.NETGURU
Impersonating
This message was discovered on ASPFriends.com 'aspngsec' list.


TIM ELLISON
I remember a recent impersonation discussion utilizing calls to LogonUser()
in ADVAPI32.

Has anyone found this to work on their workstation but not on the web
server?

We're running into this now and can't figure it out. My workstation is
2000Pro (Native) and our web servers are 2000 adv server, active directory.

Thanks.

Regards,

Tim Ellison
Senior Web Applications Developer,
Long and Foster Real Estate
703-359-1884
 
    
Goldfarb, Christopher
What error are you getting... Are you able to actually load advapi? If so,
is it returning an error code?
-----Original Message-----
From: TIM ELLISON [mailto:Click here to reveal e-mail address]
Sent: Wednesday, June 26, 2002 10:20 AM
To: aspngsec
Subject: [aspngsec] Impersonating

| [aspngsec] member Click here to reveal e-mail address = YOUR ID
| http://www.asplists.com/asplists/aspngsec.asp = JOIN/QUIT
| http://www.asplists.com/search = SEARCH Archives
 
    
Little, Ambrose
Are you using the impersonation in a web app or in a windows app locally?
Security context will be different between the two, and we found this out
the hard way. :)

If both are running on web apps, you'll want to make sure that ASPNET (or
whatever user you've got ASP.NET running under) has the "act as part of the
OS" privilege so it can delegate the security tokens properly.

HTH,

--Ambrose
-----Original Message-----
From: TIM ELLISON [mailto:Click here to reveal e-mail address]
Sent: Wednesday, June 26, 2002 12:20 PM
To: aspngsec
Subject: [aspngsec] Impersonating

******************************************************************************
The Company reserves the right to amend statements
made herein in the event of a mistake. Unless expressly
stated herein to the contrary, only agreements in writing signed
by an authorized officer of the Company may be enforced against it.
*******************************************************************************
 
    
Carlos Magalhaes
Hi Tim,

Yes, I was part of that discussion. I am currently using it and I have no
problems. What EXACT problem are you having?

Carlos Magalhaes

-----Original Message-----
From: TIM ELLISON [mailto:Click here to reveal e-mail address]
Sent: Wednesday, June 26, 2002 7:20 PM
To: aspngsec
Subject: [aspngsec] Impersonating


-------------------------------------------------------------
This email and any files transmitted are
confidential and intended solely for the
use of the individual or entity to which
they are addressed, whose privacy
should be respected. Any views or
opinions are solely those of the author
and do not necessarily represent those
of the Trencor Group, or any of its
representatives, unless specifically
stated.

Email transmission cannot be guaranteed
to be secure, error free or without virus
contamination. The sender therefore
accepts no liability for any errors or
omissions in the contents of this message,
nor for any virus infection that might result
from opening this message. Trencor is not
responsible in the event of any third party
interception of this email.

If you have received this email in error please notify
Click here to reveal e-mail address For more information about
Trencor, visit www.trencor.net <http://www.trencor.net>
Reply to this message...
 
    
TIM ELLISON
1) LogonUser returns false (assuming I've loaded advapi)
2) IntPtr token = 0 (after LogonUser)

Return value is 127

Regards,

Tim Ellison
Senior Web Applications Developer,
Long and Foster Real Estate
703-359-1884

-----Original Message-----
From: Goldfarb, Christopher [mailto:Click here to reveal e-mail address]
Sent: Wednesday, June 26, 2002 3:13 PM
To: aspngsec
Subject: [aspngsec] RE: Impersonating

 
    
TIM ELLISON
I'll check on "act as part of OS", but I believe these privs are set on
ASPNET.

It is a web application.

Also, the return code is from GetLastError() call when LogonUser returns
false. The header for advapi says this is:

//
// MessageId: ERROR_PROC_NOT_FOUND
//
// MessageText:
//
// The specified procedure could not be found.
//
#define ERROR_PROC_NOT_FOUND 127L
(from WinError.h)

Regards,

Tim Ellison
Senior Web Applications Developer,
Long and Foster Real Estate
703-359-1884

-----Original Message-----
From: Little, Ambrose [mailto:Click here to reveal e-mail address]
Sent: Wednesday, June 26, 2002 3:17 PM
To: aspngsec
Subject: [aspngsec] RE: Impersonating

 
    
Little, Ambrose
Could you please share your code, particularly your function import
declarations? The use of them might help as well.
-----Original Message-----
From: TIM ELLISON [mailto:Click here to reveal e-mail address]
Sent: Thursday, June 27, 2002 6:04 AM
To: aspngsec
Subject: [aspngsec] RE: Impersonating

 
    
TIM ELLISON
Ambrose,

Here is the code I'm using. This works just fine on a Win2K Pro workstation.

using System;
using System.Runtime.InteropServices;
using System.Security.Principal;

namespace Util
{
    /// <summary>
    /// Summary description for Impersonator.
    /// </summary>
    //[SecurityPermissionAttribute(SecurityAction.RequestMinimum, UnmanagedCode=true)]
    public class LogImpersonator
    {
        // The Windows NT user token.
        // class level scope
        int token1;
        WindowsIdentity mWI1;
        WindowsImpersonationContext mWIC;

        [DllImport("advapi32.dll")]
        public static extern bool LogonUser(String lpszUsername, String lpszDomain, String lpszPassword,
            int dwLogonType, int dwLogonProvider, out int phToken);

        [DllImport("Kernel32.dll")]
        public static extern int GetLastError();

        public LogImpersonator()
        {
        }

        // Name of the account the current thread is running as.
        public string ImpUser
        {
            get
            {
                WindowsIdentity mw = WindowsIdentity.GetCurrent();
                return mw.Name;
            }
        }

        public void Impersonate(string UserName, string Password, string ComputerName)
        {
            // Get the user token for the specified user, machine, and
            // password using the unmanaged LogonUser method.
            bool loggedOn = LogonUser(
                // User name.
                UserName,
                // Computer name.
                ComputerName,
                // Password.
                Password,
                // Logon type = LOGON32_LOGON_NETWORK_CLEARTEXT.
                3,
                // Logon provider = LOGON32_PROVIDER_DEFAULT.
                0,
                // The user token for the specified user is returned here.
                out token1);

            // Call GetLastError to try to determine why logon failed if it
            // did not succeed.
            int ret = GetLastError();

            if (ret != 0)
            {
                throw new System.ApplicationException("Cannot impersonate");
            }

            mWI1 = WindowsIdentity.GetCurrent();

            IntPtr token2 = new IntPtr(token1);

            WindowsIdentity mWI2 = new WindowsIdentity(token2);

            // Impersonate the user.
            mWIC = mWI2.Impersonate();
        }
    }
}

Regards,

Tim Ellison
Senior Web Applications Developer,
Long and Foster Real Estate
703-359-1884

-----Original Message-----
From: Little, Ambrose [mailto:Click here to reveal e-mail address]
Sent: Thursday, June 27, 2002 11:21 AM
To: aspngsec
Subject: [aspngsec] RE: Impersonating

 
    
Little, Ambrose
I've not had much luck (any really) using the WI.Impersonate function. I
ended up just making direct calls to the API for impersonation.
See http://code.clanlittle.org/ShowCode.aspx?name=BOKF.Security.ImpersonationCS for an example.
My guess would be that'll solve your problem. Let me know if it doesn't.

--Ambrose
-----Original Message-----
From: TIM ELLISON [mailto:Click here to reveal e-mail address]
Sent: Thursday, June 27, 2002 10:46 AM
To: aspngsec
Subject: [aspngsec] RE: Impersonating

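The LogonUser-based impersonation discussed in this thread, hardened, as an added example written for this page (it is not Tim's class and not the code behind Ambrose's link); it targets .NET Framework and uses the hypothetical class name Win32Impersonator. It differs from the posted class in testing LogonUser's Boolean result, reading the failure code through SetLastError=true and Marshal.GetLastWin32Error() instead of a P/Invoked GetLastError, using IntPtr for the token, duplicating the primary token before impersonating, closing the raw handles, and reverting from Dispose.

```csharp
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;
using System.Security.Principal;

// Hypothetical class name; not the thread's LogImpersonator or Ambrose's library.
public sealed class Win32Impersonator : IDisposable
{
    const int LOGON32_LOGON_NETWORK_CLEARTEXT = 3;  // same logon type as the posted code
    const int LOGON32_PROVIDER_DEFAULT = 0;
    const int SECURITY_IMPERSONATION = 2;           // SECURITY_IMPERSONATION_LEVEL member

    // SetLastError = true makes the runtime snapshot the error code right after the
    // call, so Marshal.GetLastWin32Error() reports LogonUser's own code rather than
    // one left behind by the runtime's own Win32 calls (the P/Invoked GetLastError hazard).
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LogonUser(string user, string domain, string password,
                                 int logonType, int logonProvider, out IntPtr token);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool DuplicateToken(IntPtr token, int level, out IntPtr newToken);
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr handle);

    WindowsImpersonationContext context;

    public Win32Impersonator(string user, string domain, string password)
    {
        IntPtr primary = IntPtr.Zero, impersonation = IntPtr.Zero;
        try
        {
            // Test the Boolean result; never infer failure from a last-error value alone.
            if (!LogonUser(user, domain, password, LOGON32_LOGON_NETWORK_CLEARTEXT,
                           LOGON32_PROVIDER_DEFAULT, out primary))
            {
                int err = Marshal.GetLastWin32Error();
                // err == 1314 (ERROR_PRIVILEGE_NOT_HELD) on Windows 2000 means the worker
                // process lacks "Act as part of the operating system" (SeTcbPrivilege).
                throw new Win32Exception(err, "LogonUser failed for " + domain + "\\" + user);
            }
            // LogonUser yields a primary token; impersonation needs an impersonation token.
            if (!DuplicateToken(primary, SECURITY_IMPERSONATION, out impersonation))
                throw new Win32Exception(Marshal.GetLastWin32Error(), "DuplicateToken failed");
            context = new WindowsIdentity(impersonation).Impersonate();
        }
        finally
        {
            // Impersonate() has already attached the token to the thread, so the raw
            // handles are released here whether or not the logon succeeded.
            if (impersonation != IntPtr.Zero) CloseHandle(impersonation);
            if (primary != IntPtr.Zero) CloseHandle(primary);
        }
    }

    // Account the current thread runs as (the posted ImpUser property, made static).
    public static string CurrentName { get { return WindowsIdentity.GetCurrent().Name; } }

    // Revert on Dispose so a using block undoes impersonation even if the work throws.
    public void Dispose()
    {
        if (context != null) { context.Undo(); context = null; }
    }
}
```

Used as `using (new Win32Impersonator(user, domain, password)) { ... }`, the thread reverts to the worker-process identity when the block exits, and a failed logon surfaces the real Win32 code in the Win32Exception rather than "Cannot impersonate".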
 
 