Click here to Skip to main content
15,901,505 members
Please Sign up or sign in to vote.
0.00/5 (No votes)
See more:
I am having trouble getting the correct type of impersonation token using WindowsIdentity.impersonate(). My code attempts to access a file share using the account of the user who is running it, who has been denied access to it. When this process fails the I attempt to impersonate the Administrator account, who has access to the file share, and access it again. However the ImpersonationLevel of my WindowsImpersonationContext is Impersonation, not Delegation. I have ensured that my process has the SeTcbPrivilege enabled and that the machine that the code runs on has constrained delegation enabled.

From my understanding I am not able to access the file share because it is a network resource, and to access a network resource I need to have a Delegation ImpersonationLevel, Impersonation will only work for accessing resources on the local system (which I have verified as working). Under the properties for my machine on AD I have the cifs service added for WIN-J5H5R939SN7 under the delegation settings.

Are there any other steps I need to take to receive a Delegation token?

C#
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Security.Principal;
using System.Security;
using System.IO;

namespace DelegationTest
{
    class Program
    {

        static bool printDirectory(string directory)
        {
            Console.WriteLine("Attempting to read directory " + directory + " as " + WindowsIdentity.GetCurrent().Name);
            try
            {
                DirectoryInfo dirInfo = new DirectoryInfo(directory);
                FileInfo[] files = dirInfo.GetFiles();
                foreach (FileInfo f in files)
                {
                    Console.WriteLine(f.FullName);
                }
            }
            catch (Exception e)
            {
                //Console.WriteLine(e.ToString());
                Console.WriteLine(e.Message);
                return false;
            }
            return true;
        }
        static void Main(string[] args)
        {
            string dir = @"\\WIN-J5H5R939SN7\demoCA";
            if (!printDirectory(dir))
            {
                Console.WriteLine("Attempt to impersonate Administrator and try again");
                string userName = "Administrator";
                WindowsIdentity wid = new WindowsIdentity(userName);
                WindowsImpersonationContext wic;
                try
                {
                    wic = wid.Impersonate();
                    System.Console.WriteLine(wid.ImpersonationLevel.ToString());
                    printDirectory(dir);
                    wic.Undo();
                }
                catch (Exception e)
                {
                    System.Console.WriteLine(e.Message);
                }
            }

        }
    }
}
Posted

1 solution

"My code attempts to access a file share using the account of the user who is running it, who has been denied access to it. When this process fails the I attempt to impersonate the Administrator account"

Sounds like things are working as they should - you need the administrator password too.

This might help you to do it right (You will still need the password):
A small C# Class for impersonating a User[^]


Best regards
Espen Harlinn
 
Share this answer
 
Comments
Member 8105804 4-Aug-11 12:28pm    
Thanks for the reply.

From what I understand the code should be using the S4U Kerberos Extensions, which should allow me to use Impersonation/Delegation without having the user's password. From what I can tell the code is using the S4U2Self extension, rather than the S4U2Proxy extension, which would provide me with a Delegation token. The KERB_S4U_LOGON structure, which I believe is being used behind the scenes here, does not have a field for the user's password.
Espen Harlinn 4-Aug-11 12:54pm    
Just think about it: If you can access the administrator account using some sort of "magic" from a program running under any other account, the security would be hopelessly compromised ...
Member 8105804 4-Aug-11 17:31pm    
You can't though. The account that the code runs under has to have the SeTcbPrivilege to perform Delegation. The SeTcbPrivilege allows that account to act as though it were it Local System Account. With that level of privilege there isn't anything you can't do anyway.
Espen Harlinn 4-Aug-11 18:40pm    
"My code attempts to access a file share using the account of the user who is running it" made me assume that you where talking about a logged in user.

You have to stop/exit the impersonation of the user, so that the code will run under the Local System Account again to be able to do what you want.

Alternatively you can start a thread when you are initially running under the Local System Account - this thread will the continue to run under the Local System Account. Perhaps creating an active object - see: http://blog.gurock.com/wp-content/uploads/2008/01/activeobjects.pdf
I don't know anything about this author but the pattern is good.
You can also look at my article:http://www.codeproject.com/KB/mcpp/ACEDotNetDemo.aspx
for an example of the pattern in C++

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)



CodeProject, 20 Bay Street, 11th Floor Toronto, Ontario, Canada M5J 2N8 +1 (416) 849-8900