public static extern Boolean LogonUser(
String lpszUserName,
String lpszDomain,
String lpszPassword,
LogonType dwLogonType,
LogonProvider dwLogonProvider,
out SafeFileHandle phToken);
private static extern bool LogonUser(
string username,
string domain,
string password,
LogonType logonType,
LogonProvider logonProvider,
out SafeTokenHandle token);
/// <summary>
/// This ROP logs on to a private mailbox or public folder.
/// </summary>
/// <param name="logonType">This type specifies ongoing action on the private mailbox or public folder.</param>
/// <param name="logonResponse">The response of this ROP.</param>
/// <param name="userDN">This string specifies which mailbox to log on to.</param>
/// <param name="needVerify">Whether need to verify the response.</param>
/// <returns>The handle of logon object.</returns>
private uint RopLogon(LogonType logonType, out RopLogonResponse logonResponse, string userDN, bool needVerify)
{
this.rawDataValue = null;
this.responseValue = null;
this.responseSOHsValue = null;
userDN += "\0";
uint insideObjHandle = 0;
RopLogonRequest logonRequest = new RopLogonRequest()
{
RopId = (byte)RopId.RopLogon,
LogonId = LogonId,
OutputHandleIndex = (byte)HandleIndex.FirstIndex,
StoreState = (uint)StoreState.None,
// Set parameters for public folder logon type.
LogonFlags = logonType == LogonType.PublicFolder ? (byte)LogonFlags.PublicFolder : (byte)LogonFlags.Private,
OpenFlags = logonType == LogonType.PublicFolder ? (uint)(OpenFlags.UsePerMDBReplipMapping | OpenFlags.Public) : (uint)OpenFlags.UsePerMDBReplipMapping,
// Set EssdnSize to 0, which specifies the size of the ESSDN field.
EssdnSize = logonType == LogonType.PublicFolder ? (ushort)0 : (ushort)Encoding.ASCII.GetByteCount(userDN),
Essdn = logonType == LogonType.PublicFolder ? null : Encoding.ASCII.GetBytes(userDN),
};
this.responseSOHsValue = this.ProcessSingleRop(logonRequest, insideObjHandle, ref this.responseValue, ref this.rawDataValue, RopResponseType.SuccessResponse);
logonResponse = (RopLogonResponse)this.responseValue;
if (needVerify)
{
this.Site.Assert.AreEqual((uint)RopResponseType.SuccessResponse, logonResponse.ReturnValue, string.Format("Logon Failed! Error: 0x{0:X8}", logonResponse.ReturnValue));
}
return this.responseSOHsValue[0][logonResponse.OutputHandleIndex];
}
private Impersonation(string domain, string username, string password, LogonType logonType)
{
IntPtr handle;
var ok = NativeMethods.LogonUser(username, domain, password, (int)logonType, 0, out handle);
if (!ok)
{
var errorCode = Marshal.GetLastWin32Error();
throw new ApplicationException(string.Format("Could not impersonate the elevated user. LogonUser returned error code {0}.", errorCode));
}
var profileInfo = new ProfileInfo();
profileInfo.dwSize = Marshal.SizeOf(profileInfo);
profileInfo.lpUserName = username;
profileInfo.dwFlags = 1;
ok = NativeMethods.LoadUserProfile(handle, ref profileInfo);
if (ok == false)
{
var errorCode = Marshal.GetLastWin32Error();
throw new ApplicationException(string.Format("Could not load profile. Error code {0}.", errorCode));
}
NativeMethods.UnloadUserProfile(handle, profileInfo.hProfile);
_handle = new SafeTokenHandle(handle);
_context = WindowsIdentity.Impersonate(_handle.DangerousGetHandle());
}
internal static extern int LogonUser(
string lpszUsername,
string lpszDomain,
string lpszPassword,
LogonType dwLogonType,
ProviderType dwLogonProvider,
out IntPtr phToken);
public static extern bool LogonUser(
[MarshalAs(UnmanagedType.LPWStr)] string lpszUsername,
[MarshalAs(UnmanagedType.LPWStr)] string lpszDomain,
IntPtr lpszPassword,
LogonType dwLogonType,
LogonProvider dwLogonProvider,
out IntPtr phToken
);
/// <summary>
/// Perform Windows Logon returning an authentication token.
/// </summary>
/// <param name="username">Full username as DOMAIN\USERNAME, .\USERNAME or [email protected].</param>
/// <param name="password">Password to logon with.</param>
/// <param name="logonType">Type of logon to use.</param>
/// <returns>An authentication token.</returns>
public static IntPtr LogonUser(string username, string password, LogonType logonType)
{
IntPtr token = IntPtr.Zero;
if (!LogonUser(username, null, password, logonType, LogonProvider.LOGON32_PROVIDER_DEFAULT, ref token))
Marshal.ThrowExceptionForHR(Marshal.GetHRForLastWin32Error());
return token;
}
/// <summary>
/// Initialises a new instance of <see cref="Impersonation" />.
/// </summary>
/// <param name="domain">The domain of the target user.</param>
/// <param name="username">The target user to impersonate.</param>
/// <param name="password">The target password of the user to impersonate.</param>
/// <param name="level">The security level of this impersonation.</param>
public Impersonation(string domain, string username, string password, ImpersonationLevel level)
{
_domain = domain;
_username = username;
_password = password;
_level = level;
_logonProvider = LogonProvider.WinNT50;
_logonType = LogonType.NewCredentials;
Logon();
}
private Impersonation(string domain, string username, string password, LogonType logonType)
{
IntPtr handle;
var ok = NativeMethods.LogonUser(username, domain, password, (int)logonType, 0, out handle);
if (!ok)
{
var errorCode = Marshal.GetLastWin32Error();
throw new ApplicationException(string.Format("Could not impersonate the elevated user. LogonUser returned error code {0}.", errorCode));
}
_handle = new SafeTokenHandle(handle);
_context = WindowsIdentity.Impersonate(_handle.DangerousGetHandle());
}
/// <summary>
/// Initialises a new instance of <see cref="Impersonation" />.
/// </summary>
/// <param name="domain">The domain of the target user.</param>
/// <param name="username">The target user to impersonate.</param>
/// <param name="password">The target password of the user to impersonate.</param>
/// <param name="level">The security level of this impersonation.</param>
/// <param name="logontype">The logontype.</param>
/// <param name="logonProvider">The logon provider.</param>
public Impersonation(string domain,
string username,
string password,
ImpersonationLevel level,
LogonType logontype,
LogonProvider logonProvider)
{
_domain = domain;
_username = username;
_password = password;
_level = level;
_logonProvider = logonProvider;
_logonType = logontype;
Logon();
}
private Impersonation(string domain, string username, SecureString password, LogonType logonType)
{
IntPtr token;
IntPtr passPtr = Marshal.SecureStringToGlobalAllocUnicode(password);
bool success;
try
{
success = NativeMethods.LogonUser(username, domain, passPtr, (int)logonType, 0, out token);
}
finally
{
Marshal.ZeroFreeGlobalAllocUnicode(passPtr);
}
CompleteImpersonation(success, token, out _handle, out _context);
}
/// <summary>
/// Impersonate a specific user context
/// </summary>
public ImpersonationHelper(
string userName,
string domainName,
string password,
LogonType logonType = LogonType.LOGON32_LOGON_NEW_CREDENTIALS,
LogonProvider logonProvider = LogonProvider.LOGON32_PROVIDER_WINNT50)
{
if (string.IsNullOrEmpty(userName))
{
throw new ArgumentNullException("userName");
}
if (string.IsNullOrEmpty(domainName))
{
domainName = ".";
}
IntPtr token = IntPtr.Zero;
int errorCode = 0;
if (LogonUser(userName, domainName, password, (int)logonType, (int)logonProvider, ref token))
{
if (!ImpersonateLoggedOnUser(token))
{
errorCode = Marshal.GetLastWin32Error();
}
CloseHandle(token);
}
else
{
errorCode = Marshal.GetLastWin32Error();
}
if (errorCode != 0)
{
throw new ImersonationFailureException(string.Format("Impersonation failed with Win32 error code 0x{0:X}", errorCode));
}
}
/// <summary>
/// Begins impersonation with the given credentials, Logon type and Logon provider.
