468,321 Members | 1,836 Online
Bytes | Developer Community
New Post

Home Posts Topics Members FAQ

Post your question to a community of 468,321 developers. It's quick & easy.

Change impersonated user during runtime

Hi all!

I have asp.net web application that uses static impersonation. Is it
possible to change the impersonated user during runtime? Within some parts
of my application I would like to impersonate another user in order to
access certain ressources and then switch back to the originally
impersonated user. How can I do this?

Thanks

Markus
Nov 17 '05 #1
5 2956
Can you explain where did LogonUser (see below ) come from

I looked in the List of APIs and could not find it??

[DllImport("advapi32.dll", SetLastError=true)]

public static extern bool LogonUser(String lpszUsername, String lpszDomain, String lpszPassword,

int dwLogonType, int dwLogonProvider, ref IntPtr TokenHandle);

Thank you

"S. Justin Gengo" <sj*****@aboutfortunate.com> wrote in message news:%2****************@TK2MSFTNGP12.phx.gbl...
Markus,

Here's an article about how to do this:

http://www.netomatix.com/ImpersonateUser.aspx

Sincerely,

--
S. Justin Gengo, MCP
Web Developer

Free code library at:
www.aboutfortunate.com

"Out of chaos comes order."
Nietzche


"Markus Stehle" <ma***********@web.de> wrote in message
news:eV**************@TK2MSFTNGP09.phx.gbl...
Hi all!

I have asp.net web application that uses static impersonation. Is it
possible to change the impersonated user during runtime? Within some parts
of my application I would like to impersonate another user in order to
access certain ressources and then switch back to the originally
impersonated user. How can I do this?

Thanks

Markus


Nov 17 '05 #2
Hi!

Thanks for the hints. What type of security hole might be created?
markus
"Ken Cox [Microsoft MVP]" <BA************@sympatico.ca> schrieb im
Newsbeitrag news:OX*************@tk2msftngp13.phx.gbl...
There's an example here that might get you started, but it seems to create a security hole.

http://msdn.microsoft.com/library/de...us/cpref/html/
frlrfsystemsecurityprincipalwindowsidentityclassim personatetopic.asp

--
Microsoft MVPs have a question for *you*: Are you patched against the Worm? http://www.microsoft.com/security/se...s/ms03-026.asp

"Markus Stehle" <ma***********@web.de> wrote in message
news:eV**************@TK2MSFTNGP09.phx.gbl...
Hi all!

I have asp.net web application that uses static impersonation. Is it
possible to change the impersonated user during runtime? Within some parts
of my application I would like to impersonate another user in order to
access certain ressources and then switch back to the originally
impersonated user. How can I do this?

Thanks

Markus

Nov 17 '05 #3
Hi Markus,

I don't know what the security risk is, I just know that the code sample
includes this warning:

' This sample can be run only on Windows XP. The default Windows 2000 security
policy
' prevents this sample from executing properly, and changing the policy to
allow
' proper execution presents a security risk.

Perhaps an Windows 2000 admin could help here?

Ken

--
Microsoft MVPs have a question for *you*: Are you patched against the Worm?
http://www.microsoft.com/security/se...s/ms03-026.asp

"Markus Stehle" <ma***********@web.de> wrote in message
news:OV**************@tk2msftngp13.phx.gbl...
Hi!

Thanks for the hints. What type of security hole might be created?
markus
"Ken Cox [Microsoft MVP]" <BA************@sympatico.ca> schrieb im
Newsbeitrag news:OX*************@tk2msftngp13.phx.gbl...
There's an example here that might get you started, but it seems to create a security hole.

http://msdn.microsoft.com/library/de...us/cpref/html/
frlrfsystemsecurityprincipalwindowsidentityclassim personatetopic.asp

--
Microsoft MVPs have a question for *you*: Are you patched against the Worm? http://www.microsoft.com/security/se...s/ms03-026.asp

"Markus Stehle" <ma***********@web.de> wrote in message
news:eV**************@TK2MSFTNGP09.phx.gbl...
Hi all!

I have asp.net web application that uses static impersonation. Is it
possible to change the impersonated user during runtime? Within some parts
of my application I would like to impersonate another user in order to
access certain ressources and then switch back to the originally
impersonated user. How can I do this?

