Create remote object with specified credentials.

[Guest]

Hi everyone,

Currently I am working on an application that will perform a remote scan of
a specified server using the following code:

Type t = Type.GetTypeFromProgID( "Microsoft.Update.Session", "proact" );
UpdateSession UpdSess = (UpdateSession) Activator.CreateInstance(t);

This code works quite well, as long as the user you are currently
authenticated to also has administrative access on the target device. This
won't always be the case, so I need to be able to prompt the user for a name
and password on the target server to use instead.

What is the best way to do this?

John.
PS: I'm fairly new to this whole remote object game, so if there is a
'better' way to hook into the Windows Update Agent, please let me know.

 

[Nicholas Paldino [.NET/C# MVP]]

Heliotic,

You can make a call to LogonUser through the P/Invoke layer to get a
user token for a user (given a username and password). When you have that
token, you can pass it to the constructor or Impersonate method on the
WindowsIdentity class to impersonate that user. It will return to you a
WindowsImpersonationContext instance which you then must call Undo upon to
revert back to the the original user identity.

You would then place your call to Activator.CreateInstance in between
the call to Impersonate and Undo.

Check the "about" documentation for the WindowsImpersonationContext
class for an example of the calls you need to make.

Hope this helps.

 

[Guest]

Thanks Nicholas,

I finally have it authenticating to the remote server (which is a great
relief, since the helpfile explicitly states that LogonUser can't provide
this functionality)

However I continue to get access denied when I try to instance the object. I
know the authentication code is working, because I replaced the COM code with
some code to copy a file, and it worked fine.

Here is the code I am currently using (apologies for the spam):

IntPtr tokenHandle = new IntPtr(0);
IntPtr dupeTokenHandle = new IntPtr(0);

string userName = txtUserName.Text, domainName = txtDomain.Text, password
= txtPassword.Text;

const int LOGON32_PROVIDER_WINNT50 = 3;
const int LOGON32_LOGON_NEW_CREDENTIALS = 9;
const int SecurityDelegation = 3;

tokenHandle = IntPtr.Zero;
dupeTokenHandle = IntPtr.Zero;

// Call LogonUser to obtain a handle to an access token.
bool returnValue = LogonUser(userName, domainName, password,
LOGON32_LOGON_NEW_CREDENTIALS, LOGON32_PROVIDER_WINNT50, ref tokenHandle);

if (returnValue == false)
{
int ret = Marshal.GetLastWin32Error();
MessageBox.Show("LogonUser failed with error code : "+ ret.ToString() );
MessageBox.Show("\nError: "+ ret.ToString() +" ,"+ GetErrorMessage(ret));
int errorCode = 0x5; //ERROR_ACCESS_DENIED
throw new System.ComponentModel.Win32Exception(errorCode);
return;
}

MessageBox.Show("Did LogonUser Succeed? " + returnValue.ToString() );
MessageBox.Show("Value of Windows NT token: " + tokenHandle.ToString() );

bool retVal = DuplicateToken(tokenHandle, SecurityDelegation, ref
dupeTokenHandle);

if (false == retVal)
{
CloseHandle(tokenHandle);
Console.WriteLine("Exception thrown in trying to duplicate token.");

return;
}

//Impersonation.
MessageBox.Show("Before impersonation: " +
WindowsIdentity.GetCurrent().Name);

WindowsIdentity newId = new WindowsIdentity(dupeTokenHandle);
WindowsImpersonationContext impersonatedUser = newId.Impersonate();

MessageBox.Show("After impersonation: " +
WindowsIdentity.GetCurrent().Name);


Type t = Type.GetTypeFromProgID( "Microsoft.Update.Session",
txtDomain.Text );

UpdateSession UpdSess = (UpdateSession) Activator.CreateInstance(t);

IUpdateSearcher UpdSrch = UpdSess.CreateUpdateSearcher();
ISearchResult sr = UpdSrch.Search("IsInstalled=0 and Type='Software'");
MessageBox.Show( "Found "+ sr.Updates.Count.ToString() + " updates" );

foreach( IUpdate temp in sr.Updates )
MessageBox.Show( temp.Description.ToString() );

impersonatedUser.Undo();

// Free the tokens.
if (tokenHandle != IntPtr.Zero)
CloseHandle(tokenHandle);

if (dupeTokenHandle != IntPtr.Zero)
CloseHandle(dupeTokenHandle);
return;


The other strange thing I've noticed is that the 'after impersonation'
message still displays my local userid instead of the remote one. (Even when
the copy worked successfully).

In my searching, I've come across some references to a feature within COM
where it will ignore impersonated access. Does that apply here? If so, is
there a way to bypass it?

Heliotic,

You can make a call to LogonUser through the P/Invoke layer to get a
user token for a user (given a username and password). When you have that
token, you can pass it to the constructor or Impersonate method on the
WindowsIdentity class to impersonate that user. It will return to you a
WindowsImpersonationContext instance which you then must call Undo upon to
revert back to the the original user identity.

You would then place your call to Activator.CreateInstance in between
the call to Impersonate and Undo.

Check the "about" documentation for the WindowsImpersonationContext
class for an example of the calls you need to make.

Hope this helps.

