Click here to Skip to main content
15,878,543 members
Please Sign up or sign in to vote.
0.00/5 (No votes)
See more:
Hello,

I have a c# application which impersonate other users on my domain using their credentials(User name and password).

It's working as expected. However an attempt to impersonate a User on a PC in a certain Workgroup that is connected to my domain would give me an error:

Login Failure: unknown user name or bad password.

This is the method that does the actual impersonation:

C#
private void ImpersonateValidUser(
    string userName,
    string domain,
    string password) {
    WindowsIdentity tempWindowsIdentity = null;
    IntPtr token = IntPtr.Zero;
    IntPtr tokenDuplicate = IntPtr.Zero;
    try {
        if (RevertToSelf()) {

            if (LogonUser(
                userName,
                domain,
                password,
                LOGON32_LOGON_INTERACTIVE,
                LOGON32_PROVIDER_DEFAULT,
                ref token) != 0) {
                if (DuplicateToken(token, 2, ref tokenDuplicate) != 0) {
                    tempWindowsIdentity = new WindowsIdentity(tokenDuplicate);
                    impersonationContext = tempWindowsIdentity.Impersonate();
                }
                else {
                    throw new Win32Exception(Marshal.GetLastWin32Error());
                }
            }
            else {
                throw new Win32Exception(Marshal.GetLastWin32Error());
            }
        }
        else {
            throw new Win32Exception(Marshal.GetLastWin32Error());
        }
    }
    finally {
        if (token != IntPtr.Zero) {
            CloseHandle(token);
        }
        if (tokenDuplicate != IntPtr.Zero) {
            CloseHandle(tokenDuplicate);
        }
    }
}


And as I said, this works perfectly if I try to impersonate a user on my domain. What I want is to be able to impersonate a User on a PC that's in a workgroup connected to my domain.

Any idea how to resolve this issue?

Thank you
Posted
Updated 27-Sep-10 4:08am
v3

Issue resolved.

To allow cross domain impersonation, one must use LOGON32_LOGON_NEW_CREDENTIALS(9) instead of LOGON32_LOGON_INTERACTIVE(2)in the LogonUser() parameters.

Cheers
 
Share this answer
 
If the computer on which you're performing the impersonation is a member of a domain which does not trust the domain of the user account you are trying to impersonate, then the impersonation attempt will fail.

So, set up a trust, and see if it then works.
 
Share this answer
 
Comments
deadwood88 27-Sep-10 7:54am    
The User I'm trying to impersonate is on a PC which is part of a workgroup(not domain) connected to my domain. Does what you've said above apply to this scenario as well?
If the computer on which you're performing the impersonation is a member of a domain which does not trust the domain of the user account you are trying to impersonate, then the impersonation attempt will fail.

So, set up a trust, and see if it then works.

For more info, try googling "cross-domain impersonation".
 
Share this answer
 
Comments
deadwood88 27-Sep-10 8:57am    
I tried that. I didnt find what i was looking for.
I want to impersonate a user on a workgroup(not domain) connected to my domain.

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)



CodeProject, 20 Bay Street, 11th Floor Toronto, Ontario, Canada M5J 2N8 +1 (416) 849-8900