Re: Create remote object with specified credentials.



Thanks Nicholas,

I finally have it authenticating to the remote server (which is a great
relief, since the help file explicitly states that LogonUser can't provide
this functionality).

However, I continue to get access denied when I try to instantiate the object. I
know the authentication code is working, because I replaced the COM code with
some code to copy a file, and it worked fine.

Here is the code I am currently using (apologies for the spam):

// P/Invoke declarations the snippet relies on (advapi32 / kernel32).
[DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
static extern bool LogonUser(string lpszUsername, string lpszDomain, string lpszPassword,
    int dwLogonType, int dwLogonProvider, ref IntPtr phToken);

[DllImport("advapi32.dll", SetLastError = true)]
static extern bool DuplicateToken(IntPtr ExistingTokenHandle, int ImpersonationLevel,
    ref IntPtr DuplicateTokenHandle);

[DllImport("kernel32.dll", SetLastError = true)]
static extern bool CloseHandle(IntPtr handle);

IntPtr tokenHandle = IntPtr.Zero;
IntPtr dupeTokenHandle = IntPtr.Zero;

string userName = txtUserName.Text, domainName = txtDomain.Text, password = txtPassword.Text;

const int LOGON32_PROVIDER_WINNT50 = 3;
const int LOGON32_LOGON_NEW_CREDENTIALS = 9; // clones the caller's token; the new credentials are used only for outbound network connections
const int SecurityDelegation = 3;            // SECURITY_IMPERSONATION_LEVEL; SecurityImpersonation (2) is enough to impersonate locally

// Call LogonUser to obtain a handle to an access token.
bool returnValue = LogonUser(userName, domainName, password,
    LOGON32_LOGON_NEW_CREDENTIALS, LOGON32_PROVIDER_WINNT50, ref tokenHandle);

if (!returnValue)
{
    // Read the error before any other call can overwrite it, and throw the real code
    // rather than a hard-coded ERROR_ACCESS_DENIED.
    int ret = Marshal.GetLastWin32Error();
    MessageBox.Show("LogonUser failed with error code : " + ret + ", " +
        new System.ComponentModel.Win32Exception(ret).Message);
    throw new System.ComponentModel.Win32Exception(ret);
}

MessageBox.Show("Did LogonUser Succeed? " + returnValue);
MessageBox.Show("Value of Windows NT token: " + tokenHandle);

WindowsImpersonationContext impersonatedUser = null;
try
{
    if (!DuplicateToken(tokenHandle, SecurityDelegation, ref dupeTokenHandle))
    {
        MessageBox.Show("DuplicateToken failed: " +
            new System.ComponentModel.Win32Exception(Marshal.GetLastWin32Error()).Message);
        return;
    }

    // Impersonation.
    MessageBox.Show("Before impersonation: " + WindowsIdentity.GetCurrent().Name);

    WindowsIdentity newId = new WindowsIdentity(dupeTokenHandle);
    impersonatedUser = newId.Impersonate();

    MessageBox.Show("After impersonation: " + WindowsIdentity.GetCurrent().Name);

    Type t = Type.GetTypeFromProgID("Microsoft.Update.Session", txtDomain.Text);

    UpdateSession UpdSess = (UpdateSession)Activator.CreateInstance(t);

    IUpdateSearcher UpdSrch = UpdSess.CreateUpdateSearcher();
    ISearchResult sr = UpdSrch.Search("IsInstalled=0 and Type='Software'");
    MessageBox.Show("Found " + sr.Updates.Count + " updates");

    foreach (IUpdate temp in sr.Updates)
        MessageBox.Show(temp.Description);
}
finally
{
    // Always revert and free the tokens, even if CreateInstance throws.
    if (impersonatedUser != null)
        impersonatedUser.Undo();

    if (tokenHandle != IntPtr.Zero)
        CloseHandle(tokenHandle);

    if (dupeTokenHandle != IntPtr.Zero)
        CloseHandle(dupeTokenHandle);
}


The other strange thing I've noticed is that the 'after impersonation'
message still displays my local userid instead of the remote one. (Even when
the copy worked successfully).

In my searching, I've come across some references to a feature within COM
where it will ignore impersonated access. Does that apply here? If so, is
there a way to bypass it?

"Nicholas Paldino [.NET/C# MVP]" wrote:

> Heliotic,
>
> You can make a call to LogonUser through the P/Invoke layer to get a
> user token for a user (given a username and password). When you have that
> token, you can pass it to the constructor or Impersonate method on the
> WindowsIdentity class to impersonate that user. It will return to you a
> WindowsImpersonationContext instance which you then must call Undo upon to
> revert back to the original user identity.
>
> You would then place your call to Activator.CreateInstance in between
> the call to Impersonate and Undo.
>
> Check the "about" documentation for the WindowsImpersonationContext
> class for an example of the calls you need to make.
>
> Hope this helps.
>
> --
> - Nicholas Paldino [.NET/C# MVP]
> - mvp@xxxxxxxxxxxxxxxxxxxxxxxxxxx
>
> "Heliotic" <Heliotic@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
> news:734BA861-4741-4A00-89A9-E65BCA656073@xxxxxxxxxxxxxxxx
> > Hi everyone,
> >
> > Currently I am working on an application that will perform a remote scan
> > of
> > a specified server using the following code:
> >
> > Type t = Type.GetTypeFromProgID( "Microsoft.Update.Session", "proact" );
> > UpdateSession UpdSess = (UpdateSession) Activator.CreateInstance(t);
> >
> > This code works quite well, as long as the user you are currently
> > authenticated to also has administrative access on the target device. This
> > won't always be the case, so I need to be able to prompt the user for a
> > name
> > and password on the target server to use instead.
> >
> > What is the best way to do this?
> >
> > John.
> > PS: I'm fairly new to this whole remote object game, so if there is a
> > 'better' way to hook into the Windows Update Agent, please let me know.
>
>
>
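The observations in the thread have a documented cause. A LOGON32_LOGON_NEW_CREDENTIALS token is a clone of the caller's own token whose credentials are only used for outbound network authentication, which is why WindowsIdentity.GetCurrent().Name still shows the local user while a file copy to the remote share succeeds. DCOM, by default, does not pick up an impersonation token at all: activation requests and calls carry the process identity unless cloaking has been enabled with CoInitializeSecurity. The route COM provides for this situation is to hand the credentials to COM directly: a COAUTHIDENTITY inside COSERVERINFO.pAuthInfo for the activation request, and CoSetProxyBlanket with the same identity on every interface proxy that is called afterwards. The class below is an added example, not code from the thread or from Microsoft's samples; it assumes the server name, domain, user name and password are supplied by the caller (for instance from the form's text boxes), and reuses the ProgID and search criteria from the post.

```csharp
using System;
using System.Reflection;
using System.Runtime.InteropServices;

// Remote DCOM activation with explicit credentials (added example, not code from the thread).
public sealed class RemoteComSession : IDisposable
{
    const uint CLSCTX_REMOTE_SERVER = 0x10, RPC_C_AUTHZ_NONE = 0, EOAC_NONE = 0, SEC_WINNT_AUTH_IDENTITY_UNICODE = 2;
    const uint RPC_C_AUTHN_WINNT = 10;            // NTLM; prefer RPC_C_AUTHN_GSS_NEGOTIATE (9) plus a principal name where Kerberos is available
    const uint RPC_C_AUTHN_LEVEL_PKT_PRIVACY = 6; // sign and encrypt every packet on the wire
    const uint RPC_C_IMP_LEVEL_IMPERSONATE = 3;   // the server may impersonate us locally but not delegate onward
    [StructLayout(LayoutKind.Sequential)]
    struct COAUTHIDENTITY { public IntPtr User; public uint UserLength; public IntPtr Domain; public uint DomainLength; public IntPtr Password; public uint PasswordLength; public uint Flags; }
    [StructLayout(LayoutKind.Sequential)]
    struct COAUTHINFO { public uint dwAuthnSvc, dwAuthzSvc; public IntPtr pwszServerPrincName; public uint dwAuthnLevel, dwImpersonationLevel; public IntPtr pAuthIdentityData; public uint dwCapabilities; }
    [StructLayout(LayoutKind.Sequential)]
    struct COSERVERINFO { public uint dwReserved1; [MarshalAs(UnmanagedType.LPWStr)] public string pwszName; public IntPtr pAuthInfo; public uint dwReserved2; }
    [StructLayout(LayoutKind.Sequential)]
    struct MULTI_QI { public IntPtr pIID; [MarshalAs(UnmanagedType.IUnknown)] public object pItf; public int hr; }
    [DllImport("ole32.dll")] static extern int CLSIDFromProgID([MarshalAs(UnmanagedType.LPWStr)] string progId, out Guid clsid);
    [DllImport("ole32.dll")] static extern int CoCreateInstanceEx(ref Guid clsid, IntPtr punkOuter, uint clsCtx, ref COSERVERINFO serverInfo, uint count, [In, Out] MULTI_QI[] results);
    [DllImport("ole32.dll")] static extern int CoSetProxyBlanket(IntPtr proxy, uint authnSvc, uint authzSvc, IntPtr principal, uint authnLevel, uint impLevel, IntPtr authInfo, uint capabilities);

    readonly COAUTHIDENTITY id;
    readonly IntPtr identity; // unmanaged COAUTHIDENTITY*, kept valid until every blanketed proxy has been released

    public RemoteComSession(string domain, string user, string password)
    {
        COAUTHIDENTITY a = new COAUTHIDENTITY();
        a.User = Marshal.StringToCoTaskMemUni(user);         a.UserLength = (uint)user.Length;
        a.Domain = Marshal.StringToCoTaskMemUni(domain);     a.DomainLength = (uint)domain.Length;
        a.Password = Marshal.StringToCoTaskMemUni(password); a.PasswordLength = (uint)password.Length;
        a.Flags = SEC_WINNT_AUTH_IDENTITY_UNICODE;
        id = a;
        identity = Marshal.AllocCoTaskMem(Marshal.SizeOf(typeof(COAUTHIDENTITY)));
        Marshal.StructureToPtr(a, identity, false);
    }

    static void Check(int hr) { if (hr < 0) Marshal.ThrowExceptionForHR(hr); }

    // Activation request sent as domain\user: COSERVERINFO.pAuthInfo is what the remote SCM authenticates.
    public object Activate(string server, string progId)
    {
        Guid clsid;
        Check(CLSIDFromProgID(progId, out clsid));
        IntPtr pAuth = Marshal.AllocCoTaskMem(Marshal.SizeOf(typeof(COAUTHINFO))), pIid = Marshal.AllocCoTaskMem(16);
        try
        {
            COAUTHINFO auth = new COAUTHINFO();
            auth.dwAuthnSvc = RPC_C_AUTHN_WINNT; auth.dwAuthzSvc = RPC_C_AUTHZ_NONE; auth.dwCapabilities = EOAC_NONE;
            auth.dwAuthnLevel = RPC_C_AUTHN_LEVEL_PKT_PRIVACY; auth.dwImpersonationLevel = RPC_C_IMP_LEVEL_IMPERSONATE;
            auth.pAuthIdentityData = identity;
            Marshal.StructureToPtr(auth, pAuth, false);
            Marshal.Copy(new Guid("00000000-0000-0000-C000-000000000046").ToByteArray(), 0, pIid, 16); // IID_IUnknown
            COSERVERINFO si = new COSERVERINFO { pwszName = server, pAuthInfo = pAuth };
            MULTI_QI[] mqi = { new MULTI_QI { pIID = pIid } };
            Check(CoCreateInstanceEx(ref clsid, IntPtr.Zero, CLSCTX_REMOTE_SERVER, ref si, 1, mqi));
            Check(mqi[0].hr);
            return Blanket(mqi[0].pItf);
        }
        finally { Marshal.FreeCoTaskMem(pAuth); Marshal.FreeCoTaskMem(pIid); }
    }

    // Each interface proxy carries its own blanket, so set the credentials on the IUnknown and IDispatch
    // proxies of every object the server hands back; otherwise later calls fall back to the process identity.
    public object Blanket(object rcw)
    {
        IntPtr unk = Marshal.GetIUnknownForObject(rcw), disp = Marshal.GetIDispatchForObject(rcw);
        try
        {
            Check(CoSetProxyBlanket(unk, RPC_C_AUTHN_WINNT, RPC_C_AUTHZ_NONE, IntPtr.Zero, RPC_C_AUTHN_LEVEL_PKT_PRIVACY, RPC_C_IMP_LEVEL_IMPERSONATE, identity, EOAC_NONE));
            Check(CoSetProxyBlanket(disp, RPC_C_AUTHN_WINNT, RPC_C_AUTHZ_NONE, IntPtr.Zero, RPC_C_AUTHN_LEVEL_PKT_PRIVACY, RPC_C_IMP_LEVEL_IMPERSONATE, identity, EOAC_NONE));
        }
        finally { Marshal.Release(disp); Marshal.Release(unk); }
        return rcw;
    }

    public void Dispose()
    {
        int n = ((int)id.PasswordLength + 1) * 2;   // wipe the unmanaged password copy before freeing it
        Marshal.Copy(new byte[n], 0, id.Password, n);
        foreach (IntPtr p in new[] { id.Password, id.User, id.Domain, identity }) Marshal.FreeCoTaskMem(p);
    }

    // Usage: the same WUA calls as in the post, late-bound so no interop assembly is needed.
    public static int CountMissingUpdates(string server, string domain, string user, string password)
    {
        using (RemoteComSession s = new RemoteComSession(domain, user, password))
        {
            object session = s.Activate(server, "Microsoft.Update.Session");
            object searcher = s.Blanket(session.GetType().InvokeMember("CreateUpdateSearcher", BindingFlags.InvokeMethod, null, session, null));
            object result = s.Blanket(searcher.GetType().InvokeMember("Search", BindingFlags.InvokeMethod, null, searcher, new object[] { "IsInstalled=0 and Type='Software'" }));
            object updates = s.Blanket(result.GetType().InvokeMember("Updates", BindingFlags.GetProperty, null, result, null));
            int count = (int)updates.GetType().InvokeMember("Count", BindingFlags.GetProperty, null, updates, null);
            foreach (object o in new[] { updates, result, searcher, session }) Marshal.FinalReleaseComObject(o); // release proxies before the identity is freed
            return count;
        }
    }
}
```

Two points worth keeping in mind when adapting this. Every object that comes back from the server (the searcher, the search result, the update collection, each update) is a separate proxy with its own security blanket, so Blanket() has to be applied to each one before it is called, which is why the usage wraps every InvokeMember result. The COAUTHIDENTITY memory is passed by pointer to COM rather than copied, so the proxies are released before Dispose() zeroes and frees it; PKT_PRIVACY keeps the credential exchange and the update data encrypted on the wire, and the impersonation level is left at IMPERSONATE so the remote WUA service cannot forward the supplied identity to a third machine.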