Thanks

Markus


Nov 17 '05 #4
MSNews,

If you refer to the .Net framework documentation as the article suggests, you'll find that this is a reference to a sample code function within a class provided in that documentation:

[Visual Basic]
' This sample demonstrates the use of the WindowsIdentity class to impersonate a user.
' IMPORTANT NOTES:
' This sample can be run only on Windows XP. The default Windows 2000 security policy
' prevents this sample from executing properly, and changing the policy to allow
' proper execution presents a security risk.
' This sample requests the user to enter a password on the console screen.
' Because the console window does not support methods allowing the password to be masked,
' it will be visible to anyone viewing the screen.

Imports System
Imports System.Runtime.InteropServices
Imports System.Security.Principal
Imports System.Security.Permissions
Imports Microsoft.VisualBasic
<Assembly: SecurityPermissionAttribute(SecurityAction.Request Minimum, UnmanagedCode:=True), _
Assembly: PermissionSetAttribute(SecurityAction.RequestMinim um, Name:="FullTrust")>
Module Module1

Public Class ImpersonationDemo

Private Declare Auto Function LogonUser Lib "advapi32.dll" (ByVal lpszUsername As [String], _
ByVal lpszDomain As [String], ByVal lpszPassword As [String], _
ByVal dwLogonType As Integer, ByVal dwLogonProvider As Integer, _
ByRef phToken As IntPtr) As Boolean

<DllImport("kernel32.dll")> _
Public Shared Function FormatMessage(ByVal dwFlags As Integer, ByRef lpSource As IntPtr, _
ByVal dwMessageId As Integer, ByVal dwLanguageId As Integer, ByRef lpBuffer As [String], _
ByVal nSize As Integer, ByRef Arguments As IntPtr) As Integer

End Function

Public Declare Auto Function CloseHandle Lib "kernel32.dll" (ByVal handle As IntPtr) As Boolean
Public Declare Auto Function DuplicateToken Lib "advapi32.dll" (ByVal ExistingTokenHandle As IntPtr, _
ByVal SECURITY_IMPERSONATION_LEVEL As Integer, _
ByRef DuplicateTokenHandle As IntPtr) As Boolean

'GetErrorMessage formats and returns an error message
'corresponding to the input errorCode.
Public Shared Function GetErrorMessage(ByVal errorCode As Integer) As String
Dim FORMAT_MESSAGE_ALLOCATE_BUFFER As Integer = &H100
Dim FORMAT_MESSAGE_IGNORE_INSERTS As Integer = &H200
Dim FORMAT_MESSAGE_FROM_SYSTEM As Integer = &H1000

Dim messageSize As Integer = 255
Dim lpMsgBuf As String
Dim dwFlags As Integer = FORMAT_MESSAGE_ALLOCATE_BUFFER Or FORMAT_MESSAGE_FROM_SYSTEM Or FORMAT_MESSAGE_IGNORE_INSERTS

Dim ptrlpSource As IntPtr = IntPtr.Zero
Dim prtArguments As IntPtr = IntPtr.Zero

Dim retVal As Integer = FormatMessage(dwFlags, ptrlpSource, errorCode, 0, lpMsgBuf, _
messageSize, prtArguments)
If 0 = retVal Then
Throw New Exception("Failed to format message for error code " + errorCode.ToString() + ". ")
End If

Return lpMsgBuf
End Function 'GetErrorMessage
' Test harness.
' If you incorporate this code into a DLL, be sure to demand FullTrust.
<PermissionSetAttribute(SecurityAction.Demand, Name:="FullTrust")> _
Public Overloads Shared Sub Main(ByVal args() As String)

Dim tokenHandle As New IntPtr(0)
Dim dupeTokenHandle As New IntPtr(0)
Try
Dim UserName, MachineName As String

' Get the user token for the specified user, machine, and password using the
' unmanaged LogonUser method.
Console.Write("Enter the name of a machine on which to log on: ")
MachineName = Console.ReadLine()

Console.Write("Enter the login of a user on {0} that you wish to impersonate: ", MachineName)
UserName = Console.ReadLine()

Console.Write("Enter the password for {0}: ", UserName)

Const LOGON32_PROVIDER_DEFAULT As Integer = 0
'This parameter causes LogonUser to create a primary token.
Const LOGON32_LOGON_INTERACTIVE As Integer = 2
Const SecurityImpersonation As Integer = 2

tokenHandle = IntPtr.Zero
dupeTokenHandle = IntPtr.Zero

' Call LogonUser to obtain a handle to an access token.
Dim returnValue As Boolean = LogonUser(UserName, MachineName, Console.ReadLine(), LOGON32_LOGON_INTERACTIVE, LOGON32_PROVIDER_DEFAULT, tokenHandle)

Console.WriteLine("LogonUser called.")

