Re: Impersonation and UNC network resources

From: Colin Nicholls (colin_at_spacefold.com)
Date: 03/11/05


Date: Fri, 11 Mar 2005 10:26:00 -0800

Joe -

Thanks for your suggestions. Very helpful. I added some debug code to report
the Principal.WindowsIdentity like you suggested. Let me describe what I am
seeing and see if it makes sense:

I'm logged into my laptop as LAPTOP\colin. LAPTOP is Windows XP, not part of
the domain.
I run my test program, which attempts to impersonate DOMAIN\netuser.

Here is the Console.WriteLine() debug output that I see:

   Current/Normal user: LAPTOP\colin
   After impersonating: LAPTOP\netuser
   Directory exists: False
   Create folder: Error: Could not find a part of the path \\SERVER\Share.

(LAPTOP\netuser exists and has the same password as DOMAIN\netuser.)

I've read and been told that LogonUser() works on local accounts. It seems
that it ignores the domain part of the account and finds a local user and
successfully logs in using that.

I suspect that if LAPTOP were part of the NT DOMAIN, and there was a trust
relationship thingy in place, then the network resource would be available.

I ran the same test on the Win2k workstation. Now I see:

   Current/Normal user: DOMAIN\colin
   Error: LogonUser failed with error code : 1314

In other words, I am logged into the workstation with my NT Domain
credentials...

Just for kicks, my Workstation's Local Security Policy setting for "Act as
part of the operating system" looks like this:

   WORKSTATION\netuser [x]
   WORKSTATION\aspnet [x]
   DOMAIN\colin [x]

Perhaps instead of trying to impersonate "DOMAIN\netuser", I should be
trying to impersonate "WORKSTATION\netuser" and then rely on the trust
relationship thing.

- Colin