I have been working on a project in C# (.net4). Project pretty much allows people to upload files from their local machine to a network share.
Network share is secured. It is only accessible by user called “proxy” which is created in active directory.
I did some research and I found this class which I used for impersonation.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Runtime.InteropServices;
using System.Security.Principal;
namespace Datacom.CorporateSys.Utilities
{
public class ImpersonateUser
{
[DllImport("advapi32.dll")]
public static extern int LogonUserA(String lpszUserName,
String lpszDomain,
String lpszPassword,
int dwLogonType,
int dwLogonProvider,
ref IntPtr phToken);
[DllImport("advapi32.dll", CharSet = CharSet.Auto, SetLastError = true)]
public static extern int DuplicateToken(IntPtr hToken,
int impersonationLevel,
ref IntPtr hNewToken);
[DllImport("advapi32.dll", CharSet = CharSet.Auto, SetLastError = true)]
public static extern bool RevertToSelf();
[DllImport("kernel32.dll", CharSet = CharSet.Auto)]
public static extern bool CloseHandle(IntPtr handle);
WindowsImpersonationContext impersonationContext;
public const int LOGON32_LOGON_INTERACTIVE = 2;
public const int LOGON32_PROVIDER_DEFAULT = 0;
private string p;
private string p_2;
private string p_3;
private String UserName
{
set;
get;
}
private String Domain
{
set;
get;
}
private String Password
{
set;
get;
}
/// <summary>
/// Impersonates the user.
/// </summary>
/// <param name="userName">Name of the user.</param>
/// <param name="domain">The domain.</param>
/// <param name="password">The password.</param>
public ImpersonateUser(string userName, string domain, string password)
{
UserName = userName;
Domain = domain;
Password = password;
}
/// <summary>
/// Impersonates the valid user.
/// </summary>
/// <returns></returns>
public bool impersonateValidUser()
{
WindowsIdentity tempWindowsIdentity;
IntPtr token = IntPtr.Zero;
IntPtr tokenDuplicate = IntPtr.Zero;
if (RevertToSelf())
{
if (LogonUserA(UserName, Domain, Password, LOGON32_LOGON_INTERACTIVE,
LOGON32_PROVIDER_DEFAULT, ref token) != 0)
{
if (DuplicateToken(token, 2, ref tokenDuplicate) != 0)
{
tempWindowsIdentity = new WindowsIdentity(tokenDuplicate);
impersonationContext = tempWindowsIdentity.Impersonate();
if (impersonationContext != null)
{
CloseHandle(token);
CloseHandle(tokenDuplicate);
return true;
}
}
}
}
if (token != IntPtr.Zero)
CloseHandle(token);
if (tokenDuplicate != IntPtr.Zero)
CloseHandle(tokenDuplicate);
return false;
}
/// <summary>
/// Undoes the impersonation.
/// </summary>
public void undoImpersonation()
{
impersonationContext.Undo();
}
}
}
Note: From memory I think I found this as an example on msdn.
This is how I try to move a file from local path to network
if (imp.impersonateValidUser())
{
System.IO.File.Copy(local_file, server_file, true);
imp.undoImpersonation();
}
else
{
throw new Exception("Unable to impersonate for uploading file.");
}
And it works! I never have issues with impersonation – exception never gets thrown. It works fine and uploads files to the server. However, when I started testing a bit more I found that if proxy user is not logged in to the server (normally I open RDS login and quit – without logging out).
I get different exception – network path not found exception and it only occurs when I have just restarted the server and “proxy” is not logged in.
My first thought was that there is something wrong with impersonation class, however it impersonates fine when it does work (ie. files have ownership of proxy user). Then I thought that maybe “proxy” needs to be logged in so OS can use its permissions to actually access \server\uploads
I’m extremely lost now, not sure how to solve it.
Please note: I have no control over the server. Server is win2k8 with desktop experience installed (otherwise i cant access any network locations).
Thanks!
Grant the proxy account access right “Log on as a batch Job” and use
`LOGON32_LOGON_BATCHinstead of interactive logon.