mostlylucid

STATIC ARCHIVE of mostlylucid.co.uk of old
posts - 895, comments - 679, trackbacks - 11

Back - and code for impersonating users...

Well, had a lovely break...now for some code. This will let you 'impersonate' a user (log on with a given account and run the current thread under that identity) - really handy when, for instance, trying to upload a file to a network location. As usual, no idea where I found this; if it was yours, let me know!

```csharp
using System;
using System.Web;
using System.Web.Security;
using System.Security.Principal;
using System.Runtime.InteropServices;

namespace Components.Security
{
    /// <summary>
    /// Logs on a Windows account with LogonUser and runs the current thread
    /// under that identity until undoImpersonation() is called.
    /// </summary>
    public class ImpersonateUser
    {
        public const int LOGON32_LOGON_INTERACTIVE = 2;
        public const int LOGON32_PROVIDER_DEFAULT = 0;
        // SECURITY_IMPERSONATION_LEVEL value handed to DuplicateToken
        public const int SECURITY_IMPERSONATION = 2;

        WindowsImpersonationContext impersonationContext;

        [DllImport("advapi32.dll", CharSet = CharSet.Auto, SetLastError = true)]
        public static extern int LogonUser(string lpszUsername,
                                           string lpszDomain,
                                           string lpszPassword,
                                           int dwLogonType,
                                           int dwLogonProvider,
                                           ref IntPtr phToken);

        [DllImport("advapi32.dll", CharSet = CharSet.Auto, SetLastError = true)]
        public static extern int DuplicateToken(IntPtr hToken,
                                                int impersonationLevel,
                                                ref IntPtr hNewToken);

        // Needed so the raw token handles from LogonUser/DuplicateToken are not leaked.
        [DllImport("kernel32.dll", SetLastError = true)]
        public static extern bool CloseHandle(IntPtr handle);

        public bool impersonateValidUser(string userName, string domain, string password)
        {
            IntPtr token = IntPtr.Zero;
            IntPtr tokenDuplicate = IntPtr.Zero;
            try
            {
                // Returns 0 on failure: bad credentials, or the account lacks the
                // "log on locally" right that LOGON32_LOGON_INTERACTIVE requires.
                if (LogonUser(userName, domain, password, LOGON32_LOGON_INTERACTIVE,
                              LOGON32_PROVIDER_DEFAULT, ref token) == 0)
                {
                    return false;
                }
                // The primary token from LogonUser must be turned into an
                // impersonation token before a thread can use it.
                if (DuplicateToken(token, SECURITY_IMPERSONATION, ref tokenDuplicate) == 0)
                {
                    return false;
                }
                // WindowsIdentity duplicates the handle internally, so both of
                // ours can be closed in the finally block below.
                WindowsIdentity tempWindowsIdentity = new WindowsIdentity(tokenDuplicate);
                impersonationContext = tempWindowsIdentity.Impersonate();
                return (impersonationContext != null);
            }
            finally
            {
                if (tokenDuplicate != IntPtr.Zero) CloseHandle(tokenDuplicate);
                if (token != IntPtr.Zero) CloseHandle(token);
            }
        }

        public void undoImpersonation()
        {
            // Revert the thread to the original identity; safe to call when
            // impersonateValidUser never succeeded.
            if (impersonationContext != null)
            {
                impersonationContext.Undo();
                impersonationContext = null;
            }
        }
    }
}
```

posted on Friday, December 05, 2003 10:16 PM | Filed Under [ .NET Security ]

Feedback

# re: Back - and code for impersonating users...

Scott-
Have you used this from ASP.NET? You didn't mention the context. This seems like a better approach than the shotgun <identity impersonate="true" /> in the web.config, which sets impersonation for the whole website. I'm working on a project that will do this and would like to limit the impersonation as much as possible.
Sorry to haunt your site, you just seem to have all the .NET goodies.
-Jon
1/8/2004 1:25 AM | Jon Galloway

# re: Back - and code for impersonating users...

Yes, I used the code specifically for file upload from ASP.NET.
I agree that the more fine grained you are with impersonation, the better - I wrapped the impersonation around 4 lines of code, with the rest of the site running as the normal ASPNET user.
1/8/2004 9:12 AM | Scott Galloway
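To show the "wrap only a few lines" usage Jon asked about and Scott describes, here is an added example of calling the ImpersonateUser class from the post; this is not Scott's code or the original project's. The share path, the account settings keys and the method names (CopyAsServiceAccount, SaveUpload) are assumed placeholders, and the credentials are read from appSettings rather than written into the page:

```csharp
using System;
using System.Configuration;
using System.IO;
using System.Security.Principal;
using System.Web;
using Components.Security;   // the ImpersonateUser class from the post

public class UploadWithImpersonation
{
    // Copies one file to a UNC share under a dedicated upload account.
    // Only the File.Copy runs impersonated; everything before and after it
    // runs as the normal worker-process account.  Returns the identity the
    // copy ran as, which is handy for checking that impersonation took effect.
    public static string CopyAsServiceAccount(string localPath, string uncTarget,
                                              string user, string domain, string password)
    {
        ImpersonateUser imp = new ImpersonateUser();
        if (!imp.impersonateValidUser(user, domain, password))
        {
            // Keep the account name and password out of the error text; the
            // failure is logged server-side, not shown to the browser.
            throw new UnauthorizedAccessException("LogonUser failed for the upload account");
        }
        try
        {
            string runningAs = WindowsIdentity.GetCurrent().Name;
            File.Copy(localPath, uncTarget, false);   // false: never overwrite on the share
            return runningAs;
        }
        finally
        {
            // finally guarantees the thread reverts even if File.Copy throws, so
            // the next request served by this thread never runs with borrowed rights.
            imp.undoImpersonation();
        }
    }

    // Called from a page's upload handler.  Path.GetFileName strips any
    // directory part the client supplied, so the file can only land directly
    // in the configured share folder.
    public static string SaveUpload(HttpPostedFile posted, string tempFolder)
    {
        string safeName = Path.GetFileName(posted.FileName);
        string tempPath = Path.Combine(tempFolder, safeName);
        posted.SaveAs(tempPath);   // staged locally as the ASPNET account

        // Assumed appSettings keys in web.config (placeholders, not from the post).
        string share = ConfigurationSettings.AppSettings["UploadShare"];   // e.g. \\fileserver\uploads
        string user = ConfigurationSettings.AppSettings["UploadUser"];
        string domain = ConfigurationSettings.AppSettings["UploadDomain"];
        string password = ConfigurationSettings.AppSettings["UploadPassword"];

        try
        {
            return CopyAsServiceAccount(tempPath, Path.Combine(share, safeName),
                                        user, domain, password);
        }
        finally
        {
            File.Delete(tempPath);   // the local staging copy is not needed afterwards
        }
    }
}
```

The upload account only needs write access to that one share, and the try/finally keeps the impersonation window to the single copy call; the rest of the request, including parsing the upload, stays under the site's ordinary identity, which is the difference from `<identity impersonate="true" />` applying to every page.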

# From one web server to another

Can this code be used to go from one web server to another?

Assuming all machines are Windows XP, I have Machine A serving up web pages with forms authentication with users/passwords in SQL database.

I want to bring up second machine URL in an IFrame and log on for the user. The second machine web application is written by another company and uses Windows NT security and assume that I know all users and passwords for second machine.

Can the first machine use this impersonation technique and just hit the second URL?

Thanks in advance,

David Kafrissen
3/18/2004 10:07 PM | David Kafrissen

# re: Back - and code for impersonating users...

No, sorry...this technique won't work across domains.
3/18/2004 10:20 PM | Scott Galloway

# From one web server to another

Which domains the computers are in are under my control because "we" administer all the application in question.

So I join the computers into the same domain and this will work?

Regards,

David Kafrissen
3/18/2004 10:39 PM | David Kafrissen

# re: Back - and code for impersonating users...

I haven't tried that configuration I'm afraid...so I really can't say....
3/18/2004 10:44 PM | Scott Galloway

# Impersonation when using IFrame

I was thinking more about this and here is another problem.

Suppose you have some asp.net pseudo code:

success = impersonateuser("user", "domain", password)

IFrame.txt = "somerl"

if success then
undoimpersonation

The problem is that the IFrame is a redirection on the user's browser, correct?

So how could one accomplish this.

Both servers are under our administrative control, but they are different applications so I do want to bring the second application in an IFrame or something.

Any thoughts?

Thanks in advance,

Dave
3/22/2004 6:52 PM | David Kafrissen

# re: Back - and code for impersonating users...

Hmm...so your actual problem is that you need both frames to use the same authorization details - or that you need to automatically log in the IFrame server based on the credentials used in the main app - if it's the latter you actually have a bunch of options...you may be glad to know. First there's the option of passing the login details in the query string to the page in the iframe, this page can then use the code I put above to log in the user - you'd want to encrypt the querystring obviously but this is fairly trivial in .NET.
Second, you can use a web service to provide a sort of unified login service for both machines - just storing the appropriate details in two separate encrypted cookies, one for each server - then when you authenticate on the IFrame server you can use this encrypted cookie to login to that machine...any help???
3/22/2004 8:50 PM | Scott Galloway

# re: Back - and code for impersonating users...

You wrote:

> Any Help?

Not sure. What I have is machine A. Which is an ASP.net application that I wrote. I am using forms authentication with user information stored in an mssql database.

I have machine B which is an application whose code I have no control over.

I have discovered that I can solve the problem with an IFrame with this syntax.

http://user:[email protected]

The problem is, as I understand it, Microsoft has just removed this functionality from the client with a security patch.

It is in this knowledge base article:
http://support.microsoft.com/default.aspx?kbid=834489

which also lists as a workaround using the IAuthenticate interface somehow.

At this point I have no idea how I would use this interface in VB.net to get the desired effect.

Thanks in advance,
Dave
3/23/2004 6:30 PM | David Kafrissen

# re: Back - and code for impersonating users...

Dave,

I'm experiencing exactly the same situation, and just posted my question on Microsoft's dotnet.framework.aspnet.security forum...

Have you found a way to resolve your problem, or after 6 months, have you given up???

Thanks,
Arnaud Richard
10/21/2004 1:08 PM | Arno Richard

# re: Back - and code for impersonating users...

Never had any need to go further to be honest, I have seen a method of doing this...it is out there somewhere...
10/21/2004 2:23 PM | Scott Galloway

# re: Back - and code for impersonating users...

ok thanks for the update & encouragements, I'll keep digging... but now I may not be digging for nothing, as I was starting to wonder.
10/21/2004 3:05 PM | Arno Richard
