C
Corey
I am trying to impersonate 3 "roles" based upon forms authentication, a SQL
Server lookup, and a LogonUser call on a Win2003 1.1 box. The goal of the
impersonation is to allow ACL restrictions to pdf and word documents and
some other company specific logic. If I vary the impersonation in the
web.config to one of these:
<identity impersonate="true" userName="company1" password="pass1">
<identity impersonate="true" userName="company2" password="pass2">
<identity impersonate="true" userName="company3" password="pass3">
Everything works as expected - Company1 cannot see Company2's documents.
When I try to do this in code (below), everything works as expected on the
login page - LogonUser is ok and WindowsIdentity.GetCurrent().Name returns
the correct user. After RedirectFromLoginPage, calling
WindowsIdentity.GetCurrent().Name returns Administrator or Network Service
(depending on web.config settings) - LOSING the impersonation. I never call
impersonationContext.Undo() on the login page.
Q: Is it possible to impersonate via code for all application requests, or
is the impersonation lost on page unload / redirect?
Thanks for any insight,
Corey
CODE-->
web.config set to:
<identity impersonate="true">
Login cs:
public const int LOGON32_LOGON_INTERACTIVE = 2;
public const int LOGON32_PROVIDER_DEFAULT = 0;
public const int SecurityImpersonation = 2;
WindowsImpersonationContext impersonationContext;
[DllImport("advapi32.dll", SetLastError=true)]
public static extern bool LogonUser(String lpszUsername, String
lpszDomain, String lpszPassword,
int dwLogonType, int dwLogonProvider, ref IntPtr phToken);
[DllImport("advapi32.dll", CharSet=CharSet.Auto, SetLastError=true)]
public extern static bool DuplicateToken(IntPtr ExistingTokenHandle,
int SECURITY_IMPERSONATION_LEVEL, ref IntPtr DuplicateTokenHandle);
<snip>
private bool impersonateValidUser(String userName, String domain, String
password)
{
WindowsIdentity tempWindowsIdentity;
IntPtr tokenHandle = new IntPtr(0);
IntPtr dupeTokenHandle = new IntPtr(0);
tokenHandle = IntPtr.Zero;
dupeTokenHandle = IntPtr.Zero;
if(RevertToSelf())
{
// Call LogonUser to obtain a handle to an access token.
bool returnValue = LogonUser(userName, domain, password,
LOGON32_LOGON_INTERACTIVE, LOGON32_PROVIDER_DEFAULT,
ref tokenHandle);
//testing only
int intError=Marshal.GetLastWin32Error();
Win32Exception ex=new Win32Exception(intError);
string strError=ex.ToString();
if(returnValue)
{
string strTest= WindowsIdentity.GetCurrent().Name; // Original
Identity OK
bool retVal = DuplicateToken(tokenHandle, SecurityImpersonation, ref
dupeTokenHandle);
if (retVal)
{
tempWindowsIdentity = new WindowsIdentity(dupeTokenHandle);
impersonationContext = tempWindowsIdentity.Impersonate();
string strTest2= WindowsIdentity.GetCurrent().Name; // New
Identity - works as expected
if (impersonationContext != null)
{
CloseHandle(tokenHandle);
CloseHandle(dupeTokenHandle);
return true;
}
}
}
}
if(tokenHandle!= IntPtr.Zero)
CloseHandle(tokenHandle);
if(dupeTokenHandle!=IntPtr.Zero)
CloseHandle(dupeTokenHandle);
return false;
}
Server lookup, and a LogonUser call on a Win2003 1.1 box. The goal of the
impersonation is to allow ACL restrictions to pdf and word documents and
some other company specific logic. If I vary the impersonation in the
web.config to one of these:
<identity impersonate="true" userName="company1" password="pass1">
<identity impersonate="true" userName="company2" password="pass2">
<identity impersonate="true" userName="company3" password="pass3">
Everything works as expected - Company1 cannot see Company2's documents.
When I try to do this in code (below), everything works as expected on the
login page - LogonUser is ok and WindowsIdentity.GetCurrent().Name returns
the correct user. After RedirectFromLoginPage, calling
WindowsIdentity.GetCurrent().Name returns Administrator or Network Service
(depending on web.config settings) - LOSING the impersonation. I never call
impersonationContext.Undo() on the login page.
Q: Is it possible to impersonate via code for all application requests, or
is the impersonation lost on page unload / redirect?
Thanks for any insight,
Corey
CODE-->
web.config set to:
<identity impersonate="true">
Login cs:
public const int LOGON32_LOGON_INTERACTIVE = 2;
public const int LOGON32_PROVIDER_DEFAULT = 0;
public const int SecurityImpersonation = 2;
WindowsImpersonationContext impersonationContext;
[DllImport("advapi32.dll", SetLastError=true)]
public static extern bool LogonUser(String lpszUsername, String
lpszDomain, String lpszPassword,
int dwLogonType, int dwLogonProvider, ref IntPtr phToken);
[DllImport("advapi32.dll", CharSet=CharSet.Auto, SetLastError=true)]
public extern static bool DuplicateToken(IntPtr ExistingTokenHandle,
int SECURITY_IMPERSONATION_LEVEL, ref IntPtr DuplicateTokenHandle);
<snip>
private bool impersonateValidUser(String userName, String domain, String
password)
{
WindowsIdentity tempWindowsIdentity;
IntPtr tokenHandle = new IntPtr(0);
IntPtr dupeTokenHandle = new IntPtr(0);
tokenHandle = IntPtr.Zero;
dupeTokenHandle = IntPtr.Zero;
if(RevertToSelf())
{
// Call LogonUser to obtain a handle to an access token.
bool returnValue = LogonUser(userName, domain, password,
LOGON32_LOGON_INTERACTIVE, LOGON32_PROVIDER_DEFAULT,
ref tokenHandle);
//testing only
int intError=Marshal.GetLastWin32Error();
Win32Exception ex=new Win32Exception(intError);
string strError=ex.ToString();
if(returnValue)
{
string strTest= WindowsIdentity.GetCurrent().Name; // Original
Identity OK
bool retVal = DuplicateToken(tokenHandle, SecurityImpersonation, ref
dupeTokenHandle);
if (retVal)
{
tempWindowsIdentity = new WindowsIdentity(dupeTokenHandle);
impersonationContext = tempWindowsIdentity.Impersonate();
string strTest2= WindowsIdentity.GetCurrent().Name; // New
Identity - works as expected
if (impersonationContext != null)
{
CloseHandle(tokenHandle);
CloseHandle(dupeTokenHandle);
return true;
}
}
}
}
if(tokenHandle!= IntPtr.Zero)
CloseHandle(tokenHandle);
if(dupeTokenHandle!=IntPtr.Zero)
CloseHandle(dupeTokenHandle);
return false;
}