Impersonation Fails using valid credentials

Question

4.75/5 (4 votes)

See more:

Hello Everybody

I'm writing an application that allows to impersonate a user if required.
However, the impersonation keeps failing with message: "Logon failure: unknown user name or bad password".
Even the error sounds pretty clear, it can't be the case, cause the credentials are valid and I'm able to logon to the domain using the given credentials. I also tried different examples, which return the same error

MSDN Example[^]
or
A Complete Impersonation Demo in C#.NET[^]
or
User Impersonation in .NET[^]

Can anybody point-out what I'm doing wrong? The machine I'm testing on it not joined to any domain though. Could that be the problem?

Here's the code I'm using:

C#

public Impersonation(string domain, string username, string password, LogonType LOGON_TYPE, LogonProvider LOGON_PROVIDER)
        {
            bool ok = LogonUser(username, domain, password, (int)LOGON_TYPE, (int)LOGON_PROVIDER, out this._handle);
            if (!ok)
            {
                int ret = Marshal.GetLastWin32Error();
                throw new System.ComponentModel.Win32Exception(ret);
            }

            this._context = WindowsIdentity.Impersonate(this._handle.DangerousGetHandle());
        }

        public void Dispose()
        {
            this._context.Dispose();
            this._handle.Dispose();
        }

        [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
        private static extern bool LogonUser(String lpszUsername, String lpszDomain, String lpszPassword, int dwLogonType, int dwLogonProvider, out SafeTokenHandle phToken);

The calling method:

C#

try
            {
                _slImpersonation = new Impersonation(tbx_Domain.Text, tbx_UserName.Text, tbx_Password.Text, LogonType.LOGON32_LOGON_INTERACTIVE, LogonProvider.LOGON32_PROVIDER_DEFAULT);
                toolStripStatusLabel1.Text = "Impersonation succeeded";
                _slImpersonation.Dispose();
                _slImpersonation = null;
            }
            catch (Exception exp)
            {
                toolStripStatusLabel1.Text = "Impersonation failed";
                MessageBox.Show(this, exp.Message, "Error", MessageBoxButtons.OK);
                _slImpersonation = null;
                toolStripStatusLabel1.Text = "";
            }

Can anybody explain why this keeps failing although the credentials are valid?

Thanks very much for your answers

Posted 4-Feb-13 4:20am

genese1977

Updated 4-Feb-13 6:31am

v3

Add a Solution

Comments

CHill60 4-Feb-13 10:50am

For a starter - put a breakpoint on bool ok = LogonUser(username, domain, password, (int)LOGON_TYPE, (int)LOGON_PROVIDER, out this._handle); and run in debug mode. Check that the user details are really what you think they are

genese1977 4-Feb-13 10:57am

Hi CHill60, I did that again, to verify and yes the credentials are as they should be. I also tried another set which also fails.
Interesting enough if I change the calling method to
_slImpersonation = new Impersonation(tbx_Domain.Text, tbx_UserName.Text, tbx_Password.Text, LogonType.LOGON32_LOGON_NEW_CREDENTIALS, LogonProvider.LOGON32_PROVIDER_DEFAULT);
it always succeeds even when providing wrong credentials. This is really wired.

CHill60 4-Feb-13 12:05pm

Agree it's weird! Also agree with Marco - well formed question. This might come down to some environment "feature" ... what platform are you running on?

Marco Bertschi 4-Feb-13 11:22am

Eventhough I don't know the answer, I like to congrat you because of the good formatted question which has a good code sample!

genese1977 4-Feb-13 12:22pm

Thanks for the compliment guys!
@CHill60: This might come down to some environment "feature"
Well this is an Microsoft active directory. ADS is of version 2k8. The machine I'm testing on is not part of any domain but member of "workgroup".

Trying to impersonate against a different domain behaves the same. I even ran the application as local administrator and it still failed. This thing is driving me nuts :)

Is there additional logging one could turn on to better troubleshoot this issue?
Thanks very much for you help.

Zoltán Zörgő 4-Feb-13 12:25pm

Makes little sense, but try using string scalar type instead of String class in the DllImport section. Can happen, that if you don't specify mashal type, the automatic marshaling method is making wrong assumptions. The correct usage is here: http://www.pinvoke.net/default.aspx/advapi32.logonuser

genese1977 4-Feb-13 12:35pm

Thanks for your hints. I'll read through the link provided and give it a try.

genese1977 4-Feb-13 13:13pm

- Changing String to string did not change anything
- Following the article provided still throw error 1326
- commenting out
int ret = Marshal.GetLastWin32Error();
throw new System.ComponentModel.Win32Exception(ret)
causes the impersonation to always succeed, even if the credentials are wrong.
I'm really wondering if I should go with unmanaged C++ to solve this (although won't make much sense to me)

Add your solution here

Treat my content as plain text, not as HTML

Preview 0

…

Existing Members

Sign in to your account

...or Join us

Download, Vote, Comment, Publish.

Your Email
Password
Forgot your password?

Your Email
This email is in use. Do you need your password?
Optional Password

I have read and agree to the Terms of Service and Privacy Policy
Please subscribe me to the CodeProject newsletters

When answering a question please:

Read the question carefully.
Understand that English isn't everyone's first language so be lenient of bad spelling and grammar.
If a question is poorly phrased then either ask for clarification, ignore it, or edit the question and fix the problem. Insults are not welcome.
Don't tell someone to read the manual. Chances are they have and don't get it. Provide an answer or move on to the next question.

Let's work to help developers, not make them feel stupid.

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)