Velocity Reviews - Computer Hardware Reviews

Velocity Reviews > Newsgroups > Programming > ASP .Net > ASP .Net Security > impersonation works on local xp not on web server

Reply
Thread Tools

impersonation works on local xp not on web server

 
 
smyers@quilogy.com
Guest
Posts: n/a
 
      04-29-2004
The program I have written to change a password by impersonating an
admin has worked successfully on my local XP, but when transferred to
the Windows 2000 server the impersonation fails. I have tried
everything I can think of even to the extent of making sure the W2k
box has the SE_TCB_NAME privilege and installing a server
certification and the program is still not functioning properly on the
server. I believe that the LogonUser() function is taking in the
correct values with the exception that the token has no value...it
continually is showing an output of 0 when I debug on the server. Any
suggestions would be greatly appreciated. Here is some code:
using System;
using System.DirectoryServices;
using System.Runtime.InteropServices;
using System.Security;
using System.Security.Permissions;
using System.Security.Principal;
using System.Configuration;
using System.Diagnostics;


namespace BoardShareData
{
public class UserSecurity
{
public UserSecurity()
{

}

#region Impersonate Info
private const int LOGON32_LOGON_INTERACTIVE = 2;
private const int LOGON32_PROVIDER_DEFAULT = 0;

WindowsImpersonationContext impersonationContext;

[DllImport("advapi32.dll")]
private static extern bool LogonUser(
String lpszUsername,
String lpszDomain,
String lpszPassword,
int dwLogonType,
int dwLogonProvider,
ref IntPtr phToken );

[DllImport("advapi32.dll")]
private static extern bool DuplicateToken(
IntPtr ExistingTokenHandle,
int ImpersonationLevel,
ref IntPtr DuplicateTokenHandle );

#endregion

#region Private Methods
/// <summary>
/// Sets up the impersonation
/// </summary>
/// <returns></returns>
private bool _impersonateValidUser()
{
string adminUser, adminPwd, domain;
// values come from web.config file
domain = Environment.MachineName.ToString();
adminUser = ConfigurationSettings.AppSettings["pwdAdminUser"].ToString();
adminPwd = ConfigurationSettings.AppSettings["pwdAdminPwd"].ToString();
#if (DEBUG)
// debug environment
adminUser = ConfigurationSettings.AppSettings["pwdAdminUser-debug"].ToString();
adminPwd = ConfigurationSettings.AppSettings["pwdAdminPwd-debug"].ToString();
#endif

WindowsIdentity tempWindowsIdentity;
IntPtr token = IntPtr.Zero;
IntPtr tokenDuplicate = IntPtr.Zero;

// check to make sure user has rights to change the password
if(LogonUser(adminUser, domain, adminPwd, LOGON32_LOGON_INTERACTIVE,
LOGON32_PROVIDER_DEFAULT, ref token) != false)
{
if(DuplicateToken(token, 2, ref tokenDuplicate) != false)
{
tempWindowsIdentity = new WindowsIdentity(tokenDuplicate);
impersonationContext = tempWindowsIdentity.Impersonate();
if (impersonationContext != null)
return true;
else
return false;
}
else
return false;
}
else
return false;
}

/// <summary>
/// Undoes the impersonation
/// </summary>
private void _undoImpersonation()
{
impersonationContext.Undo();
}
#endregion

#region Public Methods
// change password for a given user
public void ChangePassword(string userName, string userPwd)
{
if (this._impersonateValidUser())
{
// valid admin user, impersonation is working
// impersonation set up, change the password
string adStr = "WinNT://" + Environment.MachineName.ToString();

DirectoryEntry ad = new DirectoryEntry(adStr);
DirectoryEntry user;
// find user and set password
try
{
user = ad.Children.Find(userName, "User");
user.Invoke("SetPassword", new object[] {userPwd});
user.CommitChanges();
// done with impersonation
this._undoImpersonation();
}
catch (Exception exp)
{
// error encountered, undo impersonation
this._undoImpersonation();
throw exp;
}
}
else
{
// impersonation did not work, some type of error handling here to
let user know what happened
Console.Write("You are not a valid user");
}
}

#endregion
}
}
 
Reply With Quote
 
 
 
 
Joe Kaplan \(MVP - ADSI\)
Guest
Posts: n/a
 
      04-29-2004
Are you trying to change passwords against AD? If so, there is a much
easier way to do this using LDAP that doesn't require impersonation. I can
help with the AD if that applies.

If you must impersonate, you should use the canonical example provided by
Microsoft here:
http://msdn.microsoft.com/library/de...asp?frame=true

HTH,

Joe K.

