Well, I've had a lovely break...now for some code. This will let you 'impersonate' a user, which is really handy when, for instance, trying to upload a file to a network location...as usual, I have no idea where I found this; if it was yours, let me know!

using System;
using System.Web;
using System.Web.Security;
using System.Security.Principal;
using System.Runtime.InteropServices;

namespace Components.Security
{
    /// <summary>
    /// Logs a Windows user on and impersonates that identity on the current
    /// thread until undoImpersonation is called.
    /// </summary>
    public class ImpersonateUser
    {
        public const int LOGON32_LOGON_INTERACTIVE = 2;
        public const int LOGON32_PROVIDER_DEFAULT = 0;
        // SECURITY_IMPERSONATION_LEVEL value passed to DuplicateToken
        public const int SECURITY_IMPERSONATION = 2;

        WindowsImpersonationContext impersonationContext;

        [DllImport("advapi32.dll", CharSet = CharSet.Auto, SetLastError = true)]
        public static extern int LogonUser(string lpszUserName,
                                           string lpszDomain,
                                           string lpszPassword,
                                           int dwLogonType,
                                           int dwLogonProvider,
                                           ref IntPtr phToken);

        [DllImport("advapi32.dll", CharSet = CharSet.Auto, SetLastError = true)]
        public static extern int DuplicateToken(IntPtr hToken,
                                                int impersonationLevel,
                                                ref IntPtr hNewToken);

        // Needed to release the raw token handles; WindowsIdentity keeps its own copy.
        [DllImport("kernel32.dll", SetLastError = true)]
        public static extern bool CloseHandle(IntPtr handle);

        public bool impersonateValidUser(string userName, string domain, string password)
        {
            IntPtr token = IntPtr.Zero;
            IntPtr tokenDuplicate = IntPtr.Zero;
            try
            {
                if (LogonUser(userName, domain, password, LOGON32_LOGON_INTERACTIVE,
                              LOGON32_PROVIDER_DEFAULT, ref token) == 0)
                {
                    return false;
                }
                if (DuplicateToken(token, SECURITY_IMPERSONATION, ref tokenDuplicate) == 0)
                {
                    return false;
                }
                WindowsIdentity tempWindowsIdentity = new WindowsIdentity(tokenDuplicate);
                impersonationContext = tempWindowsIdentity.Impersonate();
                return (impersonationContext != null);
            }
            finally
            {
                // Close both handles on every path; the impersonation context stays valid
                // because WindowsIdentity holds its own duplicate of the token.
                if (tokenDuplicate != IntPtr.Zero) CloseHandle(tokenDuplicate);
                if (token != IntPtr.Zero) CloseHandle(token);
            }
        }

        public void undoImpersonation()
        {
            if (impersonationContext != null)
            {
                impersonationContext.Undo();
                impersonationContext = null;
            }
        }
    }
}
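The class above leaves it to the caller to remember undoImpersonation, so an exception in the guarded code leaves the worker thread running as the impersonated account. The following is an added example, not the original post's code: it wraps the same LogonUser/DuplicateToken sequence in an IDisposable so that a using block limits the impersonated identity to exactly the lines that need it (the file copy to a share) and undoes it even when those lines throw. The domain, account, local path and the UNC path \\fileserver\uploads\ are placeholders to be replaced with your own values.

```csharp
using System;
using System.ComponentModel;
using System.IO;
using System.Runtime.InteropServices;
using System.Security.Principal;

namespace Components.Security.Examples
{
    // Scoped impersonation: the identity is swapped only for the lifetime of the
    // using block and is restored in Dispose, whether or not the block threw.
    public sealed class ImpersonationScope : IDisposable
    {
        const int LOGON32_LOGON_INTERACTIVE = 2;
        const int LOGON32_PROVIDER_DEFAULT = 0;
        const int SECURITY_IMPERSONATION = 2;   // SECURITY_IMPERSONATION_LEVEL

        [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
        static extern bool LogonUser(string user, string domain, string password,
                                     int logonType, int logonProvider, out IntPtr token);

        [DllImport("advapi32.dll", SetLastError = true)]
        static extern bool DuplicateToken(IntPtr token, int impersonationLevel, out IntPtr duplicate);

        [DllImport("kernel32.dll", SetLastError = true)]
        static extern bool CloseHandle(IntPtr handle);

        readonly WindowsImpersonationContext context;

        public ImpersonationScope(string user, string domain, string password)
        {
            IntPtr token = IntPtr.Zero;
            IntPtr duplicate = IntPtr.Zero;
            try
            {
                if (!LogonUser(user, domain, password, LOGON32_LOGON_INTERACTIVE,
                               LOGON32_PROVIDER_DEFAULT, out token))
                    throw new Win32Exception(Marshal.GetLastWin32Error(), "LogonUser failed");

                if (!DuplicateToken(token, SECURITY_IMPERSONATION, out duplicate))
                    throw new Win32Exception(Marshal.GetLastWin32Error(), "DuplicateToken failed");

                // WindowsIdentity keeps its own copy of the token, so the raw
                // handles are released in the finally block regardless of outcome.
                context = new WindowsIdentity(duplicate).Impersonate();
            }
            finally
            {
                if (duplicate != IntPtr.Zero) CloseHandle(duplicate);
                if (token != IntPtr.Zero) CloseHandle(token);
            }
        }

        public void Dispose()
        {
            // Restores the identity the thread had before the scope was entered.
            context.Undo();
        }
    }

    public static class UploadExample
    {
        // Placeholder values: domain, account and share path are assumptions for the example.
        public static void CopyToShare(string localPath, string domain, string user, string password)
        {
            Console.WriteLine("Before: " + WindowsIdentity.GetCurrent().Name);   // the worker account
            using (new ImpersonationScope(user, domain, password))
            {
                Console.WriteLine("Inside: " + WindowsIdentity.GetCurrent().Name); // the share account
                File.Copy(localPath, @"\\fileserver\uploads\" + Path.GetFileName(localPath), true);
            }
            Console.WriteLine("After:  " + WindowsIdentity.GetCurrent().Name);   // worker account again
        }
    }
}
```

Printing WindowsIdentity.GetCurrent().Name before, inside and after the block is the quickest check that the swap is confined to the using scope; everything outside it keeps running as the normal worker account, which is the point of doing this in code rather than with a site-wide setting. The Impersonate/Undo pair is the .NET Framework API the post is written against; on later .NET versions the same pattern is expressed with WindowsIdentity.RunImpersonated.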
posted on Friday, December 05, 2003 10:16 PM

Comments

# re: Back - and code for impersonating users...
Posted by Jon Galloway on 1/8/2004 1:25 AM
Scott-
Have you used this from ASP.NET? You didn't mention the context. This seems like a better approach than the shotgun <identity impersonate="true" /> in the web.config, which sets impersonation for the whole website. I'm working on a project that will do this and would like to limit the impersonation as much as possible.
Sorry to haunt your site, you just seem to have all the .NET goodies.
-Jon
# re: Back - and code for impersonating users...
Posted by Scott Galloway on 1/8/2004 9:12 AM
Yes, I used the code specifically for file upload from ASP.NET.
I agree that the more fine grained you are with impersonation, the better - I wrapped the impersonation around 4 lines of code, with the rest of the site running as the normal ASPNET user.
# From one web server to another
Posted by David Kafrissen on 3/18/2004 10:07 PM
Can this code be used to go from one web server to another?

Assuming all machines are Windows XP, I have Machine A serving up web pages with forms authentication with users/passwords in SQL database.

I want to bring up second machine URL in an IFrame and log on for the user. The second machine web application is written by another company and uses Windows NT security and assume that I know all users and passwords for second machine.

Can the first machine use this impersonation technique and just hit the second URL?

Thanks in advance,

David Kafrissen
# re: Back - and code for impersonating users...
Posted by Scott Galloway on 3/18/2004 10:20 PM
No, sorry...this technique won't work across domains.
# From one web server to another
Posted by David Kafrissen on 3/18/2004 10:39 PM
Which domains the computers are in are under my control because "we" administer all the application in question.

So I join the computers into the same domain and this will work?

Regards,

David Kafrissen
# re: Back - and code for impersonating users...
Posted by Scott Galloway on 3/18/2004 10:44 PM
I haven't tried that configuration I'm afraid...so I really can't say....
# Impersonation when using IFrame
Posted by David Kafrissen on 3/22/2004 6:52 PM
I was thinking more about this and here is another problem.

Suppose you have some asp.net pseudo code:

success = impersonateuser("user", "domain", password)

IFrame.txt = "somerl"

if success then
undoimpersonation

The problem is that the IFrame is a redirection on the user's browser, correct?

So how could one accomplish this.

Both servers are under our administrative control, but they are different applications so I do want to bring the second application in an IFrame or something.

Any thoughts?

Thanks in advance,

Dave
# re: Back - and code for impersonating users...
Posted by Scott Galloway on 3/22/2004 8:50 PM
Hmm...so your actual problem is that you need both frames to use the same authorization details - or that you need to automatically log in the IFrame server based on the credentials used in the main app - if it's the latter you actually have a bunch of options...you may be glad to know. First there's the option of passing the login details in the query string to the page in the iframe, this page can then use the code I put above to log in the user - you'd want to encrypt the querystring obviously but this is fairly trivial in .NET.
Second, you can use a web service to provide a sort of unified login service for both machines - just storing the appropriate details in two separate encrypted cookies, one for each server - then when you authenticate on the IFrame server you can use this encrypted cookie to login to that machine...any help???
# re: Back - and code for impersonating users...
Posted by David Kafrissen on 3/23/2004 6:30 PM
You wrote:

> Any Help?

Not sure. What I have is machine A. Which is an ASP.net application that I wrote. I am using forms authentication with user information stored in an mssql database.

I have machine B which is an application whose code I have no control over.

I have discovered that I can solve the problem with an IFrame with this syntax.

http://user:password@machine.com

The problem is, as I understand it, Microsoft has just removed from the client, with a security patch, this functionality.

It is in this knowledge base article:
http://support.microsoft.com/default.aspx?kbid=834489

which also lists as a workaround using the IAuthenticate interface somehow.

At this point I have no idea how I would use this interface in VB.net to get the desired effect.

Thanks in advance,
Dave
# re: Back - and code for impersonating users...
Posted by Arno Richard on 10/21/2004 1:08 PM
Dave,

I'm experiencing exactly the same situation, and just posted my question on Microsoft's dotnet.framework.aspnet.security forum...

Have you found a way to resolve your problem, or after 6 months, have you given up???

Thanks,
Arnaud Richard
# re: Back - and code for impersonating users...
Posted by Scott Galloway on 10/21/2004 2:23 PM
Never had any need to go further to be honest, I have seen a method of doing this...it is out there somewhere...
# re: Back - and code for impersonating users...
Posted by Arno Richard on 10/21/2004 3:05 PM
ok thanks for the update & encouragements, I'll keep digging... but now I may not be digging for nothing, as I was starting to wonder.