How do you do Impersonation in NET

Question

Is there a simple out of the box way to impersonate a user in  NET   So far I ve been using this class from code project for all my impersonation requirements   Is there a better way to do it by using  NET Framework   I have a user credential set   username  password  domain name  which represents the identity I need to impersonate

User · Answer

You can use this solution   Use nuget package  The source code is available on   Github  https   github com michelcedric UserImpersonation  More detail https   michelcedric wordpress com 2015 09 03 usurpation-didentite-dun-user-c-user-impersonation

User · Answer

Here s my vb net port of Matt Johnson s answer  I added an enum for the logon types  LOGON32 LOGON INTERACTIVE was the first enum value that worked for sql server  My connection string was just trusted  No user name   password in the connection string      lt PermissionSet SecurityAction Demand  Name   FullTrust   gt      Public Class Impersonation     Implements IDisposable      Public Enum LogonTypes            lt summary gt            This logon type is intended for users who will be interactively using the computer  such as a user being logged on             by a terminal server  remote shell  or similar process            This logon type has the additional expense of caching logon information for disconnected operations             therefore  it is inappropriate for some client server applications            such as a mail server             lt  summary gt        LOGON32 LOGON INTERACTIVE   2             lt summary gt            This logon type is intended for high performance servers to authenticate plaintext passwords            The LogonUser function does not cache credentials for this logon type             lt  summary gt        LOGON32 LOGON NETWORK   3             lt summary gt            This logon type is intended for batch servers  where processes may be executing on behalf of a user without            their direct intervention  This type is also for higher performance servers that process many plaintext           authentication attempts at a time  such as mail or Web servers             The LogonUser function does not cache credentials for this logon type             lt  summary gt        LOGON32 LOGON BATCH   4             lt summary gt            Indicates a service-type logon  The account provided must have the service privilege enabled              lt  summary gt        LOGON32 LOGON SERVICE   5             lt summary gt            This logon type is for GINA DLLs that log on users who will be interactively using the computer             This logon type can generate a unique audit record that shows when the workstation was unlocked              lt  summary gt        LOGON32 LOGON UNLOCK   7             lt summary gt            This logon type preserves the name and password in the authentication package  which allows the server to make            connections to other network servers while impersonating the client  A server can accept plaintext credentials            from a client  call LogonUser  verify that the user can access the system across the network  and still            communicate with other servers            NOTE  Windows NT   This value is not supported              lt  summary gt        LOGON32 LOGON NETWORK CLEARTEXT   8             lt summary gt            This logon type allows the caller to clone its current token and specify new credentials for outbound connections            The new logon session has the same local identifier but uses different credentials for other network connections             NOTE  This logon type is supported only by the LOGON32 PROVIDER WINNT50 logon provider            NOTE  Windows NT   This value is not supported              lt  summary gt        LOGON32 LOGON NEW CREDENTIALS   9     End Enum       lt DllImport  advapi32 dll   SetLastError  True  CharSet  CharSet Unicode  gt        Private Shared Function LogonUser lpszUsername As  String   lpszDomain As  String   lpszPassword As  String   dwLogonType As Integer  dwLogonProvider As Integer  ByRef phToken As SafeTokenHandle  As Boolean     End Function      Public Sub New Domain As String  UserName As String  Password As String  Optional LogonType As LogonTypes   LogonTypes LOGON32 LOGON INTERACTIVE        Dim ok   LogonUser UserName  Domain  Password  LogonType  0   SafeTokenHandle        If Not ok Then         Dim errorCode   Marshal GetLastWin32Error           Throw New ApplicationException String Format  Could not impersonate the elevated user   LogonUser returned error code  0     errorCode         End If        WindowsImpersonationContext   WindowsIdentity Impersonate  SafeTokenHandle DangerousGetHandle        End Sub      Private ReadOnly  SafeTokenHandle As New SafeTokenHandle     Private ReadOnly WindowsImpersonationContext As WindowsImpersonationContext      Public Sub Dispose   Implements System IDisposable Dispose       Me WindowsImpersonationContext Dispose         Me  SafeTokenHandle Dispose       End Sub      Public NotInheritable Class SafeTokenHandle       Inherits SafeHandleZeroOrMinusOneIsInvalid         lt DllImport  kernel32 dll   gt           lt ReliabilityContract Consistency WillNotCorruptState  Cer Success  gt           lt SuppressUnmanagedCodeSecurity   gt          Private Shared Function CloseHandle handle As IntPtr  As  lt MarshalAs UnmanagedType Bool  gt  Boolean       End Function        Public Sub New           MyBase New True        End Sub        Protected Overrides Function ReleaseHandle   As Boolean         Return CloseHandle handle        End Function     End Class    End Class   You need to Use with a Using statement to contain some code to run impersonated

