WindowsIdentity.Impersonate Method (IntPtr)
Assembly: mscorlib (in mscorlib.dll)
public static WindowsImpersonationContext Impersonate ( IntPtr userToken )
public static function Impersonate ( userToken : IntPtr ) : WindowsImpersonationContext
Not applicable.
Parameters
- userToken
The handle of a Windows account token. This token is usually retrieved through a call to unmanaged code, such as a call to the Win32 API LogonUser function. For more information on calls to unmanaged code, see Consuming Unmanaged DLL Functions.
Return Value
A WindowsImpersonationContext object that represents the Windows user prior to impersonation; this object can be used to revert to the original user's context.On Windows NT platforms, the current user must have sufficient rights to allow impersonation.
Note: |
|---|
| Calling the Impersonate(IntPtr) method with a userToken value of Zero is equivalent to calling the Win32 RevertToSelf function. If another user is currently being impersonated, control reverts to the original user. |
The following complete example demonstrates how to obtain a Windows account token by calling the unmanaged Win32 API LogonUser function, and how to use that token to impersonate another user and then revert to the original identity.
// This sample demonstrates the use of the WindowsIdentity class to impersonate a user. // IMPORTANT NOTES: // This sample can be run only on Windows XP. The default Windows 2000 security policy // prevents this sample from executing properly, and changing the policy to allow // proper execution presents a security risk. // This sample requests the user to enter a password on the console screen. // Because the console window does not support methods allowing the password to be masked, // it will be visible to anyone viewing the screen. // The sample is intended to be executed in a .NET Framework 1.1 environment. To execute // this code in a 1.0 environment you will need to use a duplicate token in the call to the // WindowsIdentity constructor. See KB article Q319615 for more information. #using <System.dll> using namespace System; using namespace System::Runtime::InteropServices; using namespace System::Security::Principal; using namespace System::Security::Permissions; [assembly:SecurityPermissionAttribute(SecurityAction::RequestMinimum,UnmanagedCode=true)]; [assembly:PermissionSetAttribute(SecurityAction::RequestMinimum,Name="FullTrust")]; [DllImport("advapi32.dll",SetLastError=true)] bool LogonUser( String^ lpszUsername, String^ lpszDomain, String^ lpszPassword, int dwLogonType, int dwLogonProvider, IntPtr * phToken ); [DllImport("kernel32.dll",CharSet=System::Runtime::InteropServices::CharSet::Auto)] int FormatMessage( int dwFlags, IntPtr * lpSource, int dwMessageId, int dwLanguageId, interior_ptr<String^> lpBuffer, int nSize, IntPtr * Arguments ); [DllImport("kernel32.dll",CharSet=CharSet::Auto)] bool CloseHandle( IntPtr handle ); [DllImport("advapi32.dll",CharSet=CharSet::Auto,SetLastError=true)] bool DuplicateToken( IntPtr ExistingTokenHandle, int SECURITY_IMPERSONATION_LEVEL, IntPtr * DuplicateTokenHandle ); // Test harness. // If you incorporate this code into a DLL, be sure to demand FullTrust. [PermissionSetAttribute(SecurityAction::Demand,Name="FullTrust")] int main() { IntPtr tokenHandle = IntPtr(0); IntPtr dupeTokenHandle = IntPtr(0); try { String^ userName; String^ domainName; // Get the user token for the specified user, domain, and password using the // unmanaged LogonUser method. // The local machine name can be used for the domain name to impersonate a user on this machine. Console::Write( "Enter the name of the domain on which to log on: " ); domainName = Console::ReadLine(); Console::Write( "Enter the login of a user on {0} that you wish to impersonate: ", domainName ); userName = Console::ReadLine(); Console::Write( "Enter the password for {0}: ", userName ); const int LOGON32_PROVIDER_DEFAULT = 0; //This parameter causes LogonUser to create a primary token. const int LOGON32_LOGON_INTERACTIVE = 2; const int SecurityImpersonation = 2; tokenHandle = IntPtr::Zero; // Call LogonUser to obtain a handle to an access token. bool returnValue = LogonUser( userName, domainName, Console::ReadLine(), LOGON32_LOGON_INTERACTIVE, LOGON32_PROVIDER_DEFAULT, &tokenHandle ); Console::WriteLine( "LogonUser called." ); if ( false == returnValue ) { int ret = Marshal::GetLastWin32Error(); Console::WriteLine( "LogonUser failed with error code : {0}", ret ); throw gcnew System::ComponentModel::Win32Exception( ret ); } Console::WriteLine( "Did LogonUser Succeed? {0}", (returnValue ? (String^)"Yes" : "No") ); Console::WriteLine( "Value of Windows NT token: {0}", tokenHandle ); // Check the identity. Console::WriteLine( "Before impersonation: {0}", WindowsIdentity::GetCurrent()->Name ); // The token that is passed to the following constructor must // be a primary token in order to use it for impersonation. WindowsIdentity^ newId = gcnew WindowsIdentity( tokenHandle ); WindowsImpersonationContext^ impersonatedUser = newId->Impersonate(); // Check the identity. Console::WriteLine( "After impersonation: {0}", WindowsIdentity::GetCurrent()->Name ); // Stop impersonating the user. impersonatedUser->Undo(); // Check the identity. Console::WriteLine( "After Undo: {0}", WindowsIdentity::GetCurrent()->Name ); // Free the tokens. if ( tokenHandle != IntPtr::Zero ) CloseHandle( tokenHandle ); } catch ( Exception^ ex ) { Console::WriteLine( "Exception occurred. {0}", ex->Message ); } }
- SecurityPermission for ability to manipulate the principal object. Associated enumeration: SecurityPermissionFlag.ControlPrincipal.
Windows Server 2000 SP4, Windows Millennium Edition, Windows Server 2003, Windows XP Media Center Edition, Windows XP Professional x64 Edition, Windows XP SP2, Windows XP Starter Edition
The Microsoft .NET Framework 3.0 is supported on Windows Vista, Microsoft Windows XP SP2, and Windows Server 2003 SP1.
Note: