 |
 | Home | Contact Us | FAQ | Search & Site Map | Link to Us |
 | Sign In | Join | Other 45 Sites in Network |
.NET Forum / .NET Framework / .NET SDK / November 2006run as a user.
I am trying to run impersonating another user (I prompt for the domain admin uname & pw to use that). But when I ask for the CurrentPrincipal, it's still me, not the domain user. IntPtr tokenHandle = new IntPtr(0); bool returnValue = LogonUser(userName, domainName, password, LOGON32_LOGON_NETWORK, LOGON32_PROVIDER_DEFAULT, ref tokenHandle); if (returnValue == false) throw new Exception("Windows logon Error: " + Marshal.GetLastWin32Error()); WindowsIdentity identity = new WindowsIdentity(tokenHandle); WindowsImpersonationContext impersonationContext = identity.Impersonate(); // xx is still me object xx = Thread.CurrentPrincipal;  Signaturethanks - dave david_at_windward_dot_net http://www.windwardreports.com Cubicle Wars - http://www.windwardreports.com/film.htm >I am trying to run impersonating another user (I prompt for the domain admin > uname & pw to use that). But when I ask for the CurrentPrincipal, it's still [quoted text clipped - 11 lines] > // xx is still me > object xx = Thread.CurrentPrincipal; Did you set the PrincipalPolicy for the AppDomain to WindowsPrincipal, before creating a new WindowsIdentity? AppDomain.CurrentDomain.SetPrincipalPolicy(PrincipalPolicy.WindowsPrincipal); //Logon user here Willy. Yes I have: AppDomain.CurrentDomain.SetPrincipalPolicy(PrincipalPolicy.WindowsPrincipal); 3rd line of code in my main before any form is even instantiated. Signaturethanks - dave david_at_windward_dot_net http://www.windwardreports.com Cubicle Wars - http://www.windwardreports.com/film.htm > >I am trying to run impersonating another user (I prompt for the domain admin > > uname & pw to use that). But when I ask for the CurrentPrincipal, it's still [quoted text clipped - 19 lines] > > Willy. Hi Dave, Your code works correctly on my side, after impersonation, Thread.CurrentPrincipal.Identity.Name correctly shows the impersonated user's name. Is it possible to create a small reproducible project and send it to me? Thanks. My test environment is: Visual Studio 2005, Windows XP SP2. Sincerely, Walter Wang (wawang@online.microsoft.com, remove 'online.') Microsoft Online Community Support ================================================== Get notification to my posts through email? Please refer to http://msdn.microsoft.com/subscriptions/managednewsgroups/default.aspx#notif ications. If you are using Outlook Express, please make sure you clear the check box "Tools/Options/Read: Get 300 headers at a time" to see your reply promptly. Note: The MSDN Managed Newsgroup support offering is for non-urgent issues where an initial response from the community or a Microsoft Support Engineer within 1 business day is acceptable. Please note that each follow up response may take approximately 2 business days as the support professional working with you may need further investigation to reach the most efficient resolution. The offering is not appropriate for situations that require urgent, real-time or phone-based interactions or complex project analysis and dump analysis issues. Issues of this nature are best handled working with a dedicated Microsoft Support Engineer by contacting Microsoft Customer Support Services (CSS) at http://msdn.microsoft.com/subscriptions/support/default.aspx. ================================================== This posting is provided "AS IS" with no warranties, and confers no rights. Here you go. Same issue - list the Name as me, not sa (I use sa instead of administrator for our domain admin username). using System; using System.Runtime.InteropServices; using System.Security.Principal; using System.Threading; namespace TestImpersonate { class Program { [DllImport("advapi32.dll", SetLastError = true)] public static extern bool LogonUser(String lpszUsername, String lpszDomain, String lpszPassword, int dwLogonType, int dwLogonProvider, ref IntPtr phToken); [DllImport("kernel32.dll", CharSet = CharSet.Auto)] public extern static bool CloseHandle(IntPtr handle); const int LOGON32_PROVIDER_DEFAULT = 0; const int LOGON32_LOGON_NETWORK = 3; static void Main(string[] args) { string username = "sa"; string password = "*****"; AppDomain.CurrentDomain.SetPrincipalPolicy(PrincipalPolicy.WindowsPrincipal); string domainName = Thread.CurrentPrincipal.Identity.Name; domainName = domainName.Substring(0, domainName.IndexOf('\\')); IntPtr tokenHandle = new IntPtr(0); bool returnValue = LogonUser(username, domainName, password, LOGON32_LOGON_NETWORK, LOGON32_PROVIDER_DEFAULT, ref tokenHandle); if (returnValue == false) throw new Exception("Windows logon Error: " + Marshal.GetLastWin32Error()); WindowsIdentity identity = new WindowsIdentity(tokenHandle); WindowsImpersonationContext impersonationContext = identity.Impersonate(); IPrincipal prin = Thread.CurrentPrincipal; Console.Out.WriteLine("user = " + prin.Identity.Name); impersonationContext.Undo(); impersonationContext.Dispose(); CloseHandle(tokenHandle); } } } Signaturethanks - dave david_at_windward_dot_net