How to use LogonUser properly to impersonate domain user from workgroup client

c# .net winforms c#-2.0 impersonation

109,986

Solution 1

Very few posts suggest using LOGON_TYPE_NEW_CREDENTIALS instead of LOGON_TYPE_NETWORK or LOGON_TYPE_INTERACTIVE. I had an impersonation issue with one machine connected to a domain and one not, and this fixed it. The last code snippet in this post suggests that impersonating across a forest does work, but it doesn't specifically say anything about trust being set up. So this may be worth trying:

const int LOGON_TYPE_NEW_CREDENTIALS = 9;
const int LOGON32_PROVIDER_WINNT50 = 3;
bool returnValue = LogonUser(user, domain, password,
            LOGON_TYPE_NEW_CREDENTIALS, LOGON32_PROVIDER_WINNT50,
            ref tokenHandle);

MSDN says that LOGON_TYPE_NEW_CREDENTIALS only works when using LOGON32_PROVIDER_WINNT50.

Solution 2

this works for me, full working example (I wish more people would do this):

//logon impersonation
using System.Runtime.InteropServices; // DllImport
using System.Security.Principal; // WindowsImpersonationContext
using System.Security.Permissions; // PermissionSetAttribute

...

class Program {

    // obtains user token
    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool LogonUser(string pszUsername, string pszDomain, string pszPassword,
        int dwLogonType, int dwLogonProvider, ref IntPtr phToken);

    // closes open handes returned by LogonUser
    [DllImport("kernel32.dll", CharSet = CharSet.Auto)]
    public extern static bool CloseHandle(IntPtr handle);

    public void DoWorkUnderImpersonation() {
        //elevate privileges before doing file copy to handle domain security
        WindowsImpersonationContext impersonationContext = null;
        IntPtr userHandle = IntPtr.Zero;
        const int LOGON32_PROVIDER_DEFAULT = 0;
        const int LOGON32_LOGON_INTERACTIVE = 2;
        string domain = ConfigurationManager.AppSettings["ImpersonationDomain"];
        string user = ConfigurationManager.AppSettings["ImpersonationUser"];
        string password = ConfigurationManager.AppSettings["ImpersonationPassword"];

        try {
            Console.WriteLine("windows identify before impersonation: " + WindowsIdentity.GetCurrent().Name);

            // if domain name was blank, assume local machine
            if (domain == "")
                domain = System.Environment.MachineName;

            // Call LogonUser to get a token for the user
            bool loggedOn = LogonUser(user,
                                        domain,
                                        password,
                                        LOGON32_LOGON_INTERACTIVE,
                                        LOGON32_PROVIDER_DEFAULT,
                                        ref userHandle);

            if (!loggedOn) {
                Console.WriteLine("Exception impersonating user, error code: " + Marshal.GetLastWin32Error());
                return;
            }

            // Begin impersonating the user
            impersonationContext = WindowsIdentity.Impersonate(userHandle);

            Console.WriteLine("Main() windows identify after impersonation: " + WindowsIdentity.GetCurrent().Name);

            //run the program with elevated privileges (like file copying from a domain server)
            DoWork();

        } catch (Exception ex) {
            Console.WriteLine("Exception impersonating user: " + ex.Message);
        } finally {
            // Clean up
            if (impersonationContext != null) {
                impersonationContext.Undo();
            }

            if (userHandle != IntPtr.Zero) {
                CloseHandle(userHandle);
            }
        }
    }


    private void DoWork() {
        //everything in here has elevated privileges

        //example access files on a network share through e$ 
        string[] files = System.IO.Directory.GetFiles(@"\\domainserver\e$\images", "*.jpg");
    }
}

Solution 3

I was having the same problem. Don't know if you've solved this or not, but what I was really trying to do was access a network share with AD credentials. WNetAddConnection2() is what you need to use in that case.

