Impersonation

Hello, as part of a corporate project, I need to create an application. So far, nothing out of the ordinary, but to put it on the server, I need to impersonate a generic server admin account to access the files. No problem, it's already been done in previous projects. But it no longer works with the latest computers, and we don't know why. Based on the code provided by Microsoft, we've already been able to run a few tests: https://learn.microsoft.com/en-us/dotnet/api/system.security.principal.windowsidentity.impersonate?view=netframework-4.8.1. On a computer configured max before the first half of last year, no problem, whether you're an admin or not. But on more recent PCs, we systematically get an error 1326 "Incorrect username or password", even though both are correct (as is the domain). The program itself works - it sounds a bit silly when you put it like that, but you can impersonate yourself, it works without a hitch, and there's the connection change and disconnection. What comes up most often is configuration differences, but finding out exactly what's wrong with an entire computer isn't easy, so if anyone has any ideas, or if it's something else, we'll take it.
4 Replies
Lex Li • 3mo ago
Impersonation and delegation require much more than merely the code, and sadly many useful articles on that topic disappeared during the MSDN to Microsoft Learn migration. So, my advice is: 1) Try not to use impersonation/delegation any more; even Windows authentication isn't the only option in a corporate environment today. 2) If you do have to go this route, your domain administrators and Microsoft support might be your best guide. Don't waste your own time troubleshooting, as you usually don't know enough (many of us are in the same situation).
𝕺𝖓𝖞𝖝
What could I use instead of impersonation then? Unfortunately, I can't tell too much because of enterprise policies, but there are multiple generic users, especially one to launch the app on the server, but without access to the file system, and one with this access, which we were trying to impersonate. And as it's not a small company, I can't really ask for some changes in the environment; there'll be dozens of apps to update.
Lex Li • 3mo ago
The options have already been there for many years, and you use those every day when you log into Microsoft/Google/Facebook accounts. Even the banks (very big ones) I worked with before have adopted certain identity solutions. Microsoft itself offers Entra ID (Azure Active Directory) as a modern alternative. Like I said, if you don't have time to fully migrate, escalate the issue to your domain administrators so that they can review things for you, and they can contact Microsoft support when needed. It's just too much for a developer like you to troubleshoot such.
𝕺𝖓𝖞𝖝
Well then I'll report it, thanks for the answer. But I'll still have to find a solution; even if they do anything about it, it'll take weeks, or even months. There aren't enough people in the IT service, I'm in a work-study program, and already working for 7 countries. Let's hope more project management than development will be enough for the diploma.