如何将RUNAS/NETONLY功能构建到(C#/.NET/WinForms)程序中?
我们的工作站不是SQL Server所在域的成员。(他们实际上根本不在域名上——不要问) 当我们使用SSM或任何东西连接到SQL Server时,我们将RUNAS/NETONLY与DOMAIN\user一起使用。然后我们输入密码,它就会启动程序。(RUNAS/NETONLY不允许在批处理文件中包含密码) 因此,我有一个需要SQL连接的.NET WinForms应用程序,用户必须运行一个批处理文件来启动它,该批处理文件包含RUNAS/NETONLY命令行,然后启动EXE 如果用户意外地直接启动EXE,则无法连接到SQL Server 右键单击应用程序并使用“运行方式…”选项不起作用(可能是因为工作站并不真正了解域) 我正在寻找一种方法,让应用程序在启动任何重要功能之前在内部执行RUNAS/NETONLY功能 有关RUNAS/NETONLY如何工作的说明,请参见此链接:如何将RUNAS/NETONLY功能构建到(C#/.NET/WinForms)程序中?,.net,sql-server,security,authentication,runas,.net,Sql Server,Security,Authentication,Runas,我们的工作站不是SQL Server所在域的成员。(他们实际上根本不在域名上——不要问) 当我们使用SSM或任何东西连接到SQL Server时,我们将RUNAS/NETONLY与DOMAIN\user一起使用。然后我们输入密码,它就会启动程序。(RUNAS/NETONLY不允许在批处理文件中包含密码) 因此,我有一个需要SQL连接的.NET WinForms应用程序,用户必须运行一个批处理文件来启动它,该批处理文件包含RUNAS/NETONLY命令行,然后启动EXE 如果用户意外地直接启动EX
我想我只能将
LOGON\u NETCREDENTIALS\u
与CreateProcessWithLogonW
一起使用我想你不能只是将应用程序的用户添加到sql server,然后使用sql身份验证而不是windows身份验证?我只是使用模拟上下文做了类似的事情。它的使用非常直观,对我来说非常有效
要以不同的用户身份运行,语法为:
using ( new Impersonator( "myUsername", "myDomainname", "myPassword" ) )
{
// code that executes under the new context...
}
下面是课堂:
namespace Tools
{
#region Using directives.
// ----------------------------------------------------------------------
using System;
using System.Security.Principal;
using System.Runtime.InteropServices;
using System.ComponentModel;
// ----------------------------------------------------------------------
#endregion
/////////////////////////////////////////////////////////////////////////
/// <summary>
/// Impersonation of a user. Allows to execute code under another
/// user context.
/// Please note that the account that instantiates the Impersonator class
/// needs to have the 'Act as part of operating system' privilege set.
/// </summary>
/// <remarks>
/// This class is based on the information in the Microsoft knowledge base
/// article http://support.microsoft.com/default.aspx?scid=kb;en-us;Q306158
///
/// Encapsulate an instance into a using-directive like e.g.:
///
/// ...
/// using ( new Impersonator( "myUsername", "myDomainname", "myPassword" ) )
/// {
/// ...
/// [code that executes under the new context]
/// ...
/// }
/// ...
///
/// Please contact the author Uwe Keim (mailto:uwe.keim@zeta-software.de)
/// for questions regarding this class.
/// </remarks>
public class Impersonator :
IDisposable
{
#region Public methods.
// ------------------------------------------------------------------
/// <summary>
/// Constructor. Starts the impersonation with the given credentials.
/// Please note that the account that instantiates the Impersonator class
/// needs to have the 'Act as part of operating system' privilege set.
/// </summary>
/// <param name="userName">The name of the user to act as.</param>
/// <param name="domainName">The domain name of the user to act as.</param>
/// <param name="password">The password of the user to act as.</param>
public Impersonator(
string userName,
string domainName,
string password)
{
ImpersonateValidUser(userName, domainName, password);
}
// ------------------------------------------------------------------
#endregion
#region IDisposable member.
// ------------------------------------------------------------------
public void Dispose()
{
UndoImpersonation();
}
// ------------------------------------------------------------------
#endregion
#region P/Invoke.
