Can we impersonate a non-administrator? Please help me in this regard.
I used the code

C#
using System;
using System.Runtime.InteropServices;
using System.Security.Principal;

public class Utility
{
    // ANSI entry point; with no CharSet specified, String parameters marshal as ANSI.
    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern int LogonUserA(String lpszUserName,
         String lpszDomain,
         String lpszPassword,
         int dwLogonType,
         int dwLogonProvider,
         ref IntPtr phToken);

    [DllImport("advapi32.dll", CharSet = CharSet.Auto, SetLastError = true)]
    public static extern int DuplicateToken(IntPtr hToken,
         int impersonationLevel,
         ref IntPtr hNewToken);

    [DllImport("advapi32.dll", CharSet = CharSet.Auto, SetLastError = true)]
    public static extern bool RevertToSelf();

    [DllImport("kernel32.dll", CharSet = CharSet.Auto, SetLastError = true)]
    public static extern bool CloseHandle(IntPtr handle);

    public const int LOGON32_LOGON_INTERACTIVE = 2;
    public const int LOGON32_PROVIDER_DEFAULT = 0;
    // SECURITY_IMPERSONATION_LEVEL value passed to DuplicateToken (SecurityImpersonation).
    public const int SECURITY_IMPERSONATION = 2;

    static WindowsImpersonationContext impersonationContext; //impersonation starts here

    public static bool impersonateValidUser(String username, String domain, String password)
    {
        WindowsIdentity tempWindowsIdentity;
        IntPtr token = IntPtr.Zero;
        IntPtr tokenDuplicate = IntPtr.Zero;

        // Drop any impersonation already in effect on this thread before logging on.
        if (RevertToSelf())
        {
            if (LogonUserA(username, domain, password, LOGON32_LOGON_INTERACTIVE, LOGON32_PROVIDER_DEFAULT, ref token) != 0)
            {
                // LogonUser returns a primary token; impersonating requires an impersonation token.
                if (DuplicateToken(token, SECURITY_IMPERSONATION, ref tokenDuplicate) != 0)
                {
                    // WindowsIdentity duplicates the handle internally, so both raw handles
                    // can be closed once impersonation has started.
                    tempWindowsIdentity = new WindowsIdentity(tokenDuplicate);
                    impersonationContext = tempWindowsIdentity.Impersonate();
                    if (impersonationContext != null)
                    {
                        CloseHandle(token);
                        CloseHandle(tokenDuplicate);
                        return true;
                    }
                }
            }
        }

        // Failure path: Marshal.GetLastWin32Error() (read before CloseHandle) tells you why,
        // e.g. ERROR_LOGON_FAILURE or ERROR_PRIVILEGE_NOT_HELD. Release any handle obtained.
        if (token != IntPtr.Zero)
            CloseHandle(token);

        if (tokenDuplicate != IntPtr.Zero)
            CloseHandle(tokenDuplicate);

        return false;
    }

    public static void undoImpersonation()
    {
        // Guard against Undo() being called when impersonation never started.
        if (impersonationContext != null)
        {
            impersonationContext.Undo();
            impersonationContext = null;
        }
    } //impersonation ends here.

}


But this can only be used for a user with admin rights in the domain. Well, is there any way I can actually do it for non-admins? Please let me know if there is any solution in this regard.
Updated 14-Jan-11 7:23am
Comments
Steve Maier 14-Jan-11 13:15pm
Just added the pre tag.
Eddy Vluggen 14-Jan-11 18:48pm    
I'd try replacing the domain-name with the local pc's name, the computer-administrator as the user, and his local password. If that works, try a normal user.
k.gautamraj 15-Jan-11 0:26am
I tried that; it isn't working. The point is that we are trying to build a customer-oriented web service. So, in order to secure the data, as in our case we don't have a dedicated server, we are trying to impersonate the non-admins too. The point to be mentioned is that none of the customers using my website are granted admin rights. So is there any solution??

1 solution

No, normal User accounts cannot impersonate other users. I believe the accounts that can impersonate other users are Local Service, Network Service, and anyone in the Administrators group.
Comments
k.gautamraj 15-Jan-11 0:22am
I know that. But the thing is I need normal users to be impersonated, because in the web service I don't have all the users popping in having administrator rights. Is there any solution for this?
Dave Kreskowiak 15-Jan-11 10:24am
OK, your question is confusing. First, you're asking if normal users can impersonate other users. That answer is no.

Now, you're asking if a web service can impersonate other users. Since the web service is running as the IIS account, yes, it can impersonate other users.

It's not a matter of the account that is BEING IMPERSONATED having to be an admin. The account that is DOING THE IMPERSONATION must be an admin, OR the account that the web service is running under (usually IIS_something) must have the "Impersonate a client after authentication" right.

You can check this under Start -> Control Panel -> Administrative Tools -> Local Security Policy -> Local Policies -> User Rights Assignment. Just look for "Impersonate a client after authentication" in the right-hand pane and double-click it to see the list of accounts that have this right. If you don't see the account your web service is running under (NOT THE USER YOU'RE TRYING TO IMPERSONATE!!), your service cannot impersonate anyone. You'll have to add the account to this list.
k.gautamraj 17-Jan-11 9:35am
Dave, that's the point. Now the scenario is such that both the one who's getting impersonated and the one who is impersonating are not admins; I repeat, the one who is impersonating is not an admin. Then is it possible to do it in this case???
Dave Kreskowiak 17-Jan-11 9:44am
I already said, no, it's not. There's a very good reason for it, too. If the user doing the impersonation is not an admin, he may try and succeed at tricking an admin into giving up creds to impersonate him/her, but they won't work since a normal user cannot impersonate anyone.
k.gautamraj 19-Jan-11 14:46pm
Well Dave, the point is we are developing a web application. The one who would be using it is an ASP.NET user. And my web service won't allow an ASP.NET user to create a directory there as he isn't an admin. But my application requires an ASP.NET user only... is there any solution??

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)