Obtaining a Delegation Token


Problem description


I am having trouble getting the correct type of impersonation token using WindowsIdentity.Impersonate(). My code attempts to access a file share using the account of the user who is running it, who has been denied access to it. When this process fails, I attempt to impersonate the Administrator account, which has access to the file share, and access it again. However, the ImpersonationLevel of my WindowsImpersonationContext is Impersonation, not Delegation. I have ensured that my process has the SeTcbPrivilege enabled and that the machine that the code runs on has constrained delegation enabled.

From my understanding, I am not able to access the file share because it is a network resource, and to access a network resource I need to have a Delegation ImpersonationLevel; Impersonation will only work for accessing resources on the local system (which I have verified as working). Under the properties for my machine in AD, I have the cifs service added for WIN-J5H5R939SN7 under the delegation settings.

Are there any other steps I need to take to receive a Delegation token?

using System;
using System.IO;
using System.Security.Principal;

namespace DelegationTest
{
    class Program
    {
        // Lists the files in `directory` under the current thread identity.
        // Returns false (after printing the error) if the listing fails, e.g. with access denied.
        static bool PrintDirectory(string directory)
        {
            Console.WriteLine("Attempting to read directory " + directory + " as " + WindowsIdentity.GetCurrent().Name);
            try
            {
                DirectoryInfo dirInfo = new DirectoryInfo(directory);
                foreach (FileInfo f in dirInfo.GetFiles())
                {
                    Console.WriteLine(f.FullName);
                }
            }
            catch (Exception e)
            {
                Console.WriteLine(e.Message);
                return false;
            }
            return true;
        }

        static void Main(string[] args)
        {
            string dir = @"\\WIN-J5H5R939SN7\demoCA";
            if (!PrintDirectory(dir))
            {
                Console.WriteLine("Attempt to impersonate Administrator and try again");
                // WindowsIdentity(string) expects a user principal name and performs a
                // Kerberos S4U logon without a password; the token it yields is the one
                // whose ImpersonationLevel is printed below.
                string userName = "Administrator";
                try
                {
                    using (WindowsIdentity wid = new WindowsIdentity(userName))
                    using (WindowsImpersonationContext wic = wid.Impersonate())
                    {
                        Console.WriteLine(wid.ImpersonationLevel.ToString());
                        PrintDirectory(dir);
                    } // disposing the context calls Undo() even if PrintDirectory throws
                }
                catch (Exception e)
                {
                    Console.WriteLine(e.Message);
                }
            }
        }
    }
}

Recommended answer

"My code attempts to access a file share using the account of the user who is running it, who has been denied access to it. When this process fails, I attempt to impersonate the Administrator account"

Sounds like things are working as they should - you need the administrator password too.

This might help you to do it right (you will still need the password):
A small C# Class for impersonating a User


Best regards
Espen Harlinn
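The approach the answer points at, written out as an added example that is not part of the original question or answer: instead of the password-less S4U logon that WindowsIdentity(string) performs, call LogonUser with the account's password and the LOGON32_LOGON_NEW_CREDENTIALS logon type, then do the share access inside WindowsIdentity.RunImpersonated (.NET Framework 4.6 and later). The share path, account and domain are assumptions passed on the command line; the password is read from the console rather than hard-coded; the S4ULevel helper and the optional UPN argument are added here only to show, side by side, the level of the token the original code was getting.

```csharp
using System;
using System.ComponentModel;
using System.IO;
using System.Runtime.InteropServices;
using System.Security.Principal;
using System.Text;
using Microsoft.Win32.SafeHandles;

namespace DelegationTest
{
    static class ShareAccess
    {
        // LogonUser constants from winbase.h.
        const int LOGON32_LOGON_NEW_CREDENTIALS = 9; // keep the local identity, use the supplied credentials outbound
        const int LOGON32_PROVIDER_WINNT50 = 3;      // the only provider valid with LOGON32_LOGON_NEW_CREDENTIALS

        [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
        static extern bool LogonUser(string lpszUsername, string lpszDomain, string lpszPassword,
            int dwLogonType, int dwLogonProvider, out SafeAccessTokenHandle phToken);

        // Lists a UNC directory while the calling thread presents `domain\user` to the remote server.
        // Throws Win32Exception if the logon is rejected and IOException if the listing fails, so the
        // caller sees the real reason instead of a bare "access denied".
        static string[] ListShareAs(string uncPath, string user, string domain, string password)
        {
            SafeAccessTokenHandle token;
            if (!LogonUser(user, domain, password, LOGON32_LOGON_NEW_CREDENTIALS, LOGON32_PROVIDER_WINNT50, out token))
            {
                throw new Win32Exception(Marshal.GetLastWin32Error());
            }

            string[] names = null;
            using (token)
            {
                WindowsIdentity.RunImpersonated(token, () =>
                {
                    WindowsIdentity current = WindowsIdentity.GetCurrent();
                    // A NEW_CREDENTIALS logon leaves the local identity as the caller, so Name is still
                    // the caller's account, and the thread token reports Impersonation, not Delegation.
                    // The share is reachable anyway: LSA holds the password-derived credentials for the
                    // outbound SMB authentication, which the password-less S4U token does not have.
                    Console.WriteLine("Thread identity: {0}, token level: {1}", current.Name, current.ImpersonationLevel);
                    names = Directory.GetFiles(uncPath);
                });
            }
            return names;
        }

        // For comparison: the level of the token the original code relied on. WindowsIdentity(string)
        // expects a UPN (user@domain) and does a Kerberos S4U logon; the result is Identification level
        // unless the process holds SeTcbPrivilege, and it carries no credentials for a network hop.
        static TokenImpersonationLevel S4ULevel(string upn)
        {
            using (WindowsIdentity s4u = new WindowsIdentity(upn))
            {
                return s4u.ImpersonationLevel;
            }
        }

        // Reads a password from the console without echoing it.
        static string ReadPassword()
        {
            StringBuilder sb = new StringBuilder();
            for (ConsoleKeyInfo k = Console.ReadKey(true); k.Key != ConsoleKey.Enter; k = Console.ReadKey(true))
            {
                if (k.Key == ConsoleKey.Backspace) { if (sb.Length > 0) sb.Length--; }
                else if (!char.IsControl(k.KeyChar)) sb.Append(k.KeyChar);
            }
            Console.WriteLine();
            return sb.ToString();
        }

        static void Main(string[] args)
        {
            if (args.Length < 3)
            {
                Console.WriteLine(@"usage: ShareAccess \\server\share user domain [upn-for-S4U-comparison]");
                return;
            }
            string share = args[0], user = args[1], domain = args[2];

            if (args.Length > 3)
            {
                Console.WriteLine("S4U token level for {0}: {1}", args[3], S4ULevel(args[3]));
            }

            Console.Write("Password for {0}\\{1}: ", domain, user);
            string password = ReadPassword();
            try
            {
                foreach (string name in ListShareAs(share, user, domain, password))
                {
                    Console.WriteLine(name);
                }
            }
            catch (Win32Exception e)
            {
                Console.WriteLine("Logon failed: {0} (error {1})", e.Message, e.NativeErrorCode);
            }
            catch (IOException e)
            {
                Console.WriteLine("Listing failed: {0}", e.Message);
            }
        }
    }
}
```

Run it as `ShareAccess.exe \\WIN-J5H5R939SN7\demoCA Administrator WIN-J5H5R939SN7` (or the domain name for a domain account). The level printed inside the callback is still Impersonation; what makes the share reachable is that the token was built from a password, so the machine can authenticate outbound as that account. A Delegation-level token only matters when the remote server must in turn pass the identity on to a third machine. Any process that does this holds a privileged password in memory for the duration of the call, so it deserves the same handling as any other credential-bearing service: do not log the password, do not pass it on the command line, and prefer a dedicated, least-privilege account over Administrator.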