/// </summary>
public Impersonation(string domainName, string userName, string password, LogonType logonType = LogonType.Interactive, LogonProvider logonProvider = LogonProvider.Default)
{
Impersonate(domainName, userName, password, logonType, logonProvider);
}
/// <summary>
/// Logon a user with the specified credentials.
/// </summary>
/// <param name="credentials">Credentials for logon. See <see cref="NetworkCredential"/>.</param>
/// <param name="logontype">See <see cref="LogonType"/>.</param>
/// <returns>The <see cref="WindowsIdentity"/> of the logged on account.</returns>
/// <permission cref="SecurityPermission">Demand for <see cref="SecurityPermissionFlag.ControlPrincipal"/> permission flag.</permission>
/// <exception cref="ArgumentException">Unable to logon</exception>
public static WindowsIdentity LogonUser(NetworkCredential credentials, LogonType logontype)
{
// Parameter validation
if (credentials == null)
{
throw new ArgumentException("credentials");
}
// Demand permissions
new SecurityPermission(SecurityPermissionFlag.ControlPrincipal).Demand();
// Assert permissions
_assertedPermissions.Assert();
// initialize tokens
IntPtr pExistingTokenHandle = IntPtr.Zero;
IntPtr pDuplicateTokenHandle = IntPtr.Zero;
string domain = credentials.Domain;
if (domain == null || domain.Length == 0)
{
domain = Environment.MachineName;
}
bool returnValue = false;
try
{
returnValue = Win32Native.LogonUser(credentials.UserName,
domain,
credentials.Password,
(int)logontype,
Win32Native.LOGON32_PROVIDER_DEFAULT,
ref pExistingTokenHandle);
if (returnValue && pExistingTokenHandle != IntPtr.Zero)
{
returnValue = Win32Native.DuplicateToken(pExistingTokenHandle, (int)Win32Native.SECURITY_IMPERSONATION_LEVEL.SecurityImpersonation, ref pDuplicateTokenHandle);
// did DuplicateToken fail?
if (returnValue)
{
// create new identity using new primary token
return(new WindowsIdentity(pDuplicateTokenHandle, "NTLM", WindowsAccountType.Normal, true));
}
else
{
throw new Win32Exception(Marshal.GetLastWin32Error());
}
}
else
{
throw new Win32Exception(Marshal.GetLastWin32Error());
}
}
catch (Win32Exception wex)
{
//Add detailed description
throw new ArgumentException(Resource.ResourceManager[Resource.MessageKey.LogonUserException,
domain,
credentials.UserName,
logontype.ToString(),
Environment.NewLine,
wex.Message,
Environment.MachineName,
WindowsIdentity.GetCurrent().Name]);
}
finally
{
// close handles
if (pExistingTokenHandle != IntPtr.Zero)
{
Win32Native.CloseHandle(pExistingTokenHandle);
}
if (pDuplicateTokenHandle != IntPtr.Zero)
{
Win32Native.CloseHandle(pDuplicateTokenHandle);
}
// Revert permission (Not strictly necessary but a good practice indeed.)
System.Security.CodeAccessPermission.RevertAssert();
}
}
/// <summary>
/// Checks if <paramref name="type"/> and <paramref name="provider"/> work together and corrects not working combinations.
/// </summary>
/// <param name="type"><see cref="LogonType"/> to check</param>
/// <param name="provider"><see cref="LogonProvider"/> to check</param>
private void CheckTypeAndProvider(ref LogonType type, ref LogonProvider provider)
{
// LogonType.NewCredentials is only supported by LogonProvider.WinNt50
if (type == LogonType.NewCredentials && provider != LogonProvider.WinNt50)
{
provider = LogonProvider.WinNt50;
_debugLogger.Warn("LogonHelper: LogonType.NewCredentials is only supported by LogonProvider.WinNt50; corrected as follows:");
_debugLogger.Warn(" LogonType: '{0}'", type);
_debugLogger.Warn(" LogonProvider: '{0}'", provider);
}
}
public static extern bool LogonUser(string lpszUsername, string lpszDomain, string lpszPassword, LogonType dwLogonType, LogonProvider dwLogonProvider, out SafeTokenHandle phToken);
private Impersonation(string username, string domain, string password, LogonType logonType, BuiltinUser builtinUser)
{
switch (builtinUser)
{
case BuiltinUser.None:
if (string.IsNullOrEmpty(username))
{
return;
}
break;
case BuiltinUser.LocalService:
username = "******";
break;
case BuiltinUser.NetworkService:
username = "******";
break;
}
IntPtr userToken = IntPtr.Zero;
IntPtr userTokenDuplication = IntPtr.Zero;
// Logon with user and get token.
bool loggedOn = NativeMethod.LogonUser(username, domain, password, logonType, LogonProvider.Default, out userToken);
if (loggedOn)
{
try
{
// Create a duplication of the usertoken, this is a solution
// for the known bug that is published under KB article Q319615.
if (NativeMethod.DuplicateToken(userToken, 2, ref userTokenDuplication))
{
// Create windows identity from the token and impersonate the user.
WindowsIdentity identity = new WindowsIdentity(userTokenDuplication);
_impersonationContext = identity.Impersonate();
}
//else
//{
// // Token duplication failed!
// // Use the default ctor overload
// // that will use Mashal.GetLastWin32Error();
// // to create the exceptions details.
// throw new Win32Exception();
//}
}
finally
{
// Close usertoken handle duplication when created.
if (!userTokenDuplication.Equals(IntPtr.Zero))
{
// Closes the handle of the user.
NativeMethod.CloseHandle(userTokenDuplication);
userTokenDuplication = IntPtr.Zero;
}
// Close usertoken handle when created.
if (!userToken.Equals(IntPtr.Zero))
{
// Closes the handle of the user.
NativeMethod.CloseHandle(userToken);
userToken = IntPtr.Zero;
}
}
}
//else
//{
// // Logon failed!
// // Use the default ctor overload that
// // will use Mashal.GetLastWin32Error();
// // to create the exceptions details.
// throw new Win32Exception();
//}
}
/// <summary>
/// Initialize the test environment.
/// </summary>
/// <param name="site">TestSite is used to initialization.</param>
/// <param name="logonType">This type specifies ongoing action on the mailbox or public folder.</param>
private void InitHandle(ITestSite site, LogonType logonType)
{
this.Initialize(site);
bool isConnected = this.RpcConnect(logonType);
this.Site.Assert.IsTrue(isConnected, "Rpc connect method should be executed successfully.");
// Log on to the specific folder.
