作为远程进程读取/写入网络位置时访问被拒绝 [英] Access denied when reading / writing to network location as a remote process
问题描述
我目前正在尝试使用 C# 中的 WMI 在远程计算机上启动一个进程.该进程读取和写入存储在单独服务器上的文件.
当我手动登录到远程机器时,我可以运行该进程并且一切正常.
但是,当我尝试使用 WMI 从本地计算机远程启动进程时,出现以下错误:
System.UnauthorizedAccessException:拒绝访问路径\\server\path\input.txt".我尝试了多个连接选项,但不确定如何重新创建手动登录时似乎拥有的权限...我需要做什么?
本地机器码
static void LaunchRemoteProcess(string remoteMachine, string command){ConnectionOptions connectionOptions = 新的 ConnectionOptions{Impersonation = ImpersonationLevel.Impersonate,启用特权 = 真};var managementScope = new ManagementScope(string.Format(@"\\{0}\root\cimv2", remoteMachine), connectionOptions);managementScope.Connect();var managementPath = new ManagementPath("Win32_Process");var objectGetOptions = new ObjectGetOptions();var managementClass = new ManagementClass(managementScope, managementPath, objectGetOptions);//异步启动命令var inParams = managementClass.GetMethodParameters("Create");inParams["CommandLine"] = 命令;var outParams = managementClass.InvokeMethod("Create", inParams, null);}远程机器码
string networkPath = @"\\server\path";string inputFile = "input.txt";string inputText = File.ReadAllText(Path.Combine(networkPath, inputFile));string outputFile = "output.txt";File.WriteAllText(Path.Combine(networkPath, outputFile), inputText);编辑 1
如果我手动登录到远程计算机,我已经尝试使用该进程为其工作的用户的凭据,但该进程仍然失败并出现相同的错误:
ConnectionOptions connectionOptions = new ConnectionOptions{用户名 = "用户名",密码 = "密码",权限 = "ntlmdomain:COMPANYNAME.CO.UK,启用特权 = 真};我是否遗漏了有关 Authority、Authentication 或 Impersonation 属性的内容?
模仿与委托
您的 WMI 代码使用模拟,因此服务器端在调用客户端代码的用户的安全上下文中运行.但这仅对服务器本身有效,不适用于访问,例如远程 CIFS 共享(如您的情况).
你必须使用委托.
首先,改变
Impersonation = ImpersonationLevel.Impersonate,到
Impersonation = ImpersonationLevel.Delegate,如果您遇到异常,则委托在您的环境中还不起作用.
检查:
呼叫用户帐户:不得在用户属性(Active Directory 用户和计算机)中选中帐户是敏感的,不能被委派"
服务器计算机帐户:必须选中信任此计算机以委派任何服务..."
服务器上的本地安全策略:使计算机和用户帐户受信任以进行委派"必须包括调用用户.
见
https://msdn.microsoft.com/en-us/library/aa389288%28VS.85%29.aspx
有关此主题的更多信息.
<小时>添加:(见下面的评论):
如果 Delegate 在您的环境中不是一个选项(例如组策略不允许这样做,并且您无权更改它们),您可以检查一些替代方法.>
您可能听说过 psexec.
或者,我几年前所做的,并且在企业环境中在几台服务器上的生产环境中运行多年非常成功:
我创建了一个计划任务,它启动一个程序并为此任务设置技术用户+密码.任务配置为在 2200 年运行一次 :-)".
然后我在队列中写入命令(我使用了一个简单的命令文件)并从远程机器启动了任务.
这样做,不需要委派,因为计划任务本身以技术用户帐户登录(需要以批处理方式登录"权限).
I'm currently trying to launch a process on a remote machine using WMI in C#. The process reads and writes to a file that is stored on a separate server.
When I manually login to the remote machine, I can run the process and it all works fine.
However, when I try to launch the process on the remote from my local machine using WMI, I get the following error:
System.UnauthorizedAccessException: Access to the path '\\server\path\input.txt' is denied.
I've tried multiple connection options, but I'm not sure how to re-create the permissions that I seem to have when I login manually... What do I need to do?
Local machine code
static void LaunchRemoteProcess(string remoteMachine, string command)
{
ConnectionOptions connectionOptions = new ConnectionOptions
{
Impersonation = ImpersonationLevel.Impersonate,
EnablePrivileges = true
};
var managementScope = new ManagementScope(string.Format(@"\\{0}\root\cimv2", remoteMachine), connectionOptions);
managementScope.Connect();
var managementPath = new ManagementPath("Win32_Process");
var objectGetOptions = new ObjectGetOptions();
var managementClass = new ManagementClass(managementScope, managementPath, objectGetOptions);
// Launch the command asynchronously
var inParams = managementClass.GetMethodParameters("Create");
inParams["CommandLine"] = command;
var outParams = managementClass.InvokeMethod("Create", inParams, null);
}
Remote machine code
string networkPath = @"\\server\path";
string inputFile = "input.txt";
string inputText = File.ReadAllText(Path.Combine(networkPath, inputFile));
string outputFile = "output.txt";
File.WriteAllText(Path.Combine(networkPath, outputFile), inputText);
Edit 1
I have already tried using the credentials of the user for which the process works if I log on to the remote machine manually and the process still fails with the same error:
ConnectionOptions connectionOptions = new ConnectionOptions
{
Username = "username",
Password = "password",
Authority = "ntlmdomain:COMPANYNAME.CO.UK,
EnablePrivileges = true
};
Am I missing something with regards to the Authority, Authentication, or Impersonation attributes?
Impersonation vs Delegation
Your WMI code uses impersonation, so the server side runs in the security context of the user who calls the code on the client. But this is only valid on the server itself, not for accessing e.g. a remote CIFS share (as in your case).
You have to use delegation.
First, change
Impersonation = ImpersonationLevel.Impersonate,
to
Impersonation = ImpersonationLevel.Delegate,
If you get an exception then, delegation does not yet work in your environment.
Check:
Calling user account: "Account is sensitive and cannot be delegated" must not be checked in the user properties (Active Directory Users and Computers)
server machine account: "Trust this computer for delegation to any service..." must be checked
local security policy on the server: "Enable computer and user accounts to be trusted for delegation" must include the calling user.
See
https://msdn.microsoft.com/en-us/library/aa389288%28VS.85%29.aspx
for further information on this topic.
Added: (see the comments below):
If Delegate is not an option in your environment (e.g. group policies do not allow for this, and you do not have the rights to change them), you may check some alternative ways.
You probably heard of psexec.
Or, what I did some years ago, and which runs in production in a enterprise environment on a few servers for many years very successfull:
I created a scheduled task which starts a program and set the technical user + password for this task. The task was configured for "run once in year 2200 :-)".
Then I wrote commands in a queue (I used a simple command file) and started the task from a remote machine.
Doing it this way, delegation is not required, since the scheduled task itself logs on as the technical user account ("logon as batch" privs are required).
这篇关于作为远程进程读取/写入网络位置时访问被拒绝的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
