Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Getting the Current username when impersonated

Tags:

c#

.net

I am using something like the following method to impersonate a user in my code:

How do you do Impersonation in .NET?

In another class, I need to find out the current user (like "mydomain\moose"), but I won't have any idea if I'm currently impersonating another user or not.

How do I get the username, if I'm impersonating someone?

System.Environment.UserName and System.Security.Principal.WindowsIdentity.GetCurrent().Name both return the original user, not the currently impersonated user.

More Details:

I am doing this impersonation so that I can access some files in a netowrk share the user usually does not have access to.

If I use a logon type of LOGON32_LOGON_INTERACTIVE, I do see the new user, but I cannot access the network share. If I use a logon type of LOGON32_LOGON_NEW_CREDENTIALS (a value of 9), i can access the network share but I don't see the new user in Environment.UserName.

like image 224
Moose Avatar asked Sep 30 '11 16:09

Moose


2 Answers

First, I'd like to point out what the property WindowsIdentity.GetCurrent().Name will return if you use LOGON32_LOGON_NEW_CREDENTIALS or LOGON32_LOGON_INTERACTIVE as logon type for the LogonUser (inside the impersonation class) function:

  1. Using LOGON32_LOGON_INTERACTIVE

    // Assuming this code runs under USER_B
    
    using (var imp = new Impersonation("treyresearch", "USER_A", "SecurePwd", LOGON32_LOGON_INTERACTIVE ))
    {
      // Now, we run under USER_A
      Console.Out.WriteLine(WindowsIdentity.GetCurrent().Name); // Will return USER_A
    }
    
  2. Using LOGON32_LOGON_NEW_CREDENTIALS

    // Assuming this codes runs under USER_B
    
    using (var imp = new Impersonation("treyresearch", "USER_A", "SecurePwd", LOGON32_LOGON_NEW_CREDENTIALS ))
    {
      Console.Out.WriteLine(WindowsIdentity.GetCurrent().Name); // Will return USER_B
    }
    

This is the behaviour as you have described in your question and is consistent with the description on MSDN for the LogonUser function. For LOGON32_LOGON_NEW_CREDENTIALS the created user token is just a clone of the current user token. This means that the created user session has the same identifier as the calling thread. The passed credentials to the LogonUser function are only used for outbound network connections.

Second, let me point out two situation where the described difference between LOGON32_LOGON_INTERACTIVE and LOGON32_LOGON_NEW_CREDENTIALS becomes clear:

  • Two domain joined computers: computer_A, computer_B
  • Two users: user_A (local admin on computer_A), user_B (only standard user rights on B)
  • One networkshare on computer_B (mynetworkshare, user_B does have permission to access share).
  • One local folder on computer_A (only user_A has permission to write to this folder).

You run your program on computer_A (under the account of user_A). You impersonate user_B (using LOGON32_LOGON_INTERACTIVE). Then you connect to the network share on computer_B and try to copy a file to the local folder (only user_A has the permission to write to this folder). Then, you get an access denied error message, because the file operation is done with the permissions of user_B who does not have permission on the local folder.

Same situation as above. But now, we use LOGON32_LOGON_NEW_CREDENTIALS to impersonate user_B. We connect to the network drive and copy a file from the network drive to the local folder. In this case the operation succeeds because the file operation is done with the permissions of user_A.

like image 70
Hans Avatar answered Sep 20 '22 18:09

Hans


According to example at http://msdn.microsoft.com/en-us/library/chf6fbt4.aspx the current identity changes during impersonation. Are you sure your code is inside the impersonated code block?

like image 27
Muhammad Hasan Khan Avatar answered Sep 20 '22 18:09

Muhammad Hasan Khan