Access File Share from ASP.NET using Unmanaged Code

 
 
[MSFT]
07-15-2004
I found a sample in C# code, hope this helps:

http://groups.google.com/groups?hl=z...XoOGWDHA.1728%40TK2MSFTNGP11.phx.gbl&rnum=6

Luke

 
Joe Kaplan (MVP - ADSI)
07-15-2004
Also, www.pinvoke.net has tons of pinvoke stuff on their wiki. It is a good
reference for this stuff (although I didn't find that one here).

Joe K.


"[MSFT]" <> wrote in message
news:...
> I found a sample in C# code, hope this helps:
>
> http://groups.google.com/groups?hl=z...XoOGWDHA.1728%40TK2MSFTNGP11.phx.gbl&rnum=6
>
> Luke



 
Joe Kaplan (MVP - ADSI)
07-15-2004
So, the issue with using the Process class is that it won't create the
process using the token that is being impersonated on the thread, but will
use the process token instead. I believe that explains why it wasn't
working the way you were expecting.

I'm not sure what's wrong with your code without checking it out, but you
might consider jumping over to the interop group to get some help with that
(or perhaps try a Google groups search to see if it is already asked and
answered).

The good news is that your code to create the token that you were using for
impersonation will be useful to pass into this, so once you get this
working, you should be all set.

I hope it works out.

Joe K.

