Alexander Anikin's blog

My personal blog

Impersonation


To change the current user you can use two types of impersonation: Windows impersonation (login name and password required) and Claims impersonation (UPN name required).

1. Windows Impersonation

        using System;
        using System.Runtime.InteropServices;

        // Logon types (the dwLogonType argument of LogonUser).
        public const int LOGON32_LOGON_INTERACTIVE = 2;
        public const int LOGON32_LOGON_NETWORK = 3;
        public const int LOGON32_LOGON_BATCH = 4;
        public const int LOGON32_LOGON_SERVICE = 5;
        public const int LOGON32_LOGON_UNLOCK = 7;
        public const int LOGON32_LOGON_NETWORK_CLEARTEXT = 8;
        public const int LOGON32_LOGON_NEW_CREDENTIALS = 9;
        // Logon provider (the dwLogonProvider argument of LogonUser).
        public const int LOGON32_PROVIDER_DEFAULT = 0;

        // Use the unmanaged LogonUser function to get the user token for
        // the specified user, domain, and password.
        [DllImport("advapi32.dll", SetLastError = true)]
        public static extern bool LogonUser(
            string lpszUsername,
            string lpszDomain,
            string lpszPassword,
            int dwLogonType,
            int dwLogonProvider,
            out IntPtr phToken   // token handle; release it with CloseHandle when done
            );

Then construct a WindowsIdentity from phToken and call WindowsIdentity.Impersonate().

Note 1: you can use whichever logon type fits your scenario.

Note 2: the assembly or executable !must! have this attribute:

[assembly: IsolatedStorageFilePermission(SecurityAction.RequestMinimum, UsageAllowed = IsolatedStorageContainment.AssemblyIsolationByUser)]
or
[assembly: PermissionSet(SecurityAction.RequestMinimum, Name="FullTrust")]
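As an added example (not code from the original post), here is the complete cycle the section describes: LogonUser, WindowsIdentity, Impersonate, Undo, CloseHandle. RunAs is a hypothetical helper, and the domain, account name and password in Main are placeholders.

```csharp
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;
using System.Security.Principal;
// Added example (not from the original post). RunAs is a hypothetical helper; the
// domain, user name and password in Main are placeholders.
static class ImpersonationExample
{
    const int LOGON32_LOGON_NETWORK = 3;
    const int LOGON32_PROVIDER_DEFAULT = 0;

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LogonUser(string lpszUsername, string lpszDomain, string lpszPassword,
                                 int dwLogonType, int dwLogonProvider, out IntPtr phToken);

    // The token LogonUser returns is a kernel handle; it leaks unless closed.
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr hObject);

    // Runs 'action' as the given account, then reverts the thread identity and
    // releases the token even if the action throws.
    public static void RunAs(string domain, string user, string password, int logonType, Action action)
    {
        IntPtr token;
        if (!LogonUser(user, domain, password, logonType, LOGON32_PROVIDER_DEFAULT, out token))
            // e.g. 1326 = bad user name or password; the password itself is never logged
            throw new Win32Exception(Marshal.GetLastWin32Error(), "LogonUser failed for " + domain + "\\" + user);
        try
        {
            WindowsIdentity identity = new WindowsIdentity(token);
            using (WindowsImpersonationContext ctx = identity.Impersonate())
            {
                action(); // runs under the logged-on user's token
            } // Dispose() calls Undo(): the thread is back to its original identity here
        }
        finally
        {
            CloseHandle(token); // WindowsIdentity duplicated the handle, so ours can go
        }
    }

    static void Main()
    {
        // LOGON32_LOGON_NETWORK caches no credentials (cheapest for a service), but the token
        // cannot authenticate to other machines; use LOGON32_LOGON_INTERACTIVE (2) for that.
        RunAs("CONTOSO", "svc_reader", "<password from a secure store>", LOGON32_LOGON_NETWORK,
              () => Console.WriteLine("Running as " + WindowsIdentity.GetCurrent().Name));
    }
}
```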
 
2. Claims Impersonation (using the C2WTS service)

This uses Windows Identity Foundation and the C2WTS (Claims to Windows Token Service) service.

Get the identity with WindowsIdentity wi = S4UClient.UpnLogon(userPrincipalName);

where userPrincipalName has the form user@domain.com.

Don't forget to change the <allowedCallers> section in C2WTS.exe.config (C:\Program Files\Windows Identity Foundation\v3.5), otherwise the service will refuse the call.

Then impersonate as in the first method.

Note: this type of impersonation yields a LOGON32_LOGON_NETWORK token only, so you may run into problems when accessing network resources under it.

Differences between the two logon types:

LOGON32_LOGON_INTERACTIVE
This logon type is intended for users who will be interactively using the computer, such as a user being logged on by a terminal server, remote shell, or similar process. This logon type has the additional expense of caching logon information for disconnected operations; therefore, it is inappropriate for some client/server applications, such as a mail server.
LOGON32_LOGON_NETWORK
This logon type is intended for high performance servers to authenticate plaintext passwords. The LogonUser function does not cache credentials for this logon type.

Written by Alex Anikin

November 2, 2010 at 9:32 am

Posted in Security

2 Responses


  1. It's such as you learn my thoughts! You appear to grasp so much about this, like you wrote the guide in it or something. I think that you could do with some p.c. to drive the message home a little bit, however other than that, this is a fantastic blog. A great read. I'll definitely be back.

    armatura,арматура

    November 5, 2011 at 2:19 pm

  2. Hi there everyone, it's my first go to see at this web page, and the post is really fruitful for me; keep up posting these articles or reviews.

