为用户 (S4U) 令牌创建服务 [英] Creating a service for user (S4U) token
问题描述
Windows 任务计划程序可以创建使用特定用户帐户运行的任务,而无需存储用户密码.他们称之为S4U",为用户服务.这应该像调度程序为当前用户创建这样的令牌一样工作,并可以使用它来运行该用户帐户下的计划进程.他们声称它无法使用该系统访问网络或加密资源.调度程序本身使用 SYSTEM 帐户运行以使其工作.这是一篇描述它的文章.相关引述:
The Windows Task Scheduler can create tasks that run with the account of a particular user, without storing the user password. They call it "S4U", service for user. This should work something like the scheduler creates such a token for the current user and can use it to run the scheduled process under that user account. They claim that it cannot access network or encrypted resources with this system. The scheduler itself runs with the SYSTEM account for it to work. Here's an article that describes it. The relevant quote from it:
TASK_LOGON_S4U 是另一种提供更安全的选项选择.它利用用户 (S4U) 登录服务代表指定用户运行任务,但不必存储密码.由于任务计划程序在本地运行系统帐户,它可以创建一个 S4U 登录会话并接收一个令牌不仅可以用于识别,还可以用于在本地计算机上模拟.通常 S4U 令牌只是好的用于识别.
TASK_LOGON_S4U is yet another option that provides a more secure alternative. It takes advantage of a service for user (S4U) logon to run the task on behalf of the specified user, but without having to store the password. Since the Task Scheduler runs within the local system account, it can create a S4U logon session and receive a token that can not only be used for identification, but also for impersonation on the local computer. Normally a S4U token is only good for identification.
我需要在我的应用程序中使用此身份验证方案,但不能让任务计划程序执行此操作而需要自己执行此操作,因为我需要为任意数量的帐户使用它.每当用户向我的应用程序注册任务时,任何后续任务都必须在同一用户下运行.但由于它们不能重叠,我需要自己进行序列化.
I need to use this authentication scheme in my application, but can't let the Task Scheduler do it but need to do it myself, because I need it for any number of accounts. Whenever a user registers a task with my application, any followup tasks must run under the same user. But since they cannot overlap, I need to do the serialisation myself.
我找不到关于这个S4U"的任何信息.我怎样才能在我的应用程序中实现它?首选 C#,但 WINAPI 和 C 也可以.
I cannot find any information about this "S4U" thing. How could I implement it in my application? C# preferred, but WINAPI and C is okay.
更新:这是我尝试过的,但不起作用.
Update: This is what I've tried, and it doesn't work.
// The WindowsIdentity(string) constructor uses the new
// Kerberos S4U extension to get a logon for the user
// without a password.
WindowsIdentity wi = new WindowsIdentity(identity);
WindowsImpersonationContext wic = null;
try
{
wic = wi.Impersonate();
// Code to access network resources goes here.
}
catch()
{
// Ensure that an exception is not propagated higher in the call stack.
}
finally
{
// Make sure to remove the impersonation token
if( wic != null)
wic.Undo();
}
但我现在的印象是,你不能只说你想成为某个用户.甚至不作为系统.您需要以该用户身份登录,并且可以生成一些令牌,允许您稍后再次成为该用户,而无需密码.所以这必须是一个两步的事情,首先我需要获取令牌并将其存储在磁盘上;稍后我可以使用该令牌来模拟.没有一个例子解释了这一点.
But I've got the impression now, that you can't just say you want to be a certain user. Not even as System. You need to be logged in as that user and can generate some token that allows you to become that user later again, without the password. So this must be a two-step thing, first I need to get the token and store it on disk; later I can use that token to impersonate. None of the examples explains this.
推荐答案
计算机可能未加入域"
S4U 需要访问 KDC.S4U实际上是两个协议.S4U2Self 和 S4U2Proxy.它正在做的是使用 Kerberos 的附加功能来为用户获取服务票证,但是获取票证的那个帐户必须启用一个特殊的委托.请参阅此处了解此设置.
S4U requires access to a KDC. S4U is actually two protocols. S4U2Self and S4U2Proxy. What it is doing is using an addition to Kerberos to get service tickets for a user, but that account that goes and gets the ticket has to have a special delegation enabled on it. See here for this set up.
但是除非你真的让进程死掉等等,为什么不直接获取用户服务票或 TGT?您的应用程序是本地的还是对用户远程运行的服务?
But unless you are actually letting the process die etc, why not just get the users service ticket or TGT? Is your application local or is it a service running remote to the user?
任务调度程序需要去获取一个新的,因为服务票不是永远有效的.或者在某些委托方案中,用户没有将服务票证传递给应用程序服务器,然后 AS 通过 S4U2Self 请求和服务票证,然后使用该服务票证通过 S4U2Proxy 请求第二个服务的票证.
Task scheduler needs to go get a new one because a service ticket isn't valid forever. Or in some delegation schemes the user hasn't passed a service ticket to the Application Server and then the AS goes and requests and service ticket via S4U2Self, and then uses that service ticket to request a ticket to a second service via S4U2Proxy.
这篇关于为用户 (S4U) 令牌创建服务的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
