
I need to impersonate myself as a domain user in an ASP.NET application running on a VMWare machine. Since the VMWare machine is not itself in the domain, ASP.NET is unable to resolve the user token (specified in web.config). Is there a way to do that?

Thanks in advance, Petr

petr k.

2 Answers


I use this class I wrote all the time and it works like a charm!

using System;
using System.Runtime.InteropServices;
using System.Security.Principal;

/// <summary>
/// Changes the security context the application runs under.
/// </summary>
public class ImpersonateHelper : IDisposable
{
    [DllImport("kernel32.dll", SetLastError = true)]
    private static extern bool CloseHandle(IntPtr handle);

    private IntPtr _token = IntPtr.Zero;
    private bool _ownsToken;   // only close handles this instance is responsible for
    private WindowsImpersonationContext _impersonatedUser = null;

    public IntPtr Token
    {
        get { return _token; }
        // A handle supplied by the caller is owned by the helper and closed on Dispose()
        set { _token = value; _ownsToken = value != IntPtr.Zero; }
    }

    public ImpersonateHelper(IntPtr token)
    {
        _token = token;
        _ownsToken = token != IntPtr.Zero;
    }

    /// <summary>
    /// Switch the user to that set by the Token property
    /// </summary>
    public void Impersonate()
    {
        if (_token == IntPtr.Zero)
        {
            // No token supplied: fall back to the current identity's handle.
            // That handle is owned by the WindowsIdentity, so it must not be closed here.
            _token = WindowsIdentity.GetCurrent().Token;
            _ownsToken = false;
        }

        _impersonatedUser = WindowsIdentity.Impersonate(_token);
    }

    /// <summary>
    /// Revert to the identity (user) before Impersonate() was called
    /// </summary>
    public void Undo()
    {
        if (_impersonatedUser != null)
            _impersonatedUser.Undo();
    }

    #region IDisposable Members
    private bool _isDisposed;

    public void Dispose()
    {
        Dispose(true);
        GC.SuppressFinalize(this);
    }

    protected virtual void Dispose(bool disposing)
    {
        if (!_isDisposed)
        {
            if (disposing)
            {
                if (_impersonatedUser != null)
                    _impersonatedUser.Dispose();
            }

            // The token is an unmanaged handle, so it is released on both paths
            if (_ownsToken && _token != IntPtr.Zero)
                CloseHandle(_token);
            _token = IntPtr.Zero;
            _isDisposed = true;
        }
    }

    ~ImpersonateHelper()
    {
        Dispose(false);
    }
    #endregion
}

Then you call it from the client class as:

// Run the task as the impersonated user and not as NETWORKSERVICE or ASPNET (in IIS5).
// 'token' is a Windows access token handle for the domain user, obtained elsewhere;
// the helper takes ownership of it and closes it in Dispose().
void RunAsDomainUser(IntPtr token)
{
    ImpersonateHelper impersonate = null;
    try
    {
        impersonate = new ImpersonateHelper(token);
        impersonate.Impersonate();
        // Do work that needs to run as the domain user here...
    }
    finally
    {
        // Revert impersonation to NETWORKSERVICE or ASPNET
        if (impersonate != null)
        {
            impersonate.Undo();
            impersonate.Dispose();
        }
    }
}

Good Luck!

Ricardo Villamil
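The helper above still needs a token handle for the domain user, and the question's VM is not domain-joined. As an added example (not code from either the question or the answer, and assuming the full .NET Framework API the answer uses): LogonUser with LOGON32_LOGON_NEW_CREDENTIALS returns a token that keeps the local identity but presents the supplied domain credentials for outbound network authentication, which is the one case a machine outside the domain can satisfy; the class and method names here are my own.

```csharp
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;
using System.Security.Principal;

// Obtains a token for a domain account on a machine that is not domain-joined.
// LOGON32_LOGON_NEW_CREDENTIALS (type 9) does not validate the credentials locally;
// the local identity is unchanged and the supplied credentials are used only when
// the thread authenticates to a remote resource (file share, SQL Server, ...).
public static class NetworkCredentialsToken
{
    private const int LOGON32_LOGON_NEW_CREDENTIALS = 9;
    private const int LOGON32_PROVIDER_WINNT50 = 3;   // required for NEW_CREDENTIALS

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    private static extern bool LogonUser(string lpszUsername, string lpszDomain,
        string lpszPassword, int dwLogonType, int dwLogonProvider, out IntPtr phToken);

    [DllImport("kernel32.dll", SetLastError = true)]
    private static extern bool CloseHandle(IntPtr handle);

    // Runs 'work' while the thread carries the given domain credentials for network access.
    // Impersonation is undone and the token closed even if 'work' throws.
    public static void RunWithNetworkCredentials(string domain, string user,
                                                 string password, Action work)
    {
        IntPtr token;
        if (!LogonUser(user, domain, password, LOGON32_LOGON_NEW_CREDENTIALS,
                       LOGON32_PROVIDER_WINNT50, out token))
            throw new Win32Exception(Marshal.GetLastWin32Error());

        try
        {
            // WindowsImpersonationContext.Dispose() calls Undo(), so the revert
            // happens at the end of the using block on every exit path.
            using (WindowsImpersonationContext ctx = WindowsIdentity.Impersonate(token))
            {
                work();
            }
        }
        finally
        {
            CloseHandle(token);   // we created this handle, so we close it
        }
    }
}
```

The password should be read from a protected source such as an encrypted web.config section rather than a literal in code, and because the token only affects network authentication, local access checks on the VM continue to run as the worker process identity.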

This may be the dumb obvious answer, but you could add your VMWare machine to the domain.

Martin Brown
  • I don't have domain admin rights, but my boss does. All I do is point out to him that I can't do any more work until the problem is resolved. As a result, my virtual machines get added fairly quickly. – Martin Brown Jan 05 '09 at 09:42
  • Isn't that a low security and high cost solution to the problem? – Daniel Lobo Dec 21 '16 at 18:46
  • @DanielLobo Cost is next to $0. It is a security restriction not one that requires hardware or software licences and frankly it will hardly take any man hours to implement either. The high cost is in the security restriction that does not let people do what they need to do. It's like Walmart trying to stop shoplifting by not letting any customers in their shops. While adding the VM to a domain may not be the most secure setup, surely it is way more secure than writing a dodgy hack to get around the security restriction. – Martin Brown Dec 22 '16 at 09:51