{"id":3263,"date":"2011-03-17T17:20:00","date_gmt":"2011-03-17T17:20:00","guid":{"rendered":"https:\/\/test.simple-talk.com\/uncategorized\/my-application-had-a-windowsidentity-crisis\/"},"modified":"2016-07-28T10:50:21","modified_gmt":"2016-07-28T10:50:21","slug":"my-application-had-a-windowsidentity-crisis","status":"publish","type":"post","link":"https:\/\/www.red-gate.com\/simple-talk\/blogs\/my-application-had-a-windowsidentity-crisis\/","title":{"rendered":"My application had a WindowsIdentity crisis"},"content":{"rendered":"

The project I have been working on this week to test computer environments needs to do various actions as a user other than the one running the application. For instance, it looks up an installed Windows Service, finds out who the startup user is, and tries to connect to a database as that Windows user. Later on, it will need to access a file in the context of the currently logged-in user. With ASP .NET, this is super-easy: just go into Web.Config and set up the “identity impersonate” node, which can either impersonate a named user or the one who had logged into the website if authentication was enabled. With Windows applications, this is not so straightforward. There may be something I am overlooking, but the limitation seems to be that you can only change the security context on the current thread: any threads spawned by the impersonated thread also inherit the impersonated credentials. Impersonation is easy enough to do, once you figure out how. Here is my code for impersonating a user on the current thread: <\/p>\n

    \n
  1.         using System;<\/li>\n
  2.         using System.ComponentModel;<\/li>\n
  3.         using System.Runtime.InteropServices;<\/li>\n
  4.         using System.Security.Principal;<\/li>\n
  5.         public class ImpersonateUser<\/li>\n
  6.         {<\/li>\n
  7.                 IntPtr userHandle;<\/li>\n
  8.   [DllImport(“advapi32.dll”, SetLastError = true)]<\/li>\n
  9.                 static extern bool LogonUser(<\/li>\n
  10.                         string lpszUsername,<\/li>\n
  11.                         string lpszDomain,<\/li>\n
  12.                         string lpszPassword,<\/li>\n
  13.                         LogonType dwLogonType,<\/li>\n
  14.                         LogonProvider dwLogonProvider,<\/li>\n
  15.                         out IntPtr phToken<\/li>\n
  16.                         );<\/li>\n
  17.  <\/li>\n
  18.  <\/li>\n
  19.                 [DllImport(“kernel32.dll”, SetLastError = true)]<\/li>\n
  20.                 static extern bool CloseHandle(IntPtr hHandle);<\/li>\n
  21.  <\/li>\n
  22.  <\/li>\n
  23.                 enum LogonType : int<\/li>\n
  24.                 {<\/li>\n
  25.                         Interactive = 2,<\/li>\n
  26.                         Network = 3,<\/li>\n
  27.                         Batch = 4,<\/li>\n
  28.                         Service = 5,<\/li>\n
  29.                         NetworkCleartext = 8,<\/li>\n
  30.                         NewCredentials = 9,<\/li>\n
  31.                 }<\/li>\n
  32.  <\/li>\n
  33.  <\/li>\n
  34.                 enum LogonProvider : int<\/li>\n
  35.                 {<\/li>\n
  36.                         Default = 0,<\/li>\n
  37.                 }<\/li>\n
  38.                 public static WindowsImpersonationContext Impersonate(string user, string domain, string password)<\/li>\n
  39.                 {<\/li>\n
  40.   IntPtr userHandle = IntPtr.Zero;<\/li>\n
  41.                         bool loggedOn = LogonUser(<\/li>\n
  42.                                 user,<\/li>\n
  43.                                 domain,<\/li>\n
  44.                                 password,<\/li>\n
  45.                                 LogonType.Interactive,<\/li>\n
  46.                                 LogonProvider.Default,<\/li>\n
  47.                                 out userHandle);<\/li>\n
  48.  <\/li>\n
  49.  <\/li>\n
  50.  <\/li>\n
  51.                         if (!loggedOn)<\/li>\n
  52.                         throw new Win32Exception(Marshal.GetLastWin32Error());<\/li>\n
  53.  <\/li>\n
  54.                         WindowsIdentity identity = new WindowsIdentity(userHandle);<\/li>\n
  55.                         WindowsPrincipal principal = new WindowsPrincipal(identity);<\/li>\n
  56.                         System.Threading.Thread.CurrentPrincipal = principal;<\/li>\n
  57.                         return identity.Impersonate();<\/li>\n
  58.   }<\/li>\n
  59.         }<\/li>\n
  60.  <\/li>\n
  61. \/* Call impersonation *\/<\/li>\n
  62. ImpersonateUser.Impersonate(“UserName”,”DomainName”,”Password”);<\/li>\n
  63. \/* When you want to go back to the original user *\/<\/li>\n
  64. WindowsIdentity.Impersonate(IntPtr.Zero);<\/li>\n<\/ol>\n

    When you want to stop impersonating, you can call Impersonate() again with a null pointer. This will allow you to simulate a variety of different Windows users from the same applicaiton.<\/p>\n","protected":false},"excerpt":{"rendered":"

    The project I have been working on this week to test computer environments needs to do various actions as a user other than the one running the application. For instance, it looks up an installed Windows Service, finds out who the startup user is, and tries to connect to a database as that Windows user….…<\/p>\n","protected":false},"author":27149,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[2],"tags":[],"coauthors":[],"class_list":["post-3263","post","type-post","status-publish","format-standard","hentry","category-blogs"],"acf":[],"_links":{"self":[{"href":"https:\/\/www.red-gate.com\/simple-talk\/wp-json\/wp\/v2\/posts\/3263","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.red-gate.com\/simple-talk\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.red-gate.com\/simple-talk\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.red-gate.com\/simple-talk\/wp-json\/wp\/v2\/users\/27149"}],"replies":[{"embeddable":true,"href":"https:\/\/www.red-gate.com\/simple-talk\/wp-json\/wp\/v2\/comments?post=3263"}],"version-history":[{"count":2,"href":"https:\/\/www.red-gate.com\/simple-talk\/wp-json\/wp\/v2\/posts\/3263\/revisions"}],"predecessor-version":[{"id":42006,"href":"https:\/\/www.red-gate.com\/simple-talk\/wp-json\/wp\/v2\/posts\/3263\/revisions\/42006"}],"wp:attachment":[{"href":"https:\/\/www.red-gate.com\/simple-talk\/wp-json\/wp\/v2\/media?parent=3263"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.red-gate.com\/simple-talk\/wp-json\/wp\/v2\/categories?post=3263"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.red-gate.com\/simple-talk\/wp-json\/wp\/v2\/tags?post=3263"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/www.red-gate.com\/simple-talk\/wp-json\/wp\/v2\/coauthors?post=3263"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}