
    }
    catch (Exception ex)
    {
        throw ex;
    }
    finally
    {
        // close handle(s)
        if (pExistingTokenHandle != IntPtr.Zero)
            CloseHandle(pExistingTokenHandle);
        if (pDuplicateTokenHandle != IntPtr.Zero) 
            CloseHandle(pDuplicateTokenHandle);
    }
}

Points of Interest

This code won't work on Windows 98 or ME because they do not utilize user tokens. Code was built and run using Visual Studio.NET 2002 on Windows XP Service Pack 1.

One of the other uses for this code I've found is, for instantiating COM components that must run in an alternate security context to that of the logged-on user.

If anyone has a more secure method of achieving the same thing, please let me know.

History

  • Version 1.0 - 04.25.03 - First release version

License

This article has no explicit license attached to it but may contain usage terms in the article text or the download files themselves. If in doubt please contact the author via the discussion board below.

A list of licenses authors might use can be found here

About the Author

 Marc Merritt
Architect
United States United States
Member
I live in southeastern Pennsylvania, USA with my lovely wife and two beautiful daughters. Life is good. My hobbies are motorcycles, motorcycles, and motorcycles.
 
I run a riders group called Twisties Motorcycle Club. If you're are a rider in the tri-state area, look us up! http://twistiesmc.com/

Article Top
 
Sign Up to vote   Poor Excellent
Add a reason or comment to your vote: x
Votes of 3 or less require a comment

Comments and Discussions

 
Hint: For improved responsiveness ensure Javascript is enabled and choose 'Normal' from the Layout dropdown and hit 'Update'.
You must Sign In to use this message board.
Search this forum  
    Spacing  Noise  Layout  Per page   
First PrevNext
Questionsource code helpmemberPyakaa17 Dec '12 - 1:43 
GeneralMy vote of 5memberkerkenez20004 Apr '12 - 23:35 
QuestionCall LogonUsermemberMember 822764117 Sep '11 - 13:40 
QuestionPlease I need a Helpmemberkaiserssosse11 Aug '11 - 1:41 
AnswerRe: Please I need a Helpmemberdiialer21 Aug '11 - 7:36 
GeneralRe: Please I need a Helpmemberkaiserssosse21 Aug '11 - 21:03 
Thanks for the reply.
 
I think the problem is the computer and the accounts, because with an old account it doesn't work but if we copy the privileges of the account to a new account it works fine, so I don't know which is the problem with all of this.
 
It can be because the accounts are old and when it was created it was done with a winNT version and not with the winXP SP3, or is a problem of cache files in the computer...
 
In some computers works perfectly, in others only works with some users, normally old accounts. This is a mysterious.
Sign In·View Thread·Permalink
GeneralIs Windows Impersionation Thread or Process Level ?memberThomas Haller27 May '11 - 2:42 
GeneralThanksmemberolivier gg14 Feb '11 - 8:43 
GeneralWIndows 7membermoralam13 Jul '10 - 7:58 
GeneralRe: WIndows 7memberMarc Merritt28 Jan '13 - 5:25 
QuestionCross domain impersonationmemberatulsureka18 Apr '10 - 2:25 
AnswerRe: Cross domain impersonationmemberdeadwood8827 Sep '10 - 2:00 
GeneralRe: Cross domain impersonationmemberCstruter26 Oct '10 - 21:38 
GeneralRe: Cross domain impersonationmembersabh2125 Jan '13 - 1:32 
GeneralCreate a folder on a remote computermemberShlomo6 Jan '10 - 1:52 
GeneralWindows 2008 servermembersmithafebinkal3 Dec '08 - 18:45 
GeneralThis process not working with a WPF application!!!memberArshad Kunnath31 Jul '08 - 1:36 
GeneralRe: This process not working with a WPF application!!!memberMarc Merritt31 Jul '08 - 2:59 
GeneralRe: This process not working with a WPF application!!!memberMatei Focseneanu12 May '10 - 5:15 
QuestionIt may be....memberWillian.BR15 May '08 - 8:55 
GeneralWindows CE .netmemberquestions_c1 Oct '07 - 2:28 
GeneralRe: Windows CE .netmemberMarc Merritt1 Oct '07 - 15:18 
GeneralRe: Windows CE .netmemberPram_Singh4120 Jul '09 - 4:22 
GeneralError Code 1326 [modified]membercollapo21 Aug '07 - 0:56 
GeneralRe: Error Code 1326membermirh10 Oct '07 - 1:59 
Last Visit: 31 Dec '99 - 18:00     Last Update: 17 May '13 - 21:44Refresh123 Next »

General General    News News    Suggestion Suggestion    Question Question    Bug Bug    Answer Answer    Joke Joke    Rant Rant    Admin Admin   

About Article
An article demonstrating how to use Windows impersonation in your C# code
Type Article
Licence 
First Posted 29 Apr 2003
Views 413,827
Downloads 7,993
Bookmarked 122 times

, +
Top News

Math Primers for Programmers

Get the Insider News free each morning.
Related Videos
Windows 8: Using the File Picker
Windows 8 Dev: Intro to Developing Windows 8 Store Apps Part 1
A small C# Class for impersonating a User
Command Line Windows Services Manager
[Security] - User Impersonation
Impersonation in SharePoint 2010
A Complete Impersonation Demo in C#.NET
User Impersonation in .NET
Authentication and Authorization in ASP.NET
DPAPI and Triple DES: A powerful combination to secure connection strings and other application settings
Windows Authentication
Impersonation using Code
ASP.NET - Forms authentication user impersonation
LSA Functions - Privileges and Impersonation
How to Access Network Files using asp.net
Accessing impersonated user’s details from code behind in C#
Run an application under current logon user's privileges
Impersonation in an asynchronous threaded WebPart
A security neutral mutex class for the managed platform
NTRemoteProcessControl – Enumerate and control Windows processes and services through WMI and WinForms
Crystal Reports: Fix for "Load report failed" error.
Trace in EventViewer from IIS
Permalink | Advertise | Privacy | Mobile
Web03 | 2.6.130516.1 | Last Updated 30 Apr 2003
Article Copyright 2003 by Marc Merritt
Everything else Copyright © CodeProject, 1999-2013
Terms of Use
Layout: fixed | fluid