Re: Impersonating when creating a process from inside a SQL Server Assembly
- From: "Joe Kaplan" <joseph.e.kaplan@xxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Thu, 14 Dec 2006 18:29:06 -0600
Maybe I'm just misremembering and only the ThreadPool does this
automatically now? I'm sure Dominick or someone will correct me.
In any case, if you just spin up a thread with the Thread class, you should
be able to impersonate by passing in the WindowsIdentity in the state for
the thread and then just impersonating it manually. It is a little
annoying, but should work.
Regardless, creating a new Process will always use the process identity
unless you start the process with explicit credentials or perhaps attempt
that pinvoke technique I mentioned.
Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"Keith" <keith@xxxxxxx> wrote in message
news:euNsMo9HHHA.960@xxxxxxxxxxxxxxxxxxxxxxx
Joe,
Thanks for the reply. I'm aware that you can't create processes this way,
but I've seen posts in this ng where they claim you can create a new
Thread that way but I can't get that to work either. Inside the thread
the current WindowsIdentity is still WINDOWS SERVICE.
Can you confirm that creating a new Thread with an impersonated
WindowsIdentity should work? If it does, would creating a new process
inside that thread have the correct WindowsIdentity?
k
"Joe Kaplan" <joseph.e.kaplan@xxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:e26Rr67HHHA.420@xxxxxxxxxxxxxxxxxxxxxxx
It doesn't work this way. Processes created with the Process class
inherit the process token, not the impersonated token. The Process class
allows you to specify credentials in .NET 2.0, but I don't know if that
would help you in your use case, as you don't have the user's password.
You could try calling CreateProcessWithTokenW, but you'd probably also
need to call DuplicateTokenEx to convert the impersonation token in the
WindowsIdentity into a primary token.
Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services
Programming"
http://www.directoryprogramming.net
--
"Keith" <keith@xxxxxxx> wrote in message
news:%23miCQt7HHHA.1044@xxxxxxxxxxxxxxxxxxxxxxx
Hello,
This is my situation: I'm trying to impersonate a different user when
creating a process from inside a .NET assembly on SQL Server. Basically
the flow looks like this:
stored procedure->static C# function in Assembly->Process created in
Assembly->External Application
This works, but the external app fails because the current
WindowsIdentity is NT AUTHORITY/WINDOWS SERVICE; it needs to be
someone else.
Now, when you are inside a .NET assembly in SQL Server, you have access
to an object called SqlContext, and it contains (among other things) a
WindowsIdentity object that is the login user who called the stored
procedure in the first place. This is the user I want to impersonate
but I can't seem to get it to work.
In other postings I've read that you can't get this to work with a
Process - apparently the process still inherits the Principal token and
not the Impersonation token - but it DOES work with Threads. So I
thought I'd spawn a new Thread with the correct identity and launch my
process from inside. To test the Thread idea I used:
    ParameterizedThreadStart pts =
        new ParameterizedThreadStart(someThreadFunction);
    Thread thread = new Thread(pts);
    WindowsIdentity contextID = SqlContext.WindowsIdentity;
    using (WindowsImpersonationContext wip = contextID.Impersonate())
    {
        thread.Start(test);
        while (thread.ThreadState == System.Threading.ThreadState.Running) { }
        wip.Undo();
    }
But inside the Thread function (someThreadFunction) the
WindowsIdentity.GetCurrent() still returns NT AUTHORITY/WINDOWS SERVICE.
Am I going about this all wrong? Is this even possible?
Any advice/suggestions appreciated!
Keith
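
Added example, not part of the original thread or written by either poster: a sketch of the approach described in the reply at the top, where the WindowsIdentity is passed as the thread's state and impersonated manually inside the worker. The names ImpersonatedWorker, WorkItem and RunAsCaller are hypothetical, and it assumes the assembly is deployed with a permission set that allows creating threads and impersonating.

```csharp
using System;
using System.Security.Principal;
using System.Threading;
using Microsoft.SqlServer.Server;

public static class ImpersonatedWorker   // hypothetical name, for illustration only
{
    // Carries the identity into the thread and the observed names back out.
    private sealed class WorkItem
    {
        public WindowsIdentity Caller;
        public string NameWhileImpersonating;
        public string NameAfterRevert;
        public Exception Error;
    }

    // Thread entry point: impersonation is applied here, on the worker thread itself.
    private static void Run(object state)
    {
        WorkItem item = (WorkItem)state;
        try
        {
            using (WindowsImpersonationContext ctx = item.Caller.Impersonate())
            {
                // In-thread work now runs under the caller's token. Per the reply
                // above, a Process started here still gets the process token.
                item.NameWhileImpersonating = WindowsIdentity.GetCurrent().Name;
            }   // Dispose() reverts the thread, even if the work above throws.
            item.NameAfterRevert = WindowsIdentity.GetCurrent().Name;
        }
        catch (Exception ex) { item.Error = ex; }   // do not let it escape the thread
    }

    // Returns "impersonated name -> reverted name" so the switch can be inspected.
    public static string RunAsCaller()
    {
        WindowsIdentity caller = SqlContext.WindowsIdentity;
        if (caller == null)   // null when the login used SQL Server authentication
            throw new InvalidOperationException("Caller has no Windows identity.");

        WorkItem item = new WorkItem();
        item.Caller = caller;
        Thread worker = new Thread(new ParameterizedThreadStart(Run));
        worker.Start(item);
        worker.Join();        // block until done instead of spinning on ThreadState
        if (item.Error != null)
            throw new InvalidOperationException("Worker failed.", item.Error);
        return item.NameWhileImpersonating + " -> " + item.NameAfterRevert;
    }
}
```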