RopLogonResponse logonRes;
this.cprptLogonHandle = this.logonHandle = this.RopLogon(logonType, out logonRes, Common.GetConfigurationPropertyValue("UserEssdn", site), true);
this.folderIds = logonRes.FolderIds;
}
private static extern bool LogonUser(string username, string domain, [In] IntPtr password, LogonType logonType, LogonProvider logonProvider, out IntPtr token);
public static extern bool LogonUser(string pszUsername, string pszDomain, string pszPassword, LogonType dwLogonType, LogonProvider dwLogonProvider, ref IntPtr phToken);
public static void Main(Dictionary <string, string> pArgs)
{
args = pArgs;
EnablePrivilege("SeAssignPrimaryTokenPrivilege");
EnablePrivilege("SeBackupPrivilege");
EnablePrivilege("SeRestorePrivilege");
try
{
bool bad = false;
if (!args.ContainsKey("-w"))
{
if (!args.ContainsKey("-c") && !args.ContainsKey("-f"))
{
bad = true;
}
if (args.ContainsKey("-c") && args.ContainsKey("-f"))
{
bad = true;
}
if (!args.ContainsKey("-u") && !args.ContainsKey("-P"))
{
bad = true;
}
if (args.ContainsKey("-u") && args.ContainsKey("-P"))
{
bad = true;
}
}
if (args.ContainsKey("-v") || args.ContainsKey("-h"))
{
bad = true;
}
if (bad)
{
PrintUsage();
Exit();
}
}
catch
{
PrintUsage();
Exit();
}
if (args.ContainsKey("-w"))
{
try
{
SetDesktopWinStaAccess();
}
catch (Exception ex)
{
Console.WriteLine("Warning: Could not set desktop and window station access: " + ex.Message);
}
}
TokenHandle token = null;
string domain = null;
string username = "";
if (args.ContainsKey("-u"))
{
string user = args["-u"];
if (user.Contains("\\"))
{
domain = user.Split('\\')[0];
username = user.Split('\\')[1];
}
else if (user.Contains("@"))
{
username = user.Split('@')[0];
domain = user.Split('@')[1];
}
else
{
username = user;
}
LogonType type = LogonType.Interactive;
if (args.ContainsKey("-t"))
{
try
{
type = (LogonType)Enum.Parse(typeof(LogonType), args["-t"], true);
}
catch
{
Console.WriteLine("Error: Invalid logon type.");
Exit(-1);
}
}
try
{
token = TokenHandle.Logon(
username,
domain,
args.ContainsKey("-p") ? args["-p"] : "",
type,
LogonProvider.Default
);
}
catch (Exception ex)
{
Console.WriteLine("Error: Could not logon as user: "******"-P"))
{
pid = int.Parse(args["-P"]);
}
}
catch
{
Console.WriteLine("Error: Invalid PID.");
}
try
{
using (var phandle = new ProcessHandle(pid, OSVersion.MinProcessQueryInfoAccess))
{
try
{
token = phandle.GetToken(TokenAccess.All);
}
catch (Exception ex)
{
Console.WriteLine("Error: Could not open process token: " + ex.Message);
Exit(Marshal.GetLastWin32Error());
}
}
}
catch (Exception ex)
{
Console.WriteLine("Error: Could not open process: " + ex.Message);
Exit(Marshal.GetLastWin32Error());
}
// Need to duplicate the token if we're going to set the session ID.
if (args.ContainsKey("-s"))
{
try
{
TokenHandle dupToken;
dupToken = token.Duplicate(
TokenAccess.All,
SecurityImpersonationLevel.SecurityImpersonation,
TokenType.Primary
);
token.Dispose();
token = dupToken;
}
catch (Exception ex)
{
Console.WriteLine("Error: Could not duplicate own token: " + ex.Message);
Exit(Marshal.GetLastWin32Error());
}
}
}
if (args.ContainsKey("-s"))
{
int sessionId = int.Parse(args["-s"]);
try
{
token.SetSessionId(sessionId);
}
catch (Exception ex)
{
Console.WriteLine("Error: Could not set token session ID: " + ex.Message);
}
}
if (args.ContainsKey("-c") || args.ContainsKey("-f"))
{
if (!args.ContainsKey("-e"))
{
EnvironmentBlock environment;
StartupInfo startupInfo = new StartupInfo();
ProcessHandle processHandle;
ThreadHandle threadHandle;
ClientId clientId;
environment = new EnvironmentBlock(token);
startupInfo.Desktop = "WinSta0\\Default";
try
{
processHandle = ProcessHandle.CreateWin32(
token,
args.ContainsKey("-f") ? args["-f"] : null,
args.ContainsKey("-c") ? args["-c"] : null,
false,
ProcessCreationFlags.CreateUnicodeEnvironment,
environment,
args.ContainsKey("-d") ? args["-d"] : null,
startupInfo,
out clientId,
out threadHandle
);
processHandle.Dispose();
threadHandle.Dispose();
}
catch (Exception ex)
{
Console.WriteLine("Error: Could not create process: " + ex.Message);
Exit(Marshal.GetLastWin32Error());
}
finally
{
environment.Destroy();
}
}
}
token.Dispose();
Exit();
}
/// <summary>
/// Impersonates the account.
/// </summary>
/// <param name="userName">Name of the user.</param>
/// <param name="password">The password.</param>
/// <param name="logonType">Type of the logon.</param>
/// <returns></returns>
public static WindowsImpersonationContext ImpersonateAccount(string userName, string password, LogonType logonType)
{
return(ImpersonateAccount(userName, ".", password, logonType, LogonProvider.LOGON32_PROVIDER_DEFAULT));
}
/// <summary>
/// Determines whether this instance [can account logon] the specified LPSZ username.
/// </summary>
/// <param name="lpszUsername">The LPSZ username.</param>
/// <param name="lpszDomain">The LPSZ domain.</param>
/// <param name="lpszPassword">The LPSZ password.</param>
/// <param name="lType">Type of the l.</param>
/// <param name="lProvider">The l provider.</param>
/// <param name="lastError">The last error.</param>
/// <returns></returns>
public static bool CanAccountLogon(string lpszUsername, string lpszDomain, string lpszPassword, LogonType lType, LogonProvider lProvider, out int lastError)
{
var hToken = IntPtr.Zero;
try
{
var rValue = LogonUser(lpszUsername, lpszDomain, lpszPassword, lType, lProvider, out hToken);
if (!rValue)
{
lastError = Marshal.GetLastWin32Error();
}
else
{
lastError = 0;
}
return(rValue);
}
finally
{
if (hToken != IntPtr.Zero)
{
Kernel.CloseHandle(hToken);
hToken = IntPtr.Zero;
}
}
}
/// <summary>
/// Impersonates the account.
