
I'm calling LogonUser with LOGON_TYPE_NEW_CREDENTIALS and LOGON32_PROVIDER_WINNT50 to get my thread to impersonate a user in the other domain. I'm able to connect to remote file shares and everything else just fine into the untrusted domain.

The problem I'm running into now is that when I use GPMGMTLib to generate a GPO report, I keep getting the exception "HRESULT: 0x80072020" when it calls GenerateReport().

using GPMGMTLib;
using System;
using System.Collections.Generic;
using System.IO;
using System.Linq;
using System.Text;

namespace CrossDomainWork
{
    class Program
    {
        static void Main(string[] args)
        {
            ImpersonationContext context = new ImpersonationContext("ourdmzdomain.com", "dmzuser", "dmzpassword");
            context.Start();

            GPM gpm = new GPM();
            var constants = gpm.GetConstants();
            var domain = gpm.GetDomain("ourdmzdomain.com", "", constants.UseAnyDC);
            var gpo = domain.GetGPO("{31B2F340-016D-11D2-945F-00C04FB984F9}");
            object missing = Type.Missing;
            var result = gpo.GenerateReport(GPMReportType.repHTML, ref missing, out missing).Result;

            context.Stop();
        }
    }
}
RoboDev
  • That's ERROR_DS_OPERATIONS_ERROR; it is very generic and useless for troubleshooting the problem. Try to find something more specific in the machine's Application log. – Hans Passant Apr 27 '16 at 18:03
  • The Application log in the event viewer is not giving me anything useful. If I run the app and have it pointed to a trusted domain, I don't have the same issue and it runs fine. – RoboDev Apr 27 '16 at 18:42

1 Answer


I have no experience here, so this is just a guess.

Looking at the documentation for GenerateReport, the last two parameters are pvarGPMProgress (for reporting progress), and pvarGPMCancel (some kind of cancellation token).

You are passing the same object for both. I wonder if that's what's making it choke. You can try creating a second object.

Maybe it's also possible that it doesn't like getting Type.Missing as the value. You can try just setting them to null.

Also, does the group policy have any special permissions on it?

What namespace is that ImpersonationContext in that you're using? I can't find it. We do have an untrusted domain at work that I can test with, if I can get your code to compile.

Edit: If you have SetLastError = true in your DllImport statements, then you can use Marshal.GetLastWin32Error() to get some additional details. For example:

using System.ComponentModel;          // Win32Exception
using System.Runtime.InteropServices; // Marshal

try {
    result = gpo.GenerateReport(GPMReportType.repHTML, ref missing, out missing).Result;
} catch {
    // Only meaningful if the P/Invoke declarations were made with SetLastError = true
    var win32 = new Win32Exception(Marshal.GetLastWin32Error());
    Console.Write(win32.Message);
}

For me, it tells me

An attempt was made to reference a token that does not exist

Which doesn't solve the puzzle, but it's another piece to the puzzle.

Gabriel Luci
  • ImpersonationContext is a wrapper class to call LogonUser in advapi32.dll that I built to get this working which works fine when connecting to network shares. When calling GenerateReport from within the same domain it works fine so I don't think passing in the Type.Missing has anything to do with it not working. The untrusted domain is another domain controller setup inside of our DMZ network. – RoboDev May 02 '16 at 13:24
  • Would you be able to post your ImpersonationContext class in your question? I can try to replicate what you're doing here in my environment and see if I get the same results. – Gabriel Luci May 02 '16 at 13:28
  • Never mind. I used the implementation from [here](http://stackoverflow.com/questions/2808928/how-to-impersonate-a-user-in-managed-code), and I'm getting the same 0x80072020 error as you. I'll see if I can figure it out. – Gabriel Luci May 02 '16 at 13:41
  • I've added some updated details in my answer, but no solution yet. – Gabriel Luci May 02 '16 at 14:20
  • So I'm stumped. I can't make it go. Interestingly, the Group Policy Management MMC plugin does not allow you to access an untrusted domain at all. So maybe the library just doesn't support it. – Gabriel Luci May 02 '16 at 15:46
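The two diagnostic points raised in the thread, SetLastError = true on the LogonUser P/Invoke and passing two distinct objects to GenerateReport, put together in one added example (this is not the asker's ImpersonationContext nor code from the answer; NewCredentialsScope is a hypothetical stand-in written here, and it assumes .NET Framework with the GPMGMTLib interop assembly referenced):

```csharp
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;
using System.Security.Principal;
using GPMGMTLib;

// Hypothetical stand-in for the asker's ImpersonationContext (their class is not shown on the page).
sealed class NewCredentialsScope : IDisposable
{
    const int LOGON32_LOGON_NEW_CREDENTIALS = 9; // credentials are used for outbound network access only
    const int LOGON32_PROVIDER_WINNT50 = 3;
    // SetLastError = true is what makes Marshal.GetLastWin32Error() meaningful afterwards.
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LogonUser(string user, string domain, string password,
                                 int logonType, int logonProvider, out IntPtr token);
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr handle);
    readonly IntPtr token;
    readonly WindowsImpersonationContext ctx;

    public NewCredentialsScope(string domain, string user, string password)
    {
        if (!LogonUser(user, domain, password, LOGON32_LOGON_NEW_CREDENTIALS, LOGON32_PROVIDER_WINNT50, out token))
            throw new Win32Exception(Marshal.GetLastWin32Error()); // the real reason, not a bare HRESULT
        ctx = WindowsIdentity.Impersonate(token);
    }

    public void Dispose()
    {
        ctx.Undo();         // revert the thread even if GenerateReport threw
        CloseHandle(token); // do not leak the logon token
    }
}

static class Program
{
    static void Main()
    {
        using (new NewCredentialsScope("ourdmzdomain.com", "dmzuser", "dmzpassword"))
        {
            var gpm = new GPM();
            var domain = gpm.GetDomain("ourdmzdomain.com", "", gpm.GetConstants().UseAnyDC);
            var gpo = domain.GetGPO("{31B2F340-016D-11D2-945F-00C04FB984F9}");
            object progress = null, cancel = null; // two distinct arguments, as the answer suggests
            try { object report = gpo.GenerateReport(GPMReportType.repHTML, ref progress, out cancel).Result; }
            catch (COMException ex) // 0x80072020 surfaces here; pair it with the last Win32 error, per the answer's Edit
            {
                Console.WriteLine("HRESULT 0x{0:X8}: {1}", ex.ErrorCode, new Win32Exception(Marshal.GetLastWin32Error()).Message);
            }
        }
    }
}
```

Note that a NEW_CREDENTIALS token only changes what the thread presents to remote servers; locally the thread still runs as the calling user, so a COM server that does not pick up the thread's impersonation token will not see the DMZ credentials at all.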