Impersonation and switching back to ASPNET user privileges

Discussion in 'ASP .Net Web Services' started by nano2k, Jun 27, 2007.

  1. nano2k

    nano2k Guest

    Hi

    In my webservice, for certain requests, I need to start another
    process on the server side.
    To start my process, I need to have administrative rights, so I'm
    using the impersonation mechanism with a predefined fixed user
    account on the server machine.
    All works fine, no problem, but after the process starts, I need to
    "revert" to ASPNET or NETWORK SERVICES user account privileges. This
    part is what I'm missing.

    To impersonate, I'm using this code:

    public static bool impersonateValidUser(String userName, String domain, String password) {
        // impersonationContext is assumed to be a static
        // WindowsImpersonationContext field declared elsewhere in this class.
        WindowsIdentity tempWindowsIdentity;
        IntPtr token = IntPtr.Zero;
        IntPtr tokenDuplicate = IntPtr.Zero;

        if (WinAPI.RevertToSelf()) {
            if (WinAPI.LogonUserA(userName, domain, password,
                    WinAPI.LOGON32_LOGON_INTERACTIVE,
                    WinAPI.LOGON32_PROVIDER_DEFAULT, ref token) != 0) {
                // 2 = SecurityImpersonation
                if (WinAPI.DuplicateToken(token, 2, ref tokenDuplicate) != 0) {
                    tempWindowsIdentity = new WindowsIdentity(tokenDuplicate);
                    impersonationContext = tempWindowsIdentity.Impersonate();
                    if (impersonationContext != null) {
                        WinAPI.CloseHandle(token);
                        WinAPI.CloseHandle(tokenDuplicate);
                        return true;
                    }
                }
            }
        }
        // Failure path: release whatever handles were obtained.
        if (token != IntPtr.Zero)
            WinAPI.CloseHandle(token);
        if (tokenDuplicate != IntPtr.Zero)
            WinAPI.CloseHandle(tokenDuplicate);
        return false;
    }

    I tried using the above method like this:

    // save current user account:
    string name = Environment.UserName;
    string domain = Environment.UserDomainName;

    bool b = impersonateValidUser("admin_user", "domain", "pass");
    // b gets the value of true, so impersonation succeeded
    // now, start the process
    .....
    // succeeded
    // trying to revert to previous user account (ASPNET or NETWORK SERVICES for server systems):
    b = impersonateValidUser(name, domain, string.Empty);
    // b is false - it seems that the ASPNET has a default password (?)

    Any ideas? Thanks.
    nano2k, Jun 27, 2007
    #1

  2. nano2k

    nano2k Guest

    I think I found my answer.
    Calling WinAPI.RevertToSelf() after finishing all operations that
    required impersonation seems to work.



    nano2k, Jun 27, 2007
    #2