http://www.windwardreports.com Cubicle Wars - http://www.windwardreports.com/film.htm I just tried WindowsIdentity.GetCurrent().Name - it does give sa. Why the difference? Signaturethanks - dave david_at_windward_dot_net http://www.windwardreports.com Cubicle Wars - http://www.windwardreports.com/film.htm > Here you go. Same issue - list the Name as me, not sa (I use sa instead of > administrator for our domain admin username). [quoted text clipped - 48 lines] > } > } Hi Dave, Neither Impersonate nor Undo changes the Principal object associated with the current call context. Rather, impersonation and reverting change the token associated with the current operating system process: #Impersonating and Reverting http://msdn2.microsoft.com/en-gb/library/aa720152(VS.71).aspx The identity object encapsulates information about the user or entity being validated. The principal object represents the security context under which code is running. #Principal and Identity Objects http://msdn2.microsoft.com/en-gb/library/aa720421(VS.71).aspx You may find following article useful to understand the concepts: #WhatIsAToken http://www.pluralsight.com/wiki/default.aspx/Keith.GuideBook/WhatIsAToken.ht ml Regards, Walter Wang (wawang@online.microsoft.com, remove 'online.') Microsoft Online Community Support ================================================== When responding to posts, please "Reply to Group" via your newsreader so that others may learn and benefit from your issue. ================================================== This posting is provided "AS IS" with no warranties, and confers no rights. To associate the impersonated WindowsIdentity to Thread.CurrentPrincipal: Thread.CurrentPrincipal = new WindowsPrincipal(identity); Regards, Walter Wang (wawang@online.microsoft.com, remove 'online.') Microsoft Online Community Support ================================================== When responding to posts, please "Reply to Group" via your newsreader so that others may learn and benefit from your issue. ================================================== This posting is provided "AS IS" with no warranties, and confers no rights. Hi; Ok, I added Thread.CurrentPrincipal = new WindowsPrincipal(identity); but I still get an error when calling this code (2nd line): DirectoryEntry dom = new DirectoryEntry(); DirectoryEntry group = dom.Children.Add("CN=" + activeDirGroups[ind], "group"); The above code works fine if I am running as the Domain Admin and don't have to do the impersonate thing. But when I try to do it while impersonating, I get an error. Any ideas? Signaturethanks - dave david_at_windward_dot_net http://www.windwardreports.com Cubicle Wars - http://www.windwardreports.com/film.htm > To associate the impersonated WindowsIdentity to Thread.CurrentPrincipal: > [quoted text clipped - 10 lines] > > This posting is provided "AS IS" with no warranties, and confers no rights. > Hi; > [quoted text clipped - 7 lines] > to do the impersonate thing. But when I try to do it while impersonating, I > get an error. LOGON32_LOGON_NETWORK cannot be used to acces the network, please read the LogonUser function description in the SDK doc's. There is no need to impersonate either, all you have to do is use a DirectoryEntry constructor overload that takes the credentials of the user with appropriate privileges to access the AD. Willy. That solved it - thank you. (It also makes sense that impersonation can't go over the network now that you mention it.) One last question. I do the following. Is this best? Or is there a way to pass in the LDAP url for the Active Directory on the domain on: DirectoryEntry dom = new DirectoryEntry(); dom.Username = "sa"; dom.Password = "*****"; DirectoryEntry group = dom.Children.Add("CN=My New Group", "group"); group.Properties["samAccountName"].Value = "My New Group"; group.Properties["description"].Value = "all about me"; group.CommitChanges(); Signaturethanks - dave david_at_windward_dot_net http://www.windwardreports.com Cubicle Wars - http://www.windwardreports.com/film.htm > > Hi; > > [quoted text clipped - 14 lines] > > Willy. I guess that makes sense - thanks Signaturethanks - dave david_at_windward_dot_net http://www.windwardreports.com Cubicle Wars - http://www.windwardreports.com/film.htm > Hi Dave, > [quoted text clipped - 28 lines] > > This posting is provided "AS IS" with no warranties, and confers no rights. >I just tried WindowsIdentity.GetCurrent().Name - it does give sa. Why the > difference? There isn't any difference, both should return the same principal name, unless Impersonate had failed. Willy. Free MagazinesGet these publications absolutely FREE for up to 12 months. There are no hidden fees and no obligation. Simply choose a title, complete the application form and submit it. Read more ...
|
Reply to this Message
|
 Sign In
 Join
 My Latest Posts My Monitored Threads My Blog My Photo Gallery My Profile My Homepage Start New Thread Enable EMail Alerts Rate this Thread
|
©2008 Advenet LLC Privacy Policy - Terms of Use
This website includes both content owned or controlled by Advenet as well as content owned or controlled by third parties.