
Change impersonated user during runtime - ASP.NET General


  1. #1

    Change impersonated user during runtime

    Hi all!

    I have an ASP.NET web application that uses static impersonation. Is it
    possible to change the impersonated user during runtime? Within some parts
    of my application I would like to impersonate another user in order to
    access certain resources and then switch back to the originally
    impersonated user. How can I do this?

    Thanks

    Markus


    Markus Guest

  2. #2

    Re: Change impersonated user during runtime

    Can you explain where LogonUser (see below) came from?

    I looked in the list of APIs and could not find it.

    [DllImport("advapi32.dll", SetLastError=true)]
    public static extern bool LogonUser(String lpszUsername, String lpszDomain, String lpszPassword,
        int dwLogonType, int dwLogonProvider, ref IntPtr TokenHandle);

    Thank you



    "S. Justin Gengo" <com> wrote in message news:%phx.gbl... 
    MS Guest

  3. #3

    Re: Change impersonated user during runtime

    Hi!

    Thanks for the hints. What type of security hole might be created?


    markus


    "Ken Cox [Microsoft MVP]" <ca> wrote in message
    news:phx.gbl...

    http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cpref/html/frlrfsystemsecurityprincipalwindowsidentityclassimpersonatetopic.asp


    Markus Guest

  4. #4

    Re: Change impersonated user during runtime

    Hi Markus,

    I don't know what the security risk is, I just know that the code sample
    includes this warning:

    ' This sample can be run only on Windows XP. The default Windows 2000 security policy
    ' prevents this sample from executing properly, and changing the policy to allow
    ' proper execution presents a security risk.

    Perhaps a Windows 2000 admin could help here?

    Ken

    --
    Microsoft MVPs have a question for *you*: Are you patched against the Worm?
    http://www.microsoft.com/security/security_bulletins/ms03-026.asp






    Ken Guest

  5. #5

    Re: Change impersonated user during runtime

    MSNews,

    If you refer to the .NET Framework documentation as the article suggests, you'll find that this is a reference to a sample code function within a class provided in that documentation:

    [Visual Basic]
    ' This sample demonstrates the use of the WindowsIdentity class to impersonate a user.
    ' IMPORTANT NOTES:
    ' This sample can be run only on Windows XP. The default Windows 2000 security policy
    ' prevents this sample from executing properly, and changing the policy to allow
    ' proper execution presents a security risk.
    ' This sample requests the user to enter a password on the console screen.
    ' Because the console window does not support methods allowing the password to be masked,
    ' it will be visible to anyone viewing the screen.

    Imports System
    Imports System.Runtime.InteropServices
    Imports System.Security.Principal
    Imports System.Security.Permissions
    Imports Microsoft.VisualBasic

    <Assembly: SecurityPermissionAttribute(SecurityAction.RequestMinimum, UnmanagedCode:=True), _
     Assembly: PermissionSetAttribute(SecurityAction.RequestMinimum, Name:="FullTrust")>

    Module Module1

        Public Class ImpersonationDemo

            ' Win32 LogonUser: returns an access token for the given credentials.
            Private Declare Auto Function LogonUser Lib "advapi32.dll" (ByVal lpszUsername As [String], _
                ByVal lpszDomain As [String], ByVal lpszPassword As [String], _
                ByVal dwLogonType As Integer, ByVal dwLogonProvider As Integer, _
                ByRef phToken As IntPtr) As Boolean

            ' Win32 FormatMessage: turns a Win32 error code into its message text.
            <DllImport("kernel32.dll")> _
            Public Shared Function FormatMessage(ByVal dwFlags As Integer, ByRef lpSource As IntPtr, _
                ByVal dwMessageId As Integer, ByVal dwLanguageId As Integer, ByRef lpBuffer As [String], _
                ByVal nSize As Integer, ByRef Arguments As IntPtr) As Integer
            End Function

            Public Declare Auto Function CloseHandle Lib "kernel32.dll" (ByVal handle As IntPtr) As Boolean

            ' Win32 DuplicateToken: creates an impersonation token from the primary token.
            Public Declare Auto Function DuplicateToken Lib "advapi32.dll" (ByVal ExistingTokenHandle As IntPtr, _
                ByVal SECURITY_IMPERSONATION_LEVEL As Integer, _
                ByRef DuplicateTokenHandle As IntPtr) As Boolean

            ' GetErrorMessage formats and returns an error message
            ' corresponding to the input errorCode.
            Public Shared Function GetErrorMessage(ByVal errorCode As Integer) As String
                Dim FORMAT_MESSAGE_ALLOCATE_BUFFER As Integer = &H100
                Dim FORMAT_MESSAGE_IGNORE_INSERTS As Integer = &H200
                Dim FORMAT_MESSAGE_FROM_SYSTEM As Integer = &H1000

                Dim messageSize As Integer = 255
                Dim lpMsgBuf As String
                Dim dwFlags As Integer = FORMAT_MESSAGE_ALLOCATE_BUFFER Or FORMAT_MESSAGE_FROM_SYSTEM Or FORMAT_MESSAGE_IGNORE_INSERTS

                Dim ptrlpSource As IntPtr = IntPtr.Zero
                Dim prtArguments As IntPtr = IntPtr.Zero

                Dim retVal As Integer = FormatMessage(dwFlags, ptrlpSource, errorCode, 0, lpMsgBuf, _
                    messageSize, prtArguments)
                If 0 = retVal Then
                    Throw New Exception("Failed to format message for error code " + errorCode.ToString() + ". ")
                End If

                Return lpMsgBuf
            End Function 'GetErrorMessage

            ' Test harness.
            ' If you incorporate this code into a DLL, be sure to demand FullTrust.
            <PermissionSetAttribute(SecurityAction.Demand, Name:="FullTrust")> _
            Public Overloads Shared Sub Main(ByVal args() As String)

                Dim tokenHandle As New IntPtr(0)
                Dim dupeTokenHandle As New IntPtr(0)
                Try
                    Dim UserName, MachineName As String

                    ' Get the user token for the specified user, machine, and password using the
                    ' unmanaged LogonUser method.
                    Console.Write("Enter the name of a machine on which to log on: ")
                    MachineName = Console.ReadLine()

                    Console.Write("Enter the login of a user on {0} that you wish to impersonate: ", MachineName)
                    UserName = Console.ReadLine()

                    Console.Write("Enter the password for {0}: ", UserName)

                    Const LOGON32_PROVIDER_DEFAULT As Integer = 0
                    'This parameter causes LogonUser to create a primary token.
                    Const LOGON32_LOGON_INTERACTIVE As Integer = 2
                    Const SecurityImpersonation As Integer = 2

                    tokenHandle = IntPtr.Zero
                    dupeTokenHandle = IntPtr.Zero

                    ' Call LogonUser to obtain a handle to an access token.
                    Dim returnValue As Boolean = LogonUser(UserName, MachineName, Console.ReadLine(), _
                        LOGON32_LOGON_INTERACTIVE, LOGON32_PROVIDER_DEFAULT, tokenHandle)

                    Console.WriteLine("LogonUser called.")

                    If False = returnValue Then
                        Dim ret As Integer = Marshal.GetLastWin32Error()
                        Console.WriteLine("LogonUser failed with error code : {0}", ret)
                        Console.WriteLine(ControlChars.Cr + "Error: [{0}] {1}" + ControlChars.Cr, ret, GetErrorMessage(ret))
                        Return
                    End If

                    Dim success As String
                    If returnValue Then success = "Yes" Else success = "No"
                    Console.WriteLine(("Did LogonUser succeed? " + success))
                    Console.WriteLine(("Value of Windows NT token: " + tokenHandle.ToString()))

                    ' Check the identity.
                    Console.WriteLine(("Before impersonation: " + WindowsIdentity.GetCurrent().Name))

                    ' Duplicate the primary token as an impersonation-level token.
                    Dim retVal As Boolean = DuplicateToken(tokenHandle, SecurityImpersonation, dupeTokenHandle)
                    If False = retVal Then
                        CloseHandle(tokenHandle)
                        Console.WriteLine("Exception thrown in trying to duplicate token.")
                        Return
                    End If

                    ' The token that is passed to the following constructor must
                    ' be a primary token in order to use it for impersonation.
                    Dim newId As New WindowsIdentity(dupeTokenHandle)
                    Dim impersonatedUser As WindowsImpersonationContext = newId.Impersonate()

                    ' Check the identity.
                    Console.WriteLine(("After impersonation: " + WindowsIdentity.GetCurrent().Name))

                    ' Stop impersonating the user.
                    impersonatedUser.Undo()

                    ' Check the identity.
                    Console.WriteLine(("After Undo: " + WindowsIdentity.GetCurrent().Name))

                    ' Free the tokens.
                    If Not System.IntPtr.op_Equality(tokenHandle, IntPtr.Zero) Then
                        CloseHandle(tokenHandle)
                    End If
                    If Not System.IntPtr.op_Equality(dupeTokenHandle, IntPtr.Zero) Then
                        CloseHandle(dupeTokenHandle)
                    End If
                Catch ex As Exception
                    Console.WriteLine(("Exception occurred. " + ex.Message))
                End Try
            End Sub 'Main

        End Class 'ImpersonationDemo

    End Module


    Sincerely,

    --
    S. Justin Gengo, MCP
    Web Developer

    Free code library at:
    www.aboutfortunate.com

    "Out of chaos comes order."
    Nietzche


    S. Guest
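A compact C# version of the same LogonUser / DuplicateToken / Impersonate / Undo sequence, written here as an added example for this thread (it is not the MSDN sample and not code posted by anyone in the thread): the temporary identity switch is wrapped in an IDisposable, so the statically impersonated ASP.NET identity is restored in Dispose even when the protected code throws, and both token handles are always closed. The class names ImpersonationScope and Demo and the DOMAIN_PLACEHOLDER credentials are assumptions.

```csharp
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;
using System.Security.Principal;

// Hypothetical helper (added example, not from the thread): logs a second user on,
// impersonates it, and reverts in Dispose so the original identity always comes back.
public sealed class ImpersonationScope : IDisposable
{
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LogonUser(string user, string domain, string password,
                                 int logonType, int logonProvider, out IntPtr token);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool DuplicateToken(IntPtr existing, int impersonationLevel, out IntPtr duplicate);
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr handle);

    // Same values as the MSDN sample quoted above in the thread.
    const int LOGON32_PROVIDER_DEFAULT = 0, LOGON32_LOGON_INTERACTIVE = 2, SecurityImpersonation = 2;

    IntPtr primary = IntPtr.Zero, dupe = IntPtr.Zero;
    WindowsImpersonationContext context;

    public ImpersonationScope(string domain, string user, string password)
    {
        if (!LogonUser(user, domain, password, LOGON32_LOGON_INTERACTIVE, LOGON32_PROVIDER_DEFAULT, out primary))
            throw new Win32Exception(Marshal.GetLastWin32Error());   // carries the Win32 error text
        if (!DuplicateToken(primary, SecurityImpersonation, out dupe))
        {
            int err = Marshal.GetLastWin32Error();
            Dispose();                                                // release the primary token first
            throw new Win32Exception(err);
        }
        context = new WindowsIdentity(dupe).Impersonate();           // thread now runs as the second user
    }

    public void Dispose()
    {
        if (context != null) { context.Undo(); context = null; }     // restore the original identity
        if (dupe != IntPtr.Zero) { CloseHandle(dupe); dupe = IntPtr.Zero; }
        if (primary != IntPtr.Zero) { CloseHandle(primary); primary = IntPtr.Zero; }
    }
}

public static class Demo
{
    // Credentials belong in protected configuration, never in a source literal; placeholders here.
    public static string NameWhileImpersonating()
    {
        using (new ImpersonationScope("DOMAIN_PLACEHOLDER", "user_placeholder", "password_placeholder"))
            return WindowsIdentity.GetCurrent().Name;                // reports the second user
        // once the using block ends, GetCurrent().Name is the statically impersonated user again
    }
}
```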

  6. #6

    Re: Change impersonated user during runtime

    Hi Markus,

    Thanks for the info. Now we all know!

    Ken





    "Markus Stehle" <de> wrote in message
    news:phx.gbl...
    Hi Ken!

    As far as I know, the LogonUser API requires the SE_TCB_NAME privilege to be enabled for
    the process when running on a non-XP operating system. For XP (and higher),
    the API does not require this privilege to be set; the API itself takes care
    of it.

    So to make the sample work on a non-XP machine, one must set SE_TCB_NAME
    which would lead to a security hole.


    Markus



    Ken Guest
