DPAPI and WindowsImpersonationContext and the one that got away...
I've got a small C# Security Application that I'm writing an Editor for. I was hoping to let the user run the application as whoever they choose to, and then use LogonUser to create a WindowsImpersonationContext and log them in as SOMEONE ELSE to do the DPAPI Encryption (because it will be that other user that will be decrypting the data).
I'm using DPAPI with a User Store, not a Machine Store. I've got a managed wrapper for DPAPI that works fine. I've got a Managed ImpersonateUser function that returns a WindowsImpersonationContext and internally uses LogonUser, and it also works fine.
The pseudocode/gist is basically:
Load App
Do some stuff
Load XML File
Call ImpersonateUser (someotherguy) [succeeds, and WindowsIdentity.GetCurrent().Name changes to reflect the change]
Call DPAPI to Encrypt Element Context (this works fine if I DON'T IMPERSONATE...)
ERROR: Win32 Marshal.GetLastWin32Error() reports "The system couldn't find the file specified"
Save File
Call ImpersonationContext.Undo
Exit App
Apparently this is either utterly stupid of me, or no one has ever tried it. All the docs on DPAPI are either highly theoretical ("here's how it works internally") or very trivial ("here's how I used the Machine Store from ASP.NET"). The docs on WindowsImpersonationContext are even worse.
Am I going to just have to make the user do a RunAs to launch my app? (which works fine, BTW) It just would have been so nice to have a "Run As" menu item... thoughts anyone?
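The sequence described in the post (LogonUser, impersonate, encrypt with the DPAPI user store, undo), written out as an added example; this is not the post's own code or its managed wrappers. It assumes the .NET Framework (WindowsIdentity.Impersonate and WindowsImpersonationContext are not available on .NET Core/.NET 5+) and uses ProtectedData from System.Security.dll (.NET 2.0 and later) in place of the author's DPAPI wrapper. One thing the pseudocode above does not do, and that a user-store call under impersonation needs, is load the target user's profile: DPAPI's user-scope master keys live under that user's profile (%APPDATA%\Microsoft\Protect\<SID>), and LogonUser alone does not mount the profile. The example therefore calls LoadUserProfile before impersonating, which means the account running the editor needs the backup/restore privileges that LoadUserProfile requires (in practice, a local administrator). The class name, the `ProtectAs` signature, the `editor-v1` entropy string and the sample XML are all my own choices for illustration.

```csharp
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;
using System.Security.Cryptography;
using System.Security.Principal;
using System.Text;

// Added example (not the post's code): encrypt with the DPAPI user store on behalf of
// another account, so that only that account can decrypt with CurrentUser scope.
static class ImpersonatedDpapi
{
    const int LOGON32_LOGON_INTERACTIVE = 2;
    const int LOGON32_PROVIDER_DEFAULT = 0;

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LogonUser(string user, string domain, string password,
                                 int logonType, int logonProvider, out IntPtr token);

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr handle);

    // PROFILEINFO as defined in userenv.h; hProfile is filled in by LoadUserProfile.
    [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
    struct PROFILEINFO
    {
        public int dwSize;
        public int dwFlags;
        public string lpUserName;
        public string lpProfilePath;
        public string lpDefaultPath;
        public string lpServerName;
        public string lpPolicyPath;
        public IntPtr hProfile;
    }

    [DllImport("userenv.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LoadUserProfile(IntPtr token, ref PROFILEINFO profileInfo);

    [DllImport("userenv.dll", SetLastError = true)]
    static extern bool UnloadUserProfile(IntPtr token, IntPtr profile);

    // Returns a DPAPI blob keyed to `user`'s user-store master key (CurrentUser scope).
    public static byte[] ProtectAs(string domain, string user, string password,
                                   byte[] plaintext, byte[] entropy)
    {
        IntPtr token;
        if (!LogonUser(user, domain, password, LOGON32_LOGON_INTERACTIVE,
                       LOGON32_PROVIDER_DEFAULT, out token))
            throw new Win32Exception(Marshal.GetLastWin32Error(), "LogonUser failed");

        var profile = new PROFILEINFO();
        profile.dwSize = Marshal.SizeOf(typeof(PROFILEINFO));
        profile.lpUserName = user;
        try
        {
            // Load the other user's profile BEFORE impersonating: LoadUserProfile runs with
            // our own (privileged) identity, and the DPAPI user store needs the profile
            // (and its master-key directory) mounted for the token we are about to use.
            if (!LoadUserProfile(token, ref profile))
                throw new Win32Exception(Marshal.GetLastWin32Error(), "LoadUserProfile failed");
            try
            {
                // Dispose() on the context calls Undo(), restoring the editor's own identity.
                using (WindowsImpersonationContext ctx = WindowsIdentity.Impersonate(token))
                {
                    // Sanity check: the thread token really is the other user's now.
                    string who = WindowsIdentity.GetCurrent().Name;
                    if (!who.EndsWith("\\" + user, StringComparison.OrdinalIgnoreCase))
                        throw new InvalidOperationException("impersonation did not take effect: " + who);

                    // CurrentUser scope = the DPAPI user store, bound to the impersonated identity.
                    return ProtectedData.Protect(plaintext, entropy, DataProtectionScope.CurrentUser);
                }
            }
            finally
            {
                UnloadUserProfile(token, profile.hProfile);
            }
        }
        finally
        {
            CloseHandle(token);
        }
    }

    // Usage: ImpersonatedDpapi.exe <domain> <user> <password>
    static void Main(string[] args)
    {
        // Constructed sample input; in the editor this would be the XML element being protected.
        byte[] secret = Encoding.UTF8.GetBytes("<conn>Server=db;Pwd=hunter2</conn>");
        // Optional extra entropy; the decrypting side must supply the same bytes.
        byte[] entropy = Encoding.UTF8.GetBytes("editor-v1");
        byte[] blob = ProtectAs(args[0], args[1], args[2], secret, entropy);
        Console.WriteLine(Convert.ToBase64String(blob));
    }
}
```

The decrypting application, running as that other user with its profile loaded normally, calls ProtectedData.Unprotect(blob, entropy, DataProtectionScope.CurrentUser) with no impersonation at all. Two checks worth keeping when debugging this path: confirm WindowsIdentity.GetCurrent().Name changed (as the post does), and confirm the profile load succeeded, since a failed or skipped LoadUserProfile is what leaves the user-store call with no master-key directory to open.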
About Scott
Scott Hanselman is a former professor, former Chief Architect in finance, now speaker, consultant, father, diabetic, and Microsoft employee. He is a failed stand-up comic, a cornrower, and a book author.