DPAPI and WindowsImpersonationContext and the one that got away...
I've got a small C# Security Application that I'm writing an Editor for. I was hoping to let the user run the application as whoever they choose to, and then use LogonUser to create a WindowsImpersonationContext and log them in as SOMEONE ELSE to do the DPAPI Encryption (because it will be that other user that will be decrypting the data).
I'm using DPAPI with a User Store, not a Machine Store. I've got a managed wrapper for DPAPI that works fine. I've got a Managed ImpersonateUser function that returns a WindowsImpersonationContext and internally uses LogonUser, and it also works fine.
The pseudocode/gist is basically:
Do some stuff
Load XML File
Call ImpersonateUser (someotherguy) [succeeds, and WindowsIdentity.GetCurrent().Name changes to reflect the change]
Call DPAPI to Encrypt Element Context (this works fine if I DON'T IMPERSONATE...)
ERROR: Win32 Marshal.GetLastWin32Error() reports "The system couldn't find the file specified"
Apparently this is either utterly stupid of me, or no one has ever tried it. All the doc on DPAPI is either highly theoretical ("how it works internally") or very trivial ("here's how I used the Machine Store from ASP.NET"). The doc on WindowsImpersonationContext is even worse.
Am I going to just make the user do a RunAs to launch my app? (which works fine, BTW) It just would have been so nice to have a "Run As" menu item... thoughts anyone?
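The sequence described above written out as an added example (not the poster's own wrapper code), assuming .NET Framework, a reference to System.Security for ProtectedData, and constructed credentials passed in by the caller; it surfaces the Win32 error when the user-store call fails under impersonation.

```csharp
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;
using System.Security.Cryptography;
using System.Security.Principal;
using System.Text;

static class ImpersonatedDpapiExample
{
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LogonUser(string user, string domain, string password,
        int logonType, int logonProvider, out IntPtr token);

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr handle);

    const int LOGON32_LOGON_INTERACTIVE = 2;
    const int LOGON32_PROVIDER_DEFAULT = 0;

    // Encrypts plaintext in the DPAPI user store of the impersonated account.
    // Returns null (after reporting the Win32 error) if DPAPI rejects the call.
    public static byte[] ProtectAs(string user, string domain, string password, string plaintext)
    {
        IntPtr token;
        if (!LogonUser(user, domain, password, LOGON32_LOGON_INTERACTIVE,
                       LOGON32_PROVIDER_DEFAULT, out token))
            throw new Win32Exception(Marshal.GetLastWin32Error());
        try
        {
            using (WindowsIdentity identity = new WindowsIdentity(token))
            using (WindowsImpersonationContext ctx = identity.Impersonate())
            {
                // Thread identity now reflects the other account, as the question observes.
                Console.WriteLine("Running as " + WindowsIdentity.GetCurrent().Name);
                try
                {
                    // CurrentUser scope is the user store; its master keys are kept in
                    // that user's profile, so the call depends on the profile being reachable.
                    return ProtectedData.Protect(Encoding.UTF8.GetBytes(plaintext),
                                                 null, DataProtectionScope.CurrentUser);
                }
                catch (CryptographicException ex)
                {
                    Console.WriteLine("DPAPI failed: " + ex.Message +
                        " (Win32 error " + Marshal.GetLastWin32Error() + ")");
                    return null;
                }
            }
        }
        finally { CloseHandle(token); }
    }
}
```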