Overload LogonUser to not always impersonate

Steve Syfuhs · Steve Syfuhs · commit 5164aca7320c · 2023-07-20T15:11:25.000-07:00
diff --git a/Kerberos.NET/Win32/LsaInterop.cs b/Kerberos.NET/Win32/LsaInterop.cs
@@ -155,20 +155,43 @@ public static LsaInterop Connect(string package = KerberosPackageName)
         /// <param name="realm">The default realm to be used by LSA for the any outbound ticket requests not already cached.</param>
         public unsafe void LogonUser(string username = null, string password = null, string realm = null)
         {
-            if (username == null)
-            {
-                username = DefaultUserName;
-            }
+            username ??= DefaultUserName;
 
-            if (password == null)
+            if (this.impersonationContext != null)
             {
-                password = string.Empty;
+                this.impersonationContext.Dispose();
+                this.impersonationContext = null;
             }
 
-            if (realm == null)
-            {
-                realm = string.Empty;
-            }
+            this.impersonationContext = this.LogonUser(username, password, realm, LogonType.NewCredentials);
+
+
+            // this call to impersonate will set the current thread token to be the token out of LsaLogonUser
+            // do we need to do anything special if this gets used within an async context?
+
+            this.impersonationContext.Impersonate();
+        }
+
+        /// <summary>
+        /// Create a logon session for the current LSA Handle.
+        /// </summary>
+        /// <param name="username">The username to be used.
+        /// Passing an empty string will cause LSA to treat this as an anonymous user.</param>
+        /// <param name="password">The password to be used by LSA for any future outbound ticket requests not already cached.</param>
+        /// <param name="realm">The default realm to be used by LSA for the any outbound ticket requests not already cached.</param>
+        /// <param name="logonType">The type of logon session to create</param>
+        public unsafe LsaTokenSafeHandle LogonUser(
+            string username,
+            string password,
+            string realm,
+            LogonType logonType
+        )
+        {
+            username ??= string.Empty;
+
+            password ??= string.Empty;
+
+            realm ??= string.Empty;
 
             var originName = new LSA_STRING
             {
@@ -182,12 +205,7 @@ public unsafe void LogonUser(string username = null, string password = null, str
                 (username.Length * 2) +
                 (password.Length * 2);
 
-            if (this.impersonationContext != null)
-            {
-                this.impersonationContext.Dispose();
-                this.impersonationContext = null;
-            }
-
+            LsaTokenSafeHandle tokenHandle = null;
             LsaBufferSafeHandle profileBuffer = null;
 
             WithFixedBuffer(bufferSize, (p, _) =>
@@ -211,7 +229,7 @@ public unsafe void LogonUser(string username = null, string password = null, str
                     int result = LsaLogonUser(
                          this.lsaHandle,
                          ref originName,
-                         SECURITY_LOGON_TYPE.NewCredentials,
+                         logonType,
                          this.negotiateAuthPackage,
                          pLogon,
                          bufferSize,
@@ -220,7 +238,7 @@ public unsafe void LogonUser(string username = null, string password = null, str
                          out profileBuffer,
                          ref profileLength,
                          out this.luid,
-                         out this.impersonationContext,
+                         out tokenHandle,
                          out IntPtr pQuotas,
                          out int subStatus
                      );
@@ -233,10 +251,7 @@ out int subStatus
                 }
             });
 
-            // this call to impersonate will set the current thread token to be the token out of LsaLogonUser
-            // do we need to do anything special if this gets used within an async context?
-
-            this.impersonationContext.Impersonate();
+            return tokenHandle;
         }
 
         /// <summary>
diff --git a/Kerberos.NET/Win32/LsaTokenSafeHandle.cs b/Kerberos.NET/Win32/LsaTokenSafeHandle.cs
@@ -10,7 +10,7 @@
 
 namespace Kerberos.NET.Win32
 {
-    internal class LsaTokenSafeHandle : SafeHandle
+    public class LsaTokenSafeHandle : SafeHandle
     {
         public LsaTokenSafeHandle()
             : base(IntPtr.Zero, true)
@@ -49,7 +49,7 @@ public void Impersonate()
             this.Impersonating = true;
         }
 
-        private void Revert()
+        public void Revert()
         {
             if (!this.Impersonating)
             {
@@ -66,4 +66,4 @@ private void Revert()
             this.Impersonating = false;
         }
     }
-}
+}
diff --git a/Kerberos.NET/Win32/NativeMethods.cs b/Kerberos.NET/Win32/NativeMethods.cs
@@ -14,6 +14,23 @@
 
 namespace Kerberos.NET.Win32
 {
+    public enum LogonType
+    {
+        UndefinedLogonType = 0,
+        Interactive = 2,
+        Network,
+        Batch,
+        Service,
+        Proxy,
+        Unlock,
+        NetworkCleartext,
+        NewCredentials,
+        RemoteInteractive,
+        CachedInteractive,
+        CachedRemoteInteractive,
+        CachedUnlock
+    }
+
     internal unsafe class NativeMethods
     {
         private const string SECUR32 = "secur32.dll";
@@ -176,7 +193,7 @@ out int AuthenticationPackage
         public static extern int LsaLogonUser(
           LsaSafeHandle LsaHandle,
           ref LSA_STRING OriginName,
-          SECURITY_LOGON_TYPE LogonType,
+          LogonType LogonType,
           int AuthenticationPackage,
           void* AuthenticationInformation,
           int AuthenticationInformationLength,
@@ -272,23 +289,6 @@ public enum KERB_LOGON_SUBMIT_TYPE
             KerbLuidLogon = 84,
         }
 
-        public enum SECURITY_LOGON_TYPE
-        {
-            UndefinedLogonType = 0,
-            Interactive = 2,
-            Network,
-            Batch,
-            Service,
-            Proxy,
-            Unlock,
-            NetworkCleartext,
-            NewCredentials,
-            RemoteInteractive,
-            CachedInteractive,
-            CachedRemoteInteractive,
-            CachedUnlock
-        }
-
         [StructLayout(LayoutKind.Sequential)]
         internal struct LSA_STRING
         {

Original file line number	Diff line number	Diff line change
`@@ -10,7 +10,7 @@`
`10`	`10`
`11`	`11`	`namespace Kerberos.NET.Win32`
`12`	`12`	`{`
`13`		`- internal class LsaTokenSafeHandle : SafeHandle`
	`13`	`+ public class LsaTokenSafeHandle : SafeHandle`
`14`	`14`	`{`
`15`	`15`	`public LsaTokenSafeHandle()`
`16`	`16`	`: base(IntPtr.Zero, true)`
`@@ -49,7 +49,7 @@ public void Impersonate()`
`49`	`49`	`this.Impersonating = true;`
`50`	`50`	`}`
`51`	`51`
`52`		`- private void Revert()`
	`52`	`+ public void Revert()`
`53`	`53`	`{`
`54`	`54`	`if (!this.Impersonating)`
`55`	`55`	`{`
`@@ -66,4 +66,4 @@ private void Revert()`
`66`	`66`	`this.Impersonating = false;`
`67`	`67`	`}`
`68`	`68`	`}`
`69`		`-}`
	`69`	`+}`