如何使用的LogonUser正确地从工作组客户端模拟域用户 [英] How to use LogonUser properly to impersonate domain user from workgroup client

查看:575
本文介绍了如何使用的LogonUser正确地从工作组客户端模拟域用户的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!

问题描述

<一个href="http://stackoverflow.com/questions/278132/asp-net-impersonate-against-a-domain-on-vmware">ASP.NET:冒充反对在VMWare

这个问题是什么,我问,但答案并不提供对_token是如何得出的详细信息。它似乎只能用 WindowsIdentity.GetCurrent()。令牌所以没有模拟发生。

<一个href="http://stackoverflow.com/questions/997001/can-i-impersonate-a-user-on-a-different-active-directory-domain-in-net">Can我冒充一个不同的Active Directory域中的用户在.NET?

这下一个问题有矛盾的答案,所接受的一个轴承评论我开始怀疑,我的问题出在其它地方。没有帮助的。

的LogonUser只为我的域名作品

这下一个问题似乎在暗示这是不可能的,但它有2个域处理,所以我不知道这是否是相关的。

我的真正的问题是:

  • 这可能吗?如果是这样,
  • 如何?我上哪儿去了?

我已经试过到目前为止,使用code从<一个href="http://msdn.microsoft.com/en-us/library/chf6fbt4%28v=VS.80%29.aspx">http://msdn.microsoft.com/en-us/library/chf6fbt4%28v=VS.80%29.aspx

 布尔的returnValue = LogonUser的(用户,域,密码,
            LOGON32_LOGON_NETWORK,LOGON32_PROVIDER_DEFAULT,
            裁判tokenHandle);
//这点之后,的returnValue = FALSE
 

Win32错误是

  

登录失败:未知的用户名或密码错误

解决方案

很少帖建议使用 LOGON_TYPE_NEW_CREDENTIALS 而不是 LOGON_TYPE_NETWORK LOGON_TYPE_INTERACTIVE 。我有一个问题,假冒一体机连接到域,一个没有了,这个固定。 在最后code段这个帖子表明,跨林冒充做的工作,但它并没有具体说有关信任任何正在建立。因此,这可能是值得一试:

  const int的LOGON_TYPE_NEW_CREDENTIALS = 9;
const int的LOGON32_PROVIDER_WINNT50 = 3;
布尔的returnValue = LogonUser的(用户,域,密码,
            LOGON_TYPE_NEW_CREDENTIALS,LOGON32_PROVIDER_WINNT50,
            裁判tokenHandle);
 

MSDN说 LOGON_TYPE_NEW_CREDENTIALS 仅在使用适用 LOGON32_PROVIDER_WINNT50

ASP.NET: Impersonate against a domain on VMWare

This question is what I am asking, but the answer does not provide details on how the _token is derived. It seems to only use WindowsIdentity.GetCurrent().Token so there's no impersonation happening.

Can I impersonate a user on a different Active Directory domain in .NET?

This next question has conflicting answers, with the accepted one bearing a comment "I'm beginning to suspect that my problem lies elsewhere." Not helpful.

LogonUser works only for my domain

This next question seems to imply it is not possible, but it deals with 2 domains so I am not sure if it is relevant.

My real question is:

  • Is it possible? And if so,
  • How? or Where did I go wrong?

What I have tried so far is, using the code from http://msdn.microsoft.com/en-us/library/chf6fbt4%28v=VS.80%29.aspx

bool returnValue = LogonUser(user, domain, password,
            LOGON32_LOGON_NETWORK, LOGON32_PROVIDER_DEFAULT,
            ref tokenHandle);
// after this point, returnValue = false

The Win32 error is

Logon failure: unknown user name or bad password

解决方案

Very few posts suggest using LOGON_TYPE_NEW_CREDENTIALS instead of LOGON_TYPE_NETWORK or LOGON_TYPE_INTERACTIVE. I had an impersonation issue with one machine connected to a domain and one not, and this fixed it. The last code snippet in this post suggests that impersonating across a forest does work, but it doesn't specifically say anything about trust being set up. So this may be worth trying:

const int LOGON_TYPE_NEW_CREDENTIALS = 9;
const int LOGON32_PROVIDER_WINNT50 = 3;
bool returnValue = LogonUser(user, domain, password,
            LOGON_TYPE_NEW_CREDENTIALS, LOGON32_PROVIDER_WINNT50,
            ref tokenHandle);

MSDN says that LOGON_TYPE_NEW_CREDENTIALS only works when using LOGON32_PROVIDER_WINNT50.

这篇关于如何使用的LogonUser正确地从工作组客户端模拟域用户的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!

查看全文
登录 关闭
扫码关注1秒登录
发送“验证码”获取 | 15天全站免登陆