CreateProcessAsUser() gives "A required privilege is not held by the client". Which one?


Problem description

Using System.Diagnostics.Process.Start() from IIS Express running in my interactive session, I can execute a program running as a different user with correction functionality. Unfortunately, it seems that this doesn't work from non-interactive sessions.


Process.Start internally calls CreateProcessWithLogonW (CPLW) when credentials are specified. CreateProcessWithLogonW cannot be called from a Windows service environment (such as an IIS WCF service). It can only be called from an interactive process (an application started by a user who logged on via CTRL-ALT-DELETE).

- from this SO answer

I need to publish this site to IIS 8 from the app pool account. So I use CreateProcessAsUser as suggested by the above-quoted answer. I've set up the service account and agent account with Local Security Policies and restarted as suggested in that answer: the service account can replace a token and modify quotas, and the agent account can log on as batch (and as a service, for that test). But I can't get it to work in IIS Express (or a console test app) nor in IIS 8. I've tried running as LOGON32_LOGON_BATCH, LOGON32_LOGON_NETWORK_CLEARTEXT, and LOGON32_LOGON_SERVICE, and even LOGON32_LOGON_INTERACTIVE. I've even given my own account the "Log on as a service" and "Act as part of the operating system" privileges with no change; all tested after a reboot.

I'm getting "A required privilege is not held by the client" from IIS Express for all configurations. On the server, I get the same when running the console app. But when publishing the app, it seems to start the process just fine, but then I seem to get permissions errors subsequently.

I'd like to know WHICH privilege my accounts are missing when running locally so I can debug them properly (and eventually figure out whatever permissions error I'm getting). Is there any way to determine that? Either way, if you know what the issue is, I'd like to hear that too!

Thanks!

Answer

According to the documentation:

CreateProcessAsUser function


Typically, the process that calls the CreateProcessAsUser function must have the SE_INCREASE_QUOTA_NAME privilege and may require the SE_ASSIGNPRIMARYTOKEN_NAME privilege if the token is not assignable. If this function fails with ERROR_PRIVILEGE_NOT_HELD (1314), use the CreateProcessWithLogonW function instead. CreateProcessWithLogonW requires no special privileges, but the specified user account must be allowed to log on interactively. Generally, it is best to use CreateProcessWithLogonW to create a process with alternate credentials.

...

If hToken is a restricted version of the caller's primary token, the SE_ASSIGNPRIMARYTOKEN_NAME privilege is not required. If the necessary privileges are not already enabled, CreateProcessAsUser enables them for the duration of the call.

The calling thread can use OpenThreadToken() and AdjustTokenPrivileges() to enable individual privileges as needed before calling CreateProcessAsUser(). But since it does that internally anyway, that implies the user associated with the calling thread does not have those privileges available to begin with.
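The question asks how to find out which privilege is missing, and the answer names the two candidates (SE_INCREASE_QUOTA_NAME and SE_ASSIGNPRIMARYTOKEN_NAME). The following C# console program is an added diagnostic example, not code from the question or the answer: it opens the current process token, enumerates the privileges it actually contains, and reports whether the two privileges CreateProcessAsUser may need are present and whether they are enabled. The Win32 calls (OpenProcessToken, GetTokenInformation, LookupPrivilegeName) and the privilege names are real; the class name TokenPrivilegeCheck is my own. Run it under the identity that will call CreateProcessAsUser (the app pool account, or the interactive account for IIS Express), because only that token matters.

```csharp
using System;
using System.Collections.Generic;
using System.ComponentModel;
using System.Runtime.InteropServices;
using System.Text;

// Added diagnostic (not from the original post): which privileges does my token hold?
static class TokenPrivilegeCheck
{
    const uint TOKEN_QUERY = 0x0008;
    const int TokenPrivilegesClass = 3;        // TOKEN_INFORMATION_CLASS.TokenPrivileges
    const uint SE_PRIVILEGE_ENABLED = 0x00000002;

    [StructLayout(LayoutKind.Sequential)]
    struct LUID { public uint LowPart; public int HighPart; }

    [StructLayout(LayoutKind.Sequential)]
    struct LUID_AND_ATTRIBUTES { public LUID Luid; public uint Attributes; }

    [DllImport("kernel32.dll")]
    static extern IntPtr GetCurrentProcess();

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr hObject);

    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool OpenProcessToken(IntPtr ProcessHandle, uint DesiredAccess, out IntPtr TokenHandle);

    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool GetTokenInformation(IntPtr TokenHandle, int TokenInformationClass,
        IntPtr TokenInformation, uint TokenInformationLength, out uint ReturnLength);

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LookupPrivilegeName(string lpSystemName, ref LUID lpLuid,
        StringBuilder lpName, ref uint cchName);

    // Returns privilege name -> true if enabled, false if present but currently disabled.
    // A privilege that is not in the dictionary is not in the token at all; AdjustTokenPrivileges
    // (and CreateProcessAsUser's internal enabling) cannot add it, only the logon can.
    public static Dictionary<string, bool> GetCurrentPrivileges()
    {
        IntPtr token;
        if (!OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, out token))
            throw new Win32Exception();
        try
        {
            uint length;
            GetTokenInformation(token, TokenPrivilegesClass, IntPtr.Zero, 0, out length); // size query
            IntPtr buffer = Marshal.AllocHGlobal((int)length);
            try
            {
                if (!GetTokenInformation(token, TokenPrivilegesClass, buffer, length, out length))
                    throw new Win32Exception();
                // TOKEN_PRIVILEGES = DWORD PrivilegeCount; LUID_AND_ATTRIBUTES Privileges[ANYSIZE_ARRAY];
                int count = Marshal.ReadInt32(buffer);
                int entrySize = Marshal.SizeOf(typeof(LUID_AND_ATTRIBUTES));
                var result = new Dictionary<string, bool>(StringComparer.OrdinalIgnoreCase);
                for (int i = 0; i < count; i++)
                {
                    IntPtr entry = new IntPtr(buffer.ToInt64() + 4 + i * entrySize);
                    var la = (LUID_AND_ATTRIBUTES)Marshal.PtrToStructure(entry, typeof(LUID_AND_ATTRIBUTES));
                    var name = new StringBuilder(256);
                    uint cch = (uint)name.Capacity;
                    if (LookupPrivilegeName(null, ref la.Luid, name, ref cch))
                        result[name.ToString()] = (la.Attributes & SE_PRIVILEGE_ENABLED) != 0;
                }
                return result;
            }
            finally { Marshal.FreeHGlobal(buffer); }
        }
        finally { CloseHandle(token); }
    }

    // Exit code = number of required privileges that are absent from the token.
    static int Main()
    {
        var privs = GetCurrentPrivileges();
        // SE_INCREASE_QUOTA_NAME and SE_ASSIGNPRIMARYTOKEN_NAME as named in the documentation quoted above.
        string[] needed = { "SeIncreaseQuotaPrivilege", "SeAssignPrimaryTokenPrivilege" };
        int missing = 0;
        foreach (string p in needed)
        {
            bool enabled;
            if (privs.TryGetValue(p, out enabled))
                Console.WriteLine("{0}: present, {1}", p,
                    enabled ? "enabled" : "disabled (CreateProcessAsUser enables it for the call)");
            else
            {
                Console.WriteLine("{0}: NOT in token; grant it in Local Security Policy and log on again", p);
                missing++;
            }
        }
        return missing;
    }
}
```

In the Local Security Policy UI these two privileges appear under User Rights Assignment as "Adjust memory quotas for a process" (SeIncreaseQuotaPrivilege) and "Replace a process level token" (SeAssignPrimaryTokenPrivilege). A right granted there only shows up in tokens created by a new logon, so an already-running app pool or interactive session keeps its old token until it is restarted or the user logs on again; this program makes that visible, which is the check the question is asking for.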
