Email Password Remember me?  Lost your password?

• Download demo project - 8.32 KB

Introduction

I've been a member of the CodeProject for over 3 years now, and still haven't contributed any articles - until now.

While designing a Windows Forms-based application, to administrate containers in our Active Directory, I needed a way to allow binding to the AD using alternate credentials. Windows impersonation was the answer. This sample app demonstrates how to use unmanaged code by calling LogonUser() contained within the advapi32.dll, and pass a token handle back to your .NET application using WindowsImpersonationContext.

One of the downfalls to the LogonUser()function is that the password get passed in clear-text.

Partial Source Code

using System.Runtime.InteropServices; // DllImport

using System.Security.Principal; // WindowsImpersonationContext

using System.Security.Permissions; // PermissionSetAttribute

...

public WindowsImpersonationContext 
    ImpersonateUser(string sUsername, string sDomain, string sPassword)
{
    // initialize tokens

    IntPtr pExistingTokenHandle = new IntPtr(0);
    IntPtr pDuplicateTokenHandle = new IntPtr(0);
    pExistingTokenHandle = IntPtr.Zero;
    pDuplicateTokenHandle = IntPtr.Zero;
    
    // if domain name was blank, assume local machine

    if (sDomain == "")
        sDomain = System.Environment.MachineName;

    try
    {
        string sResult = null;

        const int LOGON32_PROVIDER_DEFAULT = 0;

        // create token

        const int LOGON32_LOGON_INTERACTIVE = 2;
        //const int SecurityImpersonation = 2;


        // get handle to token

        bool bImpersonated = LogonUser(sUsername, sDomain, sPassword, 
            LOGON32_LOGON_INTERACTIVE, LOGON32_PROVIDER_DEFAULT, 
                ref pExistingTokenHandle);

        // did impersonation fail?

        if (false == bImpersonated)
        {
            int nErrorCode = Marshal.GetLastWin32Error();
            sResult = "LogonUser() failed with error code: " + 
                nErrorCode + "\r\n";

            // show the reason why LogonUser failed

            MessageBox.Show(this, sResult, "Error", 
                MessageBoxButtons.OK, MessageBoxIcon.Error);
        }

        // Get identity before impersonation

        sResult += "Before impersonation: " + 
            WindowsIdentity.GetCurrent().Name + "\r\n";

        bool bRetVal = DuplicateToken(pExistingTokenHandle, 
            (int)SECURITY_IMPERSONATION_LEVEL.SecurityImpersonation, 
                ref pDuplicateTokenHandle);

        // did DuplicateToken fail?

        if (false == bRetVal)
        {
            int nErrorCode = Marshal.GetLastWin32Error();
            // close existing handle

            CloseHandle(pExistingTokenHandle); 
            sResult += "DuplicateToken() failed with error code: " 
                + nErrorCode + "\r\n";

            // show the reason why DuplicateToken failed

            MessageBox.Show(this, sResult, "Error", 
                MessageBoxButtons.OK, MessageBoxIcon.Error);
            return null;
        }
        else
        {
            // create new identity using new primary token

            WindowsIdentity newId = new WindowsIdentity
                                        (pDuplicateTokenHandle);
            WindowsImpersonationContext impersonatedUser = 
                                        newId.Impersonate();

            // check the identity after impersonation

            sResult += "After impersonation: " + 
                WindowsIdentity.GetCurrent().Name + "\r\n";
            
            MessageBox.Show(this, sResult, "Success", 
                MessageBoxButtons.OK, MessageBoxIcon.Information);
            return impersonatedUser;
        }
    }
    catch (Exception ex)
    {
        throw ex;
    }
    finally
    {
        // close handle(s)

        if (pExistingTokenHandle != IntPtr.Zero)
            CloseHandle(pExistingTokenHandle);
        if (pDuplicateTokenHandle != IntPtr.Zero) 
            CloseHandle(pDuplicateTokenHandle);
    }
}

Points of Interest

This code won't work on Windows 98 or ME because they do not utilize user tokens. Code was built and run using Visual Studio.NET 2002 on Windows XP Service Pack 1.

One of the other uses for this code I've found is, for instantiating COM components that must run in an alternate security context to that of the logged-on user.

If anyone has a more secure method of achieving the same thing, please let me know.

