How to use LogonUser properly to impersonate domain user from workgroup client
Solution 1
Very few posts suggest using LOGON_TYPE_NEW_CREDENTIALS
instead of LOGON_TYPE_NETWORK
or LOGON_TYPE_INTERACTIVE
. I had an impersonation issue with one machine connected to a domain and one not, and this fixed it.
The last code snippet in this post suggests that impersonating across a forest does work, but it doesn't specifically say anything about trust being set up. So this may be worth trying:
const int LOGON_TYPE_NEW_CREDENTIALS = 9;
const int LOGON32_PROVIDER_WINNT50 = 3;
bool returnValue = LogonUser(user, domain, password,
LOGON_TYPE_NEW_CREDENTIALS, LOGON32_PROVIDER_WINNT50,
ref tokenHandle);
MSDN says that LOGON_TYPE_NEW_CREDENTIALS
only works when using LOGON32_PROVIDER_WINNT50
.
Solution 2
this works for me, full working example (I wish more people would do this):
//logon impersonation
using System.Runtime.InteropServices; // DllImport
using System.Security.Principal; // WindowsImpersonationContext
using System.Security.Permissions; // PermissionSetAttribute
...
class Program {
// obtains user token
[DllImport("advapi32.dll", SetLastError = true)]
public static extern bool LogonUser(string pszUsername, string pszDomain, string pszPassword,
int dwLogonType, int dwLogonProvider, ref IntPtr phToken);
// closes open handes returned by LogonUser
[DllImport("kernel32.dll", CharSet = CharSet.Auto)]
public extern static bool CloseHandle(IntPtr handle);
public void DoWorkUnderImpersonation() {
//elevate privileges before doing file copy to handle domain security
WindowsImpersonationContext impersonationContext = null;
IntPtr userHandle = IntPtr.Zero;
const int LOGON32_PROVIDER_DEFAULT = 0;
const int LOGON32_LOGON_INTERACTIVE = 2;
string domain = ConfigurationManager.AppSettings["ImpersonationDomain"];
string user = ConfigurationManager.AppSettings["ImpersonationUser"];
string password = ConfigurationManager.AppSettings["ImpersonationPassword"];
try {
Console.WriteLine("windows identify before impersonation: " + WindowsIdentity.GetCurrent().Name);
// if domain name was blank, assume local machine
if (domain == "")
domain = System.Environment.MachineName;
// Call LogonUser to get a token for the user
bool loggedOn = LogonUser(user,
domain,
password,
LOGON32_LOGON_INTERACTIVE,
LOGON32_PROVIDER_DEFAULT,
ref userHandle);
if (!loggedOn) {
Console.WriteLine("Exception impersonating user, error code: " + Marshal.GetLastWin32Error());
return;
}
// Begin impersonating the user
impersonationContext = WindowsIdentity.Impersonate(userHandle);
Console.WriteLine("Main() windows identify after impersonation: " + WindowsIdentity.GetCurrent().Name);
//run the program with elevated privileges (like file copying from a domain server)
DoWork();
} catch (Exception ex) {
Console.WriteLine("Exception impersonating user: " + ex.Message);
} finally {
// Clean up
if (impersonationContext != null) {
impersonationContext.Undo();
}
if (userHandle != IntPtr.Zero) {
CloseHandle(userHandle);
}
}
}
private void DoWork() {
//everything in here has elevated privileges
//example access files on a network share through e$
string[] files = System.IO.Directory.GetFiles(@"\\domainserver\e$\images", "*.jpg");
}
}
Solution 3
I was having the same problem. Don't know if you've solved this or not, but what I was really trying to do was access a network share with AD credentials. WNetAddConnection2()
is what you need to use in that case.
