Re: Using windows auth and alternate credentials for sql server

From: TS (manofsteele_at_311.com)
Date: 05/10/04


Date: Mon, 10 May 2004 09:23:13 -0500

Why is it so easy to do impersonation in ASP.NET and so much harder for a
Windows app?

"Ying-Shen Yu [MSFT]" <v-yiy@online.microsoft.com> wrote in message
news:iCnG37MNEHA.3316@cpmsftngxa10.phx.gbl...
> Hello,
>
> The WindowsIdentity class is useful to represent a user. Before doing
> that, you need to call the LogonUser API to get the token of the user with
> its username and password. Basically, you may take the following steps to do
> it:
>
> 1. Get the Username and Password from the TextBoxes on the form
> 2. Get the security token of specific user with LogonUser API via PInvoke
> 3. Create a temp WindowsIdentity with the token
>
> If you want to impersonate that user to access some resources that are only
> available to him, you need to take the following two additional steps:
>
> 4. Impersonate the specific user with the temp WindowsIdentity
> 5. Undo the Impersonation
>
> You may refer to the following article to get some sample code:
>
> http://support.microsoft.com/default.aspx?scid=KB;EN-US;Q306158
>
> For your convenience, I also attached sample code here:
>
> using System;
> using System.Runtime.InteropServices;
> using System.Security.Principal;
> using System.Security.Permissions;
>
> [assembly:SecurityPermissionAttribute(SecurityAction.RequestMinimum,
>     UnmanagedCode=true)]
> public class Class1
> {
>     // SetLastError = true is required, otherwise Marshal.GetLastWin32Error()
>     // below does not return the error code that LogonUser set.
>     // phToken is a HANDLE, so it is marshalled as IntPtr (pointer-sized),
>     // not int, which would be wrong on 64-bit Windows.
>     [DllImport("advapi32.dll", SetLastError = true)]
>     public static extern bool LogonUser(String lpszUsername,
>         String lpszDomain, String lpszPassword,
>         int dwLogonType, int dwLogonProvider, out IntPtr phToken);
>
>     // Needed to release the token handle returned by LogonUser.
>     [DllImport("kernel32.dll", SetLastError = true)]
>     public static extern bool CloseHandle(IntPtr hObject);
>
>     public static void Main(string[] args)
>     {
>         // The Windows NT user token.
>         IntPtr token1;
>
>         // Get the user token for the specified user, machine, and password
>         // using the unmanaged LogonUser method.
>         bool loggedOn = LogonUser(
>             // User name.
>             "bob",
>             // Machine name; you may get the current machine name using
>             // Environment.MachineName
>             "AARDVARK",
>             // Password.
>             "coffee",
>             // Logon type = 3 (LOGON32_LOGON_NETWORK). Use 8
>             // (LOGON32_LOGON_NETWORK_CLEARTEXT) if the impersonating thread
>             // must also authenticate to remote servers such as SQL Server.
>             3,
>             // Logon provider = LOGON32_PROVIDER_DEFAULT.
>             0,
>             // The user token for the specified user is returned here.
>             out token1);
>
>         Console.WriteLine("LogonUser called");
>
>         // Call GetLastError to try to determine why logon failed if it did
>         // not succeed.
>         int ret = Marshal.GetLastWin32Error();
>
>         Console.WriteLine("LogonUser Success? " + loggedOn);
>         Console.WriteLine("NT Token Value: " + token1);
>         if (ret != 0) Console.WriteLine("Error code (126 == \"Specified" +
>             " module could not be found\"): " + ret);
>
>         // Without a valid token the WindowsIdentity constructor throws.
>         if (!loggedOn)
>         {
>             Console.WriteLine("Logon failed; not impersonating.");
>             return;
>         }
>
>         //Starting impersonation here:
>         Console.WriteLine("\n\nBefore impersonation:\n");
>         WindowsIdentity mWI1 = WindowsIdentity.GetCurrent();
>         Console.WriteLine(mWI1.Name);
>         Console.WriteLine(mWI1.Token);
>
>         Console.WriteLine("\n\nNew identity created:\n");
>         WindowsIdentity mWI2 = new WindowsIdentity(token1);
>         Console.WriteLine(mWI2.Name);
>         Console.WriteLine(mWI2.Token);
>
>         // Impersonate the user.
>         WindowsImpersonationContext mWIC = mWI2.Impersonate();
>
>         Console.WriteLine("\n\nAfter impersonation:\n");
>         WindowsIdentity mWI3 = WindowsIdentity.GetCurrent();
>         Console.WriteLine(mWI3.Name);
>         Console.WriteLine(mWI3.Token);
>
>         // Revert to previous identity.
>         mWIC.Undo();
>
>         Console.WriteLine("\n\nAfter impersonation is reverted:\n");
>         WindowsIdentity mWI4 = WindowsIdentity.GetCurrent();
>         Console.WriteLine(mWI4.Name);
>         Console.WriteLine(mWI4.Token);
>
>         // Close the handle from LogonUser; the WindowsIdentity keeps its
>         // own duplicate of the token.
>         CloseHandle(token1);
>     }
> }
>
>
> Best regards,
>
> Ying-Shen Yu [MSFT]
> Microsoft Community Support
> Get Secure! - www.microsoft.com/security
>
> This posting is provided "AS IS" with no warranties and confers no rights.
> This mail should not be replied to directly; please remove the word "online"
> before sending mail.
>
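The five steps in the quoted reply, written up as one complete program. This is an added example, not code from the original thread or from the Microsoft KB article it links; the class name Impersonator, the method RunAs and the console prompts are this example's own. It differs from the quoted sample in three ways a practitioner would want: the token handle is pointer-sized and is always closed, the impersonation is always undone even if the work throws, and the logon type is LOGON32_LOGON_NETWORK_CLEARTEXT (8) rather than 3, because a plain LOGON32_LOGON_NETWORK token cannot authenticate the impersonating thread to a remote service such as SQL Server, which is what the thread subject is about.

On the question asked at the top of the post: an ASP.NET worker process already holds the browser user's token, obtained by IIS during authentication, so impersonation there is a configuration switch that merely applies it. A Windows application runs as the interactively logged-on user and holds no second token, so it has to ask for one itself with LogonUser, which is why the steps below exist at all.

```csharp
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;
using System.Security.Principal;

// Added example (not from the thread): run a block of code under alternate
// Windows credentials, then revert and release the token.
public static class Impersonator
{
    // Logon types and providers from winbase.h.
    const int LOGON32_LOGON_INTERACTIVE       = 2; // needs "Log on locally" right
    const int LOGON32_LOGON_NETWORK           = 3; // token cannot reach remote servers
    const int LOGON32_LOGON_NETWORK_CLEARTEXT = 8; // token can authenticate remotely
    const int LOGON32_PROVIDER_DEFAULT        = 0;

    // SetLastError = true makes Marshal.GetLastWin32Error() meaningful.
    // CharSet.Unicode binds to LogonUserW.
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LogonUser(string user, string domain, string password,
        int logonType, int logonProvider, out IntPtr token);

    [DllImport("kernel32.dll", SetLastError = true)]
    [return: MarshalAs(UnmanagedType.Bool)]
    static extern bool CloseHandle(IntPtr handle);

    // Steps 2 to 5 of the quoted reply: get a token, wrap it in a
    // WindowsIdentity, impersonate, run 'work', undo. The handle is closed
    // and the impersonation reverted on every path, including exceptions.
    public static void RunAs(string domain, string user, string password, Action work)
    {
        IntPtr token;
        if (!LogonUser(user, domain, password,
                       LOGON32_LOGON_NETWORK_CLEARTEXT, LOGON32_PROVIDER_DEFAULT,
                       out token))
        {
            // Win32Exception turns the code into the system's message text,
            // e.g. "The user name or password is incorrect" for 1326.
            throw new Win32Exception(Marshal.GetLastWin32Error());
        }

        try
        {
            // WindowsIdentity duplicates the token, so the original handle
            // can be closed in the finally block regardless of what follows.
            using (WindowsIdentity identity = new WindowsIdentity(token))
            using (WindowsImpersonationContext ctx = identity.Impersonate())
            {
                work();
            } // Disposing the context is step 5: it calls Undo() for us.
        }
        finally
        {
            CloseHandle(token);
        }
    }

    public static void Main()
    {
        // Step 1 of the reply reads these from TextBoxes; a console stands in
        // for the form here. Note that ReadLine echoes the password.
        Console.Write("Domain (or machine name): "); string domain = Console.ReadLine();
        Console.Write("User: ");                     string user   = Console.ReadLine();
        Console.Write("Password: ");                 string pwd    = Console.ReadLine();

        Console.WriteLine("Before: " + WindowsIdentity.GetCurrent().Name);
        try
        {
            RunAs(domain, user, pwd, () =>
            {
                // Anything run here, such as opening a SqlConnection with
                // Integrated Security=SSPI, authenticates as the alternate user.
                Console.WriteLine("During: " + WindowsIdentity.GetCurrent().Name);
            });
        }
        catch (Win32Exception e)
        {
            Console.WriteLine("LogonUser failed: " + e.NativeErrorCode + " " + e.Message);
        }
        Console.WriteLine("After:  " + WindowsIdentity.GetCurrent().Name);
    }
}
```

Two design points. Using the `using` blocks rather than an explicit `Undo()` call is what guarantees the thread never stays impersonated after an exception; a thread left impersonating a more privileged account is the classic failure mode of this pattern. And because the application itself is handling a cleartext password and a token carrying that user's rights, this approach suits a desktop tool run by that user; for a service talking to SQL Server it is usually better to run the process under a dedicated account and use Integrated Security directly, so no password is ever held in managed memory.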
