0
votes

I have a COM component which I call from a .NET Windows service which runs as Local System. This service calls a COM component which then runs under the SYSTEM account. While I am debugging, I am trying to test running the COM component under different user accounts. I am using Impersonation to do this and I have used the same code for doing this successfully for other things. However, trying to do the same thing to load the COM component under a different account isn't working. It is still loading as the SYSTEM account.

Is there a different procedure for doing this with COM components being loaded with COM Interop?

The code is just:

// Impersonate.GetIdentity is a helper from the asker's own code base (not shown) that returns a WindowsIdentity.
var identity = Impersonate.GetIdentity(Username, Domain, Password);
identity.Impersonate();                        // swaps the token of the calling thread only
MyLib.Component com = new MyLib.Component();   // still comes up as SYSTEM
Comments:

Damien_The_Unbeliever (score 2): If you create the COM component from a normal application, does it run using your Windows identity? Some COM components can be configured to only run under particular accounts.

Jonnster: If run from a normal application then yes, it runs using my Windows identity. And that is what I am trying to achieve by using Impersonation, but it continues to run under SYSTEM.

Security Hound: It works for an application because the identity that started the application was not System. In the case of the service the identity that started it IS system.

2 Answers

1
votes

I would try using the unmanaged LogonUser method as demonstrated in the WindowsIdentity.Impersonate Method documentation.

Basically log on as the user and then use that token to impersonate that user:

// P/Invoke declarations from the MSDN sample (needs System.Runtime.InteropServices).
const int LOGON32_LOGON_INTERACTIVE = 2, LOGON32_PROVIDER_DEFAULT = 0;
[DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
static extern bool LogonUser(string user, string domain, string password,
    int logonType, int logonProvider, out IntPtr token);
[DllImport("kernel32.dll", SetLastError = true)]
static extern bool CloseHandle(IntPtr handle);
IntPtr userToken;
bool returnValue = LogonUser(userName, domainName, password,
            LOGON32_LOGON_INTERACTIVE, LOGON32_PROVIDER_DEFAULT,
            out userToken);
if (!returnValue) throw new Win32Exception(Marshal.GetLastWin32Error()); // System.ComponentModel
try
{
    using (WindowsImpersonationContext impersonatedUser =   // applies to the current thread only
             WindowsIdentity.Impersonate(userToken))
    {
        Console.WriteLine("After impersonation: " + WindowsIdentity.GetCurrent().Name);
        MyLib.Component com = new MyLib.Component();
    }
}
finally { CloseHandle(userToken); } // release the unmanaged logon token

The above is a simplified non-compiling snippet based on the MSDN code to show the overall approach.

The bad part is that the password must be provided to the LogonUser method.

0
votes

COM+ (AKA Control Panel/Admin tools/Component Services) is your friend. Create a new package, add your component to it, configure any user you want for that package. Consumers won't even notice the difference.

The component will run out-of-process, certainly, so some aspects of it might break in theory (like, say, passing process-specific handles as parameters). But in interop scenarios this is rather rare.

Also, you can debug the component apart from the caller service.
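The Component Services steps in this answer (create a package, add the component, set its identity) can be scripted against the COM+ admin catalog; the script below is an added example, not code from the question or either answer, and the $AppName, $DllPath, $RunAsUser and $RunAsPassword values are placeholders you must set. It assumes an elevated PowerShell session on the machine that hosts the component.

```powershell
# Added example: configure a COM+ server application for a COM component via
# the COMAdmin.COMAdminCatalog automation object, then list every package's
# identity so the change can be verified.
param(
    [string]$AppName       = 'MyLib Server Application',   # placeholder
    [string]$DllPath       = 'C:\path\to\MyLib.dll',        # placeholder
    [string]$RunAsUser     = 'DOMAIN\svc-mylib',            # placeholder
    [string]$RunAsPassword = '<supply-from-a-secret-store>' # placeholder, never a script literal
)

$catalog = New-Object -ComObject 'COMAdmin.COMAdminCatalog'
$apps    = $catalog.GetCollection('Applications')
$apps.Populate()

# Reuse the application if it already exists, otherwise create it.
$app = $null
foreach ($a in $apps) { if ($a.Name -eq $AppName) { $app = $a } }
if (-not $app) {
    $app = $apps.Add()
    $app.Value('Name') = $AppName
}

# A server application runs out-of-process under the identity configured here,
# independent of the token of whichever service or thread activates it.
$app.Value('Activation') = 1              # COMAdminActivationLocal (server application)
$app.Value('Identity')   = $RunAsUser     # account the package runs as
$app.Value('Password')   = $RunAsPassword
$apps.SaveChanges() | Out-Null

# Register the DLL's coclasses into the package; callers keep using the same CLSIDs.
$catalog.InstallComponent($AppName, $DllPath, '', '')

# Verification: show each COM+ application and its configured identity, so you can
# confirm the package is no longer inheriting the caller's (SYSTEM) identity.
$apps.Populate()
foreach ($a in $apps) {
    '{0,-40} identity={1}' -f $a.Name, $a.Value('Identity')
}
```

The verification listing is also a useful periodic check on a host: any package whose identity is a highly privileged account deserves a second look.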