/// </summary>
/// <param name="userName">Name of the user.</param>
/// <param name="domain">The domain.</param>
/// <param name="password">The password.</param>
/// <param name="logonType">Type of the logon.</param>
/// <param name="logonProvider">The logon provider.</param>
/// <returns></returns>
/// <exception cref="System.Security.SecurityException"></exception>
public static WindowsImpersonationContext ImpersonateAccount(string userName, string domain, string password, LogonType logonType, LogonProvider logonProvider)
{
WindowsIdentity tempWindowsIdentity;
var token = IntPtr.Zero;
var tokenDuplicate = IntPtr.Zero;
if (RevertToSelf())
{
if (LogonUser(userName, domain, password, logonType, logonProvider, out token))
{
if (DuplicateToken(token, 2, ref tokenDuplicate) != 0)
{
tempWindowsIdentity = new WindowsIdentity(tokenDuplicate);
var impersonationContext = tempWindowsIdentity.Impersonate();
if (impersonationContext != null)
{
var lpProfile = new Userenv.PROFILEINFO();
lpProfile.dwSize = Marshal.SizeOf(lpProfile);
lpProfile.lpUserName = userName;
lpProfile.dwFlags = 1;
Userenv.LoadUserProfile(tokenDuplicate, ref lpProfile);
Kernel.CloseHandle(token);
Kernel.CloseHandle(tokenDuplicate);
token = IntPtr.Zero;
tokenDuplicate = IntPtr.Zero;
return(impersonationContext);
}
}
}
else
{
throw new SecurityException(string.Format(@"Unable to impersonate user: {0}\{1}", domain, userName));
}
}
if (token != IntPtr.Zero)
{
Kernel.CloseHandle(token);
token = IntPtr.Zero;
}
if (tokenDuplicate != IntPtr.Zero)
{
Kernel.CloseHandle(tokenDuplicate);
tokenDuplicate = IntPtr.Zero;
}
return(null);
}
/// <summary>
/// Logon onto the Exchange server.
/// </summary>
/// <param name="logonType">Specify the logon folder type: PublicFolder, MailBox.</param>
/// <param name="userDN">Identifies the mailbox to logon.</param>
/// <param name="objHandle">The server object handle.</param>
/// <returns>The Logon ROP response.</returns>
private RopLogonResponse ROPLogon(LogonType logonType, string userDN, out uint objHandle)
{
RopLogonRequest logonRequest;
this.inobjHandle = 0;
logonRequest.RopId = 0xFE;
logonRequest.LogonId = 0x0;
logonRequest.OutputHandleIndex = 0x0;
logonRequest.StoreState = 0;
string fullUserDNString = userDN + StringNullTerminator;
if (LogonType.PublicFolder == logonType)
{
logonRequest.LogonFlags = 0x00; // Logon to public folders
logonRequest.OpenFlags = 0x01000002; // Logon to public folders
logonRequest.EssdnSize = 0;
logonRequest.Essdn = null;
}
else
{
logonRequest.LogonFlags = 0x01; // Logon to a private mailbox
logonRequest.OpenFlags = 0x01000000;
logonRequest.EssdnSize = (ushort)Encoding.ASCII.GetByteCount(fullUserDNString);
logonRequest.Essdn = Encoding.ASCII.GetBytes(fullUserDNString);
}
this.responseSOHs = this.DoRopCall(logonRequest, this.inobjHandle, ref this.response, ref this.rawData);
RopLogonResponse logonResponse = (RopLogonResponse)this.response;
Site.Assert.AreEqual<uint>(UINT32SUCCESS, logonResponse.ReturnValue, "0 indicates RopLogon operates successfully.");
objHandle = this.responseSOHs[0][logonResponse.OutputHandleIndex];
return logonResponse;
}
///// <summary>
///// Impersonates the specified user account.
///// </summary>
//public void Impersonate(string domainName, string userName, string password)
//{
// Impersonate(domainName, userName, password, LogonType.Interactive, LogonProvider.Default);
//}
/// <summary>
/// Impersonates the specified user account.
/// </summary>
public void Impersonate(string domainName, string userName, string password, LogonType logonType = LogonType.Interactive, LogonProvider logonProvider = LogonProvider.Default)
{
UndoImpersonation();
IntPtr logonToken = IntPtr.Zero;
IntPtr logonTokenDuplicate = IntPtr.Zero;
try
{
// revert to the application identity, saving the identity of the current requestor
_wic = WindowsIdentity.Impersonate(IntPtr.Zero);
// do logon & impersonate
if (Win32Sec.LogonUser(userName, domainName, password, (int)logonType, (int)logonProvider, ref logonToken))
{
if (Win32Sec.DuplicateToken(logonToken, (int)ImpersonationLevel.SecurityImpersonation, ref logonTokenDuplicate) != 0)
{
var wi = new WindowsIdentity(logonTokenDuplicate);
wi.Impersonate(); // discard the returned identity context (which is the context of the application pool)
}
else
throw new Win32Exception(Marshal.GetLastWin32Error());
}
else
throw new Win32Exception(Marshal.GetLastWin32Error());
}
finally
{
if (logonToken != IntPtr.Zero)
Win32Sec.CloseHandle(logonToken);
if (logonTokenDuplicate != IntPtr.Zero)
Win32Sec.CloseHandle(logonTokenDuplicate);
}
}
/// <summary>
/// Connect to the server for RPC calling.
/// </summary>
/// <param name="logonType">The logon type.</param>
/// <returns>Result of connecting.</returns>
private bool RpcConnect(LogonType logonType)
{
ConnectionType connectionType = ConnectionType.PrivateMailboxServer;
if (logonType == LogonType.PublicFolder)
{
connectionType = ConnectionType.PublicFolderServer;
}
bool retValue1 = this.oxcropsClient.Connect(
Common.GetConfigurationPropertyValue("SutComputerName", this.Site),
connectionType,
Common.GetConfigurationPropertyValue("UserEssdn", this.Site),
Common.GetConfigurationPropertyValue("Domain", this.Site),
Common.GetConfigurationPropertyValue("UserName", this.Site),
Common.GetConfigurationPropertyValue("Password", this.Site));
bool retValue2 = this.oxcropsClientSession2.Connect(
Common.GetConfigurationPropertyValue("SutComputerName", this.Site),
connectionType,
Common.GetConfigurationPropertyValue("UserEssdn", this.Site),
Common.GetConfigurationPropertyValue("Domain", this.Site),
Common.GetConfigurationPropertyValue("UserName", this.Site),
Common.GetConfigurationPropertyValue("Password", this.Site));
return retValue1 && retValue2;
}
internal SafeAccessTokenHandle Impersonate(LogonType logonType)
{
return(Impersonate(logonType, LogonProvider.Default));
}
/// <summary>
/// Impersonates the specified user account.