"Mark Duregon" <> wrote in message
news:40DB93B2-531D-44C8-A478-...
> Sorry Joe:
>
> I read your response and looked at the documentation for
> CreateProcessWithTokenW which stated that Win2003 was required. I then saw
> the response from [MSFT] with a link to Support Article that indicated that
> the feature was introduced in Win2000. Since then I have been using the
> code in the article and trying to convert it to C#. I gave up on that
> because I could get it to compile but not run successfully (my result kept
> coming back as 0). I have now tried to create a VB.NET library using the
> code from that article. I think the code in that article was VB6 (I am not
> entirely sure, my VB is far too rusty), but I have managed to get that to
> compile but I now get a runtime exception of a variable not being set to an
> instance.
>
> To answer your question, I am using the Process class.
>
> Again my apologies to you Joe, I must have read the wrong piece of
> documentation.
>
> Does anyone happen to know of an example of this in C#?
>
> Regards Mark.
>
> "Joe Kaplan (MVP - ADSI)" wrote:
>
> > Yes, but my question was how are you launching the vbscript processes? I
> > understand the Win2K/1.0 part.
> >
> > Joe K.
> >
> > "Mark Duregon" <> wrote in message
> > news:47607F44-4AF2-4501-857F-...
> > > Thanks, but I did mention that I am using Windows 2000 and 1.0 of the
> > > framework.
> > >
> > > "Joe Kaplan (MVP - ADSI)" wrote:
> > >
> > > > How are you calling the script files in this app? Are you using the
> > > > Process class? In that case, you need to be aware that it will start the
> > > > new process with the current process' token, not the impersonation
> > > > token. Since it would appear that you have a primary token, you could
> > > > get around this by calling CreateProcessWithTokenW instead.
> > > >
> > > > If that isn't how you are calling the scripts, then how are you doing
> > > > it?
> > > >
> > > > Joe K.
> > > >
> > > > "Mark Duregon" <> wrote in message
> > > > news:5A1E8402-3951-4673-B370-...
> > > > > Hi,
> > > > >
> > > > > We have an application that requires appropriate users to run command
> > > > > files on an adhoc basis. We have implemented a library that uses the
> > > > > following code:
> > > > >
> > > > > using System;
> > > > > using System.Runtime.InteropServices;
> > > > > using System.Security.Principal;
> > > > > using System.Security.Permissions;
> > > > >
> > > > > namespace SAMIS.Porteco.Utilities
> > > > > {
> > > > >     public enum LogonType : int
> > > > >     {
> > > > >         LOGON32_LOGON_INTERACTIVE = 2,
> > > > >         LOGON32_LOGON_NETWORK = 3,
> > > > >         LOGON32_LOGON_BATCH = 4,
> > > > >         LOGON32_LOGON_SERVICE = 5,
> > > > >         LOGON32_LOGON_UNLOCK = 7,
> > > > >         LOGON32_LOGON_NETWORK_CLEARTEXT = 8, // Only for Win2K or higher
> > > > >         LOGON32_LOGON_NEW_CREDENTIALS = 9 // Only for Win2K or higher
> > > > >     };
> > > > >
> > > > >     public enum LogonProvider : int
> > > > >     {
> > > > >         LOGON32_PROVIDER_DEFAULT = 0,
> > > > >         LOGON32_PROVIDER_WINNT35 = 1,
> > > > >         LOGON32_PROVIDER_WINNT40 = 2,
> > > > >         LOGON32_PROVIDER_WINNT50 = 3
> > > > >     };
> > > > >
> > > > >     class SecuUtil32
> > > > >     {
> > > > >         [DllImport("advapi32.dll", SetLastError=true)]
> > > > >         public static extern bool LogonUser(String lpszUsername, String lpszDomain, String lpszPassword,
> > > > >             int dwLogonType, int dwLogonProvider, ref IntPtr TokenHandle);
> > > > >
> > > > >         [DllImport("kernel32.dll", CharSet=CharSet.Auto)]
> > > > >         public extern static bool CloseHandle(IntPtr handle);
> > > > >
> > > > >         [DllImport("advapi32.dll", CharSet=CharSet.Auto, SetLastError=true)]
> > > > >         public extern static bool DuplicateToken(IntPtr ExistingTokenHandle,
> > > > >             int SECURITY_IMPERSONATION_LEVEL, ref IntPtr DuplicateTokenHandle);
> > > > >     }
> > > > >
> > > > >     /// <summary>
> > > > >     /// Summary description for NetworkSecurity.
> > > > >     /// </summary>
> > > > >     public class NetworkSecurity
> > > > >     {
> > > > >         private NetworkSecurity() {}
> > > > >
> > > > >         public static WindowsImpersonationContext ImpersonateUser(string domain, string login, string password,
> > > > >             LogonType logonType, LogonProvider logonProvider)
> > > > >         {
> > > > >             IntPtr tokenHandle = new IntPtr(0);
> > > > >             IntPtr dupeTokenHandle = new IntPtr(0);
> > > > >             try
> > > > >             {
> > > > >                 const int SecurityImpersonation = 2;
> > > > >
> > > > >                 tokenHandle = IntPtr.Zero;
> > > > >                 dupeTokenHandle = IntPtr.Zero;
> > > > >
> > > > >                 //
> > > > >                 // Call LogonUser to obtain a handle to an access token.
> > > > >                 //
> > > > >                 bool returnValue = SecuUtil32.LogonUser(login, domain, password, (int)logonType,
> > > > >                     (int)logonProvider, ref tokenHandle);
> > > > >
> > > > >                 if (false == returnValue)
> > > > >                 {
> > > > >                     int ret = Marshal.GetLastWin32Error();
> > > > >                     string strErr = String.Format("LogonUser failed with error code : {0}", ret);
> > > > >                     throw new ApplicationException(strErr, null);
> > > > >                 }
> > > > >
> > > > >                 bool retVal = SecuUtil32.DuplicateToken(tokenHandle, SecurityImpersonation, ref dupeTokenHandle);
> > > > >
> > > > >                 if (false == retVal)
> > > > >                 {
> > > > >                     SecuUtil32.CloseHandle(tokenHandle);
> > > > >                     throw new ApplicationException("Failed to duplicate token", null);
> > > > >                 }
> > > > >
> > > > >                 //
> > > > >                 // The token that is passed to the following constructor must
> > > > >                 // be a primary token in order to use it for impersonation.
> > > > >                 //
> > > > >                 WindowsIdentity newId = new WindowsIdentity(dupeTokenHandle);
> > > > >                 WindowsImpersonationContext impersonatedUser = newId.Impersonate();
> > > > >
> > > > >                 return impersonatedUser;
> > > > >             }
> > > > >             catch (Exception ex)
> > > > >             {
> > > > >                 throw new ApplicationException(ex.Message, ex);
> > > > >             }
> > > > >
> > > > >             return null;
> > > > >         }
> > > > >     }
> > > > > }
> > > > >
> > > > > The problem we are having is that while network resources are not
> > > > > restricted entirely because the batch files are able to run sql scripts
> > > > > against the Oracle database, FTP etc. but the user cannot access a
> > > > > network share either by unc path or trying to map a drive as part of the
> > > > > script. This problem only occurs when trying to run the script in this
> > > > > fashion as it works when run manually through a command prompt which is
> > > > > expected, and also on a scheduled basis by the Windows Scheduler.
> > > > >
> > > > > Is there a permission I need to request/grant on the assembly and if so
> > > > > which assembly (the library/web or both). I have tried granting full
> > > > > trust to the assemblies without success.
> > > > >
> > > > > Alternatively is there a way to run a defined task from the scheduler.
> > > > > I read the documentation (all 2 lines of it) for the scheduler and did
> > > > > not get the impression that it is possible.
> > > > >
> > > > > Regards,
> > > > > Mark.
> > > > >
> > > > > P.S. I cannot give you an exception or error messages that occur when I
> > > > > try to run the task from the web application, because as soon as I try
> > > > > to access a network resource using the page I have created it simply
> > > > > hangs/times out but works perfectly when dealing with only local file
> > > > > resources. FYI all command files are on the local machine but need to
> > > > > access network shares to ctp then delete files.
> > > > >
> > > > > Platform: Windows 2000 Server w/ 1.0 Framework
 
Yan-Hong Huang[MSFT]
07-19-2004
Hello Mark,

I was reviewing the issue thread. Have you completed the code
successfully? Luke and Joe have provided many useful resources on it. If you
have any more concerns, please feel free to post here and we will follow up.

Thanks very much.

Best regards,
Yanhong Huang
Microsoft Community Support

Get Secure! - www.microsoft.com/security
Register to Access MSDN Managed Newsgroups!
-http://support.microsoft.com/default.aspx?scid=/servicedesks/msdn/nospam.asp&SD=msdn

This posting is provided "AS IS" with no warranties, and confers no rights.

 