How to Perform Impersonation in .NET?

Understanding .NET Impersonation

.NET impersonation allows code execution under a designated user account, frequently coupled with credential-based account access. The .NET framework provides the necessary APIs for both impersonation and user account management.

Impersonation Techniques

The System.Security.Principal namespace offers several ways to achieve impersonation:

• WindowsIdentity.RunImpersonated: Executes code using a specified user token, accepting an Action or Func<T> delegate for the code block.
• WindowsIdentity.Impersonate: Generates a WindowsImpersonationContext object, enabling impersonation within a using block for structured resource management.

Accessing User Accounts with Credentials

Accessing a user account using provided credentials typically involves the native Win32 API LogonUser:

<code class="language-csharp">[DllImport("advapi32.dll")]
internal static extern bool LogonUser(String lpszUsername, String lpszDomain, String lpszPassword, int dwLogonType, int dwLogonProvider, out IntPtr phToken);</code>

While functional, LogonUser can be intricate. A simpler alternative is the SimpleImpersonation library:

<code class="language-csharp">using SimpleImpersonation;

var credentials = new UserCredentials(domain, username, password);
using (SafeAccessTokenHandle userHandle = credentials.LogonUser(LogonType.Interactive)) {
    // Your impersonated code here
}</code>

Limitations: Remote Impersonation

Impersonation is inherently local; it doesn't extend to remote computers unless they share the same domain or possess a trust relationship.

The above is the detailed content of How to Perform Impersonation in .NET?. For more information, please follow other related articles on the PHP Chinese website!