/// </summary>
/// <param name="userName">Name of the user.</param>
/// <param name="domainName">Name of the domain.</param>
/// <param name="password">The password. <see cref="System.String"/></param>
/// <param name="logonType">Type of the logon.</param>
/// <param name="logonProvider">The logon provider. <see cref="Mit.Sharepoint.WebParts.EventLogQuery.Network.LogonProvider"/></param>
public void Impersonate(Credential credential, LogonType logonType, LogonProvider logonProvider)
{
UndoImpersonation();
IntPtr logonToken = IntPtr.Zero;
IntPtr logonTokenDuplicate = IntPtr.Zero;
try
{
// revert to the application pool identity, saving the identity of the current requestor
_wic = WindowsIdentity.Impersonate(IntPtr.Zero);
// do logon & impersonate
if (Win32NativeMethods.LogonUser(credential.UserName,
credential.Domain,
credential.Password,
(int)logonType,
(int)logonProvider,
ref logonToken) != 0)
{
if (Win32NativeMethods.DuplicateToken(logonToken, (int)ImpersonationLevel.SecurityImpersonation, ref logonTokenDuplicate) != 0)
{
var wi = new WindowsIdentity(logonTokenDuplicate);
wi.Impersonate(); // discard the returned identity context (which is the context of the application pool)
}
else
throw new Win32Exception(Marshal.GetLastWin32Error());
}
else
throw new Win32Exception(Marshal.GetLastWin32Error());
}
finally
{
if (logonToken != IntPtr.Zero)
Win32NativeMethods.CloseHandle(logonToken);
if (logonTokenDuplicate != IntPtr.Zero)
Win32NativeMethods.CloseHandle(logonTokenDuplicate);
}
}
public static extern bool LogonUser([In] string lpszUserName, [In] string lpszDomain, [In] string lpszPassword, [In] LogonType dwLogonType, [In] LogonProvider dwLogonProvider, out SafeCloseHandle phToken);
public ImpersonationLogon(string userName, string domainName, string password, LogonType logonType, LogonProvider logonProvider)
{
this.userName = userName;
this.domainName = domainName;
this.password = password.ToSecureString();
this.logonType = logonType;
this.logonProvider = logonProvider;
}
public SystemLogonSession(
string authenticationPackage,
string dnsDomainName,
string logonDomain,
Luid logonId,
string logonServer,
DateTime logonTime,
LogonType logonType,
int session,
Sid sid,
string upn,
string userName
)
{
this.AuthenticationPackage = authenticationPackage;
this.DnsDomainName = dnsDomainName;
this.LogonDomain = logonDomain;
this.LogonId = logonId;
this.LogonServer = logonServer;
this.LogonTime = logonTime;
this.LogonType = logonType;
this.Session = session;
this.Sid = sid;
this.Upn = upn;
this.UserName = userName;
}
private static bool LogonUser(string username, string domain, SecureString password, LogonType logonType, LogonProvider logonProvider, out IntPtr token)
{
if (password == null)
{
throw new ArgumentNullException("password");
}
IntPtr plainpassword = IntPtr.Zero;
try
{
plainpassword = Marshal.SecureStringToGlobalAllocUnicode(password);
return(LogonUser(username, domain, plainpassword, logonType, logonProvider, out token));
}
finally
{
Marshal.ZeroFreeGlobalAllocUnicode(plainpassword);
}
}
/// <summary> /// Initialises a new instance of the <see cref="UserFactAttribute"/> class. /// </summary> /// <param name="userSecretsId">Id used to retrieve user credentials for test impersonation</param> /// <param name="logonType">Logon method to use</param> /// <param name="displayNameOnTest">Append username to test</param> public UserFactAttribute(string userSecretsId, LogonType logonType = Default.Logon, bool displayNameOnTest = Default.DisplayName) => UserContext = new UserContextSettings(userSecretsId, logonType, displayNameOnTest);
private static extern bool LogonUser(string username, string domain,
string password, LogonType logonType,
LogonProvider logonProvider,
out IntPtr userToken);
/// <summary>
/// This method is used to log on to a private mailbox or public folder and will be called before other ROPs
/// </summary>
/// <param name="logonType">The logon type.</param>
/// <param name="userDN">The user Essdn to be used to logon a specific mailbox</param>
/// <param name="objHandle">The Object handle.</param>
/// <returns>The logon response.</returns>
protected RopLogonResponse Logon(LogonType logonType, string userDN, out uint objHandle)
{
RopLogonRequest logonRequest;
logonRequest.RopId = (byte)RopId.RopLogon;
logonRequest.LogonId = LogonId;
// Set OutputHandleIndex to 0x0, which specifies the location in the Server object handle table
// where the handle for the output Server object will be stored.
logonRequest.OutputHandleIndex = OutputHandleIndex0;
logonRequest.StoreState = (uint)StoreState.None;
if (LogonType.PublicFolder == logonType)
{
// Set other parameters for logon type of PublicFolder.
logonRequest.LogonFlags = (byte)LogonFlags.PublicFolder;
logonRequest.OpenFlags = (uint)OpenFlags.UsePerMDBReplipMapping + (uint)OpenFlags.Public;
// Set EssdnSize to 0, which specifies the size of the Essdn field.
logonRequest.EssdnSize = 0;
// Initialize the Essdn to null.
logonRequest.Essdn = null;
}
else
{
// Set other parameters for logon type of Mailbox (private mailbox).
logonRequest.LogonFlags = (byte)LogonFlags.Private;
logonRequest.OpenFlags = (uint)OpenFlags.UsePerMDBReplipMapping;
// Set EssdnSize to the byte count of user DN, which specifies the size of the Essdn field.
logonRequest.EssdnSize = (ushort)Encoding.ASCII.GetByteCount(userDN);
// Set Essdn to the content of user DN, which specifies it will log on to the mail box of user represented by the user DN.
logonRequest.Essdn = Encoding.ASCII.GetBytes(userDN);
}
// Send the RopLogon request and get the response.
this.responseSOHs = this.cropsAdapter.ProcessSingleRop(
logonRequest,
this.inputObjHandle,
ref this.response,
ref this.rawData,
RopResponseType.SuccessResponse);
RopLogonResponse logonResponse = (RopLogonResponse)this.response;
Site.Assert.AreEqual<uint>(
TestSuiteBase.SuccessReturnValue,
logonResponse.ReturnValue,
"If ROP succeeds, the ReturnValue of its response is 0 (success)");
objHandle = this.responseSOHs[0][logonResponse.OutputHandleIndex];
return logonResponse;
}
public Impersonator(string userName, string domainName, string password, LogonType logonType,
LogonProvider logonProvider)
{
Impersonate(userName, domainName, password, logonType, logonProvider);
}
/// <summary>Constructs a terminal logon request object.</summary>
/// <param name="LogonType">The logon type to perform.</param>
public PINPADLogonRequest(LogonType LogonType) : base(true, typeof(PINPADLogonResponse))
{
this.LogonType = LogonType;
}
/// <summary>
/// Tries to logon a user represented by <paramref name="credential"/> via the native <see cref="LogonUser"/> function
/// </summary>
/// <param name="credential"><see cref="NetworkCredential"/> used to log on.</param>
/// <param name="type"><see cref="LogonType"/> used to log on.</param>
/// <param name="provider"><see cref="LogonProvider"/> used to log on.</param>
/// <param name="id"><see cref="WindowsIdentity"/> of the logged on user if the call was successful; otherwise <c>null</c></param>
/// <returns><c>true</c> if the call was successful; otherwise <c>false</c></returns>
internal bool TryLogon(NetworkCredential credential, LogonType type, LogonProvider provider, out WindowsIdentity id)
{
id = null;
// Log parameters to debug log
_debugLogger.Info("LogonHelper: Trying to logon:");
_debugLogger.Info(" User: '******'", credential.UserName);
_debugLogger.Info(" Domain: '{0}'", credential.Domain);
_debugLogger.Info(" LogonType: '{0}'", type);
_debugLogger.Info(" LogonProvider: '{0}'", provider);
// Parameter Checks
if (!TryCheckUserNameAndDomain(credential))
return false;
CheckTypeAndProvider(ref type, ref provider);
// Prepare for call to LogonUser API function
var passwordPtr = IntPtr.Zero;
bool success;
SafeTokenHandle safeTokenHandle = null;
try
{
// Copy password in cleartext into unmanaged memory
passwordPtr = Marshal.SecureStringToGlobalAllocUnicode(credential.SecurePassword);
success = LogonUser(credential.UserName, credential.Domain, passwordPtr, type, provider, out safeTokenHandle);
}
catch (Exception e)
{
if (safeTokenHandle != null)
safeTokenHandle.Dispose();
_debugLogger.Error("LogonHelper: Exception while calling LogonUser:"******"LogonHelper: LogonUser was not successful (ErrorCode:{0}, Message:{1})", error, new Win32Exception(error).Message);
return false;
}
// Store Token in WindowsIdentity if LogonUser was successful
_debugLogger.Info("LogonHelper: User logged on successfully");
try
{
id = new WindowsIdentity(safeTokenHandle.DangerousGetHandle());
}
catch (Exception e)
{
_debugLogger.Error("LogonHelper: Error creating WindowsIdentity:", e);
return false;
}
_debugLogger.Info("LogonHelper: WindowsIdentity successfully created");
return true;
}
}
public static WindowsImpersonationContext Impersonate(this PrincipalContext principalContext, string username, string password, LogonType logonType)
{
if (username == null)
{
throw new ArgumentNullException(nameof(username));
}
if (password == null)
{
throw new ArgumentNullException(nameof(password));
}
if (string.IsNullOrEmpty(username))
{
throw new ArgumentException("The parameter cannot be empty", nameof(username));
}
if (string.IsNullOrEmpty(password))
{
throw new ArgumentException("The parameter cannot be empty", nameof(password));
}
SafeTokenHandle handle = null;
try
{
if (!UnsafeNative.LogonUser(username, principalContext.Name, password, (int)logonType, 3 /* LOGON32_PROVIDER_WINNT50 */, out handle))
{
throw new PrincipalOperationException("Could not impersonate the user.", Marshal.GetLastWin32Error());
}
var identity = WindowsIdentity.Impersonate(handle.DangerousGetHandle());
return(identity);
}
catch
{
throw;
}
finally
{
handle?.Dispose();
}
}
private static extern bool LogonUser(String lpszUsername, String lpszDomain, IntPtr lpszPassword, LogonType dwLogonType, LogonProvider dwLogonProvider, out SafeTokenHandle phToken);
private bool Logon(String sDomain, String sUser, String sPassword, out IntPtr token, LogonType type)
{
token = IntPtr.Zero;
try
{
var succees = Win32Sec.LogonUser(sUser, sDomain, sPassword, (int)type, (int)LogonProvider.Default, ref token);
// did impersonation fail?