// ------------------------------------------------------------------
[DllImport("advapi32.dll", SetLastError = true)]
private static extern int LogonUser(
string lpszUserName,
string lpszDomain,
string lpszPassword,
int dwLogonType,
int dwLogonProvider,
ref IntPtr phToken);
[DllImport("advapi32.dll", CharSet = CharSet.Auto, SetLastError = true)]
private static extern int DuplicateToken(
IntPtr hToken,
int impersonationLevel,
ref IntPtr hNewToken);
[DllImport("advapi32.dll", CharSet = CharSet.Auto, SetLastError = true)]
private static extern bool RevertToSelf();
[DllImport("kernel32.dll", CharSet = CharSet.Auto)]
private static extern bool CloseHandle(
IntPtr handle);
private const int LOGON32_LOGON_INTERACTIVE = 2;
private const int LOGON32_PROVIDER_DEFAULT = 0;
// ------------------------------------------------------------------
#endregion
#region Private member.
// ------------------------------------------------------------------
/// <summary>
/// Does the actual impersonation.
/// </summary>
/// <param name="userName">The name of the user to act as.</param>
/// <param name="domainName">The domain name of the user to act as.</param>
/// <param name="password">The password of the user to act as.</param>
private void ImpersonateValidUser(
string userName,
string domain,
string password)
{
WindowsIdentity tempWindowsIdentity = null;
IntPtr token = IntPtr.Zero;
IntPtr tokenDuplicate = IntPtr.Zero;
try
{
if (RevertToSelf())
{
if (LogonUser(
userName,
domain,
password,
LOGON32_LOGON_INTERACTIVE,
LOGON32_PROVIDER_DEFAULT,
ref token) != 0)
{
if (DuplicateToken(token, 2, ref tokenDuplicate) != 0)
{
tempWindowsIdentity = new WindowsIdentity(tokenDuplicate);
impersonationContext = tempWindowsIdentity.Impersonate();
}
else
{
throw new Win32Exception(Marshal.GetLastWin32Error());
}
}
else
{
throw new Win32Exception(Marshal.GetLastWin32Error());
}
}
else
{
throw new Win32Exception(Marshal.GetLastWin32Error());
}
}
finally
{
if (token != IntPtr.Zero)
{
CloseHandle(token);
}
if (tokenDuplicate != IntPtr.Zero)
{
CloseHandle(tokenDuplicate);
}
}
}
/// <summary>
/// Reverts the impersonation.
/// </summary>
private void UndoImpersonation()
{
if (impersonationContext != null)
{
impersonationContext.Undo();
}
}
private WindowsImpersonationContext impersonationContext = null;
// ------------------------------------------------------------------
#endregion
}
/////////////////////////////////////////////////////////////////////////
}
名称空间工具
{
#区域使用指令。
// ----------------------------------------------------------------------
使用制度;
使用System.Security.Principal;
使用System.Runtime.InteropServices;
使用系统组件模型;
// ----------------------------------------------------------------------
#端区
/////////////////////////////////////////////////////////////////////////
///
///模拟用户。允许在另一个用户下执行代码
///用户上下文。
///请注意,实例化模拟程序类的帐户
///需要设置“作为操作系统的一部分”权限。
///
///
///本课程基于Microsoft知识库中的信息
///文章http://support.microsoft.com/default.aspx?scid=kb;美国;Q306158
///
///将实例封装到using指令中,例如:
///
/// ...
///使用(新的模拟程序(“myUsername”、“myDomainname”、“myPassword”))
/// {
/// ...
///[在新上下文下执行的代码]
/// ...
/// }
/// ...