History

• Version 1.0 - 04.25.03 - First release version

You must Sign In to use this message board.

Per page 102550

FirstPrevNext

Windows 2008 server smithafebinkal 19:45 3 Dec '08   Hi Does this code work with windows 2008 server. I am getting command failed error . Can you please help. Thanks, Smitha. Sign In·View Thread·PermaLink 5.00/5 This process not working with a WPF application!!! Arshad Kunnath 2:36 31 Jul '08   I have tried the same process both in forms and WPF applications unfortunately am failed to impersonate user in WPF application. Did i missed anything while impersonating a user in WPF application? Sign In·View Thread·PermaLink Re: This process not working with a WPF application!!! Marc Merritt 3:59 31 Jul '08   This was written in 2003 using the 1.0 Framework version. It's no longer necessary to use P/Invoke for impersonation. Take a look at System.Threading.Thread.CurrentPrincipal. Sign In·View Thread·PermaLink 2.00/5 It may be.... Willian.BR 9:55 15 May '08   Hi, It's a nice work. Congratulations! But, I would like to run a small windows service application. It will make some tasks and than the service may run another process but with other local credentials. The main service will run under SYSTEM account. Can you help me? Thanks! Willian S. Rodrigues willian_cpp_br@hotmail.com Sign In·View Thread·PermaLink Windows CE .net questions_c 3:28 1 Oct '07   I would like to have this funcionality in an ActiveX running in Windows CE .net Do you know if this is possible? Thanks, Antonio. Antonio Sign In·View Thread·PermaLink Re: Windows CE .net Marc Merritt 16:18 1 Oct '07   The compact framework has no support for the WindowsImpersonationContext class that I see, so the short answer would be no. However, I'm sure there are plenty of ways to achieve this using a P/Invoke approach. Sign In·View Thread·PermaLink Re: Windows CE .net Pram_Singh41 5:22 20 Jul '09   did you find a way out to run on Windows CE Sign In·View Thread·PermaLink Error Code 1326 [modified] collapo 1:56 21 Aug '07   Hi, I've tried to use your code, or at least some of it in my project, and I've encountered the following problem: The code runs, impersonates finely on local computer, but when I try to impersonate a user on an other computer (e.g. "Comp" , "User", "") I get error code 1326, the domain IS "Comp", username IS "User" and there is no password on it. So I don't know the solution for my problem. I've tried your sample application, which encountered the same. Could you provide me some information about this? OK, I know that if there is no passwd on the share I needn't use this code, but the use of it should not end in the result written above, or is it? After trying I noticed, that this program impersonates on local computer, because when I've tried to impersonate an admin user on an other computer, which has the same name and passwd as the admin of the local computer, it impersonated on the local computer. Is it possible or I'm missunderstanding something? thanks in advance: collapo -- modified at 7:13 Tuesday 21st August, 2007 Thx in advance: Collapo Sign In·View Thread·PermaLink 2.00/5 Re: Error Code 1326 mirh 2:59 10 Oct '07   Hi It is possible. You use mirrored accounts. In this way you can have access to local resources on the OTHER machine. But the question is how to achieve this (ex. access to files on other machines with NTFS rights sets on local account) without creating mirrored accounts on both? Mirek Sign In·View Thread·PermaLink 2.90/5 Error 1314 m.aldegheri 7:28 3 Aug '06   Hi, I'm using Win 2000 Server and the sample application return: LogonUser() failed with error code: 1314 and then: DuplicateToken() failed with error code: 6 This error encurred only in a machine, in other machine works fine. I search the code on web and I think that I have to set some permission. But I don't know what. Please help me, thanks Matteo Sign In·View Thread·PermaLink 1.67/5 Re: Error 1314 m.aldegheri 23:23 3 Aug '06   I'm sorry, setting the permission "Act as part of the operating system" works fine. Sorry again Sign In·View Thread·PermaLink 1.75/5 Re: Error 1314 MunkieFish 8:49 11 Apr '07   How do you do that? Can you show me an