Token delegation using LOGON32_LOGON_NETWORK_CLEARTEXT

Question

We have the following situation:

Web server A is using Win32 LogonUser. Then it needs to invoke an asmx method on server B.

If the used logon type is LOGON32_LOGON_INTERACTIVE it works well. However the customer rejects this because it requires interactive access.

If we use LOGON32_LOGON_NETWORK this does not allow token delegation to the remote server and we get 401 (as expected, according to the MSDN).

Attempting to use DuplicateToken to "upgrade" the token to interactive fails. This attempt was based on this article where it states:

"When you request an interactive logon, LogonUser returns a primary token that allows you to create processes while impersonating. When you request a network logon, LogonUser returns an impersonation token that can be used to access local resources, but not to create processes. If required, you can convert an impersonation token to a primary token by calling the Win32 DuplicateToken function."

But it seems that if we use LOGON32_LOGON_NETWORK_CLEARTEXT as stated in this old thread, delegation works. But how safe is it for usage? According to MSDN:

"This logon type preserves the name and password in the authentication package, which allows the server to make connections to other network servers while impersonating the client. A server can accept plaintext credentials from a client, call LogonUser, verify that the user can access the system across the network, and still communicate with other servers."

Are the credentials used in this format visible in any way to sniffers (we're using Windows Integrated security, sometimes with SSL but not always)?

Please advise.

Answer

I had the same question, and though I haven't found a definitive answer I've done some investigating and reading between the lines, and this is my conclusion (corrections welcome):

The ideal/safest use case is if your code looks like this pseudocode:

success = LogonUser(username, domain, password,
    LOGON32_LOGON_NETWORK_CLEARTEXT, LOGON32_PROVIDER_DEFAULT, out token)
if (success) {
    ImpersonateLoggedOnUser(token)   // run as the caller only for the outbound call
    remoteConnection = AuthenticateToRemoteServer()   // application-specific
    RevertToSelf()                   // back to the service's own identity
    CloseHandle(token)               // release the token as soon as the remote authentication is done

    // continue to use remoteConnection
}

The plaintext credentials associated with the LogonUser session will be destroyed when you close its handle (I haven't found a reference for this, but it doesn't make sense to me that they wouldn't). So for the lifetime of the token there was a copy of the user's credentials and it was used to authenticate to the remote server. But your application already had the credentials in memory in plaintext (in the variables username, domain and password) so this doesn't really present an additional security risk.

Any authentication with a remote server that uses Windows authentication will be using NTLM or Kerberos and neither protocol sends the credentials on the wire, so that's not a concern. I can't say for sure what would happen if the remote server asked for basic authentication, but I think it's more likely that it would fail than your credentials would be sent over.

If you need to keep the token around longer, the documentation does state that the credentials are stored in plaintext (somewhere). I took a dump of a test process and wasn't able to find them in the dump file, so I don't know if that means that they are stored in kernel memory or what. I would be a little worried if I had to keep this token around for a long time.
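The short-lived pattern the answer describes, written out as an added C# example for .NET Framework (the asmx era; WindowsIdentity.Impersonate() is not available on .NET Core). This is not code from the question or the answer: the class and method names, the user name, domain, password and server URL are placeholders chosen for the illustration. It logs the user on with LOGON32_LOGON_NETWORK_CLEARTEXT, impersonates only while the outbound request is made, reverts, and closes the token before returning.

```csharp
using System;
using System.ComponentModel;
using System.IO;
using System.Net;
using System.Runtime.InteropServices;
using System.Security.Principal;

// Added example (not from the original thread). Targets .NET Framework.
public static class ClearTextDelegation
{
    // Values from WinBase.h.
    private const int LOGON32_LOGON_NETWORK_CLEARTEXT = 8;
    private const int LOGON32_PROVIDER_DEFAULT = 0;

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    private static extern bool LogonUser(string userName, string domain, string password,
                                         int logonType, int logonProvider, out IntPtr token);

    [DllImport("kernel32.dll", SetLastError = true)]
    private static extern bool CloseHandle(IntPtr handle);

    // Hypothetical helper: fetch `url` as the given user with Integrated Windows
    // authentication, keeping the logon token alive only for that one call.
    public static string CallAsUser(string userName, string domain, string password, string url)
    {
        IntPtr token;
        if (!LogonUser(userName, domain, password, LOGON32_LOGON_NETWORK_CLEARTEXT,
                       LOGON32_PROVIDER_DEFAULT, out token))
        {
            throw new Win32Exception(Marshal.GetLastWin32Error());
        }

        try
        {
            // Both `using` blocks end before CloseHandle runs; disposing the
            // impersonation context reverts the thread to the service identity.
            using (WindowsIdentity identity = new WindowsIdentity(token))
            using (WindowsImpersonationContext ctx = identity.Impersonate())
            {
                HttpWebRequest request = (HttpWebRequest)WebRequest.Create(url);
                // DefaultCredentials is the thread's current (now impersonated) identity.
                // .NET only offers it for NTLM/Negotiate/Kerberos, never for Basic or Digest.
                request.Credentials = CredentialCache.DefaultCredentials;

                using (HttpWebResponse response = (HttpWebResponse)request.GetResponse())
                using (StreamReader reader = new StreamReader(response.GetResponseStream()))
                {
                    return reader.ReadToEnd();
                }
            }
        }
        finally
        {
            // Close the logon token as soon as the outbound authentication is done.
            CloseHandle(token);
        }
    }
}

// Usage (placeholder values):
// string body = ClearTextDelegation.CallAsUser("alice", "CORP", "s3cret",
//     "https://serverB.corp.example/Service.asmx/Ping");
```

Two points worth checking in your own code: the token handle is closed in a `finally`, so a failed request does not leave the logon session alive, and for an asmx proxy the equivalent of the `Credentials` line is `proxy.Credentials = CredentialCache.DefaultCredentials`. For the .NET HTTP stack specifically, the answer's open question about Basic authentication has a documented outcome: `DefaultCredentials` applies only to NTLM, Negotiate and Kerberos, so a server that offers only Basic gets no credentials and the call fails with 401 rather than sending the password.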
