Hello,

I have a C# application which impersonates other users on my domain using their credentials (user name and password).

It's working as expected. However an attempt to impersonate a User on a PC in a certain Workgroup that is connected to my domain would give me an error:

Login Failure: unknown user name or bad password.

This is the method that does the actual impersonation:

C#
private void ImpersonateValidUser(
    string userName,
    string domain,
    string password) {
    WindowsIdentity tempWindowsIdentity = null;
    IntPtr token = IntPtr.Zero;
    IntPtr tokenDuplicate = IntPtr.Zero;
    try {
        // Drop any impersonation already active on this thread before logging on.
        if (RevertToSelf()) {

            // Interactive logon: the credentials are validated on this machine.
            if (LogonUser(
                userName,
                domain,
                password,
                LOGON32_LOGON_INTERACTIVE,
                LOGON32_PROVIDER_DEFAULT,
                ref token) != 0) {
                // 2 = SecurityImpersonation level for the duplicated token.
                if (DuplicateToken(token, 2, ref tokenDuplicate) != 0) {
                    tempWindowsIdentity = new WindowsIdentity(tokenDuplicate);
                    // impersonationContext is a field; call Undo() on it to revert.
                    impersonationContext = tempWindowsIdentity.Impersonate();
                }
                else {
                    throw new Win32Exception(Marshal.GetLastWin32Error());
                }
            }
            else {
                throw new Win32Exception(Marshal.GetLastWin32Error());
            }
        }
        else {
            throw new Win32Exception(Marshal.GetLastWin32Error());
        }
    }
    finally {
        // WindowsIdentity keeps its own copy of the token, so both raw handles are closed here.
        if (token != IntPtr.Zero) {
            CloseHandle(token);
        }
        if (tokenDuplicate != IntPtr.Zero) {
            CloseHandle(tokenDuplicate);
        }
    }
}


And as I said, this works perfectly if I try to impersonate a user on my domain. What I want is to be able to impersonate a User on a PC that's in a workgroup connected to my domain.

Any idea how to resolve this issue?

Thank you
Updated 27-Sep-10 4:08am

Issue resolved.

To allow cross-domain impersonation, one must use LOGON32_LOGON_NEW_CREDENTIALS (9) instead of LOGON32_LOGON_INTERACTIVE (2) in the LogonUser() parameters.

Cheers
 
If the computer on which you're performing the impersonation is a member of a domain which does not trust the domain of the user account you are trying to impersonate, then the impersonation attempt will fail.

So, set up a trust, and see if it then works.
 
Comments
deadwood88 27-Sep-10 7:54am    
The User I'm trying to impersonate is on a PC which is part of a workgroup (not domain) connected to my domain. Does what you've said above apply to this scenario as well?
If the computer on which you're performing the impersonation is a member of a domain which does not trust the domain of the user account you are trying to impersonate, then the impersonation attempt will fail.

So, set up a trust, and see if it then works.

For more info, try googling "cross-domain impersonation".
 
Comments
deadwood88 27-Sep-10 8:57am    
I tried that. I didn't find what I was looking for.
I want to impersonate a user on a workgroup (not domain) connected to my domain.

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)


