| Groups | Blog | Home |
dotnet sdk : run as a user.
I am trying to run impersonating another user (I prompt for the domain admin
uname & pw to use that). But when I ask for the CurrentPrincipal, it's still me, not the domain user. IntPtr tokenHandle = new IntPtr(0); bool returnValue = LogonUser(userName, domainName, password, LOGON32_LOGON_NETWORK, LOGON32_PROVIDER_DEFAULT, ref tokenHandle); if (returnValue == false) throw new Exception("Windows logon Error: " + Marshal.GetLastWin32Error()); WindowsIdentity identity = new WindowsIdentity(tokenHandle); WindowsImpersonationContext impersonationContext = identity.Impersonate(); // xx is still me object xx = Thread.CurrentPrincipal; -- thanks - dave david_at_windward_dot_net http://www.windwardreports.com Cubicle Wars - http://www.windwardreports.com/film.htm
Yes I have:
AppDomain.CurrentDomain.SetPrincipalPolicy(PrincipalPolicy.WindowsPrincipal); 3rd line of code in my main before any form is even instantiated. -- thanks - dave david_at_windward_dot_net http://www.windwardreports.com Cubicle Wars - http://www.windwardreports.com/film.htm [quoted text, click to view] "Willy Denoyette [MVP]" wrote:
> "David Thielen" <thielen@nospam.nospam> wrote in message > news:6F5B5217-4006-4468-84B2-C89F85C0F5E3@microsoft.com... > >I am trying to run impersonating another user (I prompt for the domain admin > > uname & pw to use that). But when I ask for the CurrentPrincipal, it's still > > me, not the domain user. > > > > IntPtr tokenHandle = new IntPtr(0); > > bool returnValue = LogonUser(userName, domainName, > > password, LOGON32_LOGON_NETWORK, LOGON32_PROVIDER_DEFAULT, > > ref tokenHandle); > > if (returnValue == false) > > throw new Exception("Windows logon Error: " + Marshal.GetLastWin32Error()); > > WindowsIdentity identity = new WindowsIdentity(tokenHandle); > > WindowsImpersonationContext impersonationContext = identity.Impersonate(); > > > > // xx is still me > > object xx = Thread.CurrentPrincipal; > > > > -- > > thanks - dave > > david_at_windward_dot_net > > http://www.windwardreports.com > > > > Cubicle Wars - http://www.windwardreports.com/film.htm > > > > > > > Did you set the PrincipalPolicy for the AppDomain to WindowsPrincipal, before creating a new > WindowsIdentity? > > AppDomain.CurrentDomain.SetPrincipalPolicy(PrincipalPolicy.WindowsPrincipal); > //Logon user here > > Willy. > > >
Here you go. Same issue - list the Name as me, not sa (I use sa instead of
administrator for our domain admin username). using System; using System.Runtime.InteropServices; using System.Security.Principal; using System.Threading; namespace TestImpersonate { class Program { [DllImport("advapi32.dll", SetLastError = true)] public static extern bool LogonUser(String lpszUsername, String lpszDomain, String lpszPassword, int dwLogonType, int dwLogonProvider, ref IntPtr phToken); [DllImport("kernel32.dll", CharSet = CharSet.Auto)] public extern static bool CloseHandle(IntPtr handle); const int LOGON32_PROVIDER_DEFAULT = 0; const int LOGON32_LOGON_NETWORK = 3; static void Main(string[] args) { string username = "sa"; string password = "*****"; AppDomain.CurrentDomain.SetPrincipalPolicy(PrincipalPolicy.WindowsPrincipal); string domainName = Thread.CurrentPrincipal.Identity.Name; domainName = domainName.Substring(0, domainName.IndexOf('\\')); IntPtr tokenHandle = new IntPtr(0); bool returnValue = LogonUser(username, domainName, password, LOGON32_LOGON_NETWORK, LOGON32_PROVIDER_DEFAULT, ref tokenHandle); if (returnValue == false) throw new Exception("Windows logon Error: " + Marshal.GetLastWin32Error()); WindowsIdentity identity = new WindowsIdentity(tokenHandle); WindowsImpersonationContext impersonationContext = identity.Impersonate(); IPrincipal prin = Thread.CurrentPrincipal; Console.Out.WriteLine("user = " + prin.Identity.Name); impersonationContext.Undo(); impersonationContext.Dispose(); CloseHandle(tokenHandle); } } } -- thanks - dave david_at_windward_dot_net http://www.windwardreports.com Cubicle Wars - http://www.windwardreports.com/film.htm
