Obtaining a Delegation Token
Problem description
I am having trouble getting the correct type of impersonation token using WindowsIdentity.impersonate(). My code attempts to access a file share using the account of the user who is running it, who has been denied access to it. When this process fails, I attempt to impersonate the Administrator account, who has access to the file share, and access it again. However, the ImpersonationLevel of my WindowsImpersonationContext is Impersonation, not Delegation. I have ensured that my process has the SeTcbPrivilege enabled and that the machine that the code runs on has constrained delegation enabled.
From my understanding I am not able to access the file share because it is a network resource, and to access a network resource I need to have a Delegation ImpersonationLevel; Impersonation will only work for accessing resources on the local system (which I have verified as working). Under the properties for my machine in AD, I have the cifs service added for WIN-J5H5R939SN7 under the delegation settings.
Are there any other steps I need to take to receive a Delegation token?
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Security.Principal;
using System.Security;
using System.IO;

namespace DelegationTest
{
    class Program
    {
        // Lists the files in a directory (here a UNC share) as the current thread identity.
        // Returns false if the listing throws (e.g. access denied).
        static bool printDirectory(string directory)
        {
            Console.WriteLine("Attempting to read directory " + directory + " as " + WindowsIdentity.GetCurrent().Name);
            try
            {
                DirectoryInfo dirInfo = new DirectoryInfo(directory);
                FileInfo[] files = dirInfo.GetFiles();
                foreach (FileInfo f in files)
                {
                    Console.WriteLine(f.FullName);
                }
            }
            catch (Exception e)
            {
                //Console.WriteLine(e.ToString());
                Console.WriteLine(e.Message);
                return false;
            }
            return true;
        }

        static void Main(string[] args)
        {
            string dir = @"\\WIN-J5H5R939SN7\demoCA";
            if (!printDirectory(dir))
            {
                Console.WriteLine("Attempt to impersonate Administrator and try again");
                string userName = "Administrator";
                // The string constructor performs an S4U (password-less) logon for the given
                // user principal name; with SeTcbPrivilege the resulting token is at the
                // Impersonation level, which is what the question observes.
                WindowsIdentity wid = new WindowsIdentity(userName);
                WindowsImpersonationContext wic;
                try
                {
                    wic = wid.Impersonate();
                    System.Console.WriteLine(wid.ImpersonationLevel.ToString());
                    printDirectory(dir);
                    wic.Undo(); // revert the thread to the original identity
                }
                catch (Exception e)
                {
                    System.Console.WriteLine(e.Message);
                }
            }
        }
    }
}
Recommended answer
"My code attempts to access a file share using the account of the user who is running it, who has been denied access to it. When this process fails the I attempt to impersonate the Administrator account"
Sounds like things are working as they should - you need the administrator password too.
This might help you to do it right (you will still need the password):
A small C# Class for impersonating a User
Best regards
Espen Harlinn
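An added example (not code from the question or the answer) of the password-based route the answer recommends: a P/Invoke LogonUser with the new-credentials logon type, impersonated through the static WindowsIdentity.Impersonate(IntPtr) overload, so that network access to the share uses the supplied credentials. It assumes the share host from the question is also the account's domain and that the password is supplied through an environment variable; both are assumptions.

```csharp
using System;
using System.ComponentModel;
using System.IO;
using System.Runtime.InteropServices;
using System.Security.Principal;

static class PasswordLogon
{
    // Logon type 9 (NEW_CREDENTIALS): the token keeps the caller's local identity,
    // but outbound network access (the CIFS share) uses the supplied credentials.
    // Unlike the S4U string constructor, this needs neither SeTcbPrivilege nor delegation setup.
    const int LOGON32_LOGON_NEW_CREDENTIALS = 9;
    const int LOGON32_PROVIDER_WINNT50 = 3; // the only provider that supports logon type 9

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LogonUser(string lpszUsername, string lpszDomain, string lpszPassword,
        int dwLogonType, int dwLogonProvider, out IntPtr phToken);

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr hObject);

    // Lists the files on a share while impersonating the given credentials.
    // Throws a Win32Exception carrying the logon error (e.g. bad password) if LogonUser fails.
    public static string[] ListShareAs(string user, string domain, string password, string share)
    {
        IntPtr token;
        if (!LogonUser(user, domain, password, LOGON32_LOGON_NEW_CREDENTIALS,
                       LOGON32_PROVIDER_WINNT50, out token))
            throw new Win32Exception(Marshal.GetLastWin32Error());
        try
        {
            // Disposing the context reverts the thread identity (same as calling Undo()).
            using (WindowsIdentity.Impersonate(token))
            {
                FileInfo[] files = new DirectoryInfo(share).GetFiles();
                string[] names = new string[files.Length];
                for (int i = 0; i < files.Length; i++) names[i] = files[i].FullName;
                return names;
            }
        }
        finally
        {
            CloseHandle(token); // always release the logon token handle
        }
    }

    static void Main()
    {
        // Assumption: password read from the environment, never hard-coded in source.
        string pwd = Environment.GetEnvironmentVariable("DELEGATION_TEST_PASSWORD");
        foreach (string f in ListShareAs("Administrator", "WIN-J5H5R939SN7", pwd, @"\\WIN-J5H5R939SN7\demoCA"))
            Console.WriteLine(f);
    }
}
```

The impersonation context is thread-bound, so any share access must happen on the thread that called Impersonate and before the context is disposed.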