What is the magic to Windows impersonation with LOGON32_LOGON_NEW_CREDENTIALS?


Question


From my reading on user impersonation on Windows, one should properly use the LOGON32_LOGON_NEW_CREDENTIALS logon type for impersonating a user to a database. Using Matt Johnson's nice impersonation wrapper (originally posted here and then polished up here), I tried to test this out--here is my entire program except for constants defining my particular DOMAIN, USER, PWD, and CONN_STRING.

using System;
using System.Data.SqlClient;
using SimpleImpersonation;

namespace ImpersonationDemo
{
    class Program
    {
        // DOMAIN, USER, PWD and CONN_STRING are string constants defined
        // elsewhere in the project (omitted from the post).
        private static SqlConnection _connection;

        static void Main(string[] args)
        {
            // Impersonate DOMAIN\USER for the lifetime of the using block.
            using (Impersonation.LogonUser(
                    DOMAIN, USER, PWD, LogonType.NewCredentials))
            {
                GetOpenConnection();
                CheckDbCredentials();
                CloseConnection();
            }
            Console.WriteLine("Press return to exit");
            Console.ReadLine();
        }

        // Ask SQL Server which Windows account and which login it sees
        // for this session.
        private static void CheckDbCredentials()
        {
            using (
                var command = new SqlCommand(
                    "SELECT nt_user_name, SUSER_SNAME() "
                    + "FROM sys.dm_exec_sessions WHERE session_id = @@SPID",
                    _connection))
            {
                using (SqlDataReader reader = command.ExecuteReader())
                {
                    while (reader.Read())
                    {
                        Console.WriteLine("{0}, {1}",
                            reader.GetString(0), reader.GetString(1));
                    }
                }
            }
        }

        private static void GetOpenConnection()
        {
            _connection = new SqlConnection(CONN_STRING);
            _connection.Open();
        }

        private static void CloseConnection()
        {
            _connection.Close();
        }
    }
}


But that does not work. The output reports me (my underlying logged in user) from both nt_user_name and SUSER_NAME(). (And SQL Profiler reports exactly the same thing; the query in code is simply a convenient way to see what SQL Profiler tells me.)


If I change from LogonType.NewCredentials to LogonType.Interactive (these enums have the values you would expect, as defined on pinvoke.net), then it does work--the above code reports the correct DOMAIN and USER impersonation. But this also means the current session is being impersonated which I do not want--I only want the DB connection to be impersonated.


I thought I found one glitch in the above--Johnson's Impersonation wrapper hard-codes the logon provider as LOGON32_PROVIDER_DEFAULT, when the LogonUser API clearly states that the LOGON32_LOGON_NEW_CREDENTIALS logon type is supported only by the LOGON32_PROVIDER_WINNT50 logon provider. So I grabbed the source and added a parameter to allow specifying the requisite logon provider... but that made no difference.

So what am I missing?

Answer


The answer, I am ashamed to say, was right in front of me all along. The LogonUser API states:


This logon type allows the caller to clone its current token and specify new credentials for outbound connections. The new logon session has the same local identifier but uses different credentials for other network connections. [emphasis mine]


But my database is on the same machine as my running program so by definition it will not show the new credentials! I am confident the impersonation will work correctly with LOGON32_LOGON_NEW_CREDENTIALS once I move my database to a different box. Sigh.
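The behaviour the question and the answer describe can be observed directly without a database at all. The following added example (not the asker's code and not part of the SimpleImpersonation library) P/Invokes LogonUser itself so that both the logon type and the logon provider can be chosen, then reports what the thread's local identity looks like under each logon type. With LOGON32_LOGON_INTERACTIVE the impersonating thread really becomes DOMAIN\USER locally; with LOGON32_LOGON_NEW_CREDENTIALS the local identity stays the original user and only outbound network authentication (such as a SqlConnection to a server on another machine) carries the new credentials, which is why a local SQL Server never shows them. The DOMAIN, USER and PWD values are placeholders, and the code assumes a Windows host with .NET Framework 4.6 or later (or .NET Core) for WindowsIdentity.RunImpersonated.

```csharp
// Added example: compare the local identity seen under the two logon types.
// Not the asker's code or SimpleImpersonation; DOMAIN/USER/PWD are placeholders.
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;
using System.Security.Principal;
using Microsoft.Win32.SafeHandles;

static class ImpersonationProbe
{
    // Values as documented for LogonUser (and on pinvoke.net).
    const int LOGON32_LOGON_INTERACTIVE = 2;
    const int LOGON32_LOGON_NEW_CREDENTIALS = 9;
    const int LOGON32_PROVIDER_DEFAULT = 0;
    const int LOGON32_PROVIDER_WINNT50 = 3;

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LogonUser(string user, string domain, string password,
        int logonType, int logonProvider, out IntPtr token);

    // Logs on with the requested type and returns the name the impersonating
    // thread sees for itself (its *local* identity).
    static string LocalIdentityUnder(string domain, string user, string pwd, int logonType)
    {
        // The LogonUser documentation states that NEW_CREDENTIALS is supported
        // only by the WINNT50 provider, so select it explicitly.
        int provider = logonType == LOGON32_LOGON_NEW_CREDENTIALS
            ? LOGON32_PROVIDER_WINNT50
            : LOGON32_PROVIDER_DEFAULT;

        if (!LogonUser(user, domain, pwd, logonType, provider, out IntPtr raw))
            throw new Win32Exception(Marshal.GetLastWin32Error());

        // SafeAccessTokenHandle owns the token and closes it on Dispose.
        using (var token = new SafeAccessTokenHandle(raw))
        {
            return WindowsIdentity.RunImpersonated(token,
                () => WindowsIdentity.GetCurrent().Name);
        }
    }

    static void Main()
    {
        // Placeholders: replace with a real account before running.
        const string DOMAIN = "EXAMPLEDOMAIN";
        const string USER = "dbuser";
        const string PWD = "<placeholder>";

        Console.WriteLine("Original:       " + WindowsIdentity.GetCurrent().Name);

        // Interactive: the thread now runs as DOMAIN\USER locally as well,
        // which is what made the asker's query report the impersonated user.
        Console.WriteLine("Interactive:    "
            + LocalIdentityUnder(DOMAIN, USER, PWD, LOGON32_LOGON_INTERACTIVE));

        // NewCredentials: same local identifier as the original token; the new
        // credentials are used only for authentication to *remote* machines,
        // so a local SQL Server still sees the original user.
        Console.WriteLine("NewCredentials: "
            + LocalIdentityUnder(DOMAIN, USER, PWD, LOGON32_LOGON_NEW_CREDENTIALS));
    }
}
```

The third line of output matches the first, which is the behaviour the accepted answer quotes from the documentation: the token is cloned with the same local identity. Pointing the asker's SqlConnection at a SQL Server on a different host while inside the NewCredentials block is the only way to make the new credentials visible to the server.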
