Does access to server resources require client process to login to server machine?


Question

Reposting my question (and its reply) from technet.microsoft: http://social.technet.microsoft.com/Forums/en-US/winserverPN/thread/a0ce2a89-5a5b-4fa9-883a-398d33eb05fa

The MSDN article on ASP.NET delegation says:


  • 1) When you configure the process identity to use a specific account, ASP.NET attempts to delegate that account. If it is a local account that is identical (including the password) to a local account on the remote computer, delegation is possible. If no such account exists on the remote computer, it appears to the network as the Windows anonymous account (NT AUTHORITY\ANONYMOUS LOGON). Delegation is also possible if the account is a domain account that has access to the remote machine, in which case that account's domain network identity is used.

The same frequently repeated story as in case of manually/interactively accessing remote computer (server resource) in workgroup - it is necessary to create local account with the same username, the same password. But why?

If a workgroup Windows client process cannot access resources on server machine without having duplicate of such (local) account on target machine already pre-created, does it mean that client (process, machine, or user) can access server resources only by/after having logged (opening logon session) into server machine?

Or, how to understand that such access is impossible without having corresponding duplicate local account on server machine?

The same MSDN article on ASP.NET delegation also says:


  • The Network Service account, which behaves like the System account but has the network credentials associated with the computer account for the domain of which it is a member (DomainName\ComputerName)

Doesn't every Windows system have accounts such as NT AUTHORITY\NETWORK SERVICE, as well as many other common pre-built accounts? Why are they installed (before any joining to a domain) but cannot be used for remote network access and client identification?

And what identity is used when a process on a workgroup Windows machine, running under the identity NT AUTHORITY\NETWORK SERVICE, accesses a remote server?

My related questions:

  • domained LocalSystem vs. non-domained LocalSystem account in Windows-es?
  • how to check group membership of an "NT AUTHORITY\" account?
  • Is client LocalSystem (SYSTEM) identified by target/server machine? and in which context?
  • Windows workgroup LocalSystem vs. domain (AD) LocalSystem [closed]
  • how to better set up machine for development both in workgroup and Windows domain? [closed]
  • interoperating with Windows domain computer from workgroup Windows [closed]
  • the context of local user of AD-joined machine? Is it of domain machine account or of local machine account?
  • RunAs under domain account from non-AD Windows [closed]
  • how to share the same domain machine account with multi-boot workgroup Windows setup?

Answer

Q1: The same frequently repeated story as in case of manually/interactively accessing remote computer (server resource) in workgroup - it is necessary to create local account with the same username, the same password. But why?

A1: Yes. See A3 below.

Q2: If a workgroup Windows client process cannot access resources on server machine without having duplicate of such (local) account on target machine already pre-created, does it mean that client (process, machine, or user) can access server resources only by/after having logged (opening logon session) into server machine?

A2: Yes - all access by processes on System1 to resources on System2 must be authenticated - except in the rare cases when someone has configured one or more resources (and system policies) on System2 to allow anonymous (i.e. unauthenticated) access. Further, System2 can only authenticate network requests that present credentials that System2 can verify - either from the local user accounts and passwords on System2, or by contacting a trusted domain controller (if System2 is joined to a domain). System2 doesn't know anything about user accounts or "user contexts" (those special 'accounts' like LocalSystem, Interactive, LocalService which are only ever represented by special hard-coded SIDs) that are only relevant on System1 - which includes any local user account defined on System1, and any of those special SIDs.

Q3: Or, how to understand that such access is impossible without having corresponding duplicate local account on server machine?

A3: The only exception (and it's not an exception, it's a designed-in use case) is when System1 authenticates using a username + password that are the same on System2. What you'll see in the network traffic is that System1's process (currently running e.g. as System1\UserX) will make a request over the network for a resource on System2 (e.g. file share, database object, web page). In that request from System1, is included "the credentials that System1 is trying to use to authenticate" (this is an abstract generalization to get away from describing things specific to any one authentication protocol - just bear with it). Under other circumstances, the account UserX doesn't exist on System2, or it has a different password, so that the authentication attempt fails on System2, and System1's request fails. That is, System2 assumes that UserX must be System2\UserX, and either the account doesn't exist or the password doesn't match.

Under the circumstance where there are matching local accounts, System2 "thinks" that System1 is logging on not with account "System1\UserX" but with "System2\UserX", and since the password matches, the authentication attempt succeeds.

Q4: Doesn't every Windows system have accounts such as NT AUTHORITY\NETWORK SERVICE, as well as many other common pre-built accounts? Why are they installed (before any joining to a domain) but cannot be used for remote network access and client identification?

A4: Remember, NETWORK SERVICE isn't a defined account (you won't find it listed in Local Users and Groups applet) but simply a SID - and if any process includes that SID in its token (depending on the circumstances of how the process with that token is created), then any resource that allows "Network Service" (which really means "any resource that allows the Network Service SID") to access the resource will allow it to pass. Otherwise, Network Service is just a user-friendly abstraction, and unfortunately user friendly usually makes things harder to get to the bottom of how it really works.

You might be able to assign permissions or Privileges to the Network Service SID before the system is joined to the domain, but requests to remote systems will respond very differently for a service running as Network Service depending on if the machine is joined to a domain or not. If joined to a domain, the remote request will usually (on modern Windows versions) attempt the remote authentication using the Domain Computer account for the local system. If not joined to a domain, there will be no credentials sent with the remote request, and the remote system will have to treat it as an anonymous (i.e. unauthenticated) request.

Q5: And what identity is used when a process on a workgroup Windows machine, running under the identity NT AUTHORITY\NETWORK SERVICE, accesses a remote server?

A5: As implied in A4, there is no identity that the remote server sees in this scenario.
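As an added example (not from the original post, the answerer, or the MSDN article), here is a small Python classifier that reads Windows Security event 4624 (successful logon) records from the server's side and sorts network logons into the cases the answer describes: a matching local account resolved against the server's own SAM (A3), an anonymous logon from a workgroup client whose process ran as a service identity (A4/A5), and the domain computer account that the same service identity uses once the client is domain-joined (A4). The field names are the real 4624 EventData names; the event lines, host names, SIDs and IP addresses are constructed for this example.

```python
"""Classify Windows Security event 4624 records the way the answer above
describes what a server actually sees.  Added example, not code from the
original post; all sample values below are constructed."""
import re
from dataclasses import dataclass

# The server whose Security log we are reading, and its machine SID prefix.
# Every account in its local SAM has a SID of the form <machine SID>-<RID>.
# Both values are constructed for this example.
SERVER_NAME = "SERVER2"
SERVER_MACHINE_SID = "S-1-5-21-1111111111-2222222222-3333333333"

ANONYMOUS_SID = "S-1-5-7"   # NT AUTHORITY\ANONYMOUS LOGON (well-known SID)
NETWORK_LOGON = "3"         # LogonType 3 = access over the network

# Constructed events, one per line, as "Field=Value" pairs (values may contain
# spaces).  SYSTEM1 is the workgroup client from the question; CORP is a domain.
SAMPLE_EVENTS = """\
TargetUserSid=S-1-5-21-1111111111-2222222222-3333333333-1001 TargetUserName=UserX TargetDomainName=SERVER2 LogonType=3 AuthenticationPackageName=NTLM WorkstationName=SYSTEM1 IpAddress=192.0.2.10
TargetUserSid=S-1-5-7 TargetUserName=ANONYMOUS LOGON TargetDomainName=NT AUTHORITY LogonType=3 AuthenticationPackageName=NTLM WorkstationName=SYSTEM1 IpAddress=192.0.2.10
TargetUserSid=S-1-5-21-4444444444-5555555555-6666666666-1106 TargetUserName=SYSTEM1$ TargetDomainName=CORP LogonType=3 AuthenticationPackageName=Kerberos WorkstationName=SYSTEM1 IpAddress=192.0.2.10
TargetUserSid=S-1-5-21-4444444444-5555555555-6666666666-1105 TargetUserName=svc_web TargetDomainName=CORP LogonType=3 AuthenticationPackageName=Kerberos WorkstationName=WEB01 IpAddress=192.0.2.20
TargetUserSid=S-1-5-21-1111111111-2222222222-3333333333-500 TargetUserName=Administrator TargetDomainName=SERVER2 LogonType=2 AuthenticationPackageName=Negotiate WorkstationName=SERVER2 IpAddress=127.0.0.1
"""

# "Key=Value" where the value runs until the next " Key=" or end of line
_PAIR = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")


def parse_event(line: str) -> dict:
    """Turn one 'Field=Value Field=Value ...' line into a dict."""
    return {k: v.strip() for k, v in _PAIR.findall(line)}


@dataclass
class Verdict:
    client: str     # WorkstationName the client reported
    seen_as: str    # the identity the server actually authenticated
    category: str   # interactive | anonymous | local-sam | domain-computer | domain-user
    note: str


def classify(ev: dict) -> Verdict:
    """Decide which of the answer's cases one logon record falls into."""
    sid, user, domain = ev["TargetUserSid"], ev["TargetUserName"], ev["TargetDomainName"]
    seen_as = f"{domain}\\{user}"
    client = ev.get("WorkstationName", "?")
    if ev["LogonType"] != NETWORK_LOGON:
        return Verdict(client, seen_as, "interactive", "not a network logon; out of scope here")
    if sid == ANONYMOUS_SID:
        # A4/A5: a workgroup client running as NETWORK SERVICE / LocalSystem sends
        # nothing the server can verify, so the server sees no identity at all.
        return Verdict(client, seen_as, "anonymous", "no verifiable credentials were presented")
    if sid.startswith(SERVER_MACHINE_SID + "-"):
        # A3: the client asked as SYSTEM1\UserX, but the server only has its own
        # SAM, so it matched name + password against SERVER2\UserX.
        return Verdict(client, seen_as, "local-sam",
                       "name+password matched a local account; client's machine name was ignored")
    if user.endswith("$"):
        # A4, domain case: the service identity on a domain-joined client
        # authenticates as that client's domain computer account.
        return Verdict(client, seen_as, "domain-computer",
                       "service on a domain-joined client used its computer account")
    return Verdict(client, seen_as, "domain-user", "verified through a trusted domain controller")


def audit(text: str = SAMPLE_EVENTS) -> list:
    """Classify every non-empty event line."""
    return [classify(parse_event(line)) for line in text.splitlines() if line.strip()]


def anonymous_clients(text: str = SAMPLE_EVENTS) -> list:
    """Defender's check: which client hosts reached this server unauthenticated?"""
    return sorted({v.client for v in audit(text) if v.category == "anonymous"})


if __name__ == "__main__":
    for v in audit():
        print(f"{v.client:>8} -> {v.seen_as:<30} {v.category:<16} {v.note}")
    print("anonymous access from:", anonymous_clients())
```

Run it as a script to print the table, or pass `audit()` text exported from a real log with the 4624 EventData fields flattened to `Field=Value` pairs. The machine-SID prefix check is what reveals that the server resolved the credentials against its own SAM no matter which machine name the client put in the request; a SID under a different `S-1-5-21-` prefix can only have been verified by a domain controller, and `S-1-5-7` means the server saw nobody at all, which is the A5 outcome for a workgroup client running as NETWORK SERVICE.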