If False = returnValue Then
Dim ret As Integer = Marshal.GetLastWin32Error()
Console.WriteLine("LogonUser failed with error code : {0}", ret)
Console.WriteLine(ControlChars.Cr + "Error: [{0}] {1}" + ControlChars.Cr, ret, GetErrorMessage(ret))

Return
End If

Dim success As String
If returnValue Then success = "Yes" Else success = "No"
Console.WriteLine(("Did LogonUser succeed? " + success))
Console.WriteLine(("Value of Windows NT token: " + tokenHandle.ToString()))

' Check the identity.
Console.WriteLine(("Before impersonation: " + WindowsIdentity.GetCurrent().Name))

Dim retVal As Boolean = DuplicateToken(tokenHandle, SecurityImpersonation, dupeTokenHandle)
If False = retVal Then
CloseHandle(tokenHandle)
Console.WriteLine("Exception thrown in trying to duplicate token.")
Return
End If

' TThe token that is passed to the following constructor must
' be a primary token in order to use it for impersonation.
Dim newId As New WindowsIdentity(dupeTokenHandle)
Dim impersonatedUser As WindowsImpersonationContext = newId.Impersonate()

' Check the identity.
Console.WriteLine(("After impersonation: " + WindowsIdentity.GetCurrent().Name))

' Stop impersonating the user.
impersonatedUser.Undo()

' Check the identity.
Console.WriteLine(("After Undo: " + WindowsIdentity.GetCurrent().Name))

' Free the tokens.
If Not System.IntPtr.op_Equality(tokenHandle, IntPtr.Zero) Then
CloseHandle(tokenHandle)
End If
If Not System.IntPtr.op_Equality(dupeTokenHandle, IntPtr.Zero) Then
CloseHandle(dupeTokenHandle)
End If
Catch ex As Exception
Console.WriteLine(("Exception occurred. " + ex.Message))
End Try
End Sub 'Main
End Class 'Class1
Sincerely,

--
S. Justin Gengo, MCP
Web Developer

Free code library at:
www.aboutfortunate.com

"Out of chaos comes order."
Nietzche
"MS News (MS ILM)" <sq**********@hotmail.com> wrote in message news:Oz**************@TK2MSFTNGP10.phx.gbl...
Can you explain where did LogonUser (see below ) come from

I looked in the List of APIs and could not find it??

[DllImport("advapi32.dll", SetLastError=true)]

public static extern bool LogonUser(String lpszUsername, String lpszDomain, String lpszPassword,

int dwLogonType, int dwLogonProvider, ref IntPtr TokenHandle);

Thank you

"S. Justin Gengo" <sj*****@aboutfortunate.com> wrote in message news:%2****************@TK2MSFTNGP12.phx.gbl...
Markus,

Here's an article about how to do this:

http://www.netomatix.com/ImpersonateUser.aspx

Sincerely,

--
S. Justin Gengo, MCP
Web Developer

Free code library at:
www.aboutfortunate.com

"Out of chaos comes order."
Nietzche


"Markus Stehle" <ma***********@web.de> wrote in message
news:eV**************@TK2MSFTNGP09.phx.gbl...
Hi all!

I have asp.net web application that uses static impersonation. Is it
possible to change the impersonated user during runtime? Within some parts
of my application I would like to impersonate another user in order to
access certain ressources and then switch back to the originally
impersonated user. How can I do this?

Thanks

Markus


Nov 17 '05 #5
Hi Markus,

Thanks for the info. Now we all know!

Ken
--
Microsoft MVPs have a question for *you*: Are you patched against the Worm?
http://www.microsoft.com/security/se...s/ms03-026.asp

"Markus Stehle" <ma***********@web.de> wrote in message
news:uh**************@TK2MSFTNGP09.phx.gbl...
Hi Ken!

As far as I know, LogonUser API requires SE_TCB_NAME privilege enabled for
the process when running on a non-XP operating system. For XP (and higher),
the API does not require this privlege to be set, the API itself takes care
for it.

So to make the sample work on a non-XP machine, one must set SE_TCB_NAME
which would lead to a security hole.
Markus

Nov 17 '05 #6

This discussion thread is closed

Replies have been disabled for this discussion.

Similar topics

2 posts views Thread by Grant Holdom | last post: by
reply views Thread by NPC403 | last post: by
1 post views Thread by howard w | last post: by
By using this site, you agree to our Privacy Policy and Terms of Use.