What is impersonation?
In ASP.Net important security feature is the ability to control the identity under which code is executed.
Note Impersonation can significantly affect performance and scaling.
How can we change the permissions at runtime without setting up Impersonation or using a high privilige account for my ASP.NET user account?
namespace ASPnet_Impersonation
{
public partial class _Default : System.Web.UI.Page
{
const int LOGON32_LOGON_NETWORK = 3;
const int LOGON32_PROVIDER_DEFAULT = 0;
[DllImport("advapi32.dll", SetLastError = true)]
public static extern int LogonUser(
string lpszUsername,
string lpszDomain,
string lpszPassword,
int dwLogonType,
int dwLogonProvider,
out IntPtr phToken
);
[DllImport("advapi32.dll", SetLastError = true)]
public static extern int ImpersonateLoggedOnUser(
IntPtr hToken
);
[DllImport("advapi32.dll", SetLastError = true)]
static extern int RevertToSelf();
[DllImport("kernel32.dll", SetLastError = true)]
static extern int CloseHandle(IntPtr hObject);
protected void Page_Load(object sender, EventArgs e)
{
try
{
Response.Write("Before set the impersonation [ Thread running Account ] : " + Environment.UserName + "
");
IntPtr lnToken;
int TResult = LogonUser("rajasingh", ".", "Welcome123", LOGON32_LOGON_NETWORK, LOGON32_PROVIDER_DEFAULT, out lnToken);
if (TResult > 0)
{
ImpersonateLoggedOnUser(lnToken);
Response.Write("After set the impersonation [ Thread running Account ] : " + Environment.UserName + "
");
// To write your user privilege task here
RevertToSelf();
Response.Write("After reset the impersonation [ Thread running Account ] : " + Environment.UserName + "
");
CloseHandle(lnToken);
}
else
{
Response.Write("Not logged on: " + Environment.UserName);
}
return;
}
catch (Exception Ex)
{
Response.Write(Ex.Message);
}
}
}
}
Output
Before set the impersonation [ Thread running Account ] : NETWORK SERVICE
After set the impersonation [ Thread running Account ] : rajasingh
After reset the impersonation [ Thread running Account ] : NETWORK SERVICE
API Details
[DllImport("advapi32.dll", SetLastError = true)]
public static extern int LogonUser(
string lpszUsername,
string lpszDomain,
string lpszPassword,
int dwLogonType,
int dwLogonProvider,
out IntPtr phToken
);
The LogonUser function attempts to log a user on to the local computer. The local computer is the computer from which LogonUser was called. You specify the user with a user name and domain and authenticate the user with a plaintext password. If the function succeeds, you receive a handle to a token that represents the logged-on user. You can then use this token handle to impersonate the specified user or, in most cases, to create a process that runs in the context of the specified user.
[DllImport("advapi32.dll", SetLastError = true)]
public static extern int ImpersonateLoggedOnUser(
IntPtr hToken
);
The ImpersonateLoggedOnUser function lets the calling thread impersonate the security context of a logged-on user. The user is represented by a token handle.
[DllImport("advapi32.dll", SetLastError = true)]
static extern int RevertToSelf();
The RevertToSelf function terminates the impersonation of a client application.
Note : A process should call the RevertToSelf function after finishing any impersonation. If RevertToSelf fails, your application continues to run in the context of the client, which is not appropriate. You should shut down the process if RevertToSelf fails.
[DllImport("kernel32.dll", SetLastError = true)]
static extern int CloseHandle(IntPtr hObject);
Closes an open object handle.
No comments:
Post a Comment