CreateProcessAsUser() gives "A required privilege is not held by the client" Which one?


Problem description

Using System.Diagnostic.Process.Start() from IIS Express running in my interactive session, I can execute a program running as a different user with correction functionality. Unfortunately, it seems that this doesn't work from non-interactive sessions.

Process.Start internally calls CreateProcessWithLogonW(CPLW) when credentials are specified. CreateProcessWithLogonW cannot be called from a Windows Service Environment (such as an IIS WCF service). It can only be called from an Interactive Process (an application launched by a user who logged on via CTRL-ALT-DELETE). -- from this SO answer

I need to publish this site to IIS 8 from the app pool account. So I CreateProcessAsUser as suggested by the above-quoted answer. I've set the service account and agent account with Local Security Policies and restarted as suggested in that answer - service account can replace token, modify quotas and agent account can logon as batch (and as service for that test). But I can't get it to work in IIS Express (or a console test app) nor IIS 8. I've tried running as LOGON32_LOGON_BATCH, LOGON32_LOGON_NETWORK_CLEARTEXT, and LOGON32_LOGON_SERVICE, and even LOGON32_LOGON_INTERACTIVE. I've even given my own account "logon as service" and "act as part of the operating system" privilege with no change - all tested after a reboot.

I'm getting "A required privilege is not held by the client" from IIS Express for all configurations. On the server, I get the same running the console app. But publishing the app, it seems to start the process just fine, but then I seem to be getting permissions errors subsequently.

I'd like to know WHICH privilege my accounts are missing when running locally so I can debug them properly (and eventually figure out whatever permissions error I'm getting). Is there any way to determine that? Either way, if you know what the issue is, I'd like that too!

Thanks!

Recommended answer

According to the documentation:

CreateProcessAsUser function

Typically, the process that calls the CreateProcessAsUser function must have the SE_INCREASE_QUOTA_NAME privilege and may require the SE_ASSIGNPRIMARYTOKEN_NAME privilege if the token is not assignable. If this function fails with ERROR_PRIVILEGE_NOT_HELD (1314), use the CreateProcessWithLogonW function instead. CreateProcessWithLogonW requires no special privileges, but the specified user account must be allowed to log on interactively. Generally, it is best to use CreateProcessWithLogonW to create a process with alternate credentials.
...
If hToken is a restricted version of the caller's primary token, the SE_ASSIGNPRIMARYTOKEN_NAME privilege is not required. If the necessary privileges are not already enabled, CreateProcessAsUser enables them for the duration of the call.

The calling thread can use OpenThreadToken() and AdjustTokenPrivileges() to enable individual privileges as needed before calling CreateProcessAsUser(). But since it does that internally anyway, that implies the user associated with the calling thread does not have those privileges available to begin with.
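To find out which privilege is actually missing (the "which one" of the question), here is an added example that is not from the question, the answer or the Microsoft documentation: a C# console program that reads the current process token's privilege list through P/Invoke and reports whether the two privileges the documentation names, SeIncreaseQuotaPrivilege (SE_INCREASE_QUOTA_NAME) and SeAssignPrimaryTokenPrivilege (SE_ASSIGNPRIMARYTOKEN_NAME), are present and enabled. The class and method names are my own; the Win32 calls and constants are the real ones.

```csharp
using System;
using System.Collections.Generic;
using System.ComponentModel;
using System.Runtime.InteropServices;
using System.Text;
static class TokenPrivilegeCheck   // hypothetical name, not part of the original post
{
    const uint TOKEN_QUERY = 0x0008, SE_PRIVILEGE_ENABLED = 0x2; const int TokenPrivilegesClass = 3; // TOKEN_INFORMATION_CLASS.TokenPrivileges
    [StructLayout(LayoutKind.Sequential)] struct LUID { public uint LowPart; public int HighPart; }
    [StructLayout(LayoutKind.Sequential)] struct LUID_AND_ATTRIBUTES { public LUID Luid; public uint Attributes; }
    [DllImport("kernel32.dll")] static extern IntPtr GetCurrentProcess();
    [DllImport("kernel32.dll", SetLastError = true)] static extern bool CloseHandle(IntPtr h);
    [DllImport("advapi32.dll", SetLastError = true)] static extern bool OpenProcessToken(IntPtr hProcess, uint access, out IntPtr hToken);
    [DllImport("advapi32.dll", SetLastError = true)] static extern bool GetTokenInformation(IntPtr hToken, int infoClass, IntPtr info, uint len, out uint retLen);
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LookupPrivilegeName(string sysName, ref LUID luid, StringBuilder name, ref uint cchName);
    // Maps each privilege present in the current process token to whether it is enabled right now.
    // A privilege the account was never granted is absent from the map; granted-but-disabled maps to false
    // (CreateProcessAsUser enables a present-but-disabled privilege itself, so only absence is a problem).
    public static Dictionary<string, bool> ReadPrivileges()
    {
        var result = new Dictionary<string, bool>(StringComparer.OrdinalIgnoreCase);
        IntPtr hToken = IntPtr.Zero, buf = IntPtr.Zero;
        try
        {
            if (!OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, out hToken)) throw new Win32Exception();
            GetTokenInformation(hToken, TokenPrivilegesClass, IntPtr.Zero, 0, out uint size);   // size probe
            buf = Marshal.AllocHGlobal((int)size);
            if (!GetTokenInformation(hToken, TokenPrivilegesClass, buf, size, out size)) throw new Win32Exception();
            int count = Marshal.ReadInt32(buf);   // TOKEN_PRIVILEGES.PrivilegeCount; the entries follow this DWORD
            int entrySize = Marshal.SizeOf<LUID_AND_ATTRIBUTES>();
            for (int i = 0; i < count; i++)
            {
                var entry = Marshal.PtrToStructure<LUID_AND_ATTRIBUTES>(buf + 4 + i * entrySize);
                var name = new StringBuilder(64); uint cch = (uint)name.Capacity;
                if (LookupPrivilegeName(null, ref entry.Luid, name, ref cch))
                    result[name.ToString()] = (entry.Attributes & SE_PRIVILEGE_ENABLED) != 0;
            }
        }
        finally { if (buf != IntPtr.Zero) Marshal.FreeHGlobal(buf); if (hToken != IntPtr.Zero) CloseHandle(hToken); }
        return result;
    }
    static void Main()   // run under the identity that will call CreateProcessAsUser (e.g. the app pool account)
    {
        var privs = ReadPrivileges();
        foreach (var needed in new[] { "SeIncreaseQuotaPrivilege", "SeAssignPrimaryTokenPrivilege" })
            Console.WriteLine(needed + ": " + (privs.TryGetValue(needed, out bool on)
                ? (on ? "present, enabled" : "present, disabled") : "NOT IN TOKEN (not granted to this account)"));
    }
}
```

A privilege reported as not in the token was never assigned to that account in Local Security Policy (User Rights Assignment), which is the case ERROR_PRIVILEGE_NOT_HELD points at; `whoami /priv` from a shell running as the same account shows the same list.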