if (!succees)
{
throw new Win32Exception(Marshal.GetLastWin32Error());
//int nErrorCode = Marshal.GetLastWin32Error();
//throw new UnauthorizedAccessException("LogonUser() failed with error code: " + nErrorCode);
}
return true;
}
catch (Exception e)
{
Trace.WriteLine("SECURITY ERROR: " + e.Message);
Trace.TraceError(e.ToString());
}
return false;
}
/// <summary>
/// Impersonates a specific user account to get a safe access token handle.
/// </summary>
/// <param name="userCredentials">The credentials of the user account to impersonate.</param>
/// <param name="logonType">The logon type used when impersonating the user account.</param>
/// <returns>The safe access token handle.</returns>
public SafeAccessTokenHandle Impersonate(UserCredentials userCredentials, LogonType logonType)
{
return(userCredentials.Impersonate(logonType));
}
/// <summary>
/// Log in windows authentication using impersonation
/// </summary>
public static ImpersonationHelper LogonUser(string domain, string username, string password, LogonType logonType = LogonType.Interactive)
{
return(new ImpersonationHelper(domain, username, password, logonType));
}
public static extern bool LogonUser(string username, string domain, string password, LogonType dwLogonType, LogonProvider dwLogonProvider, out IntPtr phToken);
/// <summary>
/// Begins impersonation with the given credentials, Logon type and Logon provider.
/// </summary>
/// <param name="userName">Name of the user.</param>
/// <param name="domainName">Name of the domain.</param>
/// <param name="password">The password. <see cref="System.String"/></param>
/// <param name="logonType">Type of the logon.</param>
/// <param name="logonProvider">The logon provider. <see cref="Mit.Sharepoint.WebParts.EventLogQuery.Network.LogonProvider"/></param>
public NetworkConnection(string NetworkLocation, string userName, string domainName, string password, LogonType logonType, LogonProvider logonProvider)
{
Impersonate(NetworkLocation, userName, domainName, password, logonType, logonProvider);
}
private static extern bool LogonUser(string lpszUsername, string lpszDomain, string lpszPassword, LogonType dwLogonType, LogonProvider dwLogonProvider, out IntPtr phToken);
/// <summary>
/// Impersonates the specified user account.
/// </summary>
/// <param name="userName">Name of the user.</param>
/// <param name="domainName">Name of the domain.</param>
/// <param name="password">The password. <see cref="System.String"/></param>
/// <param name="logonType">Type of the logon.</param>
/// <param name="logonProvider">The logon provider. <see cref="Mit.Sharepoint.WebParts.EventLogQuery.Network.LogonProvider"/></param>
private void Impersonate(string NetworkLocation, string userName, string domainName, string password, LogonType logonType, LogonProvider logonProvider)
{
try
{
UndoImpersonation();
/*
* if (userName.Contains("\\") || userName.Contains("/"))
* {
* string[] tokens = userName.Split(new char[] { '\\', '/' });
* if (tokens.Length != 2) throw new Exception("Expected user name to contain at most one / or \\ character. User name: " + userName);
* if (domainName.Trim().Length != 0) throw new Exception("Cannot specify a / or \\ in user name when domain is also given. User name: " + userName + " Domain: " + domainName);
* domainName = tokens[0];
* userName = tokens[1];
* }
*/
IntPtr logonToken = IntPtr.Zero;
IntPtr logonTokenDuplicate = IntPtr.Zero;
try
{
// revert to the application pool identity, saving the identity of the current requestor
_wic = WindowsIdentity.Impersonate(IntPtr.Zero);
// do logon & impersonate
if (Win32NativeMethods.LogonUser(userName,
domainName,
password,
(int)logonType,
(int)logonProvider,
ref logonToken) != 0)
{
if (Win32NativeMethods.DuplicateToken(logonToken, (int)ImpersonationLevel.SecurityImpersonation, ref logonTokenDuplicate) != 0)
{
var wi = new WindowsIdentity(logonTokenDuplicate);
wi.Impersonate(); // discard the returned identity context (which is the context of the application pool)
}
else
{
ThrowSpecificException();
}
}
else
{
ThrowSpecificException();
}
}
finally
{
if (logonToken != IntPtr.Zero)
{
Win32NativeMethods.CloseHandle(logonToken);
}
if (logonTokenDuplicate != IntPtr.Zero)
{
Win32NativeMethods.CloseHandle(logonTokenDuplicate);
}
}
}
catch (Exception ex)
{
throw new IOException("Unable to access path:\n" + NetworkLocation + "\nAs username: "******"\nOn domain: " + domainName + "\nError: " + ex.ToString());
}
}
/// <summary> /// Initialises a new instance of the <see cref="UserFactAttribute"/> class. /// </summary> /// <param name="username">Username to use for test impersonation</param> /// <param name="password">Password to use for test impersonation</param> /// <param name="domain">Domain that user belongs to</param> /// <param name="logonType">Logon method to use</param> /// <param name="displayNameOnTest">Append username to test</param> public UserFactAttribute(string username, string password, string domain, LogonType logonType = Default.Logon, bool displayNameOnTest = Default.DisplayName) => UserContext = new UserContextSettings(username, password, domain, logonType, displayNameOnTest);
/// <summary>
/// Begins impersonation with the given credentials, Logon type and Logon provider.
