是否有一系列标志允许 LogonUser
在计算机未连接到网络时返回可用于冒充本地用户的令牌(但所有帐户已在本地存在) .
我有域帐户执行应用程序
MYDOMAIN \ FooUser
而我正试图获得一个假冒令牌
MYLAPTOP \ TestUser
然后我读了一个文件夹中的一系列文本文件,这些文件都可以被 FooUser
读取,但有些文件文件的 TestUser
读取权限被拒绝了 .
如果我登录到Windows并从 TestUser
运行应用程序,则权限映射正确,并且文件上的权限被拒绝 . 如果我已连接到我的域并从 FooUser
运行应用程序,我还可以模拟 TestUser
和文件权限再次正确拒绝访问(使用 LOGON32_LOGON_INTERACTIVE
) .
当我的以太网电缆被拔出并且我尝试为 TestUser
调用 LogonUser
时会出现问题,我希望我能以某种方式验证本地凭据......本地?
使用 LOGON32_LOGON_INTERACTIVE
:
-
输入
TestUser
的凭据将返回错误,指示"Bad username or password" -
输入
FooUser
的凭据返回错误,指示"No logon servers available"(有道理,我不是在抱怨......除非我没有连接到我的域时如何首先登录Windows?)
使用 LOGON32_LOGON_NEW_CREDENTIALS
:
- 输入乱码凭据会返回一个与
FooUser
具有相同访问权限的令牌
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;
using System.Security;
using System.Security.Principal;
using Common.NativeMethods.Enumerations;
namespace Common.NativeMethods
{
public static class AdvApi32
{
// http://www.pinvoke.net/default.aspx/advapi32.logonuser
// http://msdn.microsoft.com/en-us/library/system.runtime.interopservices.marshal.securestringtoglobalallocunicode(v=vs.100).aspx
// PInvoke into the Win32 API to provide access to the
// LogonUser and CloseHandle functions.
[DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
internal static extern bool LogonUser(
IntPtr username,
IntPtr domain,
IntPtr password,
LogonType logonType,
LogonProvider logonProvider,
ref IntPtr token
);
public static WindowsIdentity LogonUser(SecureString p_userName, SecureString p_password, SecureString p_domainName)
{
IntPtr UserAccountToken = IntPtr.Zero;
IntPtr UserNamePointer = IntPtr.Zero;
IntPtr PasswordPointer = IntPtr.Zero;
IntPtr DomainNamePointer = IntPtr.Zero;
try
{
// Marshal the SecureString to unmanaged memory.
UserNamePointer = Marshal.SecureStringToGlobalAllocUnicode(p_password);
PasswordPointer = Marshal.SecureStringToGlobalAllocUnicode(p_userName);
DomainNamePointer = Marshal.SecureStringToGlobalAllocUnicode(p_domainName);
// Call LogonUser, passing the unmanaged (and decrypted) copy of the SecureString password.
bool ReturnValue =
AdvApi32
.LogonUser(
UserNamePointer,
DomainNamePointer,
PasswordPointer,
LogonType.LOGON32_LOGON_INTERACTIVE, //.LOGON32_LOGON_NEW_CREDENTIALS,
LogonProvider.LOGON32_PROVIDER_DEFAULT, //.LOGON32_PROVIDER_WINNT50,
ref UserAccountToken);
// Get the Last win32 Error and throw an exception.
if (!ReturnValue && UserAccountToken == IntPtr.Zero)
{
int error = Marshal.GetLastWin32Error();
throw
new Win32Exception(error);
}
// The token that is passed to the following constructor must
// be a primary token in order to use it for impersonation.
return
new WindowsIdentity(UserAccountToken);
}
finally
{
// Zero-out and free the unmanaged string reference.
Marshal.ZeroFreeGlobalAllocUnicode(UserNamePointer);
Marshal.ZeroFreeGlobalAllocUnicode(PasswordPointer);
Marshal.ZeroFreeGlobalAllocUnicode(DomainNamePointer);
// Close the token handle.
Kernel32.CloseHandle(UserAccountToken);
}
}
}
}
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Runtime.InteropServices;
using System.Runtime.ConstrainedExecution;
using System.Security;
namespace Common.NativeMethods
{
// http://msdn.microsoft.com/en-us/library/system.security.principal.windowsimpersonationcontext%28v=vs.100%29.aspx
public static class Kernel32
{
[DllImport("kernel32.dll", CharSet = CharSet.Auto)]
[ReliabilityContract(Consistency.WillNotCorruptState, Cer.Success)]
[SuppressUnmanagedCodeSecurity]
[return: MarshalAs(UnmanagedType.Bool)]
internal extern static bool CloseHandle(IntPtr handle);
}
}
1 回答
哎呀...我在重构时弄错了 .
LogonUser
没有连接到域时工作正常;如果你至少指向正确的参数 .固定