Solution 4

I have been successfull at impersonating users in another domain, but only with a trust set up between the 2 domains.

var token = IntPtr.Zero;
var result = LogonUser(userID, domain, password, LOGON32_LOGON_INTERACTIVE, LOGON32_PROVIDER_DEFAULT, ref token);
if (result)
{
    return WindowsIdentity.Impersonate(token);
}

Solution 5

It's better to use a SecureString:

var password = new SecureString();
var phPassword phPassword = Marshal.SecureStringToGlobalAllocUnicode(password);
IntPtr phUserToken;
LogonUser(username, domain, phPassword, LOGON32_LOGON_INTERACTIVE,  LOGON32_PROVIDER_DEFAULT, out phUserToken);

And:

Marshal.ZeroFreeGlobalAllocUnicode(phPassword);
password.Dispose();

Function definition:

private static extern bool LogonUser(
  string pszUserName,
  string pszDomain,
  IntPtr pszPassword,
  int dwLogonType,
  int dwLogonProvider,
  out IntPtr phToken);

View more solutions

109,986

RichardTheKiwi

A programmer who works with Microsoft SQL Server. SQL Server Minesweeper, anyone? Interesting posts: SQL Server: How to rotate a table 45 degrees? SQL Server: A Puzzle solved in SQL SQL Server: Recursive CTE, why Row_Number doesn't work SQL Server: Clustered index key update = delete + update! Other interesting posts: SQL: SUMPRODUCT operator in MSSQL, MySQL, Oracle? SQL Server: SQRT() vs POW() bake off SQL Server: String or binary data would be truncated SQL: Check if string is numeric (MSSQL, MySQL, Oracle) SQL Server: Better ISDATE function for format 103 (dmy) SQL Server: Symmetric matrix manipulation Oracle: Using MODEL to perform iterative calculations Essential Online Tools: SQL Fiddle Format tab values as Text-Table

Updated on February 13, 2022

Comments

RichardTheKiwi over 2 years
ASP.NET: Impersonate against a domain on VMWare

This question is what I am asking, but the answer does not provide details on how the _token is derived. It seems to only use WindowsIdentity.GetCurrent().Token so there's no impersonation happening.

Can I impersonate a user on a different Active Directory domain in .NET?

This next question has conflicting answers, with the accepted one bearing a comment "I'm beginning to suspect that my problem lies elsewhere." Not helpful.

LogonUser works only for my domain

This next question seems to imply it is not possible, but it deals with 2 domains so I am not sure if it is relevant.

My real question is:
- Is it possible? And if so,
- How? or Where did I go wrong?
What I have tried so far is, using the code from http://msdn.microsoft.com/en-us/library/chf6fbt4%28v=VS.80%29.aspx
```
bool returnValue = LogonUser(user, domain, password,
            LOGON32_LOGON_NETWORK, LOGON32_PROVIDER_DEFAULT,
            ref tokenHandle);
// after this point, returnValue = false
```
The Win32 error is

Logon failure: unknown user name or bad password
Nicholas Blumhardt over 10 years

Be aware that LOGON_TYPE_NEW_CREDENTIALS appears not to validate the credentials until they're used to access a network resource, so it can't be used for authentication the way LOGON_TYPE_NETWORK can.
Justin Skiles almost 10 years

How do you prevent the contents of password from leaking via memory dumps or attached debuggers on a compromised system? I notice that you left it hanging around in memory.
MikeTeeVee almost 10 years

I had the same issue impersonating against a different domain than the one my application ran in. The other domain also did not have trust. I would receive the nonsensical error "The system cannot find the file specified". Changing 0,2 to 9,3 like you suggested above worked! Now I can read in files from a file share on a different domain. Thanks man, you saved me from a lot of pain!
Zaid Amir about 8 years

So what was the DNS issue. I think I have this issue on one of our sites
Daniel about 7 years

Thanks, it works, but nevertheless the whole issue is strange. I tried to authenticate to impersonate within the same network and I always got the 'Unknown user name or bad password' message when using LOGON32_LOGON_INTERACTIVE. On my dev machine all worked fine. I'd love to trace the cause to the bottom, but where shall I start?
takrl about 7 years

@Daniel Good question. I only found this by experimenting with the options given in the docs, not because I knew how or why it works ;-)
Cee McSharpface almost 7 years

these APIs are so picky. I got almost the same solution, and it failed because of the wrong combination of logonprovider and logontype. interactive in connection with default is fine, while newcredentials only works with winnt50... using this approach, Environment.Username really returns the impersonated account, if that is what you need use this solution.
David Burg over 4 years

Yes the doc of the underlying winapi is quite clear on that. Quote "When you have finished using the password, clear the password from memory by calling the SecureZeroMemory function. For more information about protecting passwords, see Handling Passwords."