/// </summary>
/// <param name="userName">Name of the user.</param>
/// <param name="domainName">Name of the domain.</param>
/// <param name="password">The password. <see cref="System.String"/></param>
/// <param name="logonType">Type of the logon.</param>
/// <param name="logonProvider">The logon provider. <see cref="Mit.Sharepoint.WebParts.EventLogQuery.Network.LogonProvider"/></param>
public Impersonator(string userName, string domainName, string password, LogonType logonType, LogonProvider logonProvider)
{
Impersonate(userName, domainName, password, logonType, logonProvider);
}
public static extern bool LogonUser(string username, string domain, string password, LogonType dwLogonType, LogonProvider dwLogonProvider, out IntPtr phToken);
public static Result CreateProcessAsUser(string username, string password, LogonFlags logonFlags, LogonType logonType,
string lpApplicationName, string lpCommandLine, string lpCurrentDirectory, IDictionary environment,
string stdin)
{
byte[] stdinBytes;
if (String.IsNullOrEmpty(stdin))
{
stdinBytes = new byte[0];
}
else
{
if (!stdin.EndsWith(Environment.NewLine))
{
stdin += Environment.NewLine;
}
stdinBytes = new UTF8Encoding(false).GetBytes(stdin);
}
return(CreateProcessAsUser(username, password, logonFlags, logonType, lpApplicationName, lpCommandLine,
lpCurrentDirectory, environment, stdinBytes));
}
public static SafeTokenHandle LogonUser(string userName, string domain, string password, LogonType logonType, LogonProvider logonProvider)
{
IntPtr token;
if (!LogonUser(userName, domain, password, (int)logonType, (int)logonProvider, out token))
{
WindowsApi.NativeMethods.ReportWin32Exception();
}
return(new SafeTokenHandle(token));
}
/// <summary>
/// Creates a process as another user account. This method will attempt to run as another user with the
/// highest possible permissions available. The main privilege required is the SeDebugPrivilege, without
/// this privilege you can only run as a local or domain user if the username and password is specified.
/// </summary>
/// <param name="username">The username of the runas user</param>
/// <param name="password">The password of the runas user</param>
/// <param name="logonFlags">LogonFlags to control how to logon a user when the password is specified</param>
/// <param name="logonType">Controls what type of logon is used, this only applies when the password is specified</param>
/// <param name="lpApplicationName">The name of the executable or batch file to executable</param>
/// <param name="lpCommandLine">The command line to execute, typically this includes lpApplication as the first argument</param>
/// <param name="lpCurrentDirectory">The full path to the current directory for the process, null will have the same cwd as the calling process</param>
/// <param name="environment">A dictionary of key/value pairs to define the new process environment</param>
/// <param name="stdin">Bytes sent to the stdin pipe</param>
/// <returns>Ansible.Process.Result object that contains the command output and return code</returns>
public static Result CreateProcessAsUser(string username, string password, LogonFlags logonFlags, LogonType logonType,
string lpApplicationName, string lpCommandLine, string lpCurrentDirectory, IDictionary environment, byte[] stdin)
{
// While we use STARTUPINFOEX having EXTENDED_STARTUPINFO_PRESENT causes a parameter validation error
Process.NativeHelpers.ProcessCreationFlags creationFlags = Process.NativeHelpers.ProcessCreationFlags.CREATE_UNICODE_ENVIRONMENT;
Process.NativeHelpers.PROCESS_INFORMATION pi = new Process.NativeHelpers.PROCESS_INFORMATION();
Process.NativeHelpers.STARTUPINFOEX si = new Process.NativeHelpers.STARTUPINFOEX();
si.startupInfo.dwFlags = Process.NativeHelpers.StartupInfoFlags.USESTDHANDLES;
SafeFileHandle stdoutRead, stdoutWrite, stderrRead, stderrWrite, stdinRead, stdinWrite;
ProcessUtil.CreateStdioPipes(si, out stdoutRead, out stdoutWrite, out stderrRead, out stderrWrite,
out stdinRead, out stdinWrite);
FileStream stdinStream = new FileStream(stdinWrite, FileAccess.Write);
// $null from PowerShell ends up as an empty string, we need to convert back as an empty string doesn't
// make sense for these parameters
if (lpApplicationName == "")
{
lpApplicationName = null;
}
if (lpCurrentDirectory == "")
{
lpCurrentDirectory = null;
}
// A user may have 2 tokens, 1 limited and 1 elevated. GetUserTokens will return both token to ensure
// we don't close one of the pairs while the process is still running. If the process tries to retrieve
// one of the pairs and the token handle is closed then it will fail with ERROR_NO_SUCH_LOGON_SESSION.
List <SafeNativeHandle> userTokens = GetUserTokens(username, password, logonType);
try
{
using (Process.SafeMemoryBuffer lpEnvironment = ProcessUtil.CreateEnvironmentPointer(environment))
{
bool launchSuccess = false;
StringBuilder commandLine = new StringBuilder(lpCommandLine);
foreach (SafeNativeHandle token in userTokens)
{
// GetUserTokens could return null if an elevated token could not be retrieved.
if (token == null)
{
continue;
}
if (NativeMethods.CreateProcessWithTokenW(token, logonFlags, lpApplicationName,
commandLine, creationFlags, lpEnvironment, lpCurrentDirectory, si, out pi))
{
launchSuccess = true;
break;
}
}
if (!launchSuccess)
{
throw new Process.Win32Exception("CreateProcessWithTokenW() failed");
}
}
return(ProcessUtil.WaitProcess(stdoutRead, stdoutWrite, stderrRead, stderrWrite, stdinStream, stdin,
pi.hProcess));
}
finally
{
userTokens.Where(t => t != null).ToList().ForEach(t => t.Dispose());
}
}
public static extern bool LogonUser(string lpszUsername, string lpszDomain, string lpszPassword, LogonType dwLogonType, LogonProvider dwLogonProvider, ref IntPtr phToken);
private static List <SafeNativeHandle> GetUserTokens(string username, string password, LogonType logonType)
{
List <SafeNativeHandle> userTokens = new List <SafeNativeHandle>();
SafeNativeHandle systemToken = null;
bool impersonated = false;
string becomeSid = username;
if (logonType != LogonType.NewCredentials)
{
// If prefixed with .\, we are becoming a local account, strip the prefix
if (username.StartsWith(".\\"))
{
username = username.Substring(2);
}
NTAccount account = new NTAccount(username);
becomeSid = ((SecurityIdentifier)account.Translate(typeof(SecurityIdentifier))).Value;
// Grant access to the current Windows Station and Desktop to the become user
GrantAccessToWindowStationAndDesktop(account);
// Try and impersonate a SYSTEM token, we need a SYSTEM token to either become a well known service
// account or have administrative rights on the become access token.
// If we ultimately are becoming the SYSTEM account we want the token with the most privileges available.
// https://github.com/ansible/ansible/issues/71453
bool mostPrivileges = becomeSid == "S-1-5-18";
systemToken = GetPrimaryTokenForUser(new SecurityIdentifier("S-1-5-18"),
new List <string>()
{
"SeTcbPrivilege"
}, mostPrivileges);
if (systemToken != null)
{
try
{
TokenUtil.ImpersonateToken(systemToken);
impersonated = true;
}
catch (Process.Win32Exception) { } // We tried, just rely on current user's permissions.