User · Answer

View more detail from my previous answer  I have created an nuget package Nuget  Code on Github  sample   you can use                string login                  string domain                  string password                   using  UserImpersonation user   new UserImpersonation login  domain  password                               if  user ImpersonateValidUser                                        File WriteAllText  test txt    your text                       Console WriteLine  File writed                                    else                                     Console WriteLine  User not connected                                    Vieuw the full code     using System  using System Runtime InteropServices  using System Security Principal         lt summary gt      Object to change the user authticated      lt  summary gt  public class UserImpersonation   IDisposable            lt summary gt          Logon method  check athetification  from advapi32 dll          lt  summary gt           lt param name  lpszUserName  gt  lt  param gt           lt param name  lpszDomain  gt  lt  param gt           lt param name  lpszPassword  gt  lt  param gt           lt param name  dwLogonType  gt  lt  param gt           lt param name  dwLogonProvider  gt  lt  param gt           lt param name  phToken  gt  lt  param gt           lt returns gt  lt  returns gt       DllImport  advapi32 dll        private static extern bool LogonUser String lpszUserName          String lpszDomain          String lpszPassword          int dwLogonType          int dwLogonProvider          ref IntPtr phToken             lt summary gt          Close          lt  summary gt           lt param name  handle  gt  lt  param gt           lt returns gt  lt  returns gt       DllImport  kernel32 dll   CharSet   CharSet Auto       public static extern bool CloseHandle IntPtr handle        private WindowsImpersonationContext  windowsImpersonationContext      private IntPtr  tokenHandle      private string  userName      private string  domain      private string  passWord       const int LOGON32 PROVIDER DEFAULT   0      const int LOGON32 LOGON INTERACTIVE   2            lt summary gt          Initialize a UserImpersonation          lt  summary gt           lt param name  userName  gt  lt  param gt           lt param name  domain  gt  lt  param gt           lt param name  passWord  gt  lt  param gt      public UserImpersonation string userName  string domain  string passWord                 userName   userName           domain   domain           passWord   passWord                  lt summary gt          Valiate the user inforamtion          lt  summary gt           lt returns gt  lt  returns gt      public bool ImpersonateValidUser                 bool returnValue   LogonUser  userName   domain   passWord                  LOGON32 LOGON INTERACTIVE  LOGON32 PROVIDER DEFAULT                  ref  tokenHandle            if  false    returnValue                        return false                     WindowsIdentity newId   new WindowsIdentity  tokenHandle            windowsImpersonationContext   newId Impersonate            return true              region IDisposable Members           lt summary gt          Dispose the UserImpersonation connection          lt  summary gt      public void Dispose                 if   windowsImpersonationContext    null               windowsImpersonationContext Undo            if   tokenHandle    IntPtr Zero              CloseHandle  tokenHandle               endregion

User · Answer

This is probably what you want   using System Security Principal  using WindowsIdentity GetCurrent   Impersonate             your code goes here     But I really need more details to  help you out  You could do impersonation with a config file  if you re trying to do this on a website   or through method decorators  attributes  if it s a WCF service  or through    you get the idea   Also  if we re talking about impersonating a client that called a particular service  or web app   you need to configure the client correctly so that it passes the appropriate tokens   Finally  if what you really want do is Delegation  you also need to setup AD correctly so that users and machines are trusted for delegation   Edit  Take a look here to see how to impersonate a different user  and for further documentation