I just tried WindowsIdentity.GetCurrent().Name - it does give sa. Why the
difference? -- thanks - dave david_at_windward_dot_net http://www.windwardreports.com Cubicle Wars - http://www.windwardreports.com/film.htm [quoted text, click to view] "David Thielen" wrote:
> Here you go. Same issue - list the Name as me, not sa (I use sa instead of > administrator for our domain admin username). > > using System; > using System.Runtime.InteropServices; > using System.Security.Principal; > using System.Threading; > > namespace TestImpersonate > { > class Program > { > [DllImport("advapi32.dll", SetLastError = true)] > public static extern bool LogonUser(String lpszUsername, String > lpszDomain, String lpszPassword, > int dwLogonType, int dwLogonProvider, ref IntPtr phToken); > [DllImport("kernel32.dll", CharSet = CharSet.Auto)] > public extern static bool CloseHandle(IntPtr handle); > > const int LOGON32_PROVIDER_DEFAULT = 0; > const int LOGON32_LOGON_NETWORK = 3; > > static void Main(string[] args) > { > string username = "sa"; > string password = "*****"; > > AppDomain.CurrentDomain.SetPrincipalPolicy(PrincipalPolicy.WindowsPrincipal); > string domainName = Thread.CurrentPrincipal.Identity.Name; > domainName = domainName.Substring(0, domainName.IndexOf('\\')); > > IntPtr tokenHandle = new IntPtr(0); > bool returnValue = LogonUser(username, domainName, password, > LOGON32_LOGON_NETWORK, LOGON32_PROVIDER_DEFAULT, > ref tokenHandle); > if (returnValue == false) > throw new Exception("Windows logon Error: " + > Marshal.GetLastWin32Error()); > > WindowsIdentity identity = new WindowsIdentity(tokenHandle); > WindowsImpersonationContext impersonationContext = identity.Impersonate(); > > IPrincipal prin = Thread.CurrentPrincipal; > Console.Out.WriteLine("user = " + prin.Identity.Name); > > impersonationContext.Undo(); > impersonationContext.Dispose(); > CloseHandle(tokenHandle); > > } > } > } > > > -- > thanks - dave > david_at_windward_dot_net > http://www.windwardreports.com > > Cubicle Wars - http://www.windwardreports.com/film.htm
[quoted text, click to view]
"David Thielen" <thielen@nospam.nospam> wrote in message news:6F5B5217-4006-4468-84B2-C89F85C0F5E3@microsoft.com... >I am trying to run impersonating another user (I prompt for the domain admin > uname & pw to use that). But when I ask for the CurrentPrincipal, it's still > me, not the domain user. > > IntPtr tokenHandle = new IntPtr(0); > bool returnValue = LogonUser(userName, domainName, > password, LOGON32_LOGON_NETWORK, LOGON32_PROVIDER_DEFAULT, > ref tokenHandle); > if (returnValue == false) > throw new Exception("Windows logon Error: " + Marshal.GetLastWin32Error()); > WindowsIdentity identity = new WindowsIdentity(tokenHandle); > WindowsImpersonationContext impersonationContext = identity.Impersonate(); > > // xx is still me > object xx = Thread.CurrentPrincipal; > > -- > thanks - dave > david_at_windward_dot_net > http://www.windwardreports.com > > Cubicle Wars - http://www.windwardreports.com/film.htm > > Did you set the PrincipalPolicy for the AppDomain to WindowsPrincipal, before creating a new WindowsIdentity? AppDomain.CurrentDomain.SetPrincipalPolicy(PrincipalPolicy.WindowsPrincipal); //Logon user here Willy.
