Win32 User Impersonation Curiosity

I have found some sample code on codeproject that allows for user impersonation.

This code works by importing the following unmanaged Win32 API functions:

// Logs a user on with explicit credentials and returns a primary token in phToken.
[DllImport("advapi32.dll", SetLastError = true)]
private static extern int LogonUser(
    string lpszUserName,
    string lpszDomain,
    string lpszPassword,
    int dwLogonType,
    int dwLogonProvider,
    ref IntPtr phToken);

// Creates a new token from hToken at the given SECURITY_IMPERSONATION_LEVEL.
[DllImport("advapi32.dll", CharSet = CharSet.Auto, SetLastError = true)]
private static extern int DuplicateToken(IntPtr hToken, int impersonationLevel, ref IntPtr hNewToken);

// Ends impersonation on the calling thread, restoring the process security context.
[DllImport("advapi32.dll", CharSet = CharSet.Auto, SetLastError = true)]
private static extern bool RevertToSelf();

// Releases the token handles once they are no longer needed.
[DllImport("kernel32.dll", CharSet = CharSet.Auto)]
private static extern bool CloseHandle(IntPtr handle);

These functions are used to impersonate the target user, then perform some operations, then revert the impersonation context. Impersonating the user is achieved like so:

// Constants from winbase.h (not shown in the original excerpt)
const int LOGON32_LOGON_INTERACTIVE = 2;
const int LOGON32_PROVIDER_DEFAULT = 0;

IntPtr token = IntPtr.Zero;
IntPtr tokenDuplicate = IntPtr.Zero;

if ( LogonUser(userName, domainName, password, LOGON32_LOGON_INTERACTIVE, LOGON32_PROVIDER_DEFAULT, ref token ) != 0 )
{
    // 2 == SecurityImpersonation in SECURITY_IMPERSONATION_LEVEL
    if ( DuplicateToken( token, 2, ref tokenDuplicate ) != 0 )
    {
        tempWindowsIdentity = new WindowsIdentity( tokenDuplicate );
        impersonationContext = tempWindowsIdentity.Impersonate();
    }
}

I'm trying to understand why this code first gets the required token using LogonUser, then duplicates that token, before performing the impersonation on the duplicated token. Why not just impersonate using the token that you get from the LogonUser method?

Obviously the person that wrote this article understands this better than I do so it would appear that I am missing something. Could I please get an explanation of why the seemingly redundant token duplication step of this process is required?

Sean Hunter asked May 15 '11 06:05


1 Answer

As far as I know, the token passed to the WindowsIdentity ctor should be an impersonation token. So the author of that code is using

DuplicateToken( token, 2, ref tokenDuplicate )

to create an impersonation token from the primary token returned by LogonUser(). That '2' magic number stands for the SecurityImpersonation member of the SECURITY_IMPERSONATION_LEVEL enum.

Links:

http://msdn.microsoft.com/en-us/library/aa378184%28v=vs.85%29.aspx

http://msdn.microsoft.com/en-us/library/aa379572%28v=vs.85%29.aspx

http://msdn.microsoft.com/en-us/library/aa446616%28v=vs.85%29.aspx

torvin answered Oct 03 '22 11:10
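The primary-token versus impersonation-token distinction the answer describes, as an added example that is not from the question, the answer, or the codeproject article: the same LogonUser, DuplicateToken, Impersonate sequence with the magic number replaced by a named SECURITY_IMPERSONATION_LEVEL value, and with the impersonation context and both token handles always released. It assumes .NET Framework on Windows (WindowsImpersonationContext) and a caller that supplies valid credentials.

```csharp
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;
using System.Security.Principal;

static class ImpersonationDemo
{
    const int LOGON32_LOGON_INTERACTIVE = 2;  // from winbase.h
    const int LOGON32_PROVIDER_DEFAULT = 0;

    // SECURITY_IMPERSONATION_LEVEL from winnt.h; the question's '2' is SecurityImpersonation
    enum ImpersonationLevel { SecurityAnonymous = 0, SecurityIdentification = 1,
                              SecurityImpersonation = 2, SecurityDelegation = 3 }

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LogonUser(string user, string domain, string password,
        int logonType, int logonProvider, out IntPtr token);

    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool DuplicateToken(IntPtr existing, ImpersonationLevel level, out IntPtr duplicate);

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr handle);

    // Logs on as 'user', impersonates on this thread, returns the identity seen while
    // impersonating, and always reverts and closes both handles (hypothetical helper).
    public static string RunAs(string user, string domain, string password)
    {
        IntPtr primary = IntPtr.Zero, impersonation = IntPtr.Zero;
        WindowsImpersonationContext ctx = null;
        try
        {
            // LogonUser yields a *primary* token ...
            if (!LogonUser(user, domain, password, LOGON32_LOGON_INTERACTIVE,
                           LOGON32_PROVIDER_DEFAULT, out primary))
                throw new Win32Exception(Marshal.GetLastWin32Error());
            // ... but a thread can only impersonate with an *impersonation* token,
            // so derive one at the SecurityImpersonation level first.
            if (!DuplicateToken(primary, ImpersonationLevel.SecurityImpersonation, out impersonation))
                throw new Win32Exception(Marshal.GetLastWin32Error());
            ctx = new WindowsIdentity(impersonation).Impersonate();
            return WindowsIdentity.GetCurrent().Name;  // reports the impersonated user
        }
        finally
        {
            if (ctx != null) ctx.Undo();  // same effect as RevertToSelf for this thread
            if (impersonation != IntPtr.Zero) CloseHandle(impersonation);
            if (primary != IntPtr.Zero) CloseHandle(primary);
        }
    }
}
```

Releasing the context in finally matters: an exception thrown while impersonating would otherwise leave the thread running as the other user for every later request it services.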