Impersonate applicationpoolidentity

Question

I want the ability to impersonate any possible application pool identity from an installer. I can  do it for NetworkService and LocalService but I can't do it for applicationpoolIdentity "IIS APPPOOL\<apppool name>". I get LogonUser failed with error code : 1311. Exception occurred. There are currently no logon servers available to service the logon request.

I am using code ripped from the WindowsIdentity docs run as an Nunit test called from psexec -s to execute as SYSTEM.

  using System;
    using System.Runtime.InteropServices;
    using System.Security.Principal;
    using System.Security.Permissions;
    using Microsoft.Win32.SafeHandles;
    using System.Runtime.ConstrainedExecution;
    using System.Security;
    using NUnit.Framework;


    public class ImpersonationDemo
    {
        [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
        public static extern bool LogonUser(String lpszUsername, String lpszDomain, String lpszPassword,
            int dwLogonType, int dwLogonProvider, out SafeTokenHandle phToken);

        [DllImport("kernel32.dll", CharSet = CharSet.Auto)]
        public extern static bool CloseHandle(IntPtr handle);

        // Test harness.
        // If you incorporate this code into a DLL, be sure to demand FullTrust.
        [PermissionSetAttribute(SecurityAction.Demand, Name = "FullTrust")]
        [Test]
        public void Main()
        {
            SafeTokenHandle safeTokenHandle;
            try
            {
                string userName, domainName;
                // Get the user token for the specified user, domain, and password using the
                // unmanaged LogonUser method.
                // The local machine name can be used for the domain name to impersonate a user on this machine.
                domainName = "IIS APPPOOL";

                userName = "ASP.NET v4.0";


                const int LOGON32_PROVIDER_DEFAULT = 0;
                //This parameter causes LogonUser to create a primary token.
                const int LOGON32_LOGON_INTERACTIVE = 2;

                const int LOGON32_SERVICE = 5;

                // Call LogonUser to obtain a handle to an access token.
                bool returnValue = LogonUser(userName, domainName, null,
                    LOGON32_SERVICE, LOGON32_PROVIDER_DEFAULT,
                    out safeTokenHandle);


                if (false == returnValue)
                {
                    int ret = Marshal.GetLastWin32Error();
                    Console.WriteLine("LogonUser failed with error code : {0}", ret);
                    throw new System.ComponentModel.Win32Exception(ret);
                }
                using (safeTokenHandle)
                {

                    // Check the identity.
                    Console.WriteLine("Before impersonation: "
                        + WindowsIdentity.GetCurrent().Name);
                    // Use the token handle returned by LogonUser.
                    WindowsIdentity newId = new WindowsIdentity(safeTokenHandle.DangerousGetHandle());
                    using (WindowsImpersonationContext impersonatedUser = newId.Impersonate())
                    {

                        // Check the identity.
                        Console.WriteLine("After impersonation: "
                            + WindowsIdentity.GetCurrent().Name);
                    }
                    // Releasing the context object stops the impersonation
                    // Check the identity.
                    Console.WriteLine("After closing the context: " + WindowsIdentity.GetCurrent().Name);
                }
            }
            catch (Exception ex)
            {
                Console.WriteLine("Exception occurred. " + ex.Message);
            }

        }
    }
    public sealed class SafeTokenHandle : SafeHandleZeroOrMinusOneIsInvalid
    {
        private SafeTokenHandle()
            : base(true)
        {
        }

        [DllImport("kernel32.dll")]
        [ReliabilityContract(Consistency.WillNotCorruptState, Cer.Success)]
        [SuppressUnmanagedCodeSecurity]
        [return: MarshalAs(UnmanagedType.Bool)]
        private static extern bool CloseHandle(IntPtr handle);

        protected override bool ReleaseHandle()
        {
            return CloseHandle(handle);
        }
    }
}

---

Dick Page

Answer 1

I am fairly certain the username is "IIS AppPool\ASP.Net v4.0".  You have set a domain name of "IIS AppPool" and a username of "ASP.Net v4.0".  This is better asked in an ASP.Net forum though.

--
Mike

Answer 2

Hi dickP,

Thank you for visiting the MSDN forum. I’m afraid that it is not the correct forum about this issue. I am moving your question to the moderator forum ("Where is the forum for..?"). The owner of the forum will direct you to a right forum. Thanks for your understanding.

---

Bob Shen [MSFT]
MSDN Community Support | Feedback to us

Answer 3

Try http://social.msdn.microsoft.com/Forums/en/windowssecurity/threads

---

---

The following is signature, not part of post
Please mark the post answered your question as the answer, and mark other helpful posts as helpful, so they will appear differently to other users who are visiting your thread for the same problem.
Visual C++ MVP

Answer 4

Or the IIS forums: http://forums.iis.net

Thanks!

---

Ed Price (a.k.a User Ed), SQL Server Experience Program Manager (Blog, Twitter, Wiki)

Answer 5

Did you found a fix for this one

Answer 6

It was so long ago I don't remember! I don't write IIS hosted apps any more.

---

Dick Page