Hi Dave,
Neither Impersonate nor Undo changes the Principal object associated with the current call context. Rather, impersonation and reverting change the token associated with the current operating system process: #Impersonating and Reverting http://msdn2.microsoft.com/en-gb/library/aa720152(VS.71).aspx The identity object encapsulates information about the user or entity being validated. The principal object represents the security context under which code is running. #Principal and Identity Objects http://msdn2.microsoft.com/en-gb/library/aa720421(VS.71).aspx You may find following article useful to understand the concepts: #WhatIsAToken http://www.pluralsight.com/wiki/default.aspx/Keith.GuideBook/WhatIsAToken.ht ml Regards, Walter Wang (wawang@online.microsoft.com, remove 'online.') Microsoft Online Community Support ================================================== When responding to posts, please "Reply to Group" via your newsreader so that others may learn and benefit from your issue. ================================================== This posting is provided "AS IS" with no warranties, and confers no rights.
To associate the impersonated WindowsIdentity to Thread.CurrentPrincipal:
Thread.CurrentPrincipal = new WindowsPrincipal(identity); Regards, Walter Wang (wawang@online.microsoft.com, remove 'online.') Microsoft Online Community Support ================================================== When responding to posts, please "Reply to Group" via your newsreader so that others may learn and benefit from your issue. ================================================== This posting is provided "AS IS" with no warranties, and confers no rights.
Hi Dave,
Your code works correctly on my side, after impersonation, Thread.CurrentPrincipal.Identity.Name correctly shows the impersonated user's name. Is it possible to create a small reproducible project and send it to me? Thanks. My test environment is: Visual Studio 2005, Windows XP SP2. Sincerely, Walter Wang (wawang@online.microsoft.com, remove 'online.') Microsoft Online Community Support ================================================== Get notification to my posts through email? Please refer to http://msdn.microsoft.com/subscriptions/managednewsgroups/default.aspx#notif ications. If you are using Outlook Express, please make sure you clear the check box "Tools/Options/Read: Get 300 headers at a time" to see your reply promptly. Note: The MSDN Managed Newsgroup support offering is for non-urgent issues where an initial response from the community or a Microsoft Support Engineer within 1 business day is acceptable. Please note that each follow up response may take approximately 2 business days as the support professional working with you may need further investigation to reach the most efficient resolution. The offering is not appropriate for situations that require urgent, real-time or phone-based interactions or complex project analysis and dump analysis issues. Issues of this nature are best handled working with a dedicated Microsoft Support Engineer by contacting Microsoft Customer Support Services (CSS) at http://msdn.microsoft.com/subscriptions/support/default.aspx. ================================================== This posting is provided "AS IS" with no warranties, and confers no rights.
I guess that makes sense - thanks
-- thanks - dave david_at_windward_dot_net http://www.windwardreports.com Cubicle Wars - http://www.windwardreports.com/film.htm [quoted text, click to view] "Walter Wang [MSFT]" wrote:
> Hi Dave, > > Neither Impersonate nor Undo changes the Principal object associated with > the current call context. Rather, impersonation and reverting change the > token associated with the current operating system process: > > #Impersonating and Reverting > http://msdn2.microsoft.com/en-gb/library/aa720152(VS.71).aspx > > > The identity object encapsulates information about the user or entity being > validated. The principal object represents the security context under which > code is running. > > #Principal and Identity Objects > http://msdn2.microsoft.com/en-gb/library/aa720421(VS.71).aspx > > You may find following article useful to understand the concepts: > > #WhatIsAToken > http://www.pluralsight.com/wiki/default.aspx/Keith.GuideBook/WhatIsAToken.ht > ml > > > > Regards, > Walter Wang (wawang@online.microsoft.com, remove 'online.') > Microsoft Online Community Support > > ================================================== > When responding to posts, please "Reply to Group" via your newsreader so > that others may learn and benefit from your issue. > ================================================== > > This posting is provided "AS IS" with no warranties, and confers no rights. >
Hi;