Solution 4
I have been successfull at impersonating users in another domain, but only with a trust set up between the 2 domains.
var token = IntPtr.Zero;
var result = LogonUser(userID, domain, password, LOGON32_LOGON_INTERACTIVE, LOGON32_PROVIDER_DEFAULT, ref token);
if (result)
{
return WindowsIdentity.Impersonate(token);
}
Solution 5
It's better to use a SecureString:
var password = new SecureString();
var phPassword phPassword = Marshal.SecureStringToGlobalAllocUnicode(password);
IntPtr phUserToken;
LogonUser(username, domain, phPassword, LOGON32_LOGON_INTERACTIVE, LOGON32_PROVIDER_DEFAULT, out phUserToken);
And:
Marshal.ZeroFreeGlobalAllocUnicode(phPassword);
password.Dispose();
Function definition:
private static extern bool LogonUser(
string pszUserName,
string pszDomain,
IntPtr pszPassword,
int dwLogonType,
int dwLogonProvider,
out IntPtr phToken);
Related videos on Youtube
RichardTheKiwi
A programmer who works with Microsoft SQL Server. SQL Server Minesweeper, anyone? Interesting posts: SQL Server: How to rotate a table 45 degrees? SQL Server: A Puzzle solved in SQL SQL Server: Recursive CTE, why Row_Number doesn't work SQL Server: Clustered index key update = delete + update! Other interesting posts: SQL: SUMPRODUCT operator in MSSQL, MySQL, Oracle? SQL Server: SQRT() vs POW() bake off SQL Server: String or binary data would be truncated SQL: Check if string is numeric (MSSQL, MySQL, Oracle) SQL Server: Better ISDATE function for format 103 (dmy) SQL Server: Symmetric matrix manipulation Oracle: Using MODEL to perform iterative calculations Essential Online Tools: SQL Fiddle Format tab values as Text-Table
Updated on February 13, 2022Comments
-
RichardTheKiwi over 2 years
ASP.NET: Impersonate against a domain on VMWare
This question is what I am asking, but the answer does not provide details on how the _token is derived. It seems to only use
WindowsIdentity.GetCurrent().Token
so there's no impersonation happening.Can I impersonate a user on a different Active Directory domain in .NET?
This next question has conflicting answers, with the accepted one bearing a comment "I'm beginning to suspect that my problem lies elsewhere." Not helpful.
LogonUser works only for my domain
This next question seems to imply it is not possible, but it deals with 2 domains so I am not sure if it is relevant.
My real question is:
- Is it possible? And if so,
- How? or Where did I go wrong?
What I have tried so far is, using the code from http://msdn.microsoft.com/en-us/library/chf6fbt4%28v=VS.80%29.aspx
bool returnValue = LogonUser(user, domain, password, LOGON32_LOGON_NETWORK, LOGON32_PROVIDER_DEFAULT, ref tokenHandle); // after this point, returnValue = false
The Win32 error is
Logon failure: unknown user name or bad password
-
Nicholas Blumhardt over 10 yearsBe aware that
LOGON_TYPE_NEW_CREDENTIALS
appears not to validate the credentials until they're used to access a network resource, so it can't be used for authentication the wayLOGON_TYPE_NETWORK
can. -
Justin Skiles almost 10 yearsHow do you prevent the contents of
password
from leaking via memory dumps or attached debuggers on a compromised system? I notice that you left it hanging around in memory. -
MikeTeeVee almost 10 yearsI had the same issue impersonating against a different domain than the one my application ran in. The other domain also did not have trust. I would receive the nonsensical error "The system cannot find the file specified". Changing 0,2 to 9,3 like you suggested above worked! Now I can read in files from a file share on a different domain. Thanks man, you saved me from a lot of pain!
-
Zaid Amir about 8 yearsSo what was the DNS issue. I think I have this issue on one of our sites
-
Daniel about 7 yearsThanks, it works, but nevertheless the whole issue is strange. I tried to authenticate to impersonate within the same network and I always got the 'Unknown user name or bad password' message when using LOGON32_LOGON_INTERACTIVE. On my dev machine all worked fine. I'd love to trace the cause to the bottom, but where shall I start?
-
takrl about 7 years@Daniel Good question. I only found this by experimenting with the options given in the docs, not because I knew how or why it works ;-)
-
Cee McSharpface almost 7 yearsthese APIs are so picky. I got almost the same solution, and it failed because of the wrong combination of logonprovider and logontype. interactive in connection with default is fine, while newcredentials only works with winnt50... using this approach,
Environment.Username
really returns the impersonated account, if that is what you need use this solution. -
David Burg over 4 yearsYes the doc of the underlying winapi is quite clear on that. Quote "When you have finished using the password, clear the password from memory by calling the SecureZeroMemory function. For more information about protecting passwords, see Handling Passwords."