How to logon a user on a server and run a process given a Kerberos Ticket


Problem description

How do authentication and logon work on Windows with Kerberos? What I want to achieve is to log on a user on a server and run a process for that user.

As a first step, I create a Kerberos ticket on the client and send it to the server. On the server, I do not know the API to log on the user given its ticket. Of course I can accept the security context using AcceptSecurityContext (SSPI), but that does not initiate a logon.

I think that some SSH implementations for Windows do exactly that. But I want to know how and what API they probably use?

Solution

There are a few ways you can do this. You do need to call AcceptSecurityContext on the ticket to get a security context. This is what bootstraps everything in Windows. From there you can do a couple different things.

Usually you call ImpersonateSecurityContext so the current thread understands what user it thinks it needs to be. After that you can call QuerySecurityContextToken to get a Windows access token handle. With this handle you then call CreateProcessAsUser. You can also tell it to do things like load the profile if necessary.

This doesn't really do a logon like LogonUserX does, but it effectively starts a process as that user, which is usually what people are looking to accomplish.
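The server-side sequence from the answer, as an added example in C (not code from the original question or answer). The function name run_as_ticket_user is hypothetical, the ticket is assumed to be the token produced by the client's InitializeSecurityContext call and accepted in a single leg, and ImpersonateSecurityContext is skipped because the calling thread never acts as the user itself.

```c
#include <wchar.h>
#ifdef _WIN32
#define SECURITY_WIN32
#include <windows.h>
#include <sspi.h>
#pragma comment(lib, "secur32.lib")
#pragma comment(lib, "advapi32.lib")
/* Returns 0 on success, otherwise the number of the step that failed. */
int run_as_ticket_user(void *ticket, unsigned long len, wchar_t *cmdline)
{
    CredHandle cred; CtxtHandle ctx; TimeStamp exp;
    SECURITY_STATUS st; HANDLE imp = NULL, prim = NULL; ULONG attrs = 0;
    STARTUPINFOW si = { sizeof si };
    PROCESS_INFORMATION pi = { 0 };
    SecBuffer in = { len, SECBUFFER_TOKEN, ticket }, out = { 0, SECBUFFER_TOKEN, NULL };
    SecBufferDesc ind = { SECBUFFER_VERSION, 1, &in }, outd = { SECBUFFER_VERSION, 1, &out };
    int failed = 0;
    /* 1. Inbound credentials of the service account that owns the SPN. */
    if (AcquireCredentialsHandleW(NULL, (LPWSTR)L"Kerberos", SECPKG_CRED_INBOUND,
                                  NULL, NULL, NULL, NULL, &cred, &exp) != SEC_E_OK)
        return 1;
    /* 2. Validate the ticket; this one-leg example rejects anything but SEC_E_OK. */
    st = AcceptSecurityContext(&cred, NULL, &ind, ASC_REQ_ALLOCATE_MEMORY,
                               SECURITY_NATIVE_DREP, &ctx, &outd, &attrs, &exp);
    if (out.pvBuffer) FreeContextBuffer(out.pvBuffer); /* reply for the client, dropped here */
    if (st != SEC_E_OK) {
        if (st == SEC_I_CONTINUE_NEEDED) DeleteSecurityContext(&ctx);
        FreeCredentialsHandle(&cred);
        return 2;
    }
    /* 3. Access token (impersonation type) of the authenticated client. */
    if (QuerySecurityContextToken(&ctx, &imp) != SEC_E_OK) failed = 3;
    /* 4. CreateProcessAsUser needs a primary token, so duplicate it as one. */
    else if (!DuplicateTokenEx(imp, MAXIMUM_ALLOWED, NULL, SecurityImpersonation,
                               TokenPrimary, &prim)) failed = 4;
    /* 5. Start the process in the client's security context. */
    else if (!CreateProcessAsUserW(prim, NULL, cmdline, NULL, NULL, FALSE, 0,
                                   NULL, NULL, &si, &pi)) failed = 5;
    else { CloseHandle(pi.hThread); CloseHandle(pi.hProcess); }
    if (prim) CloseHandle(prim);
    if (imp) CloseHandle(imp);
    DeleteSecurityContext(&ctx);
    FreeCredentialsHandle(&cred);
    return failed;
}
#else
int run_as_ticket_user(void *t, unsigned long n, wchar_t *c) { (void)t; (void)n; (void)c; return -1; } /* no SSPI off Windows */
#endif
```

The calling service typically needs SE_INCREASE_QUOTA_NAME, and may need SE_ASSIGNPRIMARYTOKEN_NAME, for step 5 to succeed; cmdline must point to a writable buffer because CreateProcessAsUserW can modify it.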