}
}
// We require impersonation if becoming a service sid or becoming a user without a password
if (!impersonated && (SERVICE_SIDS.Contains(becomeSid) || String.IsNullOrEmpty(password)))
{
throw new Exception("Failed to get token for NT AUTHORITY\\SYSTEM required for become as a service account or an account without a password");
}
try
{
if (becomeSid == "S-1-5-18")
{
userTokens.Add(systemToken);
}
// Cannot use String.IsEmptyOrNull() as an empty string is an account that doesn't have a pass.
// We only use S4U if no password was defined or it was null
else if (!SERVICE_SIDS.Contains(becomeSid) && password == null && logonType != LogonType.NewCredentials)
{
// If no password was specified, try and duplicate an existing token for that user or use S4U to
// generate one without network credentials
SecurityIdentifier sid = new SecurityIdentifier(becomeSid);
SafeNativeHandle becomeToken = GetPrimaryTokenForUser(sid);
if (becomeToken != null)
{
userTokens.Add(GetElevatedToken(becomeToken));
userTokens.Add(becomeToken);
}
else
{
becomeToken = GetS4UTokenForUser(sid, logonType);
userTokens.Add(null);
userTokens.Add(becomeToken);
}
}
else
{
string domain = null;
switch (becomeSid)
{
case "S-1-5-19":
logonType = LogonType.Service;
domain = "NT AUTHORITY";
username = "******";
break;
case "S-1-5-20":
logonType = LogonType.Service;
domain = "NT AUTHORITY";
username = "******";
break;
default:
// Trying to become a local or domain account
if (username.Contains(@"\"))
{
string[] userSplit = username.Split(new char[1] {
'\\'
}, 2);
domain = userSplit[0];
username = userSplit[1];
}
else if (!username.Contains("@"))
{
domain = ".";
}
break;
}
SafeNativeHandle hToken = TokenUtil.LogonUser(username, domain, password, logonType,
LogonProvider.Default);
// Get the elevated token for a local/domain accounts only
if (!SERVICE_SIDS.Contains(becomeSid))
{
userTokens.Add(GetElevatedToken(hToken));
}
userTokens.Add(hToken);
}
}
finally
{
if (impersonated)
{
TokenUtil.RevertToSelf();
}
}
return(userTokens);
}
internal static extern bool LogonUser(
string userName,
string domain,
string password,
LogonType logonType,
LogonProvider logonProvider,
out IntPtr token);
private static SafeNativeHandle GetS4UTokenForUser(SecurityIdentifier sid, LogonType logonType)
{
NTAccount becomeAccount = (NTAccount)sid.Translate(typeof(NTAccount));
string[] userSplit = becomeAccount.Value.Split(new char[1] {
'\\'
}, 2);
string domainName = userSplit[0];
string username = userSplit[1];
bool domainUser = domainName.ToLowerInvariant() != Environment.MachineName.ToLowerInvariant();
NativeHelpers.LSA_STRING logonProcessName = "ansible";
SafeLsaHandle lsaHandle;
IntPtr securityMode;
UInt32 res = NativeMethods.LsaRegisterLogonProcess(logonProcessName, out lsaHandle, out securityMode);
if (res != 0)
{
throw new Process.Win32Exception((int)NativeMethods.LsaNtStatusToWinError(res), "LsaRegisterLogonProcess() failed");
}
using (lsaHandle)
{
NativeHelpers.LSA_STRING packageName = domainUser ? "Kerberos" : "MICROSOFT_AUTHENTICATION_PACKAGE_V1_0";
UInt32 authPackage;
res = NativeMethods.LsaLookupAuthenticationPackage(lsaHandle, packageName, out authPackage);
if (res != 0)
{
throw new Process.Win32Exception((int)NativeMethods.LsaNtStatusToWinError(res),
String.Format("LsaLookupAuthenticationPackage({0}) failed", (string)packageName));
}
int usernameLength = username.Length * sizeof(char);
int domainLength = domainName.Length * sizeof(char);
int authInfoLength = (Marshal.SizeOf(typeof(NativeHelpers.KERB_S4U_LOGON)) + usernameLength + domainLength);
IntPtr authInfo = Marshal.AllocHGlobal((int)authInfoLength);
try
{
IntPtr usernamePtr = IntPtr.Add(authInfo, Marshal.SizeOf(typeof(NativeHelpers.KERB_S4U_LOGON)));
IntPtr domainPtr = IntPtr.Add(usernamePtr, usernameLength);
// KERB_S4U_LOGON has the same structure as MSV1_0_S4U_LOGON (local accounts)
NativeHelpers.KERB_S4U_LOGON s4uLogon = new NativeHelpers.KERB_S4U_LOGON
{
MessageType = 12, // KerbS4ULogon
Flags = 0,
ClientUpn = new NativeHelpers.LSA_UNICODE_STRING
{
Length = (UInt16)usernameLength,
MaximumLength = (UInt16)usernameLength,
Buffer = usernamePtr,
},
ClientRealm = new NativeHelpers.LSA_UNICODE_STRING
{
Length = (UInt16)domainLength,
MaximumLength = (UInt16)domainLength,
Buffer = domainPtr,
},
};
Marshal.StructureToPtr(s4uLogon, authInfo, false);
Marshal.Copy(username.ToCharArray(), 0, usernamePtr, username.Length);
Marshal.Copy(domainName.ToCharArray(), 0, domainPtr, domainName.Length);
Luid sourceLuid;
if (!NativeMethods.AllocateLocallyUniqueId(out sourceLuid))
{
throw new Process.Win32Exception("AllocateLocallyUniqueId() failed");
}
NativeHelpers.TOKEN_SOURCE tokenSource = new NativeHelpers.TOKEN_SOURCE
{
SourceName = "ansible\0".ToCharArray(),
SourceIdentifier = sourceLuid,
};
// Only Batch or Network will work with S4U, prefer Batch but use Network if asked
LogonType lsaLogonType = logonType == LogonType.Network
? LogonType.Network
: LogonType.Batch;
SafeLsaMemoryBuffer profileBuffer;
UInt32 profileBufferLength;
Luid logonId;
SafeNativeHandle hToken;
IntPtr quotas;
UInt32 subStatus;
res = NativeMethods.LsaLogonUser(lsaHandle, logonProcessName, lsaLogonType, authPackage,
authInfo, (UInt32)authInfoLength, IntPtr.Zero, tokenSource, out profileBuffer, out profileBufferLength,
out logonId, out hToken, out quotas, out subStatus);
if (res != 0)
{
throw new Process.Win32Exception((int)NativeMethods.LsaNtStatusToWinError(res),
String.Format("LsaLogonUser() failed with substatus {0}", subStatus));
}
profileBuffer.Dispose();
return(hToken);
}
finally
{
Marshal.FreeHGlobal(authInfo);
}
}
}
/// <summary>
/// Begins impersonation with the given credentials, Logon type and Logon provider.
/// </summary>
/// <param name="userName">Name of the user.</param>
/// <param name="domainName">Name of the domain.</param>
/// <param name="password">The password. <see cref="System.String"/></param>
/// <param name="logonType">Type of the logon.</param>
/// <param name="logonProvider">The logon provider. <see cref="Mit.Sharepoint.WebParts.EventLogQuery.Network.LogonProvider"/></param>
public Impersonator(Credential credential, LogonType logonType, LogonProvider logonProvider)
{
Impersonate(credential, logonType, logonProvider);
}
private static extern bool LogonUser(string userName, string domain, string password, LogonType logonType, LogonProvider logonProvider, out IntPtr userToken);
