Click here to Skip to main content
15,888,351 members
Search within:


Articles / Programming Languages / C#
 
Article

Windows Impersonation using C#

Rate me:
Please Sign up or sign in to vote.
4.77/5 (49 votes)
29 Apr 2003CPOL 722.4K   15.7K   149   74
An article demonstrating how to use Windows impersonation in your C# code

Impersonation

Introduction

I've been a member of the CodeProject for over 3 years now, and still haven't contributed any articles - until now.

While designing a Windows Forms-based application, to administrate containers in our Active Directory, I needed a way to allow binding to the AD using alternate credentials. Windows impersonation was the answer. This sample app demonstrates how to use unmanaged code by calling LogonUser() contained within the advapi32.dll, and pass a token handle back to your .NET application using WindowsImpersonationContext.

One of the downfalls to the LogonUser()function is that the password get passed in clear-text.

Partial Source Code

C#
using System.Runtime.InteropServices; // DllImport
using System.Security.Principal; // WindowsImpersonationContext
using System.Security.Permissions; // PermissionSetAttribute
...

public WindowsImpersonationContext 
    ImpersonateUser(string sUsername, string sDomain, string sPassword)
{
    // initialize tokens
    IntPtr pExistingTokenHandle = new IntPtr(0);
    IntPtr pDuplicateTokenHandle = new IntPtr(0);
    pExistingTokenHandle = IntPtr.Zero;
    pDuplicateTokenHandle = IntPtr.Zero;
    
    // if domain name was blank, assume local machine
    if (sDomain == "")
        sDomain = System.Environment.MachineName;

    try
    {
        string sResult = null;

        const int LOGON32_PROVIDER_DEFAULT = 0;

        // create token
        const int LOGON32_LOGON_INTERACTIVE = 2;
        //const int SecurityImpersonation = 2;

        // get handle to token
        bool bImpersonated = LogonUser(sUsername, sDomain, sPassword, 
            LOGON32_LOGON_INTERACTIVE, LOGON32_PROVIDER_DEFAULT, 
                ref pExistingTokenHandle);

        // did impersonation fail?
        if (false == bImpersonated)
        {
            int nErrorCode = Marshal.GetLastWin32Error();
            sResult = "LogonUser() failed with error code: " + 
                nErrorCode + "\r\n";

            // show the reason why LogonUser failed
            MessageBox.Show(this, sResult, "Error", 
                MessageBoxButtons.OK, MessageBoxIcon.Error);
        }

        // Get identity before impersonation
        sResult += "Before impersonation: " + 
            WindowsIdentity.GetCurrent().Name + "\r\n";

        bool bRetVal = DuplicateToken(pExistingTokenHandle, 
            (int)SECURITY_IMPERSONATION_LEVEL.SecurityImpersonation, 
                ref pDuplicateTokenHandle);

        // did DuplicateToken fail?
        if (false == bRetVal)
        {
            int nErrorCode = Marshal.GetLastWin32Error();
            // close existing handle
            CloseHandle(pExistingTokenHandle); 
            sResult += "DuplicateToken() failed with error code: " 
                + nErrorCode + "\r\n";

            // show the reason why DuplicateToken failed
            MessageBox.Show(this, sResult, "Error", 
                MessageBoxButtons.OK, MessageBoxIcon.Error);
            return null;
        }
        else
        {
            // create new identity using new primary token
            WindowsIdentity newId = new WindowsIdentity
                                        (pDuplicateTokenHandle);
            WindowsImpersonationContext impersonatedUser = 
                                        newId.Impersonate();

            // check the identity after impersonation
            sResult += "After impersonation: " + 
                WindowsIdentity.GetCurrent().Name + "\r\n";
            
            MessageBox.Show(this, sResult, "Success", 
                MessageBoxButtons.OK, MessageBoxIcon.Information);
            return impersonatedUser;
        }
    }
    catch (Exception ex)
    {
        throw ex;
    }
    finally
    {
        // close handle(s)
        if (pExistingTokenHandle != IntPtr.Zero)
            CloseHandle(pExistingTokenHandle);
        if (pDuplicateTokenHandle != IntPtr.Zero) 
            CloseHandle(pDuplicateTokenHandle);
    }
}

Points of Interest

This code won't work on Windows 98 or ME because they do not utilize user tokens. Code was built and run using Visual Studio.NET 2002 on Windows XP Service Pack 1.

