Dynamically Impersonate a remote user - c# and asp.net
I want to impersonate a remote user dynamically for executing some part of code. I searchd a lot in net and got some codes to impersonate. The code to impersonate is shown below
namespace Tools
{
#region Using directives.
// ----------------------------------------------------------------------
using System;
using System.Security.Principal;
using System.Runtime.InteropServices;
using System.ComponentModel;
// ----------------------------------------------------------------------
#endregion
/////////////////////////////////////////////////////////////////////////
/// <summary>
/// Impersonation of a user. Allows to execute code under another
/// user context.
/// Please note that the account that instantiates the Impersonator class
/// needs to have the 'Act as part of operating system' privilege set.
/// </summary>
/// <remarks>
/// This class is based on the information in the Microsoft knowledge base
/// article http://support.microsoft.com/default.aspx?scid=kb;en-us;Q306158
///
/// Encapsulate an instance into a using-directive like e.g.:
///
/// ...
/// using ( new Impersonator( "myUsername", "myDomainname", "myPassword" ) )
/// {
/// ...
/// [code that executes under the new context]
/// ...
/// }
/// ...
///
/// Please contact the author Uwe Keim (mailto:uwe.keim@zeta-software.de)
/// for questions regarding this class.
/// </remarks>
public class Impersonator :
IDisposable
{
#region Public methods.
// ------------------------------------------------------------------
/// <summary>
/// Constructor. Starts the impersonation with the given credentials.
/// Please note that the account that instantiates the Impersonator class
/// needs to have the 'Act as part of operating system' privilege set.
/// </summary>
/// <param name="userName">The name of the user to act as.</param>
/// <param name="domainName">The domain name of the user to act as.</param>
/// <param name="password">The password of the user to act as.</param>
public Impersonator(
string userName,
string domainName,
string password )
{
ImpersonateValidUser( userName, domainName, password );
}
// ------------------------------------------------------------------
#endregion
#region IDisposable member.
// ------------------------------------------------------------------
public void Dispose()
{
UndoImpersonation();
}
// ------------------------------------------------------------------
#endregion
#region P/Invoke.
// ------------------------------------------------------------------
[DllImport("advapi32.dll", SetLastError=true)]
private static extern int LogonUser(
string lpszUserName,
string lpszDomain,
string lpszPassword,
int dwLogonType,
int dwLogonProvider,
ref IntPtr phToken);
[DllImport("advapi32.dll", CharSet=CharSet.Auto, SetLastError=true)]
private static extern int DuplicateToken(
IntPtr hToken,
int impersonationLevel,
ref IntPtr hNewToken);
[DllImport("advapi32.dll", CharSet=CharSet.Auto, SetLastError=true)]
private static extern bool RevertToSelf();
[DllImport("kernel32.dll", CharSet=CharSet.Auto)]
private static extern bool CloseHandle(
IntPtr handle);
private const int LOGON32_LOGON_INTERACTIVE = 2;
private const int LOGON32_PROVIDER_DEFAULT = 0;
// ------------------------------------------------------------------
#endregion
#region Private member.
// ------------------------------------------------------------------
/// <summary>
/// Does the actual impersonation.
/// </summary>
/// <param name="userName">The name of the user to act as.</param>
/// <param name="domainName">The domain name of the user to act as.</param>
/// <param name="password">The password of the user to act as.</param>
private void ImpersonateValidUser(
string userName,
string domain,
string password )
{
WindowsIdentity tempWindowsIdentity = null;
IntPtr token = IntPtr.Zero;
IntPtr tokenDuplicate = IntPtr.Zero;
try
{
if ( RevertToSelf() )
{
if ( LogonUser(
userName,
domain,
password,
LOGON32_LOGON_INTERACTIVE,
LOGON32_PROVIDER_DEFAULT,
ref token ) != 0 )
{
if ( DuplicateToken( token, 2, ref tokenDuplicate ) != 0 )
{
tempWindowsIdentity = new WindowsIdentity( tokenDuplicate );
impersonationContext = tempWindowsIdentity.Impersonate();
}
else
{
throw new Win32Exception( Marshal.GetLastWin32Error() );
}
}
else
{
throw new Win32Exception( Marshal.GetLastWin32Error() );
}
}
else
{
throw new Win32Exception( Marshal.GetLastWin32Error() );
}
}
finally
{
if ( token!= IntPtr.Zero )
{
CloseHandle( token );
}
if ( tokenDuplicate!=IntPtr.Zero )
{
CloseHandle( tokenDuplicate );
}
}
}
/// <summary>
/// Reve开发者_运维知识库rts the impersonation.
/// </summary>
private void UndoImpersonation()
{
if ( impersonationContext!=null )
{
impersonationContext.Undo();
}
}
private WindowsImpersonationContext impersonationContext = null;
// ------------------------------------------------------------------
#endregion
}
/////////////////////////////////////////////////////////////////////////
}
and the code which calls the above functions is shown below
using System;
using System.IO;
using Tools;
namespace ImpersonatorDemo
{
/// <summary>
/// Main class for the demo application.
/// Call this application with a low privileg account to test.
/// </summary>
class Program
{
/// <summary>
/// The main entry point.
/// </summary>
[STAThread]
static void Main( string[] args )
{
// Impersonate, automatically release the impersonation. format is new Impersonator( "username", "domain", "password" )
using ( new Impersonator( "TestUser", "MachineA", "admin" ) )
{
string name = Environment.UserDomainName;
string s = Environment.UserName;
// The following code is executed under the impersonated user.
string[] files = Directory.GetFiles( "c:\\" );
}
}
}
}
It works fine if i try to impersonate user on the local machine. But if i tried to imporsenate a user on the remote machine it always throws an error .which is shown below
Logon failure: unknown user name or bad password
in the remote machine there is a user named Testuser and password is admin and machine name is MachineA ( is thi is domain name??) and the ip address is 192.168.0.33 . the workgroup is myWorkGroup .I tried to impersonate users on many mremote machine . But it always shows the same error i wrote above if i am tryied to impersonate a remote user. and i am sure my local machine is connected to the network
As I understand your problem, the ImpersonateDemo code above runs on your server (ServerA).
ServerA tries to get a list of files on a remote machine (MachineA).
If your code on ServerA requests the files in the C:\ directory you are always going to get the files on your server's C drive.
That is why when you impersonate a local user (on ServerA) it works - because the user is on the machine that the drive is on. When you impersonate with the remote user (from MachineA) you are still trying to get the contents of ServerA's C drive, but that user doesn't exist on ServerA.
You need to request files based on the IP address (or machine name) of the remote machine. If the TestUser has permission to read MachineA's C drive, then try this:
string[] files = Directory.GetFiles( @"\\192.168.0.33\C$" );
string[] files = Directory.GetFiles( @"\\MachineA\C$" );
This looks like it is a manifestation of the double hop problem:
Link
Impersonate is not as simple as it looks like. While the code to impersonate is pretty simple, finding the arguments may be not. It depends on the way you need to authenticate your user -> a workgroup differs from a domain differs from a machine, etc...
For your workgroup it matters if the user is know on both machines or not. As a simple technical approach you should try leaving the domain/machine name blank.
Also check Ricks post, the double hop stuff is quite annoying when woring with impersonation :(
精彩评论