///
///请联系作者Uwe Keim(mailto:Uwe。keim@zeta-软件(de)
///关于这门课的问题。
///
公共类模拟程序:
可识别
{
#区域公共方法。
// ------------------------------------------------------------------
///
///构造函数。使用给定的凭据启动模拟。
///请注意,实例化模拟程序类的帐户
///需要设置“作为操作系统的一部分”权限。
///
///要充当的用户的名称。
///要充当的用户的域名。
///要充当的用户的密码。
公众模仿者(
字符串用户名,
字符串域名,
字符串(密码)
{
ImpersonateValidUser(用户名、域名、密码);
}
// ------------------------------------------------------------------
#端区
#区域IDisposable成员。
// ------------------------------------------------------------------
公共空间处置()
{
取消模拟();
}
// ------------------------------------------------------------------
#端区
#区域P/调用。
// ------------------------------------------------------------------
[DllImport(“advapi32.dll”,SetLastError=true)]
私有静态外部int LogonUser(
字符串lpszUserName,
字符串lpszDomain,
字符串lpszPassword,
int dwLogonType,
int dwLogonProvider,
ref IntPtr phToken);
[DllImport(“advapi32.dll”,CharSet=CharSet.Auto,SetLastError=true)]
私有静态外部重复标记(
IntPtr hToken,
int模拟级别,
参考IntPtr hNewToken);
[DllImport(“advapi32.dll”,CharSet=CharSet.Auto,SetLastError=true)]
私有静态外部bool retertoself();
[DllImport(“kernel32.dll”,CharSet=CharSet.Auto)]
私有静态外部布尔闭合句柄(
IntPtr手柄);
private const int LOGON32\u LOGON\u INTERACTIVE=2;
private const int LOGON32_PROVIDER_DEFAULT=0;
// ------------------------------------------------------------------
#端区
#区域私人成员。
// ------------------------------------------------------------------
///
///进行实际模拟。
///
///要充当的用户的名称。
///要充当的用户的域名。
///要充当的用户的密码。
私有无效模拟ValidUser(
字符串用户名,
字符串域,
字符串(密码)
{
WindowsIdentity tempWindowsIdentity=null;
IntPtr令牌=IntPtr.Zero;
IntPtr-tokenDuplicate=IntPtr.Zero;
尝试
{
if(restortoself())
{
如果(登录用户)(
用户名,
领域,
public static Process Elevated( string process, string args, string username, string password, string workingDirectory )
{
if( process == null || process.Length == 0 ) throw new ArgumentNullException( "process" );
process = Path.GetFullPath( process );
string domain = null;
if( username != null )
username = GetUsername( username, out domain );
ProcessStartInfo info = new ProcessStartInfo();
info.UseShellExecute = false;
info.Arguments = args;
info.WorkingDirectory = workingDirectory ?? Path.GetDirectoryName( process );
info.FileName = process;
info.Verb = "runas";
info.UserName = username;
info.Domain = domain;
info.LoadUserProfile = true;
if( password != null )
{
SecureString ss = new SecureString();
foreach( char c in password )
ss.AppendChar( c );
info.Password = ss;
}
return Process.Start( info );
}
private static string GetUsername( string username, out string domain )
{
SplitUserName( username, out username, out domain );
if( domain == null && username.IndexOf( '@' ) < 0 )
domain = Environment.GetEnvironmentVariable( "USERDOMAIN" );
return username;
}
private const int LOGON32_LOGON_NEW_CREDENTIALS = 9;
namespace Tools
{
#region Using directives.
// ----------------------------------------------------------------------
using System;
using System.Security.Principal;
using System.Runtime.InteropServices;
using System.ComponentModel;
// ----------------------------------------------------------------------
#endregion
/////////////////////////////////////////////////////////////////////////
/// <summary>
/// Impersonation of a user. Allows to execute code under another
/// user context.
/// Please note that the account that instantiates the Impersonator class
/// needs to have the 'Act as part of operating system' privilege set.
/// </summary>
/// <remarks>
/// This class is based on the information in the Microsoft knowledge base
/// article http://support.microsoft.com/default.aspx?scid=kb;en-us;Q306158
///
/// Encapsulate an instance into a using-directive like e.g.:
///
/// ...
/// using ( new Impersonator( "myUsername", "myDomainname", "myPassword" ) )
/// {
/// ...
/// [code that executes under the new context]
/// ...
/// }
/// ...
///
/// Please contact the author Uwe Keim (mailto:uwe.keim@zeta-software.de)
/// for questions regarding this class.
/// </remarks>
public class Impersonator :
IDisposable
{
#region Public methods.
// ------------------------------------------------------------------
/// <summary>
/// Constructor. Starts the impersonation with the given credentials.
/// Please note that the account that instantiates the Impersonator class
/// needs to have the 'Act as part of operating system' privilege set.
