views:

1075

answers:

3

I have two Active Directory domains, A and B. Users in domain A need to run an application on their desktops to view and manipulate a resource located on a server in domain B. Each user also has an account in domain B. Is it possible to impersonate each user's domain B identity to perform operations on the domain B resource programmatically?

Example Workflow:

  1. User logs in to domain A.
  2. User launches desktop application.
  3. User specifies resource in domain B.
  4. Application prompts user for domain B credentials.
  5. Application impersonates user's domain B identity to access specified resource.
  6. User manipulates domain B resource using application.
+1  A: 

Check out this question, which covers the impersonation issues you need.

Dillie-O
I've seen that question and the links it provides. They did not adequately answer my question. Most of the examples to be found depend upon the LogonUser method which, as I understand, will not authenticate against a remote computer.
John Ingle
+1  A: 

I'm going to speak in terms of Win32 APIs, but I'm pretty sure you can p/invoke to these from .NET. Check http://pinvoke.net.

You need to call the LogonUser API to create an access token that represents the user's domain B credentials.

Then you call ImpersonateLoggedOnUser, passing in that access token. The calling thread will impersonate the domain B credentials until you impersonate a different set of credentials or call the RevertToSelf API.

I guess it goes without saying that, for the LogonUser call to succeed, the machine you're running on will need to trust domain B.

Martin
Isn't it the other way around.. I mean, doesn't Domain B have to trust Domain A?
Miky Dinescu
No, I don't think so. No trust relationship has to exist between domains A and B. But depending on which domain the machine belongs to, there may be some other trust necessity that we haven't mentioned.
Martin
It is my understanding that LogonUser does not authenticate remote users. I have tried to use this method with WindowsImpersonationContext unsuccessfully. LogonUser: http://msdn.microsoft.com/en-us/library/aa378184(VS.85).aspx If this is not the case, then I'm beginning to think my problems may lie elsewhere. It may be a trust issue between the two domains. I'll check into that.
John Ingle
Unsure what's meant by "remote users". Certainly, LogonUser takes a domain parameter and can issue tokens based on successful authentication by the appropriate domain server.
Martin
My apologies, I think I misunderstood the MSDN article that I linked to. It can't be used 'to log on to a remote computer'. So since it can be used to authenticate against a different domain, I'm beginning to suspect that my problem lies elsewhere. Thank you for the response.
John Ingle
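As an added example (not code from the original answer or from its author), here is the sequence Martin describes done through P/Invoke from C#: LogonUser to obtain a token, ImpersonateLoggedOnUser, the work on the domain B resource, then RevertToSelf in a finally block so the thread is never left impersonating. It also shows the logon type the trust question in the comments turns on. With LOGON32_LOGON_NEW_CREDENTIALS (the mechanism behind runas /netonly) the caller's token is cloned and the supplied credentials are used only for outbound network connections, so the local machine does not need to trust domain B; the price is that the password is not validated at LogonUser time and a wrong one only surfaces when the remote access fails. With LOGON32_LOGON_INTERACTIVE the credentials are validated up front, which needs the local machine to be able to authenticate against domain B (membership or a trust). The domain, user name and UNC path are placeholders.

```csharp
using System;
using System.ComponentModel;
using System.IO;
using System.Runtime.InteropServices;

// Added example: impersonate a domain B account on the calling thread.
static class DomainBImpersonation
{
    // Logon type / provider constants from winbase.h.
    const int LOGON32_LOGON_INTERACTIVE     = 2; // validates creds now; needs domain B reachable/trusted
    const int LOGON32_LOGON_NEW_CREDENTIALS = 9; // clone current token; creds used only for outbound network access
    const int LOGON32_PROVIDER_DEFAULT      = 0;
    const int LOGON32_PROVIDER_WINNT50      = 3; // required together with LOGON32_LOGON_NEW_CREDENTIALS

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LogonUser(string lpszUsername, string lpszDomain, string lpszPassword,
                                 int dwLogonType, int dwLogonProvider, out IntPtr phToken);

    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool ImpersonateLoggedOnUser(IntPtr hToken);

    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool RevertToSelf();

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr hObject);

    // Runs 'action' while the calling thread impersonates DOMAIN\user, then always reverts.
    // netOnly=true selects LOGON32_LOGON_NEW_CREDENTIALS (no trust needed, password checked lazily).
    public static void RunAs(string domain, string user, string password, bool netOnly, Action action)
    {
        int logonType = netOnly ? LOGON32_LOGON_NEW_CREDENTIALS : LOGON32_LOGON_INTERACTIVE;
        int provider  = netOnly ? LOGON32_PROVIDER_WINNT50     : LOGON32_PROVIDER_DEFAULT;

        IntPtr token;
        if (!LogonUser(user, domain, password, logonType, provider, out token))
            throw new Win32Exception(Marshal.GetLastWin32Error(), "LogonUser failed");

        try
        {
            if (!ImpersonateLoggedOnUser(token))
                throw new Win32Exception(Marshal.GetLastWin32Error(), "ImpersonateLoggedOnUser failed");
            try
            {
                action();
            }
            finally
            {
                // Thread-pool threads are reused; a thread left impersonating is a privilege leak.
                if (!RevertToSelf())
                    Environment.FailFast("RevertToSelf failed; thread is still impersonating");
            }
        }
        finally
        {
            CloseHandle(token);
        }
    }
}

static class Program
{
    static void Main()
    {
        // Placeholder names; the password is prompted for, never hard-coded.
        string domainB = "DOMAINB", user = "jdoe";
        Console.Write("Password for " + domainB + "\\" + user + ": ");
        string password = ReadPassword();

        DomainBImpersonation.RunAs(domainB, user, password, true, () =>
        {
            // Network access here is made as DOMAINB\jdoe; the UNC path is a placeholder.
            foreach (string f in Directory.GetFiles(@"\\fileserver.domainb.example\share"))
                Console.WriteLine(f);
        });
    }

    // Reads a password from the console without echoing it.
    static string ReadPassword()
    {
        var sb = new System.Text.StringBuilder();
        ConsoleKeyInfo k;
        while ((k = Console.ReadKey(true)).Key != ConsoleKey.Enter)
        {
            if (k.Key == ConsoleKey.Backspace) { if (sb.Length > 0) sb.Length--; }
            else sb.Append(k.KeyChar);
        }
        Console.WriteLine();
        return sb.ToString();
    }
}
```

If the application ever runs the impersonated work on a different thread (BackgroundWorker, Task, thread pool), remember that ImpersonateLoggedOnUser affects only the thread that called it; the impersonation and the RevertToSelf must both happen on the thread doing the domain B access.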
+1  A: 

If your computer (the one doing the impersonation) is a member of a domain which does not trust the domain of the user account you are trying to impersonate, then impersonation will fail. Anybody who says otherwise, I would love to see proof.

Exactly. What you need to do is establish a trust between the two AD domains. This is not hard to do, but it does "open up" security between the two significantly, and is not a "neutral" decision to make. It has a lot of implications. Now I don't know if you NEED to have a trust relationship to impersonate, but I'd be very surprised if you didn't. But I know it works if you DO have a trust (it's something I had to code in the last two weeks).
Kevin