Can I impersonate a user on a different Active Directory domain in .NET?

Question

I have two Active Directory domains, A and B. Users in domain A need to run an application on their desktops to view and manipulate a resource located on a server in domain B. Each user also has an account in domain B. Is it possible to impersonate each user's domain B identity to perform operations on the domain B resource programatically?

Example Workflow:

1. User logs in to domain A.
2. User launches desktop application.
3. User specifies resource in domain B.
4. Application prompts user for domain B credentials.
5. Application impersonates user's domain B identity to access specified resource.
6. User manipulates domain B resource using application.

Answer 1

I'm going to speak in terms of Win32 APIs, but I'm pretty sure you can p/invoke to these from .NET. Check http://pinvoke.net.

You need to call the LogonUser API to create an access token that represents the user's domain B credentials.

Then you call ImpersonateLoggedOnUser, passing in that access token. The calling thread will impersonate the domain B credentials until you impersonate a different set of credentials or call the RevertToSelf API.

I guess it goes without saying that, for the LogonUser call to succeed, the machine you're running on will need to trust domain B.