<(E-Mail Removed)> wrote in message
news:(E-Mail Removed) m...
> The program I have written to change a password by impersonating an
> admin has worked successfully on my local XP, but when transferred to
> the Windows 2000 server the impersonation fails. I have tried
> everything I can think of even to the extent of making sure the W2k
> box has the SE_TCB_NAME privilege and installing a server
> certification and the program is still not functioning properly on the
> server. I believe that the LogonUser() function is taking in the
> correct values with the exception that the token has no value...it
> continually is showing an output of 0 when I debug on the server. Any
> suggestions would be greatly appreciated. Here is some code:
> using System;
> using System.DirectoryServices;
> using System.Runtime.InteropServices;
> using System.Security;
> using System.Security.Permissions;
> using System.Security.Principal;
> using System.Configuration;
> using System.Diagnostics;
>
>
> namespace BoardShareData
> {
> public class UserSecurity
> {
> public UserSecurity()
> {
>
> }
>
> #region Impersonate Info
> private const int LOGON32_LOGON_INTERACTIVE = 2;
> private const int LOGON32_PROVIDER_DEFAULT = 0;
>
> WindowsImpersonationContext impersonationContext;
>
> [DllImport("advapi32.dll")]
> private static extern bool LogonUser(
> String lpszUsername,
> String lpszDomain,
> String lpszPassword,
> int dwLogonType,
> int dwLogonProvider,
> ref IntPtr phToken );
>
> [DllImport("advapi32.dll")]
> private static extern bool DuplicateToken(
> IntPtr ExistingTokenHandle,
> int ImpersonationLevel,
> ref IntPtr DuplicateTokenHandle );
>
> #endregion
>
> #region Private Methods
> /// <summary>
> /// Sets up the impersonation
> /// </summary>
> /// <returns></returns>
> private bool _impersonateValidUser()
> {
> string adminUser, adminPwd, domain;
> // values come from web.config file
> domain = Environment.MachineName.ToString();
> adminUser = ConfigurationSettings.AppSettings["pwdAdminUser"].ToString();
> adminPwd = ConfigurationSettings.AppSettings["pwdAdminPwd"].ToString();
> #if (DEBUG)
> // debug environment
> adminUser =

ConfigurationSettings.AppSettings["pwdAdminUser-debug"].ToString();
> adminPwd =

ConfigurationSettings.AppSettings["pwdAdminPwd-debug"].ToString();
> #endif
>
> WindowsIdentity tempWindowsIdentity;
> IntPtr token = IntPtr.Zero;
> IntPtr tokenDuplicate = IntPtr.Zero;
>
> // check to make sure user has rights to change the password
> if(LogonUser(adminUser, domain, adminPwd, LOGON32_LOGON_INTERACTIVE,
> LOGON32_PROVIDER_DEFAULT, ref token) != false)
> {
> if(DuplicateToken(token, 2, ref tokenDuplicate) != false)
> {
> tempWindowsIdentity = new WindowsIdentity(tokenDuplicate);
> impersonationContext = tempWindowsIdentity.Impersonate();
> if (impersonationContext != null)
> return true;
> else
> return false;
> }
> else
> return false;
> }
> else
> return false;
> }
>
> /// <summary>
> /// Undoes the impersonation
> /// </summary>
> private void _undoImpersonation()
> {
> impersonationContext.Undo();
> }
> #endregion
>
> #region Public Methods
> // change password for a given user
> public void ChangePassword(string userName, string userPwd)
> {
> if (this._impersonateValidUser())
> {
> // valid admin user, impersonation is working
> // impersonation set up, change the password
> string adStr = "WinNT://" + Environment.MachineName.ToString();
>
> DirectoryEntry ad = new DirectoryEntry(adStr);
> DirectoryEntry user;
> // find user and set password
> try
> {
> user = ad.Children.Find(userName, "User");
> user.Invoke("SetPassword", new object[] {userPwd});
> user.CommitChanges();
> // done with impersonation
> this._undoImpersonation();
> }
> catch (Exception exp)
> {
> // error encountered, undo impersonation
> this._undoImpersonation();
> throw exp;
> }
> }
> else
> {
> // impersonation did not work, some type of error handling here to
> let user know what happened
> Console.Write("You are not a valid user");
> }
> }
>
> #endregion
> }
> }



 
Reply With Quote
 
 
 
 
smyers@quilogy.com
Guest
Posts: n/a
 
      04-30-2004
I am trying to change passwords against AD. Any help would be appreciated.
Thanks in advance!
Sam

