run as a user.

run as a user.

Post by RGF2aWQgVG » Wed, 29 Nov 2006 04:48:01


I am trying to run impersonating another user (I prompt for the domain admin
uname & pw to use that). But when I ask for the CurrentPrincipal, it's still
me, not the domain user.

IntPtr tokenHandle = new IntPtr(0);
bool returnValue = LogonUser(userName, domainName,
password, LOGON32_LOGON_NETWORK, LOGON32_PROVIDER_DEFAULT,
ref tokenHandle);
if (returnValue == false)
throw new Exception("Windows logon Error: " + Marshal.GetLastWin32Error());
WindowsIdentity identity = new WindowsIdentity(tokenHandle);
WindowsImpersonationContext impersonationContext = identity.Impersonate();

// xx is still me
object xx = Thread.CurrentPrincipal;

--
thanks - dave
david_at_windward_dot_net
http://www.yqcomputer.com/

Cubicle Wars - http://www.yqcomputer.com/
 
 
 

run as a user.

Post by Willy Deno » Wed, 29 Nov 2006 05:44:36


Did you set the PrincipalPolicy for the AppDomain to WindowsPrincipal, before creating a new
WindowsIdentity?

AppDomain.CurrentDomain.SetPrincipalPolicy(PrincipalPolicy.WindowsPrincipal);
//Logon user here

Willy.

 
 
 

run as a user.

Post by RGF2aWQgVG » Wed, 29 Nov 2006 07:13:02

Yes I have:
AppDomain.CurrentDomain.SetPrincipalPolicy(PrincipalPolicy.WindowsPrincipal);

3rd line of code in my main before any form is even instantiated.

--
thanks - dave
david_at_windward_dot_net
http://www.yqcomputer.com/

Cubicle Wars - http://www.yqcomputer.com/
 
 
 

run as a user.

Post by wawan » Wed, 29 Nov 2006 11:31:20

Hi Dave,

Your code works correctly on my side, after impersonation,
Thread.CurrentPrincipal.Identity.Name correctly shows the impersonated
user's name. Is it possible to create a small reproducible project and send
it to me? Thanks.

My test environment is: Visual Studio 2005, Windows XP SP2.

Sincerely,
Walter Wang ( XXXX@XXXXX.COM , remove 'online.')
Microsoft Online Community Support

==================================================
Get notification to my posts through email? Please refer to
http://www.yqcomputer.com/ #notif
ications. If you are using Outlook Express, please make sure you clear the
check box "Tools/Options/Read: Get 300 headers at a time" to see your reply
promptly.

Note: The MSDN Managed Newsgroup support offering is for non-urgent issues
where an initial response from the community or a Microsoft Support
Engineer within 1 business day is acceptable. Please note that each follow
up response may take approximately 2 business days as the support
professional working with you may need further investigation to reach the
most efficient resolution. The offering is not appropriate for situations
that require urgent, real-time or phone-based interactions or complex
project analysis and dump analysis issues. Issues of this nature are best
handled working with a dedicated Microsoft Support Engineer by contacting
Microsoft Customer Support Services (CSS) at
http://www.yqcomputer.com/
==================================================

This posting is provided "AS IS" with no warranties, and confers no rights.
 
 
 

run as a user.

Post by RGF2aWQgVG » Wed, 29 Nov 2006 12:38:01

Here you go. Same issue - list the Name as me, not sa (I use sa instead of
administrator for our domain admin username).

using System;
using System.Runtime.InteropServices;
using System.Security.Principal;
using System.Threading;

namespace TestImpersonate
{
class Program
{
[DllImport("advapi32.dll", SetLastError = true)]
public static extern bool LogonUser(String lpszUsername, String
lpszDomain, String lpszPassword,
int dwLogonType, int dwLogonProvider, ref IntPtr phToken);
[DllImport("kernel32.dll", CharSet = CharSet.Auto)]
public extern static bool CloseHandle(IntPtr handle);

const int LOGON32_PROVIDER_DEFAULT = 0;
const int LOGON32_LOGON_NETWORK = 3;

static void Main(string[] args)
{
string username = "sa";
string password = "*****";

AppDomain.CurrentDomain.SetPrincipalPolicy(PrincipalPolicy.WindowsPrincipal);
string domainName = Thread.CurrentPrincipal.Identity.Name;
domainName = domainName.Substring(0, domainName.IndexOf('\\'));

IntPtr tokenHandle = new IntPtr(0);
bool returnValue = LogonUser(username, domainName, password,
LOGON32_LOGON_NETWORK, LOGON32_PROVIDER_DEFAULT,
ref tokenHandle);
if (returnValue == false)
throw new Exception("Windows logon Error: " +
Marshal.GetLastWin32Error());

WindowsIdentity identity = new WindowsIdentity(tokenHandle);
WindowsImpersonationContext impersonationContext = identity.Impersonate();

IPrincipal prin = Thread.CurrentPrincipal;
Console.Out.WriteLine("user = " + prin.Identity.Name);

impersonationContext.Undo();
impersonationContext.Dispose();
CloseHandle(tokenHandle);

}
}
}


--
thanks - dave
david_at_windward_dot_net
http://www.yqcomputer.com/

Cubicle Wars - http://www.yqcomputer.com/
 
 
 

run as a user.