User · Answer

I m aware that I m quite late for the party  but I consider that the library from Phillip Allan-Harding  it s the best one for this case and similar ones   You only need a small piece of code like this one   private const string LOGIN    mamy   private const string DOMAIN    mongo   private const string PASSWORD    HelloMongo2017    private void DBConnection         using  Impersonator user   new Impersonator LOGIN  DOMAIN  PASSWORD  LogonType LOGON32 LOGON NEW CREDENTIALS  LogonProvider LOGON32 PROVIDER WINNT50                   And add his class    NET  C   Impersonation with Network Credentials  My example can be used if you require the impersonated logon to have network credentials  but it has more options

User · Answer

Here is some good overview of  NET impersonation concepts    Michiel van Otegem  WindowsImpersonationContext made easy WindowsIdentity Impersonate Method  check out the code samples    Basically you will be leveraging these classes that are out of the box in the  NET framework    WindowsImpersonationContext  WindowsIdentity   The code can often get lengthy though and that is why you see many examples like the one you reference that try to simplify the process

User · Answer

Impersonation  in the  NET space generally means running code under a specific user account   It is a somewhat separate concept than getting access to that user account via a username and password  although these two ideas pair together frequently   I will describe them both  and then explain how to use my SimpleImpersonation library  which uses them internally   Impersonation  The APIs for impersonation are provided in  NET via the System Security Principal namespace    Newer code   NET 4 6    NET Core  etc   should generally use WindowsIdentity RunImpersonated  which accepts a handle to the token of the user account  and then either an Action or Func lt T gt  for the code to execute   WindowsIdentity RunImpersonated tokenHandle       gt           do whatever you want as this user        or  var result   WindowsIdentity RunImpersonated tokenHandle       gt           do whatever you want as this user      return result       Older code used the WindowsIdentity Impersonate method to retrieve a WindowsImpersonationContext object   This object implements IDisposable  so generally should be called from a using block   using  WindowsImpersonationContext context   WindowsIdentity Impersonate tokenHandle            do whatever you want as this user      While this API still exists in  NET Framework  it should generally be avoided  and is not available in  NET Core or  NET Standard    Accessing the User Account  The API for using a username and password to gain access to a user account in Windows is LogonUser - which is a Win32 native API   There is not currently a built-in  NET API for calling it  so one must resort to P Invoke    DllImport  advapi32 dll   SetLastError   true  CharSet   CharSet Unicode   internal static extern bool LogonUser String lpszUsername  String lpszDomain  String lpszPassword  int dwLogonType  int dwLogonProvider  out IntPtr phToken     This is the basic call definition  however there is a lot more to consider to actually using it in production    Obtaining a handle with the  safe  access pattern  Closing the native handles appropriately Code access security  CAS  trust levels  in  NET Framework only  Passing SecureString when you can collect one safely via user keystrokes    The amount of code to write to illustrate all of this is beyond what should be in a StackOverflow answer  IMHO   A Combined and Easier Approach  Instead of writing all of this yourself  consider using my SimpleImpersonation library  which combines impersonation and user access into a single API   It works well in both modern and older code bases  with the same simple API   var credentials   new UserCredentials domain  username  password   Impersonation RunAsUser credentials  logonType       gt           do whatever you want as this user         or  var credentials   new UserCredentials domain  username  password   var result   Impersonation RunAsUser credentials  logonType       gt           do whatever you want as this user      return something        Note that it is very similar to the WindowsIdentity RunImpersonated API  but doesn t require you know anything about token handles   This is the API as of version 3 0 0   See the project readme for more details   Also note that a previous version of the library used an API with the IDisposable pattern  similar to WindowsIdentity Impersonate   The newer version is much safer  and both are still used internally

[c#] How do you do Impersonation in .NET?

Examples related to c#

Examples related to .net

Examples related to impersonation