Re: Network Impersonation Question
From: Willy Denoyette [MVP] (willy.denoyette@pandora.be)
Date: 07/25/02
From: "Willy Denoyette [MVP]" <willy.denoyette@pandora.be> Date: Thu, 25 Jul 2002 18:23:53 +0200
Logontype 3 (LOGON32_LOGON_NETWORK) has no network credentials.
Use logontype 8 (LOGON32_LOGON_NETWORK_CLEARTEXT) or 4 (LOGON32_LOGON_BATCH).
And ... remove the STAThread attribute from the Main function.
Willy.
"Derek Hamilton" <derek@capweb.com> wrote in message news:uPeGwr4MCHA.2400@tkmsftngp11...
> I am attempting to impersonate a user and then perform active directory
> updates/searches with that identity. I am not having a problem
> impersonating the user until I try to do a network action. The below is the
> code I'm testing with (sorry about the formatting):
>
> -----Code Block-----
> using System;
> using System.DirectoryServices;
> using System.Runtime.InteropServices;
> using System.Security.Permissions;
> using System.Security.Principal;
>
> [assembly:SecurityPermissionAttribute(SecurityAction.RequestMinimum, UnmanagedCode=true)]
> namespace ImpersonateTest
> {
>     class Class1
>     {
>         [DllImport("advapi32.dll")]
>         public static extern int LogonUser(String lpszUsername, String lpszDomain, String lpszPassword,
>             int dwLogonType, int dwLogonProvider, ref IntPtr phToken);
>
>         [DllImport("advapi32.dll", CharSet=System.Runtime.InteropServices.CharSet.Auto, SetLastError=true)]
>         public extern static int DuplicateToken(IntPtr hToken, int impersonationLevel, ref IntPtr hNewToken);
>
>         [STAThread]
>         static void Main(string[] args)
>         {
>             Class1 c = new Class1();
>             if(c.ValidateUser("user", "domain", "password"))
>             {
>                 Console.WriteLine("Impersonating User");
>
>                 Console.WriteLine("Connecting to Directory");
>                 DirectoryEntry objRoot = new DirectoryEntry("LDAP://DC=domain,DC=com");
>                 foreach (DirectoryEntry de in objRoot.Children)
>                 {
>                     Console.WriteLine(de.Path);
>                     foreach (DirectoryEntry de2 in de.Children)
>                     {
>                         Console.WriteLine("" + de2.Path);
>                     }
>                 }
>                 c.impersonationContext.Undo();
>             }
>             else
>                 Console.WriteLine("Impersonation failed");
>             Console.Read();
>         }
>
>         public bool ValidateUser(string userName, string domain, string password)
>         {
>             WindowsIdentity tempWindowsIdentity;
>             IntPtr token = IntPtr.Zero;
>             IntPtr tokenDuplicate = IntPtr.Zero;
>             // Logon type 3 (LOGON32_LOGON_NETWORK), logon provider 0 (default)
>             if(LogonUser(userName, domain, password, 3, 0, ref token) != 0)
>             {
>                 // Impersonation level 2 (SecurityImpersonation)
>                 if(DuplicateToken(token, 2, ref tokenDuplicate) != 0)
>                 {
>                     tempWindowsIdentity = new WindowsIdentity(tokenDuplicate);
>                     impersonationContext = tempWindowsIdentity.Impersonate();
>                     if (impersonationContext != null)
>                         return true;
>                     else
>                         return false;
>                 }
>                 else
>                     return false;
>             }
>             else
>                 return false;
>         }
>         WindowsImpersonationContext impersonationContext;
>     }
> }
> -----End Block----
>
> I found the ValidateUser code in a knowledge base article (sorry, didn't
> keep the link) and noticed the DuplicateToken call. The hardcoded value 3
> is a value that should set the Security Impersonation level to work on
> network resources also.
>
> I'm wondering if any other type of delegation has to happen to access the
> network as the correct user?
>
> BTW, I don't get any error messages, the application just ends.
>
> TIA,
> Derek Hamilton
>
>
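The change suggested in the reply, as an added example that is not code from either poster: it requests logon type 8, drops the STAThread attribute, reports the Win32 error when the logon fails, and always reverts the impersonation and closes the token. It assumes the .NET Framework with a reference to System.DirectoryServices; the class name and the command-line argument layout are hypothetical.

```csharp
using System;
using System.ComponentModel;
using System.DirectoryServices;
using System.Runtime.InteropServices;
using System.Security.Principal;

class ImpersonateNetworkExample   // hypothetical name, not from the thread
{
    const int LOGON32_LOGON_NETWORK_CLEARTEXT = 8; // token keeps credentials for network hops
    const int LOGON32_PROVIDER_DEFAULT = 0;

    [DllImport("advapi32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    static extern bool LogonUser(string user, string domain, string password,
        int logonType, int logonProvider, out IntPtr token);

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr handle);

    // No [STAThread] on Main, as the reply advises.
    static int Main(string[] args)
    {
        if (args.Length != 3)
        {
            Console.Error.WriteLine("usage: ImpersonateNetworkExample <user> <domain> <ldap-path>");
            return 2;
        }
        Console.Write("Password: ");
        string password = Console.ReadLine(); // echoes input; test harness only

        IntPtr token;
        if (!LogonUser(args[0], args[1], password, LOGON32_LOGON_NETWORK_CLEARTEXT,
                       LOGON32_PROVIDER_DEFAULT, out token))
            throw new Win32Exception(Marshal.GetLastWin32Error()); // surface the failure reason

        try
        {
            // WindowsIdentity duplicates the token itself, so no DuplicateToken call is needed.
            using (WindowsIdentity identity = new WindowsIdentity(token))
            {
                WindowsImpersonationContext ctx = identity.Impersonate();
                try
                {
                    using (DirectoryEntry root = new DirectoryEntry(args[2]))
                        foreach (DirectoryEntry child in root.Children)
                            Console.WriteLine(child.Path);
                }
                finally { ctx.Undo(); } // always revert to the process identity
            }
        }
        finally { CloseHandle(token); } // handles from LogonUser must be closed explicitly
        return 0;
    }
}
```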