One of the other uses for this code I've found is, for instantiating COM components that must run in an alternate security context to that of the logged-on user.

If anyone has a more secure method of achieving the same thing, please let me know.

History

  • Version 1.0 - 04.25.03 - First release version

License

This article, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)


Written By
Christian Merritt
Zambia Zambia
Living abroad and loving life.

Comments and Discussions

 
FirstPrev Next
GeneralRe: What an attitude... Pin
Christian Merritt27-Oct-03 5:46
Christian Merritt27-Oct-03 5:46 
GeneralIt's cool Pin
Jahava27-Oct-03 13:45
Jahava27-Oct-03 13:45 
GeneralRe: Coding Style Issues Pin
Jonathan C Dickinson5-May-08 1:53
Jonathan C Dickinson5-May-08 1:53 
GeneralError messages Pin
Maximilian Hänel6-May-03 1:24
Maximilian Hänel6-May-03 1:24 
GeneralRe: Error messages Pin
Haidong Chen27-May-03 12:15
Haidong Chen27-May-03 12:15 
GeneralRe: Error messages Pin
Haidong Chen27-May-03 12:17
Haidong Chen27-May-03 12:17 
GeneralRe: Error messages Pin
Maximilian Hänel27-May-03 12:47
Maximilian Hänel27-May-03 12:47 
GeneralSeImpersonatePrivilege Pin
geo_m3-May-03 22:56
geo_m3-May-03 22:56 
Just to complete your article, I found following digged somewhere on msdn server, where they talk about Win Server 2003:


...the ability to impersonate is only granted to accounts with the Service SID (Network Service, Local Service, and Local System) and Administrators.

If an account is not granted this privilege and code running as that account attempts to call an impersonation function, the code will not fail, but rather return an identify token.

For impersonation to work, one or more of the following must be true:

1. The requested impersonation level is less than impersonate (that is anonymous or identify level, which should always succeed).

2. The process token has the SeImpersonatePrivilege privilege.

3. A process (or another process in the same logon session) created the token by calling LogonUser with explicit credentials. Let's be honest, if you know an account's password, then you can impersonate them too.

4. The token is for the expected user. In other words, the code is attempting to impersonate the process identity.

5. Component Object Model (COM) servers that are started by the COM infrastructure and that are configured to run under a specific account also have the Service group added to their access tokens. As a result, these services get this user when they are started. This does not apply if the COM server is marked as Activate as Activator.

The intention is to back-port this privilege to prior versions of Windows if customers feel it important to do so.
GeneralThis method won't work on Windows 2000 or Windows NT Pin
Softomatix3-May-03 13:54
Softomatix3-May-03 13:54 
GeneralRe: This method won't work on Windows 2000 or Windows NT Pin
Christian Merritt3-May-03 15:53
Christian Merritt3-May-03 15:53 
GeneralRe: This method won't work on Windows 2000 or Windows NT Pin
Softomatix4-May-03 3:57
Softomatix4-May-03 3:57 
GeneralRe: This method won't work on Windows 2000 or Windows NT Pin
Danko Greiner14-Dec-04 0:44
Danko Greiner14-Dec-04 0:44 
Last Visit: 31-Dec-99 18:00     Last Update: 29-Apr-24 8:19Refreshᐊ Prev123

General General    News News    Suggestion Suggestion    Question Question    Bug Bug    Answer Answer    Joke Joke    Praise Praise    Rant Rant    Admin Admin   

Use Ctrl+Left/Right to switch messages, Ctrl+Up/Down to switch threads, Ctrl+Shift+Left/Right to switch pages.

Permalink
Advertise
Privacy
Cookies
Terms of Use
Layout: fixed | fluid

Posted 29 Apr 2003

Article Copyright 2003 by Christian Merritt
Everything else Copyright © CodeProject, 1999-2024

Web01 2.8:2024-04-02:1