Impersonate via a remote workgroup

Discussion in 'ASP .Net Security' started by Dominick Baier [DevelopMentor], Jul 5, 2006.

  1. try to use the NEW_CREDENTIAL logon type.

    ---------------------------------------
    Dominick Baier - DevelopMentor
    http://www.leastprivilege.com

    > I am trying to impersonate a remote user on a workgroup (NOT Domain)
    > account. This does not seem to work. Only works for domain or local
    > user. Anyone have any ideas.
    >
    > Thanks
    >
    > Dim tempWindowsIdentity As WindowsIdentity
    > Dim token As IntPtr = IntPtr.Zero
    > Dim tokenDuplicate As IntPtr = IntPtr.Zero
    > impersonateValidUser = False
    > If RevertToSelf() Then
    > If LogonUserA(userName, domain, password,
    > LOGON32_LOGON_INTERACTIVE, LOGON32_PROVIDER_DEFAULT, token) <> 0 Then
    > If DuplicateToken(token, 2, tokenDuplicate) <> 0 Then
    > tempWindowsIdentity = New
    > WindowsIdentity(tokenDuplicate)
    > impersonationContext =
    > tempWindowsIdentity.Impersonate()
    > If Not impersonationContext Is Nothing Then
    > impersonateValidUser = True
    > End If
    > End If
    > End If
    > End If
    > If Not tokenDuplicate.Equals(IntPtr.Zero) Then
    > CloseHandle(tokenDuplicate)
    > End If
    > If Not token.Equals(IntPtr.Zero) Then
    > CloseHandle(token)
    > End If
     
    Dominick Baier [DevelopMentor], Jul 5, 2006
    #1

  2. sorry. this only works if you are trying to access remote resources that
    "know" the account you are impersonating.

    ---------------------------------------
    Dominick Baier - DevelopMentor
    http://www.leastprivilege.com

    > I am trying to impersonate a remote user on a workgroup (NOT Domain)
    > account. This does not seem to work. Only works for domain or local
    > user. Anyone have any ideas.
    >
    > Thanks
    >
    > Dim tempWindowsIdentity As WindowsIdentity
    > Dim token As IntPtr = IntPtr.Zero
    > Dim tokenDuplicate As IntPtr = IntPtr.Zero
    > impersonateValidUser = False
    > If RevertToSelf() Then
    > If LogonUserA(userName, domain, password,
    > LOGON32_LOGON_INTERACTIVE, LOGON32_PROVIDER_DEFAULT, token) <> 0 Then
    > If DuplicateToken(token, 2, tokenDuplicate) <> 0 Then
    > tempWindowsIdentity = New
    > WindowsIdentity(tokenDuplicate)
    > impersonationContext =
    > tempWindowsIdentity.Impersonate()
    > If Not impersonationContext Is Nothing Then
    > impersonateValidUser = True
    > End If
    > End If
    > End If
    > End If
    > If Not tokenDuplicate.Equals(IntPtr.Zero) Then
    > CloseHandle(tokenDuplicate)
    > End If
    > If Not token.Equals(IntPtr.Zero) Then
    > CloseHandle(token)
    > End If
     
    Dominick Baier [DevelopMentor], Jul 5, 2006
    #2

  3. Dino Guest

    I am trying to impersonate a remote user on a workgroup (NOT Domain) account.
    This does not seem to work. Only works for domain or local user. Anyone have
    any ideas.

    Thanks

    Dim tempWindowsIdentity As WindowsIdentity
    Dim token As IntPtr = IntPtr.Zero
    Dim tokenDuplicate As IntPtr = IntPtr.Zero
    impersonateValidUser = False
    If RevertToSelf() Then
        ' Interactive logon: the account must be one this machine can validate
        If LogonUserA(userName, domain, password, _
                      LOGON32_LOGON_INTERACTIVE, LOGON32_PROVIDER_DEFAULT, token) <> 0 Then
            ' 2 = SecurityImpersonation level
            If DuplicateToken(token, 2, tokenDuplicate) <> 0 Then
                tempWindowsIdentity = New WindowsIdentity(tokenDuplicate)
                impersonationContext = tempWindowsIdentity.Impersonate()
                If Not impersonationContext Is Nothing Then
                    impersonateValidUser = True
                End If
            End If
        End If
    End If
    ' Release both handles whether or not impersonation succeeded
    If Not tokenDuplicate.Equals(IntPtr.Zero) Then
        CloseHandle(tokenDuplicate)
    End If
    If Not token.Equals(IntPtr.Zero) Then
        CloseHandle(token)
    End If
     
    Dino, Jul 5, 2006
    #3
  4. melle Guest

    Hi Dominick,

    I've found multiple entries from that state that we should use
    NEW_CREDENTIAL in order to log on cross domain... I tried it, and
    LogonUser does not fail... that is true, but when I do
    ImpersonateLoggedOnUser it doesn't seem to impersonate at all.

    Can you tell us what the next step should be?

    I am trying to impersonate a user from another domain, that is a domain
    my computer is not a part of. All the credentials are ok. that is not a
    problem. It just doesn't accept them. (error 1326)

    Please advise,

    Melle


    Dominick wrote:
    > try to use the NEW_CREDENTIAL logon type.
    >
    > ---------------------------------------
    > Dominick Baier - DevelopMentor
    > http://www.leastprivilege.com
    >
    > > I am trying to impersonate a remote user on a workgroup (NOT Domain)
    > > account. This does not seem to work. Only works for domain or local
    > > user. Anyone have any ideas.
    > >
    > > Thanks
    > >
    > > Dim tempWindowsIdentity As WindowsIdentity
    > > Dim token As IntPtr = IntPtr.Zero
    > > Dim tokenDuplicate As IntPtr = IntPtr.Zero
    > > impersonateValidUser = False
    > > If RevertToSelf() Then
    > > If LogonUserA(userName, domain, password,
    > > LOGON32_LOGON_INTERACTIVE, LOGON32_PROVIDER_DEFAULT, token) <> 0 Then
    > > If DuplicateToken(token, 2, tokenDuplicate) <> 0 Then
    > > tempWindowsIdentity = New
    > > WindowsIdentity(tokenDuplicate)
    > > impersonationContext =
    > > tempWindowsIdentity.Impersonate()
    > > If Not impersonationContext Is Nothing Then
    > > impersonateValidUser = True
    > > End If
    > > End If
    > > End If
    > > End If
    > > If Not tokenDuplicate.Equals(IntPtr.Zero) Then
    > > CloseHandle(tokenDuplicate)
    > > End If
    > > If Not token.Equals(IntPtr.Zero) Then
    > > CloseHandle(token)
    > > End If
     
    melle, Aug 4, 2006
    #4
  5. melle Guest

    Hi Dominick,

    I've found multiple posts on Google from you, that state that we should
    use NEW_CREDENTIAL in order to log on cross domain... I tried it, and
    LogonUser does not fail... that is true, but when I do
    ImpersonateLoggedOnUser it doesn't seem to impersonate at all.

    Can you tell us what the next step should be?

    I am trying to impersonate a user from another domain, that is a domain
    my computer is not a part of. All the credentials are ok. that is not a
    problem. It just doesn't accept them. (error 1326)

    Please advise,

    Melle



    Dominick wrote:
    > try to use the NEW_CREDENTIAL logon type.
    >
    > ---------------------------------------
    > Dominick Baier - DevelopMentor
    > http://www.leastprivilege.com
    >
    > > I am trying to impersonate a remote user on a workgroup (NOT Domain)
    > > account. This does not seem to work. Only works for domain or local
    > > user. Anyone have any ideas.
    > >
    > > Thanks
    > >
    > > Dim tempWindowsIdentity As WindowsIdentity
    > > Dim token As IntPtr = IntPtr.Zero
    > > Dim tokenDuplicate As IntPtr = IntPtr.Zero
    > > impersonateValidUser = False
    > > If RevertToSelf() Then
    > > If LogonUserA(userName, domain, password,
    > > LOGON32_LOGON_INTERACTIVE, LOGON32_PROVIDER_DEFAULT, token) <> 0 Then
    > > If DuplicateToken(token, 2, tokenDuplicate) <> 0 Then
    > > tempWindowsIdentity = New
    > > WindowsIdentity(tokenDuplicate)
    > > impersonationContext =
    > > tempWindowsIdentity.Impersonate()
    > > If Not impersonationContext Is Nothing Then
    > > impersonateValidUser = True
    > > End If
    > > End If
    > > End If
    > > End If
    > > If Not tokenDuplicate.Equals(IntPtr.Zero) Then
    > > CloseHandle(tokenDuplicate)
    > > End If
    > > If Not token.Equals(IntPtr.Zero) Then
    > > CloseHandle(token)
    > > End If
     
    melle, Aug 4, 2006
    #5
  6. Hi,

    use the token from LogonUser to call WindowsIdentity.Impersonate(token);
    then do the resource access


    dominick

    > Hi Dominick,
    >
    > I've found multiple posts on Google from you, that state that we
    > should use NEW_CREDENTIAL in order to log on cross domain... I tried
    > it, and LogonUser does not fail... that is true, but when I do
    > ImpersonateLoggedOnUser it doesn't seem to impersonate at all.
    >
    > Can you tell us what the next step should be?
    >
    > I am trying to impersonate a user from another domain, that is a
    > domain my computer is not a part of. All the credentials are ok. that
    > is not a problem. It just doesn't accept them. (error 1326)
    >
    > Please advise,
    >
    > Melle
    >
    > Dominick wrote:
    >
    >> try to use the NEW_CREDENTIAL logon type.
    >>
    >> ---------------------------------------
    >> Dominick Baier - DevelopMentor
    >> http://www.leastprivilege.com
    >>> I am trying to impersonate a remote user on a workgroup (NOT Domain)
    >>> account. This does not seem to work. Only works for domain or local
    >>> user. Anyone have any ideas.
    >>>
    >>> Thanks
    >>>
    >>> Dim tempWindowsIdentity As WindowsIdentity
    >>> Dim token As IntPtr = IntPtr.Zero
    >>> Dim tokenDuplicate As IntPtr = IntPtr.Zero
    >>> impersonateValidUser = False
    >>> If RevertToSelf() Then
    >>> If LogonUserA(userName, domain, password,
    >>> LOGON32_LOGON_INTERACTIVE, LOGON32_PROVIDER_DEFAULT, token) <> 0
    >>> Then
    >>> If DuplicateToken(token, 2, tokenDuplicate) <> 0 Then
    >>> tempWindowsIdentity = New
    >>> WindowsIdentity(tokenDuplicate)
    >>> impersonationContext =
    >>> tempWindowsIdentity.Impersonate()
    >>> If Not impersonationContext Is Nothing Then
    >>> impersonateValidUser = True
    >>> End If
    >>> End If
    >>> End If
    >>> End If
    >>> If Not tokenDuplicate.Equals(IntPtr.Zero) Then
    >>> CloseHandle(tokenDuplicate)
    >>> End If
    >>> If Not token.Equals(IntPtr.Zero) Then
    >>> CloseHandle(token)
    >>> End If
     
    Dominick Baier, Aug 4, 2006
    #6
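
The approach from replies #1 and #6, as an added VB.NET example for .NET Framework that is not code from any poster in this thread: LogonUser with the NEW_CREDENTIALS logon type (LOGON32_LOGON_NEW_CREDENTIALS, value 9), then WindowsIdentity.Impersonate(token) around the resource access. The host FILESRV01, the account svc_reader, the share name, the password and the helper name RunWithNetworkCredentials are placeholders.

```vbnet
Imports System
Imports System.ComponentModel
Imports System.Runtime.InteropServices
Imports System.Security.Principal

Module NetOnlyImpersonation
    Private Const LOGON32_LOGON_NEW_CREDENTIALS As Integer = 9 ' outbound-only credentials
    Private Const LOGON32_PROVIDER_WINNT50 As Integer = 3      ' required for logon type 9

    <DllImport("advapi32.dll", SetLastError:=True, CharSet:=CharSet.Unicode)>
    Private Function LogonUser(userName As String, domain As String, password As String,
                               logonType As Integer, logonProvider As Integer,
                               ByRef token As IntPtr) As Boolean
    End Function

    <DllImport("kernel32.dll", SetLastError:=True)>
    Private Function CloseHandle(handle As IntPtr) As Boolean
    End Function

    ' Runs work() so that outbound connections authenticate as remoteHost\userName.
    ' The thread's local identity does not change; only network logons use the new credentials.
    Public Sub RunWithNetworkCredentials(userName As String, remoteHost As String,
                                         password As String, work As Action)
        Dim token As IntPtr = IntPtr.Zero
        If Not LogonUser(userName, remoteHost, password, LOGON32_LOGON_NEW_CREDENTIALS,
                         LOGON32_PROVIDER_WINNT50, token) Then
            Throw New Win32Exception(Marshal.GetLastWin32Error())
        End If
        Try
            Using ctx As WindowsImpersonationContext = WindowsIdentity.Impersonate(token)
                work()
            End Using ' Dispose reverts the thread to its original token
        Finally
            CloseHandle(token)
        End Try
    End Sub

    Sub Main()
        ' Placeholder values (assumptions): supply real ones from protected configuration.
        RunWithNetworkCredentials("svc_reader", "FILESRV01", "placeholder-password",
            Sub()
                ' Still prints the caller's own account name, by design.
                Console.WriteLine(WindowsIdentity.GetCurrent().Name)
                For Each f As String In System.IO.Directory.GetFiles("\\FILESRV01\reports")
                    Console.WriteLine(f)
                Next
            End Sub)
    End Sub
End Module
```

With this logon type LogonUser does not verify the password and the thread keeps its local identity, so the credentials are only tested when the remote resource is reached; a wrong password shows up there as a logon failure rather than at the LogonUser call.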