Impersonation and UNC shares in a windows service


Impersonation and UNC shares in a windows service Chris
9/30/2004 8:58:26 AM
Hello all,
Here is my problem. I have a windows service (C#) that is supposed to move files from/to the local drive to/from a UNC share (\\domainserver\share). The service is running on a Win3k server not connected to a domain, as a local user. The service impersonates a local user (on domainserver) that has full permissions to that share. Any File.Move, File.Copy operations are successful. Any Directory.GetFiles fail with "Logon failure: unknown user name or bad password", stack trace is:

Exception stack trace:
at System.IO.__Error.WinIOError(Int32 errorCode, String str)
at System.IO.Directory.InternalGetFileDirectoryNames(String fullPath, String userPath, Boolean file)
at System.IO.Directory.InternalGetFiles(String path, String userPath, String searchPattern)
at System.IO.Directory.GetFiles(String path, String searchPattern)

The call succeeds if I run the service under a local account with the same user name/pwd or if the server is connected to the domain and the service runs as any domain account.
The impersonation code is similar to the samples from MSDN (sorry about the formatting):
using System;
using System.Runtime.InteropServices;
using System.Security.Principal;

public class Impersonator
{
    // Values from WinBase.h; the enums and P/Invoke declarations were not included in the post.
    public enum LogonType { LOGON32_LOGON_NEW_CREDENTIALS = 9 }
    public enum LogonProvider { LOGON32_PROVIDER_DEFAULT = 0 }

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LogonUser(string lpszUsername, string lpszDomain, string lpszPassword,
        int dwLogonType, int dwLogonProvider, ref IntPtr phToken);

    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool DuplicateToken(IntPtr ExistingTokenHandle, int SECURITY_IMPERSONATION_LEVEL,
        ref IntPtr DuplicateTokenHandle);

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr handle);

    public static void ImpersonateUser(string domainName, string userName, string password)
    {
        IntPtr tokenHandle = IntPtr.Zero;
        IntPtr dupeTokenHandle = IntPtr.Zero;
        try
        {
            // Get the user token for the specified user, domain, and password using the
            // unmanaged LogonUser method.
            const int SecurityImpersonation = 2;

            // Call LogonUser to obtain a handle to an access token.
            // Note: MSDN documents LOGON32_LOGON_NEW_CREDENTIALS as supported only by the
            // LOGON32_PROVIDER_WINNT50 (3) provider; this code passes LOGON32_PROVIDER_DEFAULT.
            bool returnValue = LogonUser(userName, domainName, password,
                (int)LogonType.LOGON32_LOGON_NEW_CREDENTIALS,
                (int)LogonProvider.LOGON32_PROVIDER_DEFAULT, ref tokenHandle);

            if (!returnValue)
            {
                int ret = Marshal.GetLastWin32Error();
                // Win32Exception looks up the system message for the error code itself.
                throw new System.ComponentModel.Win32Exception(ret);
            }

            // Duplicate the token as an impersonation-level token.
            bool retVal = DuplicateToken(tokenHandle, SecurityImpersonation, ref dupeTokenHandle);

            if (!retVal)
            {
                throw new ApplicationException("Exception thrown in trying to duplicate token.");
            }

            // The token that is passed to the following constructor must
            // be a primary token in order to use it for impersonation.
            WindowsIdentity newId = new WindowsIdentity(dupeTokenHandle);
            WindowsImpersonationContext impersonatedUser = newId.Impersonate();

            try
            {
                // do stuff: the File.Move / File.Copy / Directory.GetFiles calls against the share
            }
            finally
            {
                // Stop impersonating the user, even if the work above threw.
                impersonatedUser.Undo();
            }
        }
        finally
        {
            // Free the tokens on every path (success, LogonUser failure, DuplicateToken failure).
            if (tokenHandle != IntPtr.Zero)
                CloseHandle(tokenHandle);
            if (dupeTokenHandle != IntPtr.Zero)
                CloseHandle(dupeTokenHandle);
        }
    }
}

Thanks a lot for any help or ideas,
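An added diagnostic, not from the thread or from the poster's service: a small Windows console program that logs on with LOGON32_LOGON_NEW_CREDENTIALS (using the LOGON32_PROVIDER_WINNT50 provider MSDN lists for that logon type), impersonates the token, and then runs the two kinds of operation from the post (Directory.GetFiles and File.Copy) against the same share so each one's outcome is reported side by side. It assumes .NET Framework 3.5 or later, a command line of the form "ShareProbe \\server\share user domain password" (hypothetical argument layout), and that the share permits creating and deleting a probe file.

```csharp
using System;
using System.ComponentModel;
using System.IO;
using System.Runtime.InteropServices;
using System.Security.Principal;

static class ShareProbe
{
    // Constants from WinBase.h. MSDN documents NEW_CREDENTIALS as supported only by WINNT50.
    const int LOGON32_LOGON_NEW_CREDENTIALS = 9;
    const int LOGON32_PROVIDER_WINNT50 = 3;
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LogonUser(string user, string domain, string password,
                                 int logonType, int logonProvider, out IntPtr token);
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr handle);

    // Runs one file operation and reports its outcome, so every call is tried
    // instead of the first failure aborting the probe.
    static string Probe(string label, Action op)
    {
        try { op(); return label + ": ok"; }
        catch (Exception ex) { return label + ": " + ex.GetType().Name + ": " + ex.Message; }
    }

    static void Main(string[] args)
    {
        // Arguments (assumed layout): UNC share, user name, that user's domain or host, password.
        string share = args[0], user = args[1], domain = args[2], password = args[3];
        IntPtr token;
        if (!LogonUser(user, domain, password, LOGON32_LOGON_NEW_CREDENTIALS,
                       LOGON32_PROVIDER_WINNT50, out token))
            throw new Win32Exception(Marshal.GetLastWin32Error());
        try
        {
            using (WindowsIdentity.Impersonate(token))
            {
                // A NEW_CREDENTIALS token clones the caller's token: locally the thread still
                // reports the service account; the new credentials apply only to outbound SMB.
                Console.WriteLine("thread identity: " + WindowsIdentity.GetCurrent().Name);
                string local = Path.GetTempFileName();
                string remote = Path.Combine(share, Path.GetFileName(local));
                Console.WriteLine(Probe("GetFiles", () => Directory.GetFiles(share)));
                Console.WriteLine(Probe("Copy", () => File.Copy(local, remote, true)));
                Console.WriteLine(Probe("Delete", () => { File.Delete(remote); File.Delete(local); }));
            }
        }
        finally { CloseHandle(token); }
    }
}
```

Running it as the same local account the service uses shows whether GetFiles and Copy really behave differently under one token, and the printed thread identity confirms that the NEW_CREDENTIALS token has not changed the local identity.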
Re: Impersonation and UNC shares in a windows service richlm
9/30/2004 11:21:24 PM
I'm a bit unsure what you mean by your sentence "The service impersonates a local user (on domainserver) that has full permissions to that share".

You can either impersonate a local user (on the server where the code is
running) or a domain account. Not a "local" user on another server - the
scenario where this might appear to be the case is with mirrored accounts
where the local username+password are the same.

I can't explain why file move/copy works but not GetFiles - I would expect
all or nothing.

Thoughts/comments/ideas:
- Any impersonation of windows users has to take place inside the domain
- Maybe WebDAV provides a solution?

hope this helps.
Richard.
