Can I impersonate a user on a different Active Directory domain in .NET?

傲寒 2021-01-02 17:51

I have two Active Directory domains, A and B. Users in domain A need to run an application on their desktops to view and manipulate a resource located on a server in domain

3 answers
  • 2021-01-02 18:33

    I'm going to speak in terms of Win32 APIs, but I'm pretty sure you can p/invoke to these from .NET. Check http://pinvoke.net.

    You need to call the LogonUser API to create an access token that represents the user's domain B credentials.

    Then you call ImpersonateLoggedOnUser, passing in that access token. The calling thread will impersonate the domain B credentials until you impersonate a different set of credentials or call the RevertToSelf API.

    I guess it goes without saying that, for the LogonUser call to succeed, the machine you're running on will need to trust domain B.

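The sequence described in the answer above (LogonUser, then ImpersonateLoggedOnUser, then RevertToSelf), written as C# P/Invoke declarations with error handling. This is an added example, not code from the answer; the class name `DomainBImpersonation`, the `RunAs` helper, the choice of the interactive logon type and the command-line arguments are assumptions.

```csharp
// Added example: impersonate on the calling thread, do the work, always revert.
using System;
using System.ComponentModel;
using System.IO;
using System.Runtime.InteropServices;

static class DomainBImpersonation   // hypothetical name
{
    const int LOGON32_LOGON_INTERACTIVE = 2;   // assumption: interactive logon
    const int LOGON32_PROVIDER_DEFAULT = 0;

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LogonUser(string user, string domain, string password,
                                 int logonType, int logonProvider, out IntPtr token);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool ImpersonateLoggedOnUser(IntPtr token);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool RevertToSelf();
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr handle);

    // Runs 'work' under the given credentials and restores the original identity afterwards.
    public static void RunAs(string user, string domain, string password, Action work)
    {
        if (!LogonUser(user, domain, password, LOGON32_LOGON_INTERACTIVE,
                       LOGON32_PROVIDER_DEFAULT, out IntPtr token))
            throw new Win32Exception(Marshal.GetLastWin32Error(), "LogonUser failed");
        try
        {
            if (!ImpersonateLoggedOnUser(token))
                throw new Win32Exception(Marshal.GetLastWin32Error(), "ImpersonateLoggedOnUser failed");
            try { work(); }
            finally
            {
                // A thread that cannot revert must not keep running as the other user.
                if (!RevertToSelf()) Environment.FailFast("RevertToSelf failed");
            }
        }
        finally { CloseHandle(token); }   // the token is a handle and must be released
    }

    static void Main(string[] args)
    {
        // args: user, domain, path to check (all supplied by the caller)
        Console.Write("Password: ");
        string password = Console.ReadLine();
        RunAs(args[0], args[1], password, () => Console.WriteLine(File.Exists(args[2])));
    }
}
```

Keep the delegate passed to `RunAs` synchronous, since the impersonation applies to the calling thread. When `LogonUser` fails, the `Win32Exception` carries the Win32 error code for the failed logon.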
  • 2021-01-02 18:38

    If your computer (the one doing the impersonation) is a member of a domain which does not trust the domain of the user account you are trying to impersonate, then impersonation will fail. Anybody who says otherwise, I would love to see proof.

  • 2021-01-02 18:52

    Check out this question, which covers the impersonation issues you need.
