Velocity Reviews


nano2k 06-27-2007 08:06 AM

Impersonation and switching back to ASPNET user privileges
 
Hi

In my webservice, for certain requests, I need to start another
process on the server side.
To start my process, I need to have administrative rights, so I'm
using the impersonation mechanism with a predefined fixed user
account on the server machine.
All works fine, no problem, but after the process starts, I need to
"revert" to ASPNET or NETWORK SERVICES user account privileges. This
part is what I'm missing.

To impersonate, I'm using this code:

public static bool impersonateValidUser(String userName, String domain, String password) {
    WindowsIdentity tempWindowsIdentity;
    IntPtr token = IntPtr.Zero;
    IntPtr tokenDuplicate = IntPtr.Zero;

    // Drop any impersonation already active on this thread before logging on.
    if (WinAPI.RevertToSelf()) {
        if (WinAPI.LogonUserA(userName, domain, password,
                WinAPI.LOGON32_LOGON_INTERACTIVE,
                WinAPI.LOGON32_PROVIDER_DEFAULT, ref token) != 0) {
            // 2 = SecurityImpersonation
            if (WinAPI.DuplicateToken(token, 2, ref tokenDuplicate) != 0) {
                tempWindowsIdentity = new WindowsIdentity(tokenDuplicate);
                impersonationContext = tempWindowsIdentity.Impersonate();
                if (impersonationContext != null) {
                    WinAPI.CloseHandle(token);
                    WinAPI.CloseHandle(tokenDuplicate);
                    return true;
                }
            }
        }
    }
    // Failure path: release whichever handles were opened.
    if (token != IntPtr.Zero)
        WinAPI.CloseHandle(token);
    if (tokenDuplicate != IntPtr.Zero)
        WinAPI.CloseHandle(tokenDuplicate);
    return false;
}

I tried using the above method like this:

//save current user account:
string name = Environment.UserName;
string domain = Environment.UserDomainName;

bool b = impersonateValidUser("admin_user", "domain", "pass");
//b gets the value of true, so impersonation succeeded
//now, start the process
.....
//succeeded
//trying to revert to previous user account (ASPNET or NETWORK
//SERVICES for server systems):
b = impersonateValidUser(name, domain, string.Empty);
//b is false - it seems that the ASPNET has a default password (?)

Any ideas? Thanks.


nano2k 06-27-2007 08:11 AM

Re: Impersonation and switching back to ASPNET user privileges
 
I think I found my answer.
Calling WinAPI.RevertToSelf() after finishing all operations that
required impersonation seems to work.



nano2k wrote:
> Hi
>
> In my webservice, for certain requests, I need to start another
> process on the server side.
> To start my process, I need to have administrative rights, so I'm
> using the impersonation mechanism with a predefined fixed user
> account on the server machine.
> All works fine, no problem, but after the process starts, I need to
> "revert" to ASPNET or NETWORK SERVICES user account privileges. This
> part is what I'm missing.
>
> To impersonate, I'm using this code:
>
> public static bool impersonateValidUser(String userName, String domain, String password) {
>     WindowsIdentity tempWindowsIdentity;
>     IntPtr token = IntPtr.Zero;
>     IntPtr tokenDuplicate = IntPtr.Zero;
>
>     // Drop any impersonation already active on this thread before logging on.
>     if (WinAPI.RevertToSelf()) {
>         if (WinAPI.LogonUserA(userName, domain, password,
>                 WinAPI.LOGON32_LOGON_INTERACTIVE,
>                 WinAPI.LOGON32_PROVIDER_DEFAULT, ref token) != 0) {
>             // 2 = SecurityImpersonation
>             if (WinAPI.DuplicateToken(token, 2, ref tokenDuplicate) != 0) {
>                 tempWindowsIdentity = new WindowsIdentity(tokenDuplicate);
>                 impersonationContext = tempWindowsIdentity.Impersonate();
>                 if (impersonationContext != null) {
>                     WinAPI.CloseHandle(token);
>                     WinAPI.CloseHandle(tokenDuplicate);
>                     return true;
>                 }
>             }
>         }
>     }
>     // Failure path: release whichever handles were opened.
>     if (token != IntPtr.Zero)
>         WinAPI.CloseHandle(token);
>     if (tokenDuplicate != IntPtr.Zero)
>         WinAPI.CloseHandle(tokenDuplicate);
>     return false;
> }
>
> I tried using the above method like this:
>
> //save current user account:
> string name = Environment.UserName;
> string domain = Environment.UserDomainName;
>
> bool b = impersonateValidUser("admin_user", "domain", "pass");
> //b gets the value of true, so impersonation succeeded
> //now, start the process
> ....
> //succeeded
> //trying to revert to previous user account (ASPNET or NETWORK
> //SERVICES for server systems):
> b = impersonateValidUser(name, domain, string.Empty);
> //b is false - it seems that the ASPNET has a default password (?)
>
> Any ideas? Thanks.