"Joe Kaplan \(MVP - ADSI\)" <(E-Mail Removed)> wrote in message news:<(E-Mail Removed)>...
> Are you trying to change passwords against AD? If so, there is a much
> easier way to do this using LDAP that doesn't require impersonation. I can
> help with the AD if that applies.
>
> If you must impersonate, you should use the canonical example provided by
> Microsoft here:
> http://msdn.microsoft.com/library/de...asp?frame=true
>
> HTH,
>
> Joe K.
>
> <(E-Mail Removed)> wrote in message
> news:(E-Mail Removed) m...
> > The program I have written to change a password by impersonating an
> > admin has worked successfully on my local XP, but when transferred to
> > the Windows 2000 server the impersonation fails. I have tried
> > everything I can think of even to the extent of making sure the W2k
> > box has the SE_TCB_NAME privilege and installing a server
> > certification and the program is still not functioning properly on the
> > server. I believe that the LogonUser() function is taking in the
> > correct values with the exception that the token has no value...it
> > continually is showing an output of 0 when I debug on the server. Any
> > suggestions would be greatly appreciated. Here is some code:
> > using System;
> > using System.DirectoryServices;
> > using System.Runtime.InteropServices;
> > using System.Security;
> > using System.Security.Permissions;
> > using System.Security.Principal;
> > using System.Configuration;
> > using System.Diagnostics;
> >
> >
> > namespace BoardShareData
> > {
> > public class UserSecurity
> > {
> > public UserSecurity()
> > {
> >
> > }
> >
> > #region Impersonate Info
> > private const int LOGON32_LOGON_INTERACTIVE = 2;
> > private const int LOGON32_PROVIDER_DEFAULT = 0;
> >
> > WindowsImpersonationContext impersonationContext;
> >
> > [DllImport("advapi32.dll")]
> > private static extern bool LogonUser(
> > String lpszUsername,
> > String lpszDomain,
> > String lpszPassword,
> > int dwLogonType,
> > int dwLogonProvider,
> > ref IntPtr phToken );
> >
> > [DllImport("advapi32.dll")]
> > private static extern bool DuplicateToken(
> > IntPtr ExistingTokenHandle,
> > int ImpersonationLevel,
> > ref IntPtr DuplicateTokenHandle );
> >
> > #endregion
> >
> > #region Private Methods
> > /// <summary>
> > /// Sets up the impersonation
> > /// </summary>
> > /// <returns></returns>
> > private bool _impersonateValidUser()
> > {
> > string adminUser, adminPwd, domain;
> > // values come from web.config file
> > domain = Environment.MachineName.ToString();
> > adminUser = ConfigurationSettings.AppSettings["pwdAdminUser"].ToString();
> > adminPwd = ConfigurationSettings.AppSettings["pwdAdminPwd"].ToString();
> > #if (DEBUG)
> > // debug environment
> > adminUser =

> ConfigurationSettings.AppSettings["pwdAdminUser-debug"].ToString();
> > adminPwd =

> ConfigurationSettings.AppSettings["pwdAdminPwd-debug"].ToString();
> > #endif
> >
> > WindowsIdentity tempWindowsIdentity;
> > IntPtr token = IntPtr.Zero;
> > IntPtr tokenDuplicate = IntPtr.Zero;
> >
> > // check to make sure user has rights to change the password
> > if(LogonUser(adminUser, domain, adminPwd, LOGON32_LOGON_INTERACTIVE,
> > LOGON32_PROVIDER_DEFAULT, ref token) != false)
> > {
> > if(DuplicateToken(token, 2, ref tokenDuplicate) != false)
> > {
> > tempWindowsIdentity = new WindowsIdentity(tokenDuplicate);
> > impersonationContext = tempWindowsIdentity.Impersonate();
> > if (impersonationContext != null)
> > return true;
> > else
> > return false;
> > }
> > else
> > return false;
> > }
> > else
> > return false;
> > }
> >
> > /// <summary>
> > /// Undoes the impersonation
> > /// </summary>
> > private void _undoImpersonation()
> > {
> > impersonationContext.Undo();
> > }
> > #endregion
> >
> > #region Public Methods
> > // change password for a given user
> > public void ChangePassword(string userName, string userPwd)
> > {
> > if (this._impersonateValidUser())
> > {
> > // valid admin user, impersonation is working
> > // impersonation set up, change the password
> > string adStr = "WinNT://" + Environment.MachineName.ToString();
> >
> > DirectoryEntry ad = new DirectoryEntry(adStr);
> > DirectoryEntry user;
> > // find user and set password
> > try
> > {
> > user = ad.Children.Find(userName, "User");
> > user.Invoke("SetPassword", new object[] {userPwd});
> > user.CommitChanges();
> > // done with impersonation
> > this._undoImpersonation();
> > }
> > catch (Exception exp)
> > {
> > // error encountered, undo impersonation
> > this._undoImpersonation();
> > throw exp;
> > }
> > }
> > else
> > {
> > // impersonation did not work, some type of error handling here to
> > let user know what happened
> > Console.Write("You are not a valid user");
> > }
> > }
> >
> > #endregion
> > }
> > }

