DotNetNewsgroup.com  
web access to complete list of Microsoft.NET newsgroups
start date: Wed, 27 Jun 2007 01:06:10 -0700, posted on: microsoft.public.dotnet.framework.aspnet.webservices


Impersonation and switching back to ASPNET user privileges
Hi

In my webservice, for certain requests, I need to start another
process on the server side.
To start my process, I need to have administrative rights, so I'm
using the impersonation mechanism using a predefined fixed user
account on the server machine.
All works fine, no problem, but after the process starts, I need to
"revert" to ASPNET or NETWORK SERVICES user account privileges. This
part is what I'm missing.

To impersonate, I'm using this code:

public static bool impersonateValidUser(String userName, String domain, String password) {
	WindowsIdentity tempWindowsIdentity;
	IntPtr token = IntPtr.Zero;
	IntPtr tokenDuplicate = IntPtr.Zero;

	if (WinAPI.RevertToSelf()) {
		if (WinAPI.LogonUserA(userName, domain, password,
			WinAPI.LOGON32_LOGON_INTERACTIVE,
			WinAPI.LOGON32_PROVIDER_DEFAULT, ref token) != 0) {
			if (WinAPI.DuplicateToken(token, 2, ref tokenDuplicate) != 0) {
				tempWindowsIdentity = new WindowsIdentity(tokenDuplicate);
				impersonationContext = tempWindowsIdentity.Impersonate();
				if (impersonationContext != null) {
					WinAPI.CloseHandle(token);
					WinAPI.CloseHandle(tokenDuplicate);
					return true;
				}
			}
		}
	}
	if (token != IntPtr.Zero)
		WinAPI.CloseHandle(token);
	if (tokenDuplicate != IntPtr.Zero)
		WinAPI.CloseHandle(tokenDuplicate);
	return false;
}

I tried using the above method like this:

//save current user account:
string name = Environment.UserName;
string domain = Environment.UserDomainName;

bool b = impersonateValidUser("admin_user", "domain", "pass");
//b gets the value of true, so impersonation succeeded
//now, start the process
.....
//succeeded
//trying to revert to previous user account (ASPNET or NETWORK SERVICES for server systems):
b = impersonateValidUser(name, domain, string.Empty);
//b is false - it seems that the ASPNET has a default password (?)

Any ideas? Thanks.
Date:Wed, 27 Jun 2007 01:06:10 -0700   Author:  

Re: Impersonation and switching back to ASPNET user privileges
I think I found my answer.
Calling WinAPI.RevertToSelf() after finishing all operations that
required impersonation seems to work.



Date:Wed, 27 Jun 2007 01:11:27 -0700   Author:  
