views:

131

answers:

2

I'm running on a Windows 2000 Pro SP4 box (off domain) and trying to impersonate a local user on a Windows XP box (on domain). I'm using code very similar to the WindowsImpersonationContextFacade in the question posted here: http://stackoverflow.com/questions/879704/how-can-i-temporarily-impersonate-a-user-to-open-a-file. I am using impersonation to remotely start and stop windows services as well as access network shares (for some automated integration tests).

To get this working, i had to use LOGON32_PROVIDER_DEFAULT and LOGON32_LOGON_NEW_CREDENTIALS when calling LogonUser. Everything worked beautifully ( Windows XP on domain to Windows XP on domain, Windows XP on domain to Windows Server 2003 off domain, and even Windows XP on domain to Windows 2000 off domain). The one issue was running on Windows 2000 Pro SP4 off the domain and trying to impersonate a local user on a Windows XP box running on the domain.

To get the Windows 2000 piece working, i had to use LOGON32_PROVIDER_WINNT50 and LOGON32_LOGON_NEW_CREDENTIALS when calling LogonUser. This seemed to get me 95% of the way there, i could now impersonate the local user on the XP box and start/stop services as well as access a network share using the impersonated credentials. I'm running in to one problem though, calling Undo impersonation and closing the token handle seems to leave the connection to the remote box open. After about 10 or so impersonation calls, further impersonation attempts will fail with an error saying something about too many connections are currently open. If i look at the Computer Management -> System Tools -> Shared Folders -> Sessions on my remote Windows XP box, i can see about 10 sessions open to the Windows 2000 box. I can manually close these (i think they may eventually close themselves, but not very quickly) and then impersonation begins working again few more times. This open session issue doesn't seem to be a problem in any of my other test scenarios, just when running locally on a Windows 2000 box.

Any ideas?

Edit 1: After some more testing and trying out many different things, this seems to be an issue with open sessions not being reused. On Windows 2000 only, every call to LogonUser to get a token and then using that token to impersonate seems to result in a new session being created. I'm guessing Windows XP & Windows Server 2003 are reusing open sessions since i don't seem to be having any issues with them. If I call LogonUser once, then cache the token, I seem to be able to make as many calls to impersonate as I need using the cached token without running in to the "too many connections" issue. This seems like an ugly work around though since i can't call CloseHandle() on my token every time i perform impersonation. Anybody have any thoughts or ideas, or am i stuck with this ugly hack? Thanks

A: 

"start/stop services as well as access a network share". Depending on your code, this can lead to such issues.

Calling Undo only releases impersonation involved resources, but not all resources your application uses.

Lex Li
If this isn't an impersonation issue, what could be causing this and any idea how to fix it? I'm having trouble with multiple calls to Directory.GetFiles() (among other things). Why would this leave a connection to the remote box open (only on Win2000 to winXP) and how do i go about forcing these connections closed from the Win2000 box?
Tallek
You should read more about .NET file handling and make sure all necessary resources are released. "using" and "Close" can help, but that heavily depends on your code.
Lex Li
+1  A: 

In case anyone is ever interested, i never did find a good solution to this problem. The work-around that i went with was to cache the token returned from LogonUser, and then reuse that token with every impersonation call. This made things work great, but its not something i'd ever want to do in production code.

Tallek