 
Reply With Quote
 
Joe Kaplan \(MVP - ADSI\)
Guest
Posts: n/a
 
      05-02-2004
Sorry for the delay. Below is a .NET ChangePassword routine I put together
for someone else. It basically attempts to find the user in AD by their
username using their old password to authenticate to AD. If it succeeds, it
tries the ChangePassword function.

One thing to watch out for is that ChangePassword only wants to work on a
128 secure SSL connection to the DC. Make sure you have your DC configured
with a valid certificate and you bind to it with the DNS name that the cert
is issued to.

HTH,

Joe K.

Private Sub ChangePassword(ByVal username As String, ByVal oldPassword
As String, ByVal newPassword As String)

Dim dcDNS As String = "yourdc.com" 'use this if you want to supply a
server name
Dim rootDN As String
Dim rootDSE As DirectoryEntry
Dim searchRoot As DirectoryEntry
Dim userEntry As DirectoryEntry
Dim searcher As DirectorySearcher
Dim results As SearchResultCollection
Dim result As SearchResult

Try
'note the authenicationtypes here
'you need to either use SecureSocketsLayer for ChangePasswor
rootDSE = New DirectoryEntry(String.Format("LDAP://{0}/rootDSE",
dcDNS), username, oldPassword, AuthenticationTypes.Secure Or
AuthenticationTypes.SecureSocketsLayer Or AuthenticationTypes.ServerBind)
rootDN =
DirectCast(rootDSE.Properties("defaultNamingContex t").Value, String)
searchRoot = New DirectoryEntry(String.Format("LDAP://{0}/{1}",
dcDNS, rootDN), username, oldPassword, AuthenticationTypes.Secure Or
AuthenticationTypes.SecureSocketsLayer Or AuthenticationTypes.ServerBind)
searcher = New DirectorySearcher(searchRoot)
searcher.Filter = String.Format("sAMAccountName={0}", username)
searcher.SearchScope = SearchScope.Subtree
searcher.CacheResults = False

'I use FindAll here because FindOne leaks memory if it does not
find anything
'in .NET 1.0 and 1.1
results = searcher.FindAll()
For Each result In results
'only use this method on .NET 1.1 or higher
'otherwise, get the adsPath value and build a new
DirectoryEntry with the supplied credentials
userEntry = result.GetDirectoryEntry()
Exit For 'this is redundant because sAMAccountName is unique
in the domain, but it is done for clarity
Next

If userEntry Is Nothing Then
Throw New InvalidOperationException("User not found in this
domain.")
End If

userEntry.Invoke("ChangePassword", New Object() {oldPassword,
newPassword})
userEntry.CommitChanges()

Catch ex As System.Reflection.TargetInvocationException
Throw ex.InnerException

Finally 'these prevent other memory leaks
If Not userEntry Is Nothing Then userEntry.Dispose()
If Not results Is Nothing Then results.Dispose()
If Not searcher Is Nothing Then searcher.Dispose()
If Not searchRoot Is Nothing Then searchRoot.Dispose()
If Not rootDSE Is Nothing Then rootDSE.Dispose()
End Try
End Sub


<(E-Mail Removed)> wrote in message
news:(E-Mail Removed) m...
> I am trying to change passwords against AD. Any help would be appreciated.
> Thanks in advance!
> Sam
>



 
Reply With Quote
 
 
 
Reply

Thread Tools

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are On
Pingbacks are On
Refbacks are Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
When I turn on my PC, it works, works, works. Problem! Fogar Computer Information 1 01-17-2006 12:57 AM
Impersonation Issues. ASP.NET Webform works only on Local Machine =?Utf-8?B?Um9ja3k=?= ASP .Net 1 12-21-2005 02:02 AM
GridView Delete works on local but not server hougie40@hotmail.com ASP .Net 0 12-15-2005 10:47 PM
Browser link to local file works when local, not work when servedfrom http lurker HTML 1 04-05-2005 05:10 AM
After rebooting my PC works, works, works! Antivirus problem? Adriano Computer Information 1 12-15-2003 05:30 AM



Advertisments