Ok, I added Thread.CurrentPrincipal = new WindowsPrincipal(identity); but I still get an error when calling this code (2nd line): DirectoryEntry dom = new DirectoryEntry(); DirectoryEntry group = dom.Children.Add("CN=" + activeDirGroups[ind], "group"); The above code works fine if I am running as the Domain Admin and don't have to do the impersonate thing. But when I try to do it while impersonating, I get an error. Any ideas? -- thanks - dave david_at_windward_dot_net http://www.windwardreports.com Cubicle Wars - http://www.windwardreports.com/film.htm [quoted text, click to view] "Walter Wang [MSFT]" wrote:
> To associate the impersonated WindowsIdentity to Thread.CurrentPrincipal: > > Thread.CurrentPrincipal = new WindowsPrincipal(identity); > > > > Regards, > Walter Wang (wawang@online.microsoft.com, remove 'online.') > Microsoft Online Community Support > > ================================================== > When responding to posts, please "Reply to Group" via your newsreader so > that others may learn and benefit from your issue. > ================================================== > > This posting is provided "AS IS" with no warranties, and confers no rights. >
That solved it - thank you. (It also makes sense that impersonation can't go
over the network now that you mention it.) One last question. I do the following. Is this best? Or is there a way to pass in the LDAP url for the Active Directory on the domain on: DirectoryEntry dom = new DirectoryEntry(); dom.Username = "sa"; dom.Password = "*****"; DirectoryEntry group = dom.Children.Add("CN=My New Group", "group"); group.Properties["samAccountName"].Value = "My New Group"; group.Properties["description"].Value = "all about me"; group.CommitChanges(); -- thanks - dave david_at_windward_dot_net http://www.windwardreports.com Cubicle Wars - http://www.windwardreports.com/film.htm [quoted text, click to view] "Willy Denoyette [MVP]" wrote:
> "David Thielen" <thielen@nospam.nospam> wrote in message > news:70688DD2-8753-43AC-8CC4-80CA7057DE49@microsoft.com... > > Hi; > > > > Ok, I added Thread.CurrentPrincipal = new WindowsPrincipal(identity); but I > > still get an error when calling this code (2nd line): > > DirectoryEntry dom = new DirectoryEntry(); > > DirectoryEntry group = dom.Children.Add("CN=" + activeDirGroups[ind], > > "group"); > > > > The above code works fine if I am running as the Domain Admin and don't have > > to do the impersonate thing. But when I try to do it while impersonating, I > > get an error. > > > > > LOGON32_LOGON_NETWORK cannot be used to acces the network, please read the LogonUser > function description in the SDK doc's. There is no need to impersonate either, all you have > to do is use a DirectoryEntry constructor overload that takes the credentials of the user > with appropriate privileges to access the AD. > > Willy. > >
[quoted text, click to view]
"David Thielen" <thielen@nospam.nospam> wrote in message news:0953120E-54F6-473C-950C-102658857F85@microsoft.com... >I just tried WindowsIdentity.GetCurrent().Name - it does give sa. Why the > difference? > There isn't any difference, both should return the same principal name, unless Impersonate had failed. Willy.
[quoted text, click to view]
"David Thielen" <thielen@nospam.nospam> wrote in message news:70688DD2-8753-43AC-8CC4-80CA7057DE49@microsoft.com... > Hi; > > Ok, I added Thread.CurrentPrincipal = new WindowsPrincipal(identity); but I > still get an error when calling this code (2nd line): > DirectoryEntry dom = new DirectoryEntry(); > DirectoryEntry group = dom.Children.Add("CN=" + activeDirGroups[ind], > "group"); > > The above code works fine if I am running as the Domain Admin and don't have > to do the impersonate thing. But when I try to do it while impersonating, I > get an error. > LOGON32_LOGON_NETWORK cannot be used to acces the network, please read the LogonUser function description in the SDK doc's. There is no need to impersonate either, all you have to do is use a DirectoryEntry constructor overload that takes the credentials of the user with appropriate privileges to access the AD. Willy.
Don't see what you're looking for? Try a search.
|
June 2003
July 2003
August 2003
September 2003
October 2003
November 2003
December 2003
January 2004
February 2004
March 2004
April 2004
May 2004
June 2004
July 2004
August 2004
September 2004
October 2004
November 2004
December 2004
January 2005
February 2005
March 2005
April 2005
May 2005
June 2005
July 2005
August 2005
September 2005
October 2005
November 2005
December 2005
January 2006
February 2006
March 2006
April 2006
May 2006
June 2006
July 2006
August 2006
September 2006
October 2006
November 2006
December 2006
January 2007
February 2007
March 2007
April 2007
May 2007
June 2007
July 2007
August 2007
September 2007
October 2007
November 2007
December 2007
January 2008
February 2008
March 2008
April 2008
May 2008
June 2008
| home · blog · groups | Questions? Comments? Contact the dn |