如何在服务器上登录用户并运行给定Kerberos票证的进程 [英] How to logon a user on a server and run a process given a Kerberos Ticket
问题描述
在使用Kerberos的Windows上,身份验证和登录如何工作?我要实现的是在服务器上登录用户并为该用户运行一个进程.
首先,我在客户端上创建Kerberos票证并将其发送到服务器.在服务器上,我不知道用于给用户提供凭单的用户登录的API. 当然,我可以使用AcceptSecurityContext(SSPI)接受安全上下文,但是不会启动登录.
我认为Windows的某些SSH实现可以做到这一点.但是我想知道他们可能如何以及使用什么API?
有几种方法可以做到这一点.您确实需要在票证上调用AcceptSecurityContext
以获得安全上下文.这就是引导Windows中所有内容的原因.从那里您可以做几件事.
通常,您调用ImpersonateSecurityContext
,以便当前线程了解它认为需要的用户.之后,您可以调用QuerySecurityContextToken
以获得Windows访问令牌句柄.使用此句柄,然后调用CreateProcessAsUser
.您还可以告诉它执行必要的操作,例如在需要时加载配置文件.
这实际上并没有像LogonUserX
那样进行登录,但是它实际上以该用户身份启动了一个过程,这通常是人们希望完成的过程.
How does authentication and logon work on Windows with Kerberos? What I want to achieve is to logon a user on a server and run a process for that user.
As a first step, I create a Kerberos ticket on the client and send it to the server. On the server, I do not know the API to logon the user given its ticket. Of course I can accept the security context using AcceptSecurityContext (SSPI), but that does not initiate a logon.
I think that some SSH implementations for Windows do exactly that. But I want to know how and what API they probably use?
There are a few ways you can do this. You do need to call AcceptSecurityContext
on the ticket to get a security context. This is what bootstraps everything in Windows. From there you can do a couple different things.
Usually you call ImpersonateSecurityContext
so the current thread understands what user it thinks it needs to be. After that you can call QuerySecurityContextToken
to get a Windows access token handle. With this handle you then call CreateProcessAsUser
. You can also tell it to do things like load the profile if necessary.
This doesn't really do a logon like LogonUserX
does, but it effectively starts a process as that user, which is usually what people are looking to accomplish.
这篇关于如何在服务器上登录用户并运行给定Kerberos票证的进程的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!