SingleSideLogin or reusing Token, CreateProcessAsUser, NamedPipe, ImpersonateNamedPipeClient, ACL/DACL, NT-Domain, Network drives


Problem description

Hello,

Perhaps (sure) I have missed something in the Windows-Security-architecture (NT4 to Win8.1).

I try to implement a ("Server-Service/UserMode-Application", "Client-Application") pair which solves this problem:
The Server-Application should be runnable on the server S as a Windows-Service or as a usermode application;
the Client-Application could run on server S but mostly runs on some other computer C.

Requirement (in my UseCase):
Persons P1, P2 and P3 have valid accounts.
P1, P2, P3 could log in on Computer C and Server S.
P1, P2 and P3 are not Administrators.
The accounts of P1 and P2 are part of the same NT-Domain-Group, i.e. "Cool".
P3 belongs to another NT-Domain-Group, i.e. "Non-Cool".
P1 is logged in on Computer C, P1 is not logged in on Server S.
P2, P3 are not logged in (neither on C nor on S).
Operating system: NT4 to Win8.1

The Server-Application creates a NamedPipe and Person P1 uses the Client-Application to connect with this NamedPipe.
After the NamedPipe has a client connection, the Server-Application should start, on server S and within the security context of Person P1, another program T, which must use settings from the Windows profile of user P1 on server S because it needs access to network drives and environment variables etc.

Problem 1:
NamedPipe ACL/DACL: I haven't figured out yet how to restrict read, write access (enable for NT-Domain-Group "Cool", enable for NT-Domain-Administrator, enable for ServerLocal-Administrator, disable all other) correctly.

Problem 2:
Can I reuse the current login token of person P1 from Computer C on server S?
Or: How can I correctly interact ImpersonateNamedPipeClient with CreateProcessAsUser?

Problem 3:
The ("Server-Service/UserMode-Application", "Client-Application") pair should run in a mixed OS environment: NT4, Win XP (32/64bit), Win 8.1 (32/64bit).

Best regards,

Robert
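
The pipe DACL asked about in Problem 1, as an added example that is not part of the original thread. It uses the .NET `System.IO.Pipes` classes from Windows PowerShell 5.1 rather than the Win32 API, and `CONTOSO\Cool` and `ExamplePipe` are placeholder names to be replaced with a group and pipe name that exist.

```powershell
# Added example, assumes Windows PowerShell 5.1 (.NET Framework).
# 'CONTOSO\Cool' and 'ExamplePipe' are placeholders, not values from the thread.
Add-Type -AssemblyName System.Core

function New-RestrictedPipe {
    param(
        [string]$PipeName  = 'ExamplePipe',
        [string]$CoolGroup = 'CONTOSO\Cool'
    )
    $allow = [System.Security.AccessControl.AccessControlType]::Allow
    $rw    = [System.IO.Pipes.PipeAccessRights]::ReadWrite
    $full  = [System.IO.Pipes.PipeAccessRights]::FullControl
    $sidT  = [System.Security.Principal.SecurityIdentifier]
    $wk    = [System.Security.Principal.WellKnownSidType]

    # Account the server runs under (a user, or SYSTEM when run as a service).
    $me = [System.Security.Principal.WindowsIdentity]::GetCurrent().User
    # Resolve the group name to a SID; this throws if the group does not exist.
    $cool = [System.Security.Principal.NTAccount]::new($CoolGroup).Translate($sidT)
    # Local Administrators is the well-known SID S-1-5-32-544.
    $localAdmins = $sidT::new($wk::BuiltinAdministratorsSid, $null)
    # Domain Admins is <domain SID>-512, built from the group's own domain SID.
    $domainAdmins = $sidT::new($wk::AccountDomainAdminsSid, $cool.AccountDomainSid)

    $sec = [System.IO.Pipes.PipeSecurity]::new()
    # The server account keeps full control so it can create further instances.
    $sec.AddAccessRule([System.IO.Pipes.PipeAccessRule]::new($me, $full, $allow))
    foreach ($sid in $cool, $localAdmins, $domainAdmins) {
        $sec.AddAccessRule([System.IO.Pipes.PipeAccessRule]::new($sid, $rw, $allow))
    }
    # No deny ACEs are needed: a caller matching no allow ACE is refused.

    [System.IO.Pipes.NamedPipeServerStream]::new(
        $PipeName,
        [System.IO.Pipes.PipeDirection]::InOut,
        1,                                          # maximum server instances
        [System.IO.Pipes.PipeTransmissionMode]::Byte,
        [System.IO.Pipes.PipeOptions]::None,
        4096, 4096,                                 # in/out buffer sizes
        $sec)
}

$pipe = New-RestrictedPipe
# Read the DACL back from the live pipe object to confirm what was applied.
$pipe.GetAccessControl().GetSecurityDescriptorSddlForm('Access')
$pipe.Dispose()
```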

Recommended answer

Hi sporach,

Thanks for posting in the MSDN forum, but it seems that you have no VC++ development issue in your post. So I will move this to where is forum for...  forum where someone will redirect you to a right forum. Thanks for your understanding.

Good luck,

Shu Hu

