Windows Impersonation from C#

Asked 18/2, 2009 at 3:24 Answered 22/2, 2009 at 9:36

How can a C# program running as LocalSystem impersonate the login identity of another user temporarily? Roughly speaking I have a Windows Service that I'd like to run as LocalSystem but at times impersonate user XYZ (when connecting to a db using windows integrated security).

Most important of all: Is there a way to do this without knowing the other user's password?

Note: if a password is mandatory is there a recommended strategy for storing a password securely (c# and/or vbscript).

Latoyialatreece answered 18/2, 2009 at 3:24 Comment(1)

For the Impersonation code see the following two Code Project articles: http://www.codeproject.com/KB/cs/cpimpersonation1.aspx http://www.codeproject.com/KB/cs/zetaimpersonator.aspx and the Microsoft KB article they are based upon: http://support.microsoft.com/default.aspx?scid=kb;en-us;Q306158 – Marjana 18/2, 2009 at 3:36

It's possible, although it requires you to do a lot of code. See NtCreateToken and CreateToken. You need SeCreateTokenPrivilege, although that won't be a problem since you're running under NT AUTHORITY\SYSTEM. You can then use the created token to impersonate inside a thread.

Headband answered 22/2, 2009 at 9:36 Comment(3)

Thanks. Not much in the way of code samples out there for it though :) – Latoyialatreece 22/2, 2009 at 18:26

Note that it's not recommended to run services under LocalSystem, and sysadmins rightly frown on this practice. – Brevet 9/4, 2009 at 14:12

On stackoverflow, I prefer to do/answer what is asked. – Headband 9/4, 2009 at 23:14

Short answer: you can't without the user password or the user calling your service through COM.

To impersonate another user in your process, you have to call ImpersonateLoggedOnUser. ImpersonateLoggedOnUser requires a token handle. There are several ways you can obtain token handle:

by logging on as the user with LogonUser. This however requires you to know the user password.
by duplicating an existing token with CreateRestrictedToken, DuplicateToken, or DuplicateTokenEx.
by opening the token from another process or thread, that already is loggen on as the user, with OpenProcessToken or OpenThreadToken

Biskra answered 18/2, 2009 at 3:38 Comment(0)

For the password storing part, you may want to have a look at this question asked recently.

This was my answer:

You could/should use the DPAPI, the Data Protection API that provides storage encryption.
It's there just for this type of problem.

Encryption of the storage is based on either:

the user account, so only the logged-in user can access the data. This makes the data transferable to another PC with the exact same user credentials.
the machine, making the data only accessible on that particular machine setup and not transferable to another PC.

There is a dnrTV show with Karl Franklin showing exactly what's needed to implement this, and other encryption functions.
The source code from the show is also available on the page.

There are, of course, lots of other articles on that subject.

Pteryla answered 18/2, 2009 at 3:33 Comment(0)

Recommended topics

Hot tags