I have two Active Directory domains, A and B. Users in domain A need to run an application on their desktops to view and manipulate a resource located on a server in domain B. Each user also has an account in domain B. Is it possible to impersonate each user's domain B identity to perform operations on the domain B resource programmatically?
Example Workflow:
- User logs in to domain A.
- User launches desktop application.
- User specifies resource in domain B.
- Application prompts user for domain B credentials.
- Application impersonates user's domain B identity to access specified resource.
- User manipulates domain B resource using application.
I'm going to speak in terms of Win32 APIs, but I'm pretty sure you can p/invoke to these from .NET. Check http://pinvoke.net.
You need to call the LogonUser API to create an access token that represents the user's domain B credentials.
Then you call ImpersonateLoggedOnUser, passing in that access token. The calling thread will impersonate the domain B credentials until you impersonate a different set of credentials or call the RevertToSelf API.
I guess it goes without saying that, for the LogonUser call to succeed, the machine you're running on will need to trust domain B.
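The LogonUser / ImpersonateLoggedOnUser / RevertToSelf sequence from this answer, wrapped for .NET via P/Invoke, as an added example rather than the answerer's code; the `DomainImpersonation` wrapper, the `DOMAINB\alice` account and the `\\fileserver.domainb.example\share` path are placeholders.

```csharp
using System;
using System.ComponentModel;
using System.IO;
using System.Runtime.InteropServices;
// Added example, not from the original answer. Domain name, account and share path are placeholders.
sealed class DomainImpersonation : IDisposable
{
    const int LOGON32_LOGON_INTERACTIVE = 2;  // token carries credentials usable for network access
    const int LOGON32_PROVIDER_DEFAULT = 0;
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LogonUser(string user, string domain, string password,
                                 int logonType, int logonProvider, out IntPtr token);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool ImpersonateLoggedOnUser(IntPtr token);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool RevertToSelf();
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr handle);
    IntPtr _token;

    public DomainImpersonation(string domain, string user, string password)
    {
        // LogonUser fails (e.g. ERROR_LOGON_FAILURE) when this machine's domain does not trust 'domain'.
        if (!LogonUser(user, domain, password, LOGON32_LOGON_INTERACTIVE, LOGON32_PROVIDER_DEFAULT, out _token))
            throw new Win32Exception(Marshal.GetLastWin32Error(), "LogonUser failed");
        if (!ImpersonateLoggedOnUser(_token))
        {
            CloseHandle(_token);
            throw new Win32Exception(Marshal.GetLastWin32Error(), "ImpersonateLoggedOnUser failed");
        }
    }

    // Always revert and close the token: a thread left impersonating keeps acting as the domain B user.
    public void Dispose()
    {
        RevertToSelf();
        if (_token != IntPtr.Zero) { CloseHandle(_token); _token = IntPtr.Zero; }
    }
}

static class Program
{
    static void Main()
    {
        string password = Console.ReadLine();  // demo only; real code should use a masked/CredUI prompt
        using (new DomainImpersonation("DOMAINB", "alice", password))
        {
            // This thread now runs as DOMAINB\alice until Dispose() calls RevertToSelf.
            foreach (var f in Directory.GetFiles(@"\\fileserver.domainb.example\share"))
                Console.WriteLine(f);
        }
    }
}
```

Impersonation is per thread, so any work handed to a thread pool or async continuation inside the `using` block runs under the caller's original identity, not the domain B one.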
Check out this question, which covers the impersonation issues you need.
If your computer (the one doing the impersonation) is a member of a domain which does not trust the domain of the user account you are trying to impersonate, then impersonation will fail. Anybody who says otherwise, I would love to see proof.