Click here to Skip to main content
15,072,933 members
Articles / Programming Languages / Visual Basic
Posted 6 Jun 2006


97 bookmarked

User Impersonation in .NET

Rate me:
Please Sign up or sign in to vote.
4.62/5 (30 votes)
6 Jun 2006CPOL2 min read
This sample shows how to switch between security contexts within the same process. It also demonstrates how this can be done on a single or multiple threads.


This sample shows how to switch between security contexts within the same process. It also demostrates how this can be done on a single or multiple threads.

Why It's Here

I was looking through the Message Board on The Code Project site and came across a very interesting question. One of the members was asking how to access a file on another computer in a Workgroup without being prompted to specify user credentials.

I started researching the topic and found the solution in the .NET class library reference. I was impressed by the elegance of the solution, so I decided to have it published here for the benefit of other fellow-developers.


The main class within the project is the ImpersonateUser that uses Win32 API function LogonUser and the .NET class WindowsImpersonationContext that represents the Windows user before impersonation.

To impersonate a different user, the class follows three distincts steps as listed below.

Step 1

Using LogonUser, it creates a new security token and obtains a handle to it.

bool returnValue = LogonUser(
    ref tokenHandle);           // tokenHandle is a new security token

Step 2

Using this handle, it creates an instance of the WindowsIdentity class.

WindowsIdentity newId = new WindowsIdentity(tokenHandle);

Step 3

It then uses the WindowsIdentity.Impersonate() method that returns WindowsImpersonationContext to assign the new security token to the current WindowsImpersonationContext.

// Declared in the ImpersonateUser class
private static WindowsImpersonationContext impersonatedUser;

// used within the class Impersonate method
impersonatedUser = newId.Impersonate();

Main Class

Here's the code for the ImpersonateUser class:

public class ImpersonateUser
    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool LogonUser(
            String lpszUsername,
            String lpszDomain,
            String lpszPassword,
            int dwLogonType,
            int dwLogonProvider,
            ref IntPtr phToken);

    [DllImport("kernel32.dll", CharSet = CharSet.Auto)]
    public extern static bool CloseHandle(IntPtr handle);

    private static IntPtr tokenHandle = new IntPtr(0);
    private static WindowsImpersonationContext impersonatedUser;

    // If you incorporate this code into a DLL, be sure to demand that it
    // runs with FullTrust.
    [PermissionSetAttribute(SecurityAction.Demand, Name = "FullTrust")]
    public void Impersonate(string domainName, string userName, string password) {
    try {
        // Use the unmanaged LogonUser function to get the user token for
        // the specified user, domain, and password.
        const int LOGON32_PROVIDER_DEFAULT = 0;
        // Passing this parameter causes LogonUser to create a primary token.
        const int LOGON32_LOGON_INTERACTIVE = 2;
        tokenHandle = IntPtr.Zero;
        // ---- Step - 1 
        // Call LogonUser to obtain a handle to an access token.
        bool returnValue = LogonUser(
                            ref tokenHandle);         // tokenHandle - new security token

        if (false == returnValue) {
            int ret = Marshal.GetLastWin32Error();
            Console.WriteLine("LogonUser call failed with error code : " + ret);
            throw new System.ComponentModel.Win32Exception(ret);

        // ---- Step - 2 
        WindowsIdentity newId = new WindowsIdentity(tokenHandle);
        // ---- Step - 3 
        impersonatedUser = newId.Impersonate();
    catch (Exception ex) {
    Console.WriteLine("Exception occurred. " + ex.Message);

    // Stops impersonation
    public void Undo() {
        // Free the tokens.
        if (tokenHandle != IntPtr.Zero)


ImpersonateUser iU = new ImpersonateUser();
// TODO: Replace credentials
iU.Impersonate("remoteMachine", "userID", "password");
// Next lines of code will run in the security context of the user specified above
// ....
// Revert back to the previous user identity

Please download the source code and run the demo project - it will give you a better idea how easy it is to use the class.

How To Use ImpersUsr.dll

  1. Download and extract ImpersUsr.dll
  2. Create a Console type project
  3. Add a reference to ImpersUsr.dll
  4. Instantiate the ImpersonateUser class
  5. Call ImpersonateUser.Impersonate(..) method
  6. Code whatever you need to run in the new security context
  7. Call ImpersonateUser.Undo() method to stop impersonating


Please download the source to see how to start a separate thread in a different security context.


