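How to use LogonUser properly to impersonate a domain user from a workgroup client
ASP.NET: Impersonate against a domain on VMWare
This question asks what I am asking, but the answer does not provide details on how _token is derived. It seems to only use WindowsIdentity.GetCurrent().Token, so there is no impersonation happening.
Can I impersonate a user on a different Active Directory domain in .NET?
This next question has conflicting answers, and the accepted one has a comment: "I'm beginning to suspect that my problem lies elsewhere." Not helpful.
LogonUser works only for my domain
This next question seems to imply that it is not possible, but it deals with 2 domains, so I am not sure if it is relevant.
My real question is:
What I have tried so far is using the code from http://msdn.microsoft.com/en-us/library/chf6fbt4%28v=VS.80%29.aspx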
bool returnValue = LogonUser(user, domain, password,
    LOGON32_LOGON_NETWORK, LOGON32_PROVIDER_DEFAULT,
    ref tokenHandle);
// after this point, returnValue = false
The Win32 error is:
Logon failure: unknown user name or bad password
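Very few posts suggest using LOGON_TYPE_NEW_CREDENTIALS instead of LOGON_TYPE_NETWORK or LOGON_TYPE_INTERACTIVE. I had an impersonation issue with one machine connected to a domain and one not, and this fixed it. The last code snippet in this post suggests that impersonating across a forest does work, but it doesn't specifically say anything about trust being set up. So this may be worth trying: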
const int LOGON_TYPE_NEW_CREDENTIALS = 9;
const int LOGON32_PROVIDER_WINNT50 = 3;
bool returnValue = LogonUser(user, domain, password,
    LOGON_TYPE_NEW_CREDENTIALS, LOGON32_PROVIDER_WINNT50,
    ref tokenHandle);
MSDN says that LOGON_TYPE_NEW_CREDENTIALS only works when using LOGON32_PROVIDER_WINNT50.
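The logon type recommended in the answer above, as an added C# example that is not part of the original answer. It assumes .NET Framework 4.6 or later (for SafeAccessTokenHandle and WindowsIdentity.RunImpersonated); the class name, the IMPERSONATION_PASSWORD environment variable and the command-line arguments are hypothetical. With this logon type LogonUser clones the caller's token and does not validate the password, so a wrong credential only shows up at the first network access.

```csharp
using System;
using System.ComponentModel;           // Win32Exception
using System.IO;
using System.Runtime.InteropServices;
using System.Security.Principal;
using Microsoft.Win32.SafeHandles;     // SafeAccessTokenHandle

static class NetOnlyImpersonation {
    // Values from winbase.h; the answer above calls the first one LOGON_TYPE_NEW_CREDENTIALS.
    const int LOGON32_LOGON_NEW_CREDENTIALS = 9;
    const int LOGON32_PROVIDER_WINNT50 = 3;

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LogonUser(string user, string domain, string password,
        int logonType, int logonProvider, out SafeAccessTokenHandle token);

    // Runs work() with outbound network authentication performed as domain\user.
    public static void Run(string user, string domain, string password, Action work) {
        if (!LogonUser(user, domain, password, LOGON32_LOGON_NEW_CREDENTIALS,
                       LOGON32_PROVIDER_WINNT50, out SafeAccessTokenHandle token))
            throw new Win32Exception(Marshal.GetLastWin32Error());
        // The SafeHandle closes the token even if work() throws, and
        // RunImpersonated reverts the thread identity when the delegate returns.
        using (token)
            WindowsIdentity.RunImpersonated(token, work);
    }

    static void Main(string[] args) {
        // Hypothetical usage: NetOnly.exe <user> <domain> <\\server\share>
        // Assumption of this example: the password is supplied in an environment variable.
        string password = Environment.GetEnvironmentVariable("IMPERSONATION_PASSWORD") ?? "";
        Run(args[0], args[1], password, () => {
            // Still prints the local workgroup account: the token is a clone of the
            // caller's, and only the credentials used on the network are replaced.
            Console.WriteLine("Local identity: " + WindowsIdentity.GetCurrent().Name);
            try {
                // First point at which the domain credentials are actually checked.
                Console.WriteLine(Directory.GetFiles(args[2]).Length + " files visible");
            } catch (Exception ex) when (ex is IOException || ex is UnauthorizedAccessException) {
                Console.WriteLine("Remote access failed (bad credentials surface here): " + ex.Message);
            }
        });
    }
}
```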
This works for me, full working example (I wish more people would do this):
//logon impersonation
using System;
using System.Configuration; // ConfigurationManager (needs a reference to System.Configuration)
using System.Runtime.InteropServices; // DllImport
using System.Security.Principal; // WindowsImpersonationContext
using System.Security.Permissions; // PermissionSetAttribute
// ...
class Program {
    // obtains user token
    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool LogonUser(string pszUsername, string pszDomain, string pszPassword,
        int dwLogonType, int dwLogonProvider, ref IntPtr phToken);

    // closes open handles returned by LogonUser
    [DllImport("kernel32.dll", CharSet = CharSet.Auto)]
    public extern static bool CloseHandle(IntPtr handle);

    public void DoWorkUnderImpersonation() {
        //elevate privileges before doing file copy to handle domain security
        WindowsImpersonationContext impersonationContext = null;
        IntPtr userHandle = IntPtr.Zero;
        const int LOGON32_PROVIDER_DEFAULT = 0;
        const int LOGON32_LOGON_INTERACTIVE = 2;
        string domain = ConfigurationManager.AppSettings["ImpersonationDomain"];
        string user = ConfigurationManager.AppSettings["ImpersonationUser"];
        string password = ConfigurationManager.AppSettings["ImpersonationPassword"];
        try {
            Console.WriteLine("windows identify before impersonation: " + WindowsIdentity.GetCurrent().Name);
            // if domain name was blank (or the setting is missing), assume local machine
            if (string.IsNullOrEmpty(domain))
                domain = System.Environment.MachineName;
            // Call LogonUser to get a token for the user
            bool loggedOn = LogonUser(user,
                domain,
                password,
                LOGON32_LOGON_INTERACTIVE,
                LOGON32_PROVIDER_DEFAULT,
                ref userHandle);
            if (!loggedOn) {
                Console.WriteLine("Exception impersonating user, error code: " + Marshal.GetLastWin32Error());
                return;
            }
            // Begin impersonating the user
            impersonationContext = WindowsIdentity.Impersonate(userHandle);
            Console.WriteLine("Main() windows identify after impersonation: " + WindowsIdentity.GetCurrent().Name);
            //run the program with elevated privileges (like file copying from a domain server)
            DoWork();
        } catch (Exception ex) {
            Console.WriteLine("Exception impersonating user: " + ex.Message);
        } finally {
            // Clean up
            if (impersonationContext != null) {
                impersonationContext.Undo();
            }
            if (userHandle != IntPtr.Zero) {
                CloseHandle(userHandle);
            }
        }
    }

    private void DoWork() {
        //everything in here has elevated privileges
        //example access files on a network share through e$
        string[] files = System.IO.Directory.GetFiles(@"\\domainserver\e$\images", "*.jpg");
    }
}
I have been successful at impersonating users in another domain, but only with a trust set up between the 2 domains.
var token = IntPtr.Zero;
var result = LogonUser(userID, domain, password, LOGON32_LOGON_INTERACTIVE, LOGON32_PROVIDER_DEFAULT, ref token);
if (result)
{
    return WindowsIdentity.Impersonate(token);
}