C# : Windows Impersonation



The WindowsImpersonationContext class provides us with the ability to impersonate an user.

In the following post we're going to look at how to write to a protected shared folder using impersonation.

You will notice that the WindowsImpersonationContext class doesn't have a constructor, nor any static methods defined - one can however get an instance of this class via the Impersonate static method in the WindowsIdentity class, observe: 
 
using (WindowsImpersonationContext context = WindowsIdentity.Impersonate(token))
{
	// Some operation requiring impersonation
}
 

Note, the WindowsImpersonationContext class implements the IDisposable interface which enables us to use the using clause - code out of scope (running outside) the using clause won't be executed within context of the impersonated user.

In order for our impersonation to work, we need to pass a primary token to our method, to retrieve the token, we'll need to import a method from the "Advanced Services" assembly (advapi32.dll) like this: 
 
[DllImport("advapi32.dll", SetLastError = true)]
public static extern bool LogonUser(string lpszUsername, string lpszDomain, string lpszPassword, int dwLogonType, int dwLogonProvider, ref IntPtr phToken);
 

And an import to dispose of the token. 
 
[DllImport("kernel32.dll")]
public static extern bool CloseHandle(IntPtr token);
 

You might have noticed the LogonType and LogonProvider parameters in the LogonUser method, we need to tell the API by which means authentication must happen - to simplify this, I created two enum's: 
 
enum LogonType
{
	Interactive = 2,
	Network = 3,
	Batch = 4,
	Service = 5,
	Unlock = 7,
	NetworkClearText = 8,
	NewCredentials = 9
}
 
enum LogonProvider
{
	Default = 0,
	WinNT35 = 1,
	WinNT40 = 2,
	WinNT50 = 3
}
 

I am not going to go into too much depth about these providers, but lets have a quick look at the Interactive and NewCredentials LogonTypes.

Using the Interactive LogonType will look something like this: 
 
IntPtr token = IntPtr.Zero;
bool valid = LogonUser("username",
			"yourdomain.com",
			"password",
			(int)LogonType.Interactive,
			(int)LogonProvider.Default,
			ref token);
if (valid)
{            
	using (WindowsImpersonationContext context = WindowsIdentity.Impersonate(token))
	{
		CloseHandle(token);
		File.WriteAllBytes(@"\\yourserver\someshare\test.txt", new byte[] { });
	}
}
 

Now this is all nice and all when we're impersonating someone thats on the same domain as us, but what about impersonating outside our domain?

This is where I found the NewCredentials LogonType useful, since it authenticates cross domain: 
 
IntPtr token = IntPtr.Zero;
LogonUser("username",
			"yourdomain.com",
			"password",
			(int)LogonType.NewCredentials,
			(int)LogonProvider.WinNT50,
			ref token);
 
using (WindowsImpersonationContext context = WindowsIdentity.Impersonate(token))
{
	CloseHandle(token);
	File.WriteAllBytes(@"\\yourserver\someshare\test.txt", new byte[] { });
}
 

I didnt include the valid bool in the preceding snippet, this is because you'll find that the LogonUser method seems to always return true when using the NewCredentials LogonType since authentication only happens when you're accessing the resource, in this case the File.WriteAllBytes method.



Posted by - Christoff Truter
Date - 2010-05-04 17:23:11




Comments



What a small but great info. Thank you so much. You saved my ass

Posted by - Anonymous
Date - 2013-03-01 09:56:34

I am still getting error as - The trust relationship between this workstation and the primary domain failed.

Posted by - sagar
Date - 2013-01-25 13:51:07

This is pure gold. Thanks!

Posted by - Anonymous
Date - 2012-08-13 14:15:13

Thank you very much

Posted by - kenan hancer
Date - 2012-07-30 10:27:20

Local Account

Do you need a local account with the same name and pw as the account on the different domain?

Posted by - Anonymous
Date - 2012-04-25 21:20:14

Great

Thank you very much! This is exactly what I was looking for. Have a nice day, friend.

Posted by - Fractalist
Date - 2011-11-30 11:38:07

Anonymous

Thanks a lotto

Posted by - Anonymous
Date - 2010-12-24 10:30:37

Well written. Save me heaps of time.

Posted by - Jay
Date - 2010-10-27 03:13:58

Thanks

Thanks A lot many times. This saved me my day. Thanks, Albert

Posted by - Albert
Date - 2010-10-26 14:18:50

Thank you!

Thank you! Your post was exactly what I needed! You saved my time! Best regards!

Posted by - wiygN
Date - 2010-09-08 23:12:20

1 2 Last / 2 Pages (12 Entries)

Post comment

Name *
Email
Title
Body *
Security Code
*
* Required fields

Latest Posts

JavaScript Threading - Part 2 (Worker)


2012-12-18 16:41:34

JavaScript Threading - Part 1 (Timers)


2012-12-18 08:40:27

MS SQL: Parameter Sniffing


2012-05-21 22:38:48

Solving Cross Browser Issues - Part 3 (Mootools and HTML5)


2012-02-23 21:10:09

Solving Cross Browser Issues - Part 2 (GWT and Dart)


2012-02-07 11:40:08

Solving Cross Browser Issues - Part 1 (JQuery and GWT)


2012-01-09 01:18:08

Be the best stalker you can be


2011-12-13 22:33:54

AjaxControlToolkit (ASP.NET/C#) : CascadingDropDown Extender - Part 2


2011-11-03 12:06:22

AjaxControlToolkit (ASP.NET/C#) : CascadingDropDown Extender - Part 1


2011-10-07 19:48:59

Syntactic sugar (C#): Enum


2011-08-04 16:50:18

Top 5 posts

Moving items between listboxes in ASP.net/PHP example


Move items between two listboxes in ASP.net(C#, VB.NET) and PHP
2008-06-12 17:07:43

Simple WYSIWYG Editor


Creating a WYSIWYG textbox for your website is actually quite simple.
2007-02-01 12:00:00

C# YouTube : Google API


Post on how to integrate with YouTube using the Google Data API
2011-03-12 08:37:51

Populate a TreeView Control C#


Populate a TreeView control in a windows application.
2009-08-27 16:01:03

Cross Browser Issues: Firefox Word Wrapping


Firefox word wrapping issues
2008-06-09 09:51:21