帮助理解模拟 [英] Help Understanding Impersonation

问题描述

我一直在寻找到启动方式/停止Windows服务驻留在使用C＃代码远程机器，发现下面的代码示例。它工作正常的我。它是利用模拟技术，这显然既需要的机器（假设A和B）有相同的用户名+密码组合的用户帐户编码。

I was looking for a way to Start / Stop Windows Services residing in a remote machine using C# code, and found the following code sample. It works fine for me. It is coded using Impersonation Technique, which apparently requires both the machines (let's say A and B) have a user account with the same UserName + Password combination.

int LOGON32_LOGON_INTERACTIVE = 2;
int LOGON32_PROVIDER_DEFAULT = 0;

private bool impersonateValidUser(String userName, String machineName, String passWord)
    {
      WindowsIdentity tempWindowsIdentity;
      IntPtr token = IntPtr.Zero;
      IntPtr tokenDuplicate = IntPtr.Zero;

      if (RevertToSelf())
      {
        if (LogonUserA(userName, machineName, passWord, 
                LOGON32_LOGON_INTERACTIVE, LOGON32_PROVIDER_DEFAULT, ref token) != 0)
        {
          if (DuplicateToken(token, 2, ref tokenDuplicate) != 0)
          {
            tempWindowsIdentity = new WindowsIdentity(tokenDuplicate);
            impersonationContext = tempWindowsIdentity.Impersonate();
            if (impersonationContext != null)
            {
              CloseHandle(token);
              CloseHandle(tokenDuplicate);
              return true;
            }
          }
        }
      }
      if (token != IntPtr.Zero)
      {
        CloseHandle(token);
      }
      if (tokenDuplicate != IntPtr.Zero)
      {
        CloseHandle(tokenDuplicate);
      }

      return false;
    }

现在我需要知道的答案，下面的问题，所以将不胜感激如果有人能帮助我。

Now I need to know the answers to the following questions, so would greatly appreciate if somebody could help me.

1. 在一般的代码的解释。

1. An explanation of the code in general.

为什么要对两台机器都使用相同的用户名+ passoword组合的用户帐户？

Why is it necessary for both machines to have user accounts with identical username + passoword combination?

为什么它的特权两个用户帐户（管理员或非管理员）是无关紧要的？

Why is it the privileges of the two user accounts (Admin or Non-Admin) is irrelevant?

感谢您提前。

推荐答案

下面是模拟一个很好的一般解释：的 .NET开发者指南Windows安全：了解假冒

Here is a good general explanation of impersonation: A .NET Developer's Guide to Windows Security: Understanding Impersonation

1）什么代码所做的就是登录上作为用户。这里的核心API是LogonUser的（本地通话）和模拟（）（.NET），这是记录在这里：的 http://msdn.microsoft.com/en-us/library/aa378184（VS.85）的.aspx 这里：的 http://msdn.microsoft.com/en-us/library/w070t6ka.aspx

1) what the code does is "Logon on as a user". The central APIs here are LogonUser (Native call) and Impersonate() (.NET), which are documented here: http://msdn.microsoft.com/en-us/library/aa378184(VS.85).aspx and here: http://msdn.microsoft.com/en-us/library/w070t6ka.aspx

剩下的就是或多或少需要的管道。

The rest is more or less needed plumbing.

2），这是没有必要的，但我想这就是已经被选定的基础设施，因为机器可能不是在同一个帐户域，或者没有帐户域在所有。在这种情况下，相同的帐户名+密码是一个老把戏。如果机器是在同一个Windows域（AD），这是没有必要的。

2) It's not necessary, but I suppose that's what has been chosen in your infrastructure because the machine may not be in the same account domain, or there is no account domain at all. In this case the identical account names+passwords is an old trick. If the machine are in the same Windows Domain (AD), it's not needed.

3）模拟并不需要管理员特权（仅适用于Windows 2000和之前，如果我没记错的话）

3) Impersonation does not require the Admin priviledge (only on Windows 2000 and before, if I remember correctly)

这篇关于帮助理解模拟的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！