example. Sign In·View Thread·PermaLink 1.00/5 Re: Error 1314 uppals 14:06 12 Apr '07   * Log in as Administrator * Execute gpedit.msc * Go to "Local Computer Policy\Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment" and add the account being impersonated to “Act as part of the operating system”. Sign In·View Thread·PermaLink 2.00/5 Help needed Windows 2000 SP4 still getting 1314! -- Re: Error 1314 devvvy 21:41 21 Feb '08   I'm using Windows 2000 SP4 still getting 1314 error (C# .net 2.0) I've configured both impersonated and impersonating account as "Act as part of the operating system" but still getting 1314 error! http://www.microsoft.com/technet/security/prodtech/windows2000/w2kccadm/win2kpol/w2kadm03.mspx[^] Perhaps because both are DOMAIN account? Thanks devy Sign In·View Thread·PermaLink Re: Help needed Windows 2000 SP4 still getting 1314! -- Re: Error 1314 Marc Merritt 4:02 26 Feb '08   If you have a global policy that overrides this setting then it explains why you cannot get it to work. Sign In·View Thread·PermaLink 2.00/5 how to use this in case of a local account? yossof elnaggar 21:29 27 Jun '06   i used this solution to impersonate a domain user, but can't do with a local account. the problem is: - i have a workgroup, has two machine (mac1 & mac2) - i create a local account on (mac1) [username=ysa,password=123] - i create a shared folder on (mac1) called "Images", and assign the local user [ysa] to it. - i want to access this shared folder from (mac2) Yossef Elnaggar Sign In·View Thread·PermaLink 1.20/5 Re: how to use this in case of a local account? hk11 20:04 12 Jul '07   http://www.codeproject.com/csharp/cpimpersonation1.asp?forumid=15321&select=2128115&df=100#xx2128115xx Sign In·View Thread·PermaLink 2.00/5 First call takes too long schweeneh 7:04 4 Apr '06   The first call to ImpersonateUser() takes about 10 or more seconds, I assume this is because of the Import statements (I read an article that explained exactly why it takes so long but honestly didn't fully understand it). On the second call though, it's instantaneous. Is there a way to speed this process up or maybe Import the dlls when I start my application so that when I make the first call it doesn't get bogged down. Thanks, Chris -- modified at 12:23 Tuesday 4th April, 2006 Sign In·View Thread·PermaLink 1.00/5 Re: First call takes too long Marc Merritt 3:24 12 Jun '06   10 seconds seems a bit excessive..? Honestly, I was still learning .NET when I wrote this article over 3 years ago, so I'd recommend using Uwe Keim's code instead of mine. His code is much more up-to-date and easier to use. I'd be curious to know if you are still incurring the latency issue, so let me know. Thanks! Sign In·View Thread·PermaLink 4.70/5 A similar article Uwe Keim 0:59 24 Apr '05   Please see also my article [^] that is similar to this one. -- Affordable Windows-based CMS for only 99 €: try www.zeta-producer.com for free! Sign In·View Thread·PermaLink Re: A similar article craigg75 6:57 3 Nov '06   Actually it's -- http://www.codeproject.com/csharp/ZetaImpersonator.asp Sign In·View Thread·PermaLink Re: A similar article Uwe Keim 7:14 3 Nov '06   Oh, they moved it to the official section . thanks! http://www.codeproject.com/csharp/ZetaImpersonator.asp[^] -- Try our Windows-based CMS: www.zeta-producer.com Try our ticket helpdesk system: www.zeta-helpdesk.com See me working: www.magerquark.com Sign In·View Thread·PermaLink Impersonation chriskoiak 6:13 16 Mar '04   Hi, Is it possible to contain impersonation to a given AppDomain rather than impersonation consuming the full process? I have a service running under the local system account, but need to impersonate the current user for some functionality (e.g. accessing the current users network share). However I don't want the full service to change it's access rights. I can spawn a seperate process (which impersonates a specifed user) but this therefore consumes more memory. My service needs to run as the Local System account (not a specified account particular to the domain). Any ideas? Thanks Chris Sign In·View Thread·PermaLink 1.00/5 Re: Impersonation tee_jay 23:08 10 Apr '06   Hi, Even i have the same query.. I also