views:

268

answers:

2

I have a custom membership/roles provider, due to the nature of the project it will require Admins to login as users while assisting them with querys.

Now, Its easy to re-log the admin in with the selected membership account, however this meens that the Admin will effectivly be logged out. I'm looking for a way to allow Admins to impersonate users yet very easily switch back to there own account at any time.

Any suggestions?

A: 

This should be the sort of thing you want.

You can call the ImpersonateValidUser method with the username and password of the domain account you want. And then reverse it on the logout.

You should be able to bend this to work with your custom membership provider.

// Constants for impersonation
private WindowsImpersonationContext impersonationContext;
public const int LOGON32_LOGON_INTERACTIVE = 2;
public const int LOGON32_PROVIDER_DEFAULT = 0;

/// <summary>
/// Changes the account we are running under. 
/// </summary>
/// <param name="username">Username of a local admin account</param>
/// <param name="domain">Domain of the username</param>
/// <param name="password">Password of a local admin account</param>
/// <returns></returns>
private bool ImpersonateValidUser(String username, String domain, String password)
{
    WindowsIdentity tempWindowsIdentity;
    IntPtr token = IntPtr.Zero;
    IntPtr tokenDuplicate = IntPtr.Zero;

    if (RevertToSelf())
    {
        if (LogonUserA(username, domain, password, LOGON32_LOGON_INTERACTIVE,
            LOGON32_PROVIDER_DEFAULT, ref token) != 0)
        {
            if (DuplicateToken(token, 2, ref tokenDuplicate) != 0)
            {
                tempWindowsIdentity = new WindowsIdentity(tokenDuplicate);
                impersonationContext = tempWindowsIdentity.Impersonate();
                if (impersonationContext != null)
                {
                    CloseHandle(token);
                    CloseHandle(tokenDuplicate);
                    return true;
                }
            }
        }
    }
    if (token != IntPtr.Zero)
        CloseHandle(token);
    if (tokenDuplicate != IntPtr.Zero)
        CloseHandle(tokenDuplicate);
    return false;
}

/// <summary>
/// Cancel the impersonation and revent the thread to the
/// default account. Typically DOMAIN\NETWORK_SERVICE or similar.
/// </summary>
private void UndoImpersonation()
{
    impersonationContext.Undo();
}
Matt Joslin
Looks like that has a lot to do with AD Accounts - http://support.microsoft.com/kb/306158 : I dont think it helps me.
Pino
+3  A: 

http://www.codeproject.com/KB/aspnet/FormsUserImpersonation.aspx

Seems to work

Pino