--
- Nicholas Paldino [.NET/C# MVP]
- (e-mail address removed)

Hi everyone,

Currently I am working on an application that will perform a remote scan
of
a specified server using the following code:

Type t = Type.GetTypeFromProgID( "Microsoft.Update.Session", "proact" );
UpdateSession UpdSess = (UpdateSession) Activator.CreateInstance(t);

This code works quite well, as long as the user you are currently
authenticated to also has administrative access on the target device. This
won't always be the case, so I need to be able to prompt the user for a
name
and password on the target server to use instead.

What is the best way to do this?

John.
PS: I'm fairly new to this whole remote object game, so if there is a
'better' way to hook into the Windows Update Agent, please let me know.

 

[Willy Denoyette [MVP]]

Thanks Nicholas,

I finally have it authenticating to the remote server (which is a great
relief, since the helpfile explicitly states that LogonUser can't provide
this functionality)

However I continue to get access denied when I try to instance the object.
I
know the authentication code is working, because I replaced the COM code
with
some code to copy a file, and it worked fine.

Here is the code I am currently using (apologies for the spam):

IntPtr tokenHandle = new IntPtr(0);
IntPtr dupeTokenHandle = new IntPtr(0);

string userName = txtUserName.Text, domainName = txtDomain.Text, password
= txtPassword.Text;

const int LOGON32_PROVIDER_WINNT50 = 3;
const int LOGON32_LOGON_NEW_CREDENTIALS = 9;
const int SecurityDelegation = 3;

tokenHandle = IntPtr.Zero;
dupeTokenHandle = IntPtr.Zero;

// Call LogonUser to obtain a handle to an access token.
bool returnValue = LogonUser(userName, domainName, password,
LOGON32_LOGON_NEW_CREDENTIALS, LOGON32_PROVIDER_WINNT50, ref tokenHandle);

if (returnValue == false)
{
int ret = Marshal.GetLastWin32Error();
MessageBox.Show("LogonUser failed with error code : "+ ret.ToString() );
MessageBox.Show("\nError: "+ ret.ToString() +" ,"+ GetErrorMessage(ret));
int errorCode = 0x5; //ERROR_ACCESS_DENIED
throw new System.ComponentModel.Win32Exception(errorCode);
return;
}

MessageBox.Show("Did LogonUser Succeed? " + returnValue.ToString() );
MessageBox.Show("Value of Windows NT token: " + tokenHandle.ToString() );

bool retVal = DuplicateToken(tokenHandle, SecurityDelegation, ref
dupeTokenHandle);

if (false == retVal)
{
CloseHandle(tokenHandle);
Console.WriteLine("Exception thrown in trying to duplicate token.");

return;
}

//Impersonation.
MessageBox.Show("Before impersonation: " +
WindowsIdentity.GetCurrent().Name);

WindowsIdentity newId = new WindowsIdentity(dupeTokenHandle);
WindowsImpersonationContext impersonatedUser = newId.Impersonate();

MessageBox.Show("After impersonation: " +
WindowsIdentity.GetCurrent().Name);


Type t = Type.GetTypeFromProgID( "Microsoft.Update.Session",
txtDomain.Text );

UpdateSession UpdSess = (UpdateSession) Activator.CreateInstance(t);

IUpdateSearcher UpdSrch = UpdSess.CreateUpdateSearcher();
ISearchResult sr = UpdSrch.Search("IsInstalled=0 and Type='Software'");
MessageBox.Show( "Found "+ sr.Updates.Count.ToString() + " updates" );

foreach( IUpdate temp in sr.Updates )
MessageBox.Show( temp.Description.ToString() );

impersonatedUser.Undo();

// Free the tokens.
if (tokenHandle != IntPtr.Zero)
CloseHandle(tokenHandle);

if (dupeTokenHandle != IntPtr.Zero)
CloseHandle(dupeTokenHandle);
return;


The other strange thing I've noticed is that the 'after impersonation'
message still displays my local userid instead of the remote one. (Even
when
the copy worked successfully).

1. That's normal, LOGON32_LOGON_NEW_CREDENTIALS returns a token that uses
the credentials specified to access the network only, the current thread
token remains the same. Please read the docs. on LogonUser carefully.
2. Initializing DCOM security and impersonating when accessing remote
network shares are diferent beasts, the reason for this is that DCOM
security is initialized by the CLR (by calling CoInitializeSecurity) to use
the process credentials by default. So the reason why it fails is because
the default process security blanket is used when calling into COM/DCOM, If
you wan't to apply different security setings for the process you'll have to
call CoInitializeSecurity very early in the process (at least before your
first call into COM/DCOM).


Willy.

 

[Guest]

1. That's normal, LOGON32_LOGON_NEW_CREDENTIALS returns a token that uses
the credentials specified to access the network only, the current thread
token remains the same. Please read the docs. on LogonUser carefully.
2. Initializing DCOM security and impersonating when accessing remote
network shares are diferent beasts, the reason for this is that DCOM
security is initialized by the CLR (by calling CoInitializeSecurity) to use
the process credentials by default. So the reason why it fails is because
the default process security blanket is used when calling into COM/DCOM, If
you wan't to apply different security setings for the process you'll have to
call CoInitializeSecurity very early in the process (at least before your
first call into COM/DCOM).


Willy.