How to use LogonUser properly to impersonate domain user from workgroup client

Question

ASP NET  Impersonate against a domain on VMWare  This question is what I am asking  but the answer does not provide details on how the  token is derived  It seems to only use WindowsIdentity GetCurrent   Token so there s no impersonation happening   Can I impersonate a user on a different Active Directory domain in  NET   This next question has conflicting answers  with the accepted one bearing a comment  I m beginning to suspect that my problem lies elsewhere    Not helpful   LogonUser works only for my domain  This next question seems to imply it is not possible  but it deals with 2 domains so I am not sure if it is relevant   My real question is    Is it possible  And if so  How  or Where did I go wrong    What I have tried so far is  using the code from http   msdn microsoft com en-us library chf6fbt4 28v VS 80 29 aspx  bool returnValue   LogonUser user  domain  password              LOGON32 LOGON NETWORK  LOGON32 PROVIDER DEFAULT              ref tokenHandle      after this point  returnValue   false   The Win32 error is     Logon failure  unknown user name or bad password

User · Answer

I have been successfull at impersonating users in another domain  but only with a trust set up between the 2 domains   var token   IntPtr Zero  var result   LogonUser userID  domain  password  LOGON32 LOGON INTERACTIVE  LOGON32 PROVIDER DEFAULT  ref token   if  result        return WindowsIdentity Impersonate token

User · Answer

Invalid login password could be also related to issues in your DNS server - that s what happened to me and cost me good 5 hours of my life  See if you can specify ip address instead on domain name

User · Answer

this works for me  full working example  I wish more people would do this      logon impersonation using System Runtime InteropServices     DllImport using System Security Principal     WindowsImpersonationContext using System Security Permissions     PermissionSetAttribute       class Program           obtains user token      DllImport  advapi32 dll   SetLastError   true       public static extern bool LogonUser string pszUsername  string pszDomain  string pszPassword          int dwLogonType  int dwLogonProvider  ref IntPtr phToken           closes open handes returned by LogonUser      DllImport  kernel32 dll   CharSet   CharSet Auto       public extern static bool CloseHandle IntPtr handle        public void DoWorkUnderImpersonation               elevate privileges before doing file copy to handle domain security         WindowsImpersonationContext impersonationContext   null          IntPtr userHandle   IntPtr Zero          const int LOGON32 PROVIDER DEFAULT   0          const int LOGON32 LOGON INTERACTIVE   2          string domain   ConfigurationManager AppSettings  ImpersonationDomain            string user   ConfigurationManager AppSettings  ImpersonationUser            string password   ConfigurationManager AppSettings  ImpersonationPassword             try               Console WriteLine  windows identify before impersonation      WindowsIdentity GetCurrent   Name                   if domain name was blank  assume local machine             if  domain                        domain   System Environment MachineName                  Call LogonUser to get a token for the user             bool loggedOn   LogonUser user                                          domain                                          password                                          LOGON32 LOGON INTERACTIVE                                          LOGON32 PROVIDER DEFAULT                                          ref userHandle                if   loggedOn                    Console WriteLine  Exception impersonating user  error code      Marshal GetLastWin32Error                     return                                Begin impersonating the user             impersonationContext   WindowsIdentity Impersonate userHandle                Console WriteLine  Main   windows identify after impersonation      WindowsIdentity GetCurrent   Name                  run the program with elevated privileges  like file copying from a domain server              DoWork               catch  Exception ex                Console WriteLine  Exception impersonating user      ex Message             finally                  Clean up             if  impersonationContext    null                    impersonationContext Undo                               if  userHandle    IntPtr Zero                    CloseHandle userHandle                                       private void DoWork               everything in here has elevated privileges            example access files on a network share through e           string   files   System IO Directory GetFiles     domainserver e  images      jpg

User · Answer

It s better to use a SecureString   var password   new SecureString    var phPassword phPassword   Marshal SecureStringToGlobalAllocUnicode password   IntPtr phUserToken  LogonUser username  domain  phPassword  LOGON32 LOGON INTERACTIVE   LOGON32 PROVIDER DEFAULT  out phUserToken     And   Marshal ZeroFreeGlobalAllocUnicode phPassword   password Dispose      Function definition   private static extern bool LogonUser    string pszUserName    string pszDomain    IntPtr pszPassword    int dwLogonType    int dwLogonProvider    out IntPtr phToken

User · Answer

Very few posts suggest using LOGON TYPE NEW CREDENTIALS instead of LOGON TYPE NETWORK or LOGON TYPE INTERACTIVE  I had an impersonation issue with one machine connected to a domain and one not  and this fixed it  The last code snippet in this post suggests that impersonating across a forest does work  but it doesn t specifically say anything about trust being set up  So this may be worth trying   const int LOGON TYPE NEW CREDENTIALS   9  const int LOGON32 PROVIDER WINNT50   3  bool returnValue   LogonUser user  domain  password              LOGON TYPE NEW CREDENTIALS  LOGON32 PROVIDER WINNT50              ref tokenHandle     MSDN says that LOGON TYPE NEW CREDENTIALS only works when using LOGON32 PROVIDER WINNT50

User · Answer

I was having the same problem  Don t know if you ve solved this or not  but what I was really trying to do was access a network share with AD credentials  WNetAddConnection2   is what you need to use in that case

[c#] How to use LogonUser properly to impersonate domain user from workgroup client

Examples related to c#

Examples related to .net

Examples related to winforms

Examples related to c#-2.0

Examples related to impersonation