I have a non-admin user (without SeImpersonatePrivilege) that needs to temporarily impersonate another user. According to the MSDN article for ImpersonateLoggedOnUser (emphasis mine):
All impersonate functions, including ImpersonateLoggedOnUser allow the requested impersonation if one of the following is true:• The requested impersonation level of the token is less than SecurityImpersonation, such as SecurityIdentification or SecurityAnonymous. • The caller has the SeImpersonatePrivilege privilege. • A process (or another process in the caller's logon session) created the token using explicit credentials through LogonUser or LsaLogonUser function. • The authenticated identity is same as the caller.
I'm attempting to use the Italicized approach. I can create the token using LogonUserW:
HANDLE token = NULL;
if (::LogonUserW(user, L".", password, LOGON32_LOGON_INTERACTIVE,
LOGON32_PROVIDER_DEFAULT, &token))
{
if (::ImpersonateLoggedOnUser(token))
{
DoOtherUserStuff();
}
}
This calls succeed; I reach the DoOtherUserStuff function. However, when I then try to use the token I just created to do anything at all requiring a privilege check, it fails. GetLastError returns 1346, which is
Either a required impersonation level was not provided, or the provided impersonation level is invalid.
This is the error you get if you try to impersonate another user using a token obtained through some other method (OpenThreadToken, etc.) and don't have SeImpersonatePrivilege. However, I am creating the token using LogonUser with explicit credentials. Why isn't it working? Is the MSDN documentation just wrong?
I've tried using different logon types and different logon providers, to no avail. LOGON32_LOGON_NETWORK produces an impersonation token, as expected, but otherwise fails in exactly the same way.
System is Windows 8.0 Enterprise. The caller is a Microsoft account, but the user being logged on and impersonated is a local account.
