Getting the Current username when impersonated

Problem description

I am using something like the following method to impersonate a user in my code:

Impersonation in .NET

In another class, I need to find out the current user (like "mydomain\moose"), but I won't have any idea if I'm currently impersonating another user or not.

How do I get the username, if I'm impersonating someone?

System.Environment.UserName and System.Security.Principal.WindowsIdentity.GetCurrent().Name both return the original user, not the currently impersonated user.

More details:

I am doing this impersonation so that I can access some files in a network share the user usually does not have access to.

If I use a logon type of LOGON32_LOGON_INTERACTIVE, I do see the new user, but I cannot access the network share. If I use a logon type of LOGON32_LOGON_NEW_CREDENTIALS (a value of 9), I can access the network share but I don't see the new user in Environment.UserName.

Recommended answer

BEGIN EDIT: I've realized that my first attempt to answer the question wasn't very clear. So, I'd like to start another attempt:

First, I'd like to point out what the property WindowsIdentity.GetCurrent().Name will return if you use LOGON32_LOGON_NEW_CREDENTIALS or LOGON32_LOGON_INTERACTIVE as logon type for the LogonUser (inside the impersonation class) function:

  1. Using LOGON32_LOGON_INTERACTIVE

    // Assuming this code runs under USER_B

    using (var imp = new Impersonation("treyresearch", "USER_A", "SecurePwd", LOGON32_LOGON_INTERACTIVE))
    {
      // Now, we run under USER_A
      Console.Out.WriteLine(WindowsIdentity.GetCurrent().Name); // Will return USER_A
    }

  2. Using LOGON32_LOGON_NEW_CREDENTIALS

    // Assuming this code runs under USER_B
    
    using (var imp = new Impersonation("treyresearch", "USER_A", "SecurePwd", LOGON32_LOGON_NEW_CREDENTIALS ))
    {
      Console.Out.WriteLine(WindowsIdentity.GetCurrent().Name); // Will return USER_B
    }
    

    This is the behaviour as you have described in your question and is consistent with the description on MSDN for the LogonUser function. For LOGON32_LOGON_NEW_CREDENTIALS the created user token is just a clone of the current user token. This means that the created user session has the same identifier as the calling thread. The passed credentials to the LogonUser function are only used for outbound network connections.

    Second, let me point out two situations where the described difference between LOGON32_LOGON_INTERACTIVE and LOGON32_LOGON_NEW_CREDENTIALS becomes clear:

    • Two domain joined computers: computer_A, computer_B
    • Two users: user_A (local admin on computer_A), user_B (only standard user rights on B)
    • One networkshare on computer_B (mynetworkshare, user_B does have permission to access share).
    • One local folder on computer_A (only user_A has permission to write to this folder).

    You run your program on computer_A (under the account of user_A). You impersonate user_B (using LOGON32_LOGON_INTERACTIVE). Then you connect to the network share on computer_B and try to copy a file to the local folder (only user_A has the permission to write to this folder). Then, you get an access denied error message, because the file operation is done with the permissions of user_B who does not have permission on the local folder.

    Same situation as above. But now, we use LOGON32_LOGON_NEW_CREDENTIALS to impersonate user_B. We connect to the network drive and copy a file from the network drive to the local folder. In this case the operation succeeds because the file operation is done with the permissions of user_A.

    END EDIT

    Hope this helps.
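
As an added example (not part of the original answer, and not the Impersonation class the question links to): because the token cannot report the account used for outbound connections under LOGON32_LOGON_NEW_CREDENTIALS, a wrapper can record that account at logon time so other classes can ask for it. The names NetworkImpersonation, LocalUser, NetworkUser and Run are hypothetical; the code assumes .NET Framework 4.6+ or .NET on Windows.

```csharp
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;
using System.Security.Principal;
using System.Threading;
using Microsoft.Win32.SafeHandles;

// Hypothetical helper, added for illustration.
public static class NetworkImpersonation
{
    public const int LOGON32_LOGON_INTERACTIVE = 2;
    public const int LOGON32_LOGON_NEW_CREDENTIALS = 9;
    const int LOGON32_PROVIDER_DEFAULT = 0;
    const int LOGON32_PROVIDER_WINNT50 = 3; // the provider logon type 9 requires

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LogonUser(string user, string domain, string password,
        int logonType, int logonProvider, out SafeAccessTokenHandle token);

    // Account whose credentials were passed to LogonUser; null outside Run().
    static readonly AsyncLocal<string> networkUser = new AsyncLocal<string>();

    // Identity used for local access checks: always read from the token.
    public static string LocalUser => WindowsIdentity.GetCurrent().Name;

    // Identity presented to remote servers. With logon type 9 the token still
    // names the original user, so the value recorded at logon is returned.
    public static string NetworkUser => networkUser.Value ?? LocalUser;

    public static void Run(string domain, string user, string password,
                           int logonType, Action action)
    {
        int provider = logonType == LOGON32_LOGON_NEW_CREDENTIALS
            ? LOGON32_PROVIDER_WINNT50 : LOGON32_PROVIDER_DEFAULT;
        if (!LogonUser(user, domain, password, logonType, provider,
                       out SafeAccessTokenHandle token))
            throw new Win32Exception(Marshal.GetLastWin32Error());
        using (token)
        {
            string previous = networkUser.Value;
            networkUser.Value = domain + "\\" + user;
            try { WindowsIdentity.RunImpersonated(token, action); }
            finally { networkUser.Value = previous; } // restore on exit
        }
    }
}
```

Inside the action passed to `Run`, code in any class can read `NetworkImpersonation.NetworkUser` for the share-facing account and `NetworkImpersonation.LocalUser` for the account that local ACL checks apply to.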
