Description
This sample shows how to switch between security contexts within the same process. It also demostrates how this can be done on a single or multiple threads.
Why It's Here
I was looking through the Message Board on The Code Project site and came across a very interesting question. One of the members was asking how to access a file on another computer in a Workgroup without being prompted to specify user credentials.
I started researching the topic and found the solution in the .NET class library reference. I was impressed by the elegance of the solution, so I decided to have it published here for the benefit of other fellow-developers.
Explanation
The main class within the project is the ImpersonateUser that uses Win32 API function LogonUser and the .NET class WindowsImpersonationContext that represents the Windows user before impersonation.
To impersonate a different user, the class follows three distincts steps as listed below.
Step 1
Using LogonUser, it creates a new security token and obtains a handle to it.
bool returnValue = LogonUser(
userName,
domainName,
password,
LOGON32_LOGON_INTERACTIVE,
LOGON32_PROVIDER_DEFAULT,
ref tokenHandle);
Step 2
Using this handle, it creates an instance of the WindowsIdentity class.
WindowsIdentity newId = new WindowsIdentity(tokenHandle);
Step 3
It then uses the WindowsIdentity.Impersonate() method that returns WindowsImpersonationContext to assign the new security token to the current WindowsImpersonationContext.
private static WindowsImpersonationContext impersonatedUser;
impersonatedUser = newId.Impersonate();
Main Class
Here's the code for the ImpersonateUser class:
public class ImpersonateUser
{
[DllImport("advapi32.dll", SetLastError = true)]
public static extern bool LogonUser(
String lpszUsername,
String lpszDomain,
String lpszPassword,
int dwLogonType,
int dwLogonProvider,
ref IntPtr phToken);
[DllImport("kernel32.dll", CharSet = CharSet.Auto)]
public extern static bool CloseHandle(IntPtr handle);
private static IntPtr tokenHandle = new IntPtr(0);
private static WindowsImpersonationContext impersonatedUser;
[PermissionSetAttribute(SecurityAction.Demand, Name = "FullTrust")]
public void Impersonate(string domainName, string userName, string password) {
try {
const int LOGON32_PROVIDER_DEFAULT = 0;
const int LOGON32_LOGON_INTERACTIVE = 2;
tokenHandle = IntPtr.Zero;
bool returnValue = LogonUser(
userName,
domainName,
password,
LOGON32_LOGON_INTERACTIVE,
LOGON32_PROVIDER_DEFAULT,
ref tokenHandle);
if (false == returnValue) {
int ret = Marshal.GetLastWin32Error();
Console.WriteLine("LogonUser call failed with error code : " + ret);
throw new System.ComponentModel.Win32Exception(ret);
}
WindowsIdentity newId = new WindowsIdentity(tokenHandle);
impersonatedUser = newId.Impersonate();
}
catch (Exception ex) {
Console.WriteLine("Exception occurred. " + ex.Message);
}
}
public void Undo() {
impersonatedUser.Undo();
if (tokenHandle != IntPtr.Zero)
CloseHandle(tokenHandle);
}
}
Example
ImpersonateUser iU = new ImpersonateUser();
iU.Impersonate("remoteMachine", "userID", "password");
iU.Undo();
Please download the source code and run the demo project - it will give you a better idea how easy it is to use the class.
How To Use ImpersUsr.dll
- Download and extract ImpersUsr.dll
- Create a Console type project
- Add a reference to ImpersUsr.dll
- Instantiate the
ImpersonateUser class - Call
ImpersonateUser.Impersonate(..) method - Code whatever you need to run in the new security context
- Call
ImpersonateUser.Undo() method to stop impersonating
Multithreading
Please download the source to see how to start a separate thread in a different security context.
History
- 6th June, 2006: Initial post
Alex B. Clarke is a professioinal software developer specialising in .Net, C#, Asp.Net, SQL, ADSI, CDO, and other technolgies. He writes applications that automate business processes.
General 
News 
Suggestion 
Question 
Bug 
Answer 
Joke 
Praise 
Rant 
Admin 
Submit an article or tip