want to impersonate a user (i'hav his credentials) from inside a service running under local system account so that i can access "Mapped Drives" that are mapped in the context of the user whom i want to impersonate. I gave several experiments to this.. like trying and get the UNC name from the mapped name using WNet APIs but no results.. FYI: I can easily access network shares (using UNC names) to which i had access to. But couldnot access mapped drives. Reason i'm aware of, that drives are mapped on a per user basis i.e. i cannot see a drive mapped in some another user's account. But there must be some workaround.. like impersonating.. (but that too did not help..) If someone has a diffenent vision.. pls let us know.. Love, TJ Sign In·View Thread·PermaLink 3.00/5 Re: Impersonation hk11 20:01 12 Jul '07   Here you go... public class NetworkHelper { // Used to Map UNC from a Windows Service #region Constants //NetResource Scope private const int RESOURCE_CONNECTED = 0x00000001; private const int RESOURCE_GLOBALNET = 0x00000002; private const int RESOURCE_REMEMBERED = 0x00000003; //NetResource Type private const int RESOURCETYPE_ANY = 0x00000000; private const int RESOURCETYPE_DISK = 0x00000001; private const int RESOURCETYPE_PRINT = 0x00000002; //NetResource Usage private const int RESOURCEUSAGE_CONNECTABLE = 0x00000001; private const int RESOURCEUSAGE_CONTAINER = 0x00000002; //NetResource Display Type private const int RESOURCEDISPLAYTYPE_GENERIC = 0x00000000; private const int RESOURCEDISPLAYTYPE_DOMAIN = 0x00000001; private const int RESOURCEDISPLAYTYPE_SERVER = 0x00000002; private const int RESOURCEDISPLAYTYPE_SHARE = 0x00000003; private const int RESOURCEDISPLAYTYPE_FILE = 0x00000004; private const int RESOURCEDISPLAYTYPE_GROUP = 0x00000005; //Flags private const int CONNECT_UPDATE_PROFILE = 0x00000001; private const int CONNECT_UPDATE_RECENT = 0x00000002; private const int CONNECT_TEMPORARY = 0x00000004; private const int CONNECT_INTERACTIVE = 0x00000008; private const int CONNECT_PROMPT = 0x00000010; private const int CONNECT_NEED_DRIVE = 0x00000020; #endregion #region NetResource Structure [StructLayout(LayoutKind.Sequential)] private struct NetResource { public int Scope; public int Type; public int DisplayType; public int Usage; public string LocalName; public string RemoteName; public string Comment; public string Provider; } #endregion #region Win32 Functions [DllImport("mpr.dll", EntryPoint = "WNetAddConnection2A", CharSet = CharSet.Ansi, SetLastError = true)] private static extern int WNetAddConnection2A(ref NetResource netresource, string password, string username, int flags); [DllImport("mpr.dll", EntryPoint = "WNetCancelConnection2", CharSet = CharSet.Ansi, SetLastError = true)] private static extern int WNetCancelConnection2(string drivename, int flag, bool force); #endregion myLib lib = new myLib(); public bool WNetAddConnection(string LocalDrive, string NetworkFolderPath, string User, string Password, bool Force) { bool success = false; try { NetResource netresource = new NetResource(); netresource.Scope = RESOURCE_GLOBALNET; netresource.Type = RESOURCETYPE_DISK; netresource.Usage = RESOURCEUSAGE_CONNECTABLE; netresource.DisplayType = RESOURCEDISPLAYTYPE_SHARE; netresource.LocalName = LocalDrive; netresource.RemoteName = NetworkFolderPath; netresource.Comment = ""; netresource.Provider = ""; int Flag = CONNECT_UPDATE_PROFILE; if (Force) { success = WNetCancelConnection(LocalDrive, true); } int result = WNetAddConnection2A(ref netresource, Password, User, Flag); if (result > 0) { throw new System.ComponentModel.Win32Exception(result); } success = true; } catch (Exception e) { lib.Echo("Error: " + e.Message, myLib.MsgType.FAIL); } return success; } public bool WNetCancelConnection(string LocalDrive, bool Force) { bool success = false; try { int result = WNetCancelConnection2(LocalDrive, CONNECT_UPDATE_PROFILE, Force); if (result > 0) { throw new System.ComponentModel.Win32Exception(result); } success = true; } catch (Exception e) { lib.Echo("Error:" + e.Message, myLib.MsgType.FAIL); } return success; } } Sign In·View Thread·PermaLink 2.00/5

Last Visit: 17:37 22 Nov '09     Last Update: 17:37 22 Nov '09 12 Next »