Hi all,

I am trying to impersonate a domain user account in a WPF application so the application can write to a folder on the network. The domain user has sufficient rights to write to this location. I'm using some code found on the net to perform the impersonation.

Basically, it calls the native LogonUser method, which returns a security token, then creates a new WindowsIdentity passing the token, and finally calls the windowsIdentity.Impersonate() method. I get no exceptions executing the above logic.

Calling WindowsIdentity.GetCurrent() -> returns impersonated identity.

Writing to the UNC path -> UnauthorizedAccess exception.

So, I inspect the Thread.CurrentPrincipal object before I try to write the file, this has a GenericPrincipal, and not a WindowsPrincipal with the impersonated WindowsIdentity.

So in the startup of the application I set the AppDomain.CurrentAppDomain.SetPrincipalPolicy to PrincipalPolicy.Impersonate.

I restart my application...

Before my call to impersonate, I can see my own credentials on Thread.CurrentPrincipal, the ones that I'm using to log onto my development machine and which is executing my WPF program.

I again try to run the impersonation logic; again I see the impersonated identity on WindowsIdentity.GetCurrent, all seems fine, no exceptions.

However, on Thread.GetCurrentPrincipal I still see my own credentials, and if I look at the AuthenticationType property, there is an UnauthorizedException (which is only visible in the debugger; it is not being thrown in the application!). I let the code run.

Again, UnauthorizedAccess when trying to write my file on the UNC location.

The last thing I tried is to create a new WindowsPrincipal with WindowsIdentity.GetCurrent() and explicitly set it on Thread.Current, but with the same result.

UnauthorizedAccess when I write to the UNC location.

I'm out of ideas :)

A: 

Does the machine with the network share belong to the domain? Did you try accessing the network share using that domain account? For instance using "Run As...".

In the LogonUser function, try to use the LOGON32_LOGON_NETWORK flag when doing the logon. Also, to see if impersonation actually took place, try to enable auditing of Logon/Logoff events from the security policy (info link).

Vadmyst
Hi Vadmyst, thanks for the suggestion! I've tried the LOGON32_LOGON_NETWORK flag and the LOGON32_LOGON_NETWORK_CLEARTEXT flag, both resulting in the same behaviour, unauthorized access. The auditing on the server that I'm trying to access does show successful logon/logoff events with the domain account that I'm using. If I map the network folder using the domain account credentials, I have full control over the folder, read/write ...
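The LogonUser -> WindowsIdentity -> impersonate -> write-to-UNC sequence the question describes, with the logon type from the answer made a parameter, as an added example that is not code from the original thread. It uses `WindowsIdentity.RunImpersonated` (.NET Framework 4.6+ / .NET Core) instead of the older `Impersonate()` call, so the impersonation is scoped to the delegate and undone automatically. The domain, account, password and share path in the usage note are placeholders. Two points this makes visible that the thread skirts around: Windows checks file access against the thread's impersonation token, not against `Thread.CurrentPrincipal`, so a GenericPrincipal there is not the cause of the UnauthorizedAccess; and `LOGON32_LOGON_NEW_CREDENTIALS` (which must be paired with `LOGON32_PROVIDER_WINNT50`) keeps the caller's local identity but presents the supplied credentials on outbound network connections, which is the logon type written for exactly the "write to a share as someone else" case, including from a machine that is not joined to the target domain.

```csharp
using System;
using System.ComponentModel;
using System.IO;
using System.Runtime.InteropServices;
using System.Security.Principal;
using Microsoft.Win32.SafeHandles;

// Added example, not the original poster's code.
public static class ImpersonatedWriter
{
    // Logon types and providers from winbase.h.
    public const int LOGON32_LOGON_INTERACTIVE       = 2;
    public const int LOGON32_LOGON_NETWORK           = 3;
    public const int LOGON32_LOGON_NETWORK_CLEARTEXT = 8;
    public const int LOGON32_LOGON_NEW_CREDENTIALS   = 9;
    public const int LOGON32_PROVIDER_DEFAULT        = 0;
    public const int LOGON32_PROVIDER_WINNT50        = 3;

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    private static extern bool LogonUser(
        string lpszUsername, string lpszDomain, string lpszPassword,
        int dwLogonType, int dwLogonProvider, out SafeAccessTokenHandle phToken);

    // Logs on with the given credentials and logon type, impersonates the
    // resulting token for the duration of the write, then drops it again.
    public static void WriteAsUser(string domain, string user, string password,
                                   int logonType, string uncPath, string content)
    {
        // NEW_CREDENTIALS is only valid with the WINNT50 provider.
        int provider = logonType == LOGON32_LOGON_NEW_CREDENTIALS
            ? LOGON32_PROVIDER_WINNT50
            : LOGON32_PROVIDER_DEFAULT;

        if (!LogonUser(user, domain, password, logonType, provider, out SafeAccessTokenHandle token))
            throw new Win32Exception(Marshal.GetLastWin32Error()); // e.g. 1326 = bad user name or password

        using (token)
        {
            WindowsIdentity.RunImpersonated(token, () =>
            {
                // Inside the delegate the thread token is the impersonated one.
                // This is what the SMB client and the file server's ACL check use;
                // Thread.CurrentPrincipal is a managed-only concept and is not consulted.
                Console.WriteLine("Thread token identity: " + WindowsIdentity.GetCurrent().Name);
                File.WriteAllText(uncPath, content);
            });
            // Impersonation is reverted here even if the write threw.
        }
    }
}
```

Usage (placeholders, not values from the thread): `ImpersonatedWriter.WriteAsUser("CORP", "svc_writer", password, ImpersonatedWriter.LOGON32_LOGON_NEW_CREDENTIALS, @"\\fileserver\share\out.txt", "hello");`. If NEW_CREDENTIALS also fails while mapping the share interactively with the same account works, compare the server's 4624 logon event for the mapped drive against the one produced by this code (logon type and authentication package), since the thread's own audit trail shows the server is accepting the account. Separately, a WPF application that carries a domain account's password can hand that password to anyone who runs it; granting the interactive user's own account write access to the folder, or moving the write behind a service, avoids shipping credentials in the client at all.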