Impersonation - Is this possible?


steve Sweales

I am trying to design a windows forms application (not asp.net) in C#,
and need to know if the following scenario is possible :

Once my application is running I need to be able to impersonate another
user account which will have access to a network drive that the current
user account does not have access to. Is it possible to impersonate the
required user account and map to the drive in code, enabling the current
user to view the required files?

I need to do this so that users can only view/alter files from my
application. All the files will only be accessible via a user account
(which only the admin will know), thus stopping tampering with the files
except via the application.

Can anybody tell me if this is possible, and if it is possible some
example code would be much appreciated.
 
Steve,

You could do this, using the WindowsIdentity class, and the Impersonate
method on that class. However, you would have to store the username and
password somewhere, and that is where it gets tricky. Unless you are
obfuscating your code, it will be easy enough to find out where you are
getting that username and password from.

Check the documentation for the Impersonate method to see how to
impersonate another user.

Hope this helps.
 
Even though the following article says 'asp.net' in the title, it is actually
applicable to what you want to do (impersonate a specific user).

http://support.microsoft.com/kb/306158

Specifically see the section "Impersonate a Specific User in Code", which
PInvokes some logon functions. There are some uphill battles to fight,
however. Like deciding where to store a username and password.

As an alternative, perhaps you could detect if the file has been tampered
with by having the application stamp the file with a cryptographic hash?
 
steve Sweales said:
I am trying to design a windows forms application (not asp.net) in C#,
and need to know if the following scenario is possible :

Once my application is running I need to be able to impersonate another
user account which will have access to a network drive that the current
user account does not have access to. Is it possible to impersonate the
required user account and map to the drive in code, enabling the current
user to view the required files?

I need to do this so that users can only view/alter files from my
application. All the files will only be accessible via a user account
(which only the admin will know), thus stopping tampering with the files
except via the application.

Can anybody tell me if this is possible, and if it is possible some
example code would be much appreciated.

If you are running this in Windows XP I suggest you run the remote file
access code from an EnterpriseServices server type application (COM+).

So you'll have something like this:
1. Your windows forms application running as an interactive user having NO
access to the file share data.
2. An ES (COM+ server type) application running with fixed credentials and
appropriate permissions set for both launch and component access, this
application runs the code to access the file share data.
3. As a bonus you can apply role based security at the ES application so you
can further restrict access based on finer grained usage/access rules.

Note: There is no need to map the share, use UNC paths to access the remote
files.

Willy.
 
Thanks for the feedback.

I have managed to impersonate a user (still haven't given any thought on
where to store the username & password yet) but have run into a problem.

Although I have managed to impersonate a user, I am unable to access the
folder on a server that the user should have access to. Does the fact
that our network uses Novell have any bearing on this? For me to map to
the folder, I am required to authenticate via Novell.
 
See inline ***

Willy.

steve Sweales said:
Thanks for the feedback.

I have managed to impersonate a user (still haven't given any thought on
where to store the username & password yet) but have run into a problem.
*** What problem exactly, and how are you impersonating?
Please post some code.
 