.NET Framework - Impersonate specific user in code with Windows 2008

Asked By avade

09-Jul-08 06:25 PM

ASP.Net 2.

We are migrating to Windows 2008 64 bit Server with IIS 7 from Windows 2003
32 Bit with IIS 6. A few library classes we wrote uses impersonation in code
like explained in this article:

http://support.microsoft.com/?id=306158#4

This doesn't work in Windows 2008 Server, we receive the following exception:

Security Exception
Description: The application attempted to perform an operation not allowed
by the security policy.  To grant this application the required permission
please contact your system administrator or change the application's trust
level in the configuration file.

Exception Details: System.Security.SecurityException: Access is denied.

Source Error:

An unhandled exception was generated during the execution of the current web
request. Information regarding the origin and location of the exception can
be identified using the exception stack trace below.

[SecurityException: Access is denied.]
System.Security.Principal.WindowsImpersonationContext.Undo() +2787836
System.Security.Principal.WindowsImpersonationContext.Dispose(Boolean
disposing) +36
System.Security.Principal.WindowsImpersonationContext.Dispose() +9
System.Security.Principal.WindowsIdentity.GetName() +227
System.Security.Principal.WindowsIdentity.get_Name() +31
MyProject.MyLibrary.Library.Security.Impersonate.get_CurrentIdentity() in
MyPath\Security\ImpersonateUser.cs:204
MyProject.MyLibrary.Library.Security.Impersonate.get_Impersonating() in
MyPath\Security\ImpersonateUser.cs:214
MyProject.MyLibrary.Library.Security.Impersonate.UndoImpersonation() in
MyPath\Security\ImpersonateUser.cs:262
MyProject.MyLibrary.Library.Event.Registration.MyFunction(String
directoryName, String accountNumber) in
MyPath\Event\Registration\WebPublisher.cs:41
EventEdit.MyFunction() +72
EventEdit.btnMyFunction_Click(Object sender, EventArgs e) +10
System.Web.UI.WebControls.LinkButton.OnClick(EventArgs e) +90
System.Web.UI.WebControls.LinkButton.RaisePostBackEvent(String
eventArgument) +76

System.Web.UI.WebControls.LinkButton.System.Web.UI.IPostBackEventHandler.RaisePostBackEvent(String eventArgument) +7
System.Web.UI.Page.RaisePostBackEvent(IPostBackEventHandler
sourceControl, String eventArgument) +11
System.Web.UI.Page.RaisePostBackEvent(NameValueCollection postData) +177
System.Web.UI.Page.ProcessRequestMain(Boolean
includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +7350
System.Web.UI.Page.ProcessRequest(Boolean includeStagesBeforeAsyncPoint,
Boolean includeStagesAfterAsyncPoint) +213
System.Web.UI.Page.ProcessRequest() +86
System.Web.UI.Page.ProcessRequestWithNoAssert(HttpContext context) +18
System.Web.UI.Page.ProcessRequest(HttpContext context) +49
ASP.event_edit_aspx.ProcessRequest(HttpContext context) +4

System.Web.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +358
System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean&
completedSynchronously) +64

I did double check the policy and it is running on full trust. Full
(Internal).

If you look at the linked article, the impersonation code is calling
advapi32 and kernel32, I am guessing that is why it is failing. So my
question is, is there a code example / article out there for how to do this
on Windows 2008? Or is there an alternate method of impersonating a specific
account in code.

This is the exact code that I am using and is failing (i've removed all the
other functionality to isolate the problem).

Impersonate impersonate = new
Impersonate(LogonProvider.LOGON32_PROVIDER_WINNT50);

try {
impersonate.ImpersonateUser(myusername, mydomain, mypassword);



}
finally {
impersonate.UndoImpersonation();
}

Thx.

09-Jul-08 06:41 PM

I forgot, this is the exact code that handles the impersonation. I can't find
the original article which had this....

using System;
using System.Web;
using System.Security.Principal;
using System.Security.Permissions;
using System.Runtime.InteropServices;
using System.ComponentModel;
using System.Threading;

namespace EnterpriseUtilities
{
/// <summary>
/// used for connecting to other Logon Providers
/// </summary>
public enum LogonProvider
{
LOGON32_PROVIDER_DEFAULT		= 0,
LOGON32_PROVIDER_WINNT40		= 2,
LOGON32_PROVIDER_WINNT50		= 3
}

/// <summary>
/// Used to change the level of impersonation on remote systems
/// </summary>
public enum ImpersonationLevel
{
SecurityAnonymous = 0,
SecurityIdentification,
SecurityImpersonation,
SecurityDelegation
}

public enum LogonTypes
{
//logon types
LOGON32_LOGON_INTERACTIVE		= 2,
LOGON32_LOGON_NETWORK			= 3,
LOGON32_LOGON_BATCH			= 4,