  • 6th June, 2006: Initial post


This article, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)


About the Author

Alex B. Clarke
Web Developer
United Kingdom United Kingdom
Alex B. Clarke is a professioinal software developer specialising in .Net, C#, Asp.Net, SQL, ADSI, CDO, and other technolgies. He writes applications that automate business processes.

Comments and Discussions

GeneralMy vote of 5 Pin
Member 1300799228-Nov-17 9:55
MemberMember 1300799228-Nov-17 9:55 
Questionwindostation Pin
ricardodn44-May-13 2:51
Memberricardodn44-May-13 2:51 
Questiongetting error Pin
Pyakaa17-Dec-12 1:50
MemberPyakaa17-Dec-12 1:50 
QuestionSeven Pin
nuno.cabaco15-Mar-12 6:57
Membernuno.cabaco15-Mar-12 6:57 
GeneralThanks Pin
Member 447960329-Jul-10 18:51
MemberMember 447960329-Jul-10 18:51 
GeneralThanks :) Pin
ronchese30-Dec-09 4:34
Memberronchese30-Dec-09 4:34 
GeneralimpersonatedUser.Undo(); Pin
joseph_81tr20-Dec-09 21:55
Memberjoseph_81tr20-Dec-09 21:55 
GeneralRe: impersonatedUser.Undo(); Pin
joseph_81tr20-Dec-09 22:10
Memberjoseph_81tr20-Dec-09 22:10 
GeneralRe: impersonatedUser.Undo(); Pin
Alex B. Clarke22-Dec-09 7:16
MemberAlex B. Clarke22-Dec-09 7:16 
GeneralTears of Joy! Pin
gutharius4-Jan-09 9:19
Membergutharius4-Jan-09 9:19 
GeneralAccessViolationException Pin
drdaveh30-Apr-08 3:24
Memberdrdaveh30-Apr-08 3:24 
AnswerRe: AccessViolationException Pin
Ifligus5-May-08 5:01
MemberIfligus5-May-08 5:01 
GeneralNamespace... Pin
thatrickguy15-Jun-07 11:45
Memberthatrickguy15-Jun-07 11:45 
GeneralFailure on Vista Pin
Steve Harding30-May-07 3:54
MemberSteve Harding30-May-07 3:54 
GeneralRe: Failure on Vista Pin
Alex B. Clarke1-Jun-07 8:39
MemberAlex B. Clarke1-Jun-07 8:39 
GeneralException: Maximum number of clients connected Pin
inno125-Apr-07 3:56
Memberinno125-Apr-07 3:56 
GeneralImpersonate in Web App Pin
Bradley McGuffey7-Mar-07 8:59
MemberBradley McGuffey7-Mar-07 8:59 
GeneralRe: Impersonate in Web App [modified] Pin
marccp20-Mar-07 3:10
Membermarccp20-Mar-07 3:10 
GeneralThank you Pin
grazza9825-Feb-07 23:53
Membergrazza9825-Feb-07 23:53 
Generalimpersonate error [modified] Pin
JakeFront21-Jul-06 3:34
professionalJakeFront21-Jul-06 3:34 
GeneralRe: impersonate error Pin
Alex B. Clarke21-Jul-06 7:24
MemberAlex B. Clarke21-Jul-06 7:24 
GeneralRe: impersonate error Pin
JakeFront23-Jul-06 23:09
professionalJakeFront23-Jul-06 23:09 
GeneralRe: impersonate error Pin
Alex B. Clarke24-Jul-06 4:37
MemberAlex B. Clarke24-Jul-06 4:37 
GeneralRe: impersonate error Pin
JakeFront24-Jul-06 4:51
professionalJakeFront24-Jul-06 4:51 
GeneralRe: impersonate error Pin
Alex B. Clarke24-Jul-06 5:47
MemberAlex B. Clarke24-Jul-06 5:47 

General General    News News    Suggestion Suggestion    Question Question    Bug Bug    Answer Answer    Joke Joke    Praise Praise    Rant Rant    Admin Admin   

Use Ctrl+Left/Right to switch messages, Ctrl+Up/Down to switch threads, Ctrl+Shift+Left/Right to switch pages.