Post by RGF2aWQgVG » Wed, 29 Nov 2006 12:42:01

I just tried WindowsIdentity.GetCurrent().Name - it does give sa. Why the
difference?

--
thanks - dave
david_at_windward_dot_net
http://www.yqcomputer.com/

Cubicle Wars - http://www.yqcomputer.com/
 
 
 

run as a user.

Post by wawan » Wed, 29 Nov 2006 16:41:10

Hi Dave,

Neither Impersonate nor Undo changes the Principal object associated with
the current call context. Rather, impersonation and reverting change the
token associated with the current operating system process:

#Impersonating and Reverting
http://www.yqcomputer.com/ (VS.71).aspx


The identity object encapsulates information about the user or entity being
validated. The principal object represents the security context under which
code is running.

#Principal and Identity Objects
http://www.yqcomputer.com/ (VS.71).aspx

You may find following article useful to understand the concepts:

#WhatIsAToken
http://www.yqcomputer.com/
ml



Regards,
Walter Wang ( XXXX@XXXXX.COM , remove 'online.')
Microsoft Online Community Support

==================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
==================================================

This posting is provided "AS IS" with no warranties, and confers no rights.
 
 
 

run as a user.

Post by wawan » Wed, 29 Nov 2006 16:42:51

To associate the impersonated WindowsIdentity to Thread.CurrentPrincipal:

Thread.CurrentPrincipal = new WindowsPrincipal(identity);



Regards,
Walter Wang ( XXXX@XXXXX.COM , remove 'online.')
Microsoft Online Community Support

==================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
==================================================

This posting is provided "AS IS" with no warranties, and confers no rights.
 
 
 

run as a user.

Post by RGF2aWQgVG » Wed, 29 Nov 2006 23:54:02

I guess that makes sense - thanks

--
thanks - dave
david_at_windward_dot_net
http://www.yqcomputer.com/

Cubicle Wars - http://www.yqcomputer.com/
 
 
 

run as a user.

Post by Willy Deno » Thu, 30 Nov 2006 00:11:24


There isn't any difference, both should return the same principal name, unless Impersonate
had failed.

Willy.
 
 
 

run as a user.

Post by RGF2aWQgVG » Thu, 30 Nov 2006 03:54:22

Hi;

Ok, I added Thread.CurrentPrincipal = new WindowsPrincipal(identity); but I
still get an error when calling this code (2nd line):
DirectoryEntry dom = new DirectoryEntry();
DirectoryEntry group = dom.Children.Add("CN=" + activeDirGroups[ind],
"group");

The above code works fine if I am running as the Domain Admin and don't have
to do the impersonate thing. But when I try to do it while impersonating, I
get an error.

Any ideas?

--
thanks - dave
david_at_windward_dot_net
http://www.yqcomputer.com/

Cubicle Wars - http://www.yqcomputer.com/
 
 
 

run as a user.

Post by Willy Deno » Thu, 30 Nov 2006 04:58:57


LOGON32_LOGON_NETWORK cannot be used to acces the network, please read the LogonUser
function description in the SDK doc's. There is no need to impersonate either, all you have
to do is use a DirectoryEntry constructor overload that takes the credentials of the user
with appropriate privileges to access the AD.

Willy.
 
 
 

run as a user.

Post by RGF2aWQgVG » Thu, 30 Nov 2006 06:21:01

That solved it - thank you. (It also makes sense that impersonation can't go
over the network now that you mention it.)

One last question. I do the following. Is this best? Or is there a way to
pass in the LDAP url for the Active Directory on the domain on:
DirectoryEntry dom = new DirectoryEntry();
dom.Username = "sa";
dom.Password = "*****";
DirectoryEntry group = dom.Children.Add("CN=My New Group", "group");
group.Properties["samAccountName"].Value = "My New Group";
group.Properties["description"].Value = "all about me";
group.CommitChanges();



--
thanks - dave
david_at_windward_dot_net
http://www.yqcomputer.com/

Cubicle Wars - http://www.yqcomputer.com/