I have two Active Directory domains, A and B. Users in domain A need to run an application on their desktops to view and manipulate a resource located on a server in domain B. Each user also has an account in domain B. Is it possible to impersonate each user's domain B identity to perform operations on the domain B resource programmatically?

Example Workflow:

  1. User logs in to domain A.
  2. User launches desktop application.
  3. User specifies resource in domain B.
  4. Application prompts user for domain B credentials.
  5. Application impersonates user's domain B identity to access specified resource.
  6. User manipulates domain B resource using application.

John Ingle

2 Answers

If your computer (the one doing the impersonation) is a member of a domain which does not trust the domain of the user account you are trying to impersonate, then impersonation will fail. Anybody who says otherwise, I would love to see proof.

  • Exactly. What you need to do is establish a trust between the two AD domains. This is not hard to do, but it does "open up" security between the two significantly, and is not a "neutral" decision to make. It has a lot of implications. Now I don't know if you NEED to have a trust relationship to impersonate, but I'd be very surprised if you didn't. But I know it works if you DO have a trust (it's something I had to code in the last two weeks). – Kevin Anderson Sep 02 '09 at 16:14
I'm going to speak in terms of Win32 APIs, but I'm pretty sure you can p/invoke to these from .NET. Check http://pinvoke.net.

You need to call the LogonUser API to create an access token that represents the user's domain B credentials.

Then you call ImpersonateLoggedOnUser, passing in that access token. The calling thread will impersonate the domain B credentials until you impersonate a different set of credentials or call the RevertToSelf API.

I guess it goes without saying that, for the LogonUser call to succeed, the machine you're running on will need to trust domain B.

Martin

  • Isn't it the other way around.. I mean, doesn't Domain B have to trust Domain A? – Mike Dinescu Jun 15 '09 at 16:33
  • No, I don't think so. No trust relationship has to exist between domains A and B. But depending on which domain the machine belongs to, there may be some other trust necessity that we haven't mentioned. – Martin Jun 15 '09 at 18:01
  • It is my understanding that LogonUser does not authenticate remote users. I have tried to use this method with WindowsImpersonationContext unsuccessfully. LogonUser: http://msdn.microsoft.com/en-us/library/aa378184(VS.85).aspx If this is not the case, then I'm beginning to think my problems may lie elsewhere. It may be a trust issue between the two domains. I'll check into that. – John Ingle Jun 15 '09 at 18:30
  • Unsure what's meant by "remote users". Certainly, LogonUser takes a domain parameter and can issue tokens based on successful authentication by the appropriate domain server. – Martin Jun 15 '09 at 19:06
  • My apologies, I think I misunderstood the MSDN article that I linked to. It can't be used 'to log on to a remote computer'. So since it can be used to authenticate against a different domain, I'm beginning to suspect that my problem lies elsewhere. Thank you for the response. – John Ingle Jun 15 '09 at 19:27
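The LogonUser / ImpersonateLoggedOnUser / RevertToSelf sequence from this answer, as an added C# P/Invoke example that is not part of the original post. It assumes a file share is the domain B resource and uses placeholder domain, user and path values. It also uses the LOGON32_LOGON_NEW_CREDENTIALS logon type, which the answer does not mention: the credentials are only presented on outbound network connections and are never validated by the local machine, so the desktop's domain does not need a trust with domain B.

```csharp
using System;
using System.ComponentModel;
using System.IO;
using System.Runtime.InteropServices;

static class DomainBImpersonation
{
    // Logon type 9 (NEW_CREDENTIALS) yields a token that presents the supplied
    // credentials only on outbound network connections; the local machine never
    // validates them, so no trust between the desktop's domain and domain B is needed.
    const int LOGON32_LOGON_NEW_CREDENTIALS = 9;
    const int LOGON32_PROVIDER_WINNT50 = 3;
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LogonUser(string user, string domain, string password,
                                 int logonType, int logonProvider, out IntPtr token);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool ImpersonateLoggedOnUser(IntPtr token);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool RevertToSelf();
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr handle);

    // Runs 'action' on the calling thread while it carries the domain B token and
    // guarantees RevertToSelf and CloseHandle even when the action throws.
    public static void RunAs(string domain, string user, string password, Action action)
    {
        IntPtr token;
        if (!LogonUser(user, domain, password, LOGON32_LOGON_NEW_CREDENTIALS,
                       LOGON32_PROVIDER_WINNT50, out token))
            throw new Win32Exception(Marshal.GetLastWin32Error(), "LogonUser failed");
        try
        {
            if (!ImpersonateLoggedOnUser(token))
                throw new Win32Exception(Marshal.GetLastWin32Error(), "ImpersonateLoggedOnUser failed");
            try { action(); }
            finally { RevertToSelf(); }   // never leave the thread impersonating
        }
        finally { CloseHandle(token); }   // the token is a credential handle; do not leak it
    }

    static void Main()
    {
        // Placeholder values, not from the question; the real app prompts for them (step 4).
        RunAs("DOMAINB", "alice", "<password from prompt>", () =>
        {
            foreach (var f in Directory.GetFiles(@"\\fileserver.domainb.example\share"))
                Console.WriteLine(f);
        });
    }
}
```

Impersonation is per thread, so keep every access to the domain B resource inside the action and do not await or hand work to another thread across it.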