Privileges of an Application - c#

Is there a way to get the privileges associated with a C# program? If yes, how?
I know that in C, you have to create a token and make use of the GetTokenInformation() method to get information about the token.
Is there something similar in C#?

My C# is a little rusty, but if I remember correctly this does the trick:
WindowsIdentity windowsIdentity = WindowsIdentity.GetCurrent();
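An added example, not part of the original answer: the `Token` property of the `WindowsIdentity` returned above is the access token handle, so the `GetTokenInformation()` call mentioned in the question can be reached through P/Invoke to list the privileges that token holds. The class name `TokenPrivilegeList` is an assumption made for this example.

```csharp
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;
using System.Security.Principal;
using System.Text;

static class TokenPrivilegeList   // hypothetical name, not from the page
{
    const int TokenPrivileges = 3;              // TOKEN_INFORMATION_CLASS value
    const uint SE_PRIVILEGE_ENABLED = 0x2;

    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool GetTokenInformation(IntPtr token, int infoClass,
        IntPtr info, int length, out int returnLength);

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LookupPrivilegeName(string systemName, IntPtr luid,
        StringBuilder name, ref int nameLength);

    static void Main()
    {
        using (WindowsIdentity identity = WindowsIdentity.GetCurrent())
        {
            int size;
            // The first call fails by design and reports the buffer size needed.
            GetTokenInformation(identity.Token, TokenPrivileges, IntPtr.Zero, 0, out size);
            IntPtr buffer = Marshal.AllocHGlobal(size);
            try
            {
                if (!GetTokenInformation(identity.Token, TokenPrivileges, buffer, size, out size))
                    throw new Win32Exception(Marshal.GetLastWin32Error());
                // TOKEN_PRIVILEGES = DWORD count, then 12-byte LUID_AND_ATTRIBUTES entries.
                int count = Marshal.ReadInt32(buffer);
                for (int i = 0; i < count; i++)
                {
                    IntPtr entry = IntPtr.Add(buffer, 4 + i * 12);
                    uint attributes = (uint)Marshal.ReadInt32(entry, 8);
                    int length = 256;
                    var name = new StringBuilder(length);
                    if (!LookupPrivilegeName(null, entry, name, ref length))
                        throw new Win32Exception(Marshal.GetLastWin32Error());
                    Console.WriteLine("{0,-45} {1}", name,
                        (attributes & SE_PRIVILEGE_ENABLED) != 0 ? "enabled" : "disabled");
                }
            }
            finally { Marshal.FreeHGlobal(buffer); }
        }
    }
}
```

If the calling thread is impersonating, `WindowsIdentity.GetCurrent()` returns the thread token, so the list reflects the impersonated user rather than the process account.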

Related

MVC Active Directory Membership

I am trying to make use of the active directory membership rather than SQL but there is very limited documentation available online. I have managed to connect my application to the domain controller without any problems but when you use "Context.User.Identity.Name" it comes up with DOMAIN\User. I want to basically drill down and get information such as full name, e-mail address, etc.
I just need a useful link and the searching I have done doesn't appear to have got me anywhere!
Many thanks
This should give you a bit of a clue: http://msdn.microsoft.com/en-us/library/ms973834.aspx
and here is a list of LDAP properties that you might want to play around with in the search result: http://www.computerperformance.co.uk/Logon/LDAP_attributes_active_directory.htm
Have you tried with this doc?
http://msdn.microsoft.com/en-US/library/system.web.security.activedirectorymembershipprovider%28v=vs.90%29.aspx
Can it help?
If you are making use of Active Directory then you are likely using Windows Authentication. If so, all you need to do is:
Reference System.DirectoryServices.AccountManagement
In code (perhaps a controller action or model constructor)
// establishes your domain as the context for your user lookup
var principalContext = new PrincipalContext(ContextType.Domain, "domainName");
// gets the current user's UserPrincipal object (null if no match is found)
var userPrincipal = UserPrincipal.FindByIdentity(principalContext, User.Identity.Name);
// example
var email = userPrincipal.EmailAddress;
Note:
This works because Windows Authentication means User.Identity on the current HttpContext is a WindowsIdentity and thus its Name property can be used to search AD.
You aren't limited to looking up the current user. You can use FindByIdentity() to search any value passed, and this method exists on other principals (ex. GroupPrincipal). You can also designate you wish to search by another type such as SID instead of Name.
Enjoy!

System.Security.Principal.WindowsIdentity and WinForms Authentication

I'd like to utilize the Windows Authentication Model for authenticating users that use my C# 3.5 WinForms application:
The user that has logged on Windows is automatically logged in to my application.
If the user wants to log in explicitly, his user name and password should be checked by Windows, or even better, prompted by Windows with a standard Windows Dialog. The outcome should be another WindowsIdentity object.
The first was very easy to solve a long time ago: I read the
WindowsIdentity identity = WindowsIdentity.GetCurrent();
Just to make sure, I check for the
if (identity.IsAuthenticated) { ... }
For the second case I've found some API calls in other SO Q&A's, but I'm pretty sure there must be a managed way for that, am I wrong?
Further I wonder whether my approach for 1. is safe and appropriate. Thanks for your feedback!
Update: According to Ivan, I have to use the P/Invoke approach. This is basically alright, but then I still need a way to retrieve a WindowsIdentity object for that certain user, which has its IsAuthenticated property set to true. The P/Invoke call in itself doesn't return such an object. How can this be done?
I am not certain about this but it looks like you want to use the WindowsIdentity Ctor that takes an IntPtr. To get the parameter that is passed into this constructor you can PInvoke the Win32 API LogonUser() function. This will give you a WindowsIdentity for this user.
There is no managed way of doing this, you have to do pinvoke (api call) as you said. Approach #1 is totally ok ... trust Microsoft :)

How to Get and Change Windows Credential Username and Password

I want to write an application in C# using WMI that can get and change Windows credential stored in the Windows Credential Manager, as you see in the picture below:
Ookii.Dialogs contains a credential dialog, which calls into CredUIPromptForCredentials or CredUIPromptForWindowsCredentials as appropriate.
Edit: The Credentials API is detailed at http://msdn.microsoft.com/en-us/library/aa374731%28v=VS.85%29.aspx#credentials_management_ui_functions - but it could be tricky to implement from managed code. After CredUIPromptForWindowsCredentials you would call CredWrite to save the credentials.
Edit: Misunderstood the original question since the pic wasn't visible.
I'm not sure if you can do what you want via WMI. However, I think it might be possible using the DPAPI, but the documentation for that doesn't seem to make it very easy. However, there is an opensource project called NCrypto that has a class called UICredentialsHelper which might show you how to do it, or at least how to get started.
There is no Windows API to get a user's password. Passwords are not stored in Windows. Instead Windows stores a one-way hashed version.
You can get the username using WindowsIdentity.GetCurrent(). Alternatively you can get the logged in user name via the Environment.UserName property.
Although to change credentials..... good luck :) That's my best answer on that. I don't think Microsoft would ever give us the ability to do that.
[void][Windows.Security.Credentials.PasswordVault,Windows.Security.Credentials,ContentType=WindowsRuntime]
(new-object Windows.Security.Credentials.PasswordVault).RetrieveAll() | % { $_.RetrievePassword(); $_ }

How to get Windows user name using different methods?

In .NET, there appear to be several ways to get the current Windows user name. Three of which are:
string name = WindowsIdentity.GetCurrent().Name;
or
string name = Thread.CurrentPrincipal.Identity.Name;
or
string name = Environment.UserName;
What's the difference, and why choose one method over the other? Are there any other ways?
Environment.UserName calls GetUserName within advapi32.dll. This means that if you're impersonating another user, this property will reflect that.
Thread.CurrentPrincipal has a setter and can be changed programmatically. (This is not impersonation btw.)
WindowsIdentity is your current windows identity, if any. It will not necessarily reflect the user, think ASP.NET with FormsAuthentication. Then the WindowsIdentity will be the NT-service, but the FormsIdentity will be the logged in user. There's also a PassportIdentity, and you can build your own stuff to complicate things further.
You asked for alternative ways.
Of course, you can always use the native Windows API: GetUserName.
I believe the property was put in several places so that it would be easier for the programmer to find. There's only one logged in user, and only one respective name.
The three methods are described as follows:
HttpContext = HttpContext.Current.User, which returns an IPrincipal object that contains security information for the current Web request. This is the authenticated Web client.
WindowsIdentity = WindowsIdentity.GetCurrent(), which returns the identity of the security context of the currently executing Win32 thread.
Thread = Thread.CurrentPrincipal which returns the principal of the currently executing .NET thread which rides on top of the Win32 thread.
And they change in result depending on your IIS configuration as explained in this article:
http://msdn.microsoft.com/en-us/library/aa302377.aspx

How to get ICredential of running user in asp.net

How do I get an ICredential object within my web application?
I use Windows Authentication
I tried using the following code:
WindowsImpersonationContext securityContext =
Request.LogonUserIdentity.Impersonate();
After the last line of code both: CredentialCache.DefaultCredentials and CredentialCache.DefaultNetworkCredentials are still empty.
I know that the identity is right because the following property shows the right domain\user account I'm using:
Request.LogonUserIdentity.Name => "domain\user"
This is the authentication type of that object:
Request.LogonUserIdentity.AuthenticationType => "NTLM"
In order to get an ICredential implementation of the user, you first need to get a hold of the WindowsIdentity for the user (e.g. through Page.User.Identity). With the WindowsIdentity object you can impersonate the user. After successful impersonation you can get a hold of the credentials for the user through CredentialCache.DefaultCredentials.
The question now is, what do you want to do with the credentials? If you want to use those credentials to access some resource on a different server you'd probably have to have Kerberos delegation enabled to allow the server hop. I wouldn't know how to do that :-)
What do you need it for?
You can retrieve the username from System.Threading.Thread.CurrentPrincipal.Identity
