客户是本地系统（SYSTEM）确定的目标/服务器机器？在此范围内？ [英] Is client LocalSystem (SYSTEM) identified by target/server machine? and in which context?

问题描述

[1]讲述：

• 当你配置为使用特定帐户的进程标识，ASP.NET试图委派帐户。如果这是一个本地帐户，等同在远程机器上（包括密码）的本地帐户，代表团是可能的。如果这样的帐户没有远程计算机上存在，它显示为Windows的匿名帐户（NT AUTHORITY \\ ANONYMOUS登录）网络。此外，代表团还可能的，如果该帐户是能够访问到远​​程机器，在这种情况下使用该帐户的域网络标识的域帐户。

• "When you configure to use a particular account as the process identity, ASP.NET attempts to delegate that account. If it is a local account that is identical (including password) to a local account on a remote machine, delegation is possible. If such an account does not exist on the remote machine, to the network it appears as the Windows anonymous account (NT AUTHORITY\ANONYMOUS LOGON). In addition, delegation is also possible if the account is a domain account that has access to the remote machine, in which case it uses the domain network identity of that account."

[2]通知：

• 的帐户中所有区域的名称是\\ LocalSystem的身份。名称，本地系统或计算机名\\本地系统也可以用
  
  
  
  • 服务presents计算机的凭据到远程服务器
  
  
  • "The name of the account in all locales is .\LocalSystem. The name, LocalSystem or ComputerName\LocalSystem can also be used"
    • "The service presents the computer's credentials to remote servers

    此外，predefinedNT AUTHORITY \\ LOCAL SYSTEM（或系统[3]）在任何Windowses结果present
    而应该是识别可用的（甚至当客户端（进程）从工作组的Windows访问），不应该有？

    Also, the predefined "NT AUTHORITY\LOCAL SYSTEM" (or SYSTEM [3]) is present in any Windowses
    and should have been usable for identification (even when client (process) accessed from workgroup Windows), shouldn't have?

    虽然，答案的一排，为前，[3]告诉相反：

    Though, a row of answers, for ex., [3] tells the opposite:

    
    
    • 在工作组的SID只有在本地工作站上的意义。当访问其他工作站的SID不转移只是名字。 本地系统不能访问任何其他系统
    
    
    • 'In Workgroups, the SID only has a meaning on the local workstation. When accessing another workstation, the SID is not transferred just the name. The 'Local System' can not access any other systems'

    时的本地系统远程/目标机器识别或不？
    如何？

    Is LocalSystem identified or not by remote/target machine? and how?

    
    
    • 为计算机名\\本地系统？结果
      或
    
    
    • 作为NT AUHORITY \\ LOCAL SYTEM？
    
    

    更新：结果
    这个问题是完全的开发环境在Windows工作组的上下文中......结果
    尽管所有的答案偏向Windows域...

    Update:
    This question is completely inside the context of development environment in Windows workgroup...
    though all answers deviated to Windows domain...

    引：结果
    [1]结果
    ASP.NET代表团结果
    http://msdn.microsoft.com/en-us/library/aa291350.aspx 结果
    [2]结果，
    LocalSystem帐户结果
    http://msdn.microsoft.com/en-us/library/ms684190.aspx 结果
    [3]结果
    sysadmin1138的回答我的问题的Windows本地系统与系统结果
    <一href=\"http://serverfault.com/questions/168752/windows-localsystem-vs-system\">http://serverfault.com/questions/168752/windows-localsystem-vs-system

    我的相关问题：

    
    
    • domained本地系统与非畴LocalSystem帐户在Windows-ES？
    
    
    • how检查一个NT AUTHORITY \\帐户的组成员？
    
    
    • Does访问服务器资源需要客户端进程登录到服务器机器？
    
    
    • Windows工作组在LocalSystem与域（AD）本地系统[关闭]
    
    
    • how更好地建立机的发展无论是在工作组和Windows域？ [关闭]
    
    
    • interoperating从workrgroup Windows域的计算机的Windows [关闭]
    
    
    • the AD-加入机的本地用户的情况下？它是域计算机帐户或本地计算机帐户？
    
    
    • RunAs在非广告窗口[关闭]
    域帐户
    
    • how更好地建立机的发展无论是在工作组和Windows域？ [关闭]
    
    
    • how与多重引导工作组的Windows安装程序共享同一个域计算机帐户？
    
    
    • domained LocalSystem vs. non-domained LocalSystem account in Windows-es ?
    • how to check group membership of an "NT AUTHORITY\" account ?
    • Does access to server resources require client process to login to server machine?
    • Windows workgroup LocalSystem vs. domain (AD) LocalSystem [closed]
    • how to better set up machine for development both in workgroup and Windows domain? [closed]
    • interoperating with Windows domain computer from workrgroup Windows [closed]
    • the context of local user of AD-joined machine? Is it of domain machine account or of local machine account?
    • RunAs under domain account from non-AD Windows [closed]
    • how to better set up machine for development both in workgroup and Windows domain? [closed]
    • how to share the same domain machine account with multi-boot workgroup Windows setup?

    推荐答案

    有两种可能性在你的情况下，根据Windows的本地（客户）的机器上和版本的服务与Windows如何整合服务API：
    - 远程机器会看到从要求客户机器作为NT AUTHORITY \\ ANONYMOUS
    - 远程计算机将看到从客户计算机的请求域\\ COMPUTER_ACCOUNT_NAME

    There are two possibilities in your scenario, depending on the version of Windows on the local ("client") machine and on how well the service integrates with the Windows services APIs: - remote machines will see requests from the "client" machine as NT AUTHORITY\ANONYMOUS - remote machines will see requests from the "client" machine as DOMAIN\COMPUTER_ACCOUNT_NAME

    一个远程机器上只能看到从它的的的进程的请求从SYSTEM /本地系统的到来。

    A remote machine will only see requests from its own processes as coming from SYSTEM/LocalSystem.

    如果您想通过测试占你因远程请求看到上下文中找出来，使审核登录事件（成功和失败）的审核策略在远程系统上。您也可以通过使用协议分析仪一样的 Microsoft网络监视器和捕捉客户发送到远程机器背面的数据包流。

    If you want to find out through testing which account context you're seeing due to remote requests, enable Audit Logon Events (Success and Failure) in Audit Policy on the remote system. You can also find complementary (and sometimes helpful) information by using a protocol analyser like Microsoft Network Monitor, and capture the packet stream sent from "client" to remote machine and back.

    修改：又见<一个href=\"http://stackoverflow.com/questions/3765751/does-access-to-server-resources-require-client-process-to-login-to-server-machine/4037271#4037271\">my回答相关的/重叠的问题，在这里为的相关详细信息。

    Edit: also see my answer to the related/overlapping question here for related details.

    这篇关于客户是本地系统（SYSTEM）确定的目标/服务器机器？在此范围内？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！