Windows Impersonation: A Flaw in the Ointment


Problem description

In my journey to master the nuances of user impersonation in Windows I first had an issue about getting impersonation to a remote database to occur at all (see this SO question) but I finally figured that out. My next hurdle is undoing/cancelling/reverting (choose your favorite verb) impersonation.

I have tried a couple different impersonation libraries that seem credible to me:

  • Phil Harding's Impersonator
  • Matt Johnson's SimpleImpersonation

The results are identical with both libraries. Best practices dictate using the LOGON32_LOGON_NEW_CREDENTIALS logon type (see the Windows API LogonUser function) for a remote DB connection. When I do that here is what my sample code produces:

// SCENARIO A
BEGIN impersonation.
Local user = MyDomain\MyUser
DB reports: MyDomain\ImpersonatedUser
END impersonation.
Local user = MyDomain\MyUser
DB reports: MyDomain\ImpersonatedUser << NOT EXPECTED HERE!!



The only workaround I have found is to use the LOGON32_LOGON_INTERACTIVE logon type and then I get this:

// SCENARIO B
BEGIN impersonation.
Local user = MyDomain\ImpersonatedUser << EXPECTED, BUT NOT WANTED!
DB reports: MyDomain\ImpersonatedUser
END impersonation.
Local user = MyDomain\MyUser
DB reports: MyDomain\MyUser

From the terse description of the WindowsImpersonationContext.Undo method it sure seems like it should have worked in Scenario A.

Is it possible to revert using the LOGON32_LOGON_NEW_CREDENTIALS logon type?

Recommended answer

Thanks to input from Harry Johnston (in comments attached to the question) and Phil Harding (in separate communication) I was able to determine that SQL Server connection pooling was the culprit here. Since pooling is determined by uniqueness of the connection string, by slightly varying the connection string (e.g. reversing order of parameters within, or even just adding a space on the end) I then observed the behaviors I expected.

===== TEST WITH SAME CONN STRING: True
BEGIN impersonation
Local user: MyDomain\msorens
DB reports: MyDomain\testuser
END impersonation
Local user: MyDomain\msorens
DB reports: MyDomain\testuser <<<<< still impersonating !!

===== TEST WITH SAME CONN STRING: False
BEGIN impersonation
Local user: MyDomain\msorens
DB reports: MyDomain\testuser
END impersonation
Local user: MyDomain\msorens
DB reports: MyDomain\msorens  <<<<< this is what I wanted to get
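
The pooling behaviour described in the answer can be avoided without relying on an accidental difference in the connection string. The sketch below is an added example, not code from the original post or from either impersonation library: it opens the impersonated connection with pooling disabled, so that connection is neither drawn from nor returned to the pool used by non-impersonated code. It assumes .NET Framework, System.Data.SqlClient and a connection string that uses integrated security; the class and method names are hypothetical.

```csharp
using System;
using System.ComponentModel;
using System.Data.SqlClient;
using System.Runtime.InteropServices;
using System.Security.Principal;

static class PoolIsolatedImpersonation
{
    const int LOGON32_LOGON_NEW_CREDENTIALS = 9;
    const int LOGON32_PROVIDER_WINNT50 = 3;   // required for NEW_CREDENTIALS

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LogonUser(string user, string domain, string password,
        int logonType, int logonProvider, out IntPtr token);

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr handle);

    // Login name SQL Server sees for a connection opened with connStr.
    public static string DbUser(string connStr)
    {
        using (var conn = new SqlConnection(connStr))
        using (var cmd = new SqlCommand("SELECT SUSER_SNAME()", conn))
        {
            conn.Open();
            return (string)cmd.ExecuteScalar();
        }
    }

    // Same query under NEW_CREDENTIALS impersonation. Pooling is switched off
    // for this connection only, so a session authenticated as the impersonated
    // user cannot be handed out again after the revert, and a pooled session
    // of the original user cannot be reused while impersonating.
    public static string DbUserAs(string user, string domain, string password,
                                  string connStr)
    {
        var isolated = new SqlConnectionStringBuilder(connStr) { Pooling = false };
        IntPtr token;
        if (!LogonUser(user, domain, password, LOGON32_LOGON_NEW_CREDENTIALS,
                       LOGON32_PROVIDER_WINNT50, out token))
            throw new Win32Exception(Marshal.GetLastWin32Error());
        try
        {
            using (WindowsIdentity.Impersonate(token))  // Dispose() reverts, like Undo()
                return DbUser(isolated.ConnectionString);
        }
        finally { CloseHandle(token); }
    }
}
```

Calling DbUser(connStr) after DbUserAs(...) with the same connStr should then report the original login, matching the "SAME CONN STRING: False" output above.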