// Windows2000
LOGON32_LOGON_NETWORK_CLEARPASSWORD	= 8,
LOGON32_LOGON_NEW_CREDENTIALS		= 9
}

/// <summary>
/// Impersonate a specific user in the domain.
/// Note that the user account on the calling process must have
/// the SE_TCB_NAME priviledge when running on W2k.
/// This can be given using Local Policy MMC and adding account to
/// "Act as Part of the Operationg System".  For ASP.NET applications the
calling
/// user context is usually ASPNET user.
/// </summary>
public class Impersonate
{
#region Dll Imports
[DllImport("advapi32.dll", CharSet=CharSet.Auto, SetLastError=true)]
public static extern bool LogonUser(String lpszUsername, String
lpszDomain, String lpszPassword,
int dwLogonType, int dwLogonProvider, ref IntPtr phToken);

[DllImport("advapi32.dll", CharSet=CharSet.Auto, SetLastError=true)]
public extern static bool DuplicateToken(IntPtr hToken, int
impersonationLevel, ref IntPtr hNewToken);

[DllImport("kernel32.dll", CharSet=CharSet.Auto, SetLastError=true)]
public static extern bool CloseHandle(IntPtr handle);

[DllImport("advapi32.dll", SetLastError=true)]
public static extern int ImpersonateLoggedOnUser(IntPtr hToken);

[DllImport("advapi32.dll", SetLastError=true)]
static extern int RevertToSelf();
#endregion

#region MEMBER VARIABLES
private IntPtr token = IntPtr.Zero;
private IntPtr dupToken = IntPtr.Zero;
private LogonProvider _logonProvider;
private ImpersonationLevel _impersonationLevel;
private string _originalUser = Thread.CurrentPrincipal.Identity.Name;
private LogonTypes _logonType;
private bool impersonated = false;
#endregion

#region CONTRUCTORS
public Impersonate(LogonProvider logonProvider, ImpersonationLevel level,
LogonTypes logonType)
{
this._logonProvider = logonProvider;
this._impersonationLevel = level;
this._logonType = logonType;
}

public Impersonate(LogonProvider logonProvider, ImpersonationLevel level)

public Impersonate(LogonProvider logonProvider) : this (logonProvider,
ImpersonationLevel.SecurityImpersonation, LogonTypes.LOGON32_LOGON_NETWORK) {}

public Impersonate() : this(LogonProvider.LOGON32_PROVIDER_DEFAULT,
ImpersonationLevel.SecurityImpersonation, LogonTypes.LOGON32_LOGON_NETWORK) {}

#endregion

#region PUBLIC PROPERTIES

public ImpersonationLevel Level
{
get { return this._impersonationLevel; }
set { this._impersonationLevel = value; }
}

public LogonTypes LogonType
{
get { return this._logonType; }
set { this._logonType = value; }
}

public string CurrentIdentity
{
get
{
return Thread.CurrentPrincipal.Identity.Name;
}
}

/// <summary>
/// Property returns whether or not an impersonation is occurring
/// </summary>
public bool Impersonating
{
get
{
return this.CurrentIdentity != this._originalUser;
}
}

#endregion

#region PUBLIC METHODS
/// <summary>
/// Impersonates a specific user in the domain.  This changes the process
/// identity to the impersonated user's security context.
/// </summary>
/// Domain name
/// Login ID
/// Password
public void ImpersonateUser(string domain, string username, string password)
{
ImpersonateUser(domain, username, password, false);
}
/// <summary>
/// Impersonates a specific user in the domain.  This changes the process
/// identity to the impersonated user's security context.
/// </summary>
/// Domain name
/// Login ID
/// Password
/// Do not process impersonisation.
public void ImpersonateUser(string domain, string username, string
password, bool justLogon)
{
if (Impersonating) throw new System.Security.SecurityException("You are
already impersonating " + CurrentIdentity);

impersonated = LogonUser(username,
domain,
password,
(int)_logonType,
(int)_logonProvider,
ref token);

//check the error
if(!impersonated) throw new Win32Exception(Marshal.GetLastWin32Error());

if (!justLogon) ImpersonateLoggedOnUser(token);
}

/// <summary>
/// Reverts back to the original process identity.
/// </summary>
public void UndoImpersonation()
{
if (impersonated) RevertToSelf();
if (token != IntPtr.Zero) CloseHandle(token);
if (dupToken != IntPtr.Zero) CloseHandle(dupToken);
}
#endregion
}
}

09-Jul-08 07:11 PM

One more update as I keep debugging. I am impersonating domain account for
the website, which seems to make a difference because if I add my the user to
the local admin group, I get no errors.

In web.config I impersonate like this:


So now it seems like a security policy problem with this user. I found this
somewhat related post.

http://forums.asp.net/p/905562/1001414.aspx

Any help is appreciated. Thx.

10-Jul-08 04:24 AM

If I remember you have to allow impersonation for this user. Try
http://support.microsoft.com/kb/821546/en-us

--
Patrice

10-Jul-08 01:12 PM

Patrice,

The IIS_USRS is already part of "Impersonate a Client After Authentication",
I did add the domain user as well just in case.

I added the domain user to "Create Global Objects", but still get the same
error.

I issued gpupdate /force after making these changes.

Is there a way to debug/log what user is requesting / failing the specific
permission?

Thx.