/// </summary>
/// <param name="userName">The name of the user to act as.</param>
/// <param name="domainName">The domain name of the user to act as.</param>
/// <param name="password">The password of the user to act as.</param>
public Impersonator(
string userName,
string domainName,
string password)
{
ImpersonateValidUser(userName, domainName, password);
}
// ------------------------------------------------------------------
#endregion
#region IDisposable member.
// ------------------------------------------------------------------
public void Dispose()
{
UndoImpersonation();
}
// ------------------------------------------------------------------
#endregion
#region P/Invoke.
// ------------------------------------------------------------------
[DllImport("advapi32.dll", SetLastError = true)]
private static extern int LogonUser(
string lpszUserName,
string lpszDomain,
string lpszPassword,
int dwLogonType,
int dwLogonProvider,
ref IntPtr phToken);
[DllImport("advapi32.dll", CharSet = CharSet.Auto, SetLastError = true)]
private static extern int DuplicateToken(
IntPtr hToken,
int impersonationLevel,
ref IntPtr hNewToken);
[DllImport("advapi32.dll", CharSet = CharSet.Auto, SetLastError = true)]
private static extern bool RevertToSelf();
[DllImport("kernel32.dll", CharSet = CharSet.Auto)]
private static extern bool CloseHandle(
IntPtr handle);
private const int LOGON32_LOGON_INTERACTIVE = 2;
private const int LOGON32_LOGON_NEW_CREDENTIALS = 9;
private const int LOGON32_PROVIDER_DEFAULT = 0;
// ------------------------------------------------------------------
#endregion
#region Private member.
// ------------------------------------------------------------------
/// <summary>
/// Does the actual impersonation.
/// </summary>
/// <param name="userName">The name of the user to act as.</param>
/// <param name="domainName">The domain name of the user to act as.</param>
/// <param name="password">The password of the user to act as.</param>
private void ImpersonateValidUser(
string userName,
string domain,
string password)
{
WindowsIdentity tempWindowsIdentity = null;
IntPtr token = IntPtr.Zero;
IntPtr tokenDuplicate = IntPtr.Zero;
try
{
if (RevertToSelf())
{
if (LogonUser(
userName,
domain,
password,
LOGON32_LOGON_NEW_CREDENTIALS,
LOGON32_PROVIDER_DEFAULT,
ref token) != 0)
{
if (DuplicateToken(token, 2, ref tokenDuplicate) != 0)
{
tempWindowsIdentity = new WindowsIdentity(tokenDuplicate);
impersonationContext = tempWindowsIdentity.Impersonate();
}
else
{
throw new Win32Exception(Marshal.GetLastWin32Error());
}
}
else
{
throw new Win32Exception(Marshal.GetLastWin32Error());
}
}
else
{
throw new Win32Exception(Marshal.GetLastWin32Error());
}
}
finally
{
if (token != IntPtr.Zero)
{
CloseHandle(token);
}
if (tokenDuplicate != IntPtr.Zero)
{
CloseHandle(tokenDuplicate);
}
}
}
/// <summary>
/// Reverts the impersonation.
/// </summary>
private void UndoImpersonation()
{
if (impersonationContext != null)
{
impersonationContext.Undo();
}
}
private WindowsImpersonationContext impersonationContext = null;
// ------------------------------------------------------------------
#endregion
}
/////////////////////////////////////////////////////////////////////////
}
public class Impersonator
{
[DllImport("ADVAPI32.DLL", SetLastError = true, CharSet = CharSet.Unicode)]
private static extern bool LogonUser(
string lpszUsername,
string lpszDomain,
string lpszPassword,
int dwLogonType,
int dwLogonProvider,
out SafeAccessTokenHandle phToken);
public void RunAs(string domain, string username, string password, Action action)
{
using (var accessToken = GetUserAccessToken(domain, username, password))
{
WindowsIdentity.RunImpersonated(accessToken, action);
}
}
private SafeAccessTokenHandle GetUserAccessToken(string domain, string username, string password)
{
const int LOGON32_PROVIDER_DEFAULT = 0;
const int LOGON32_LOGON_NETONLY = 9;
bool isLogonSuccessful = LogonUser(username, domain, password, LOGON32_LOGON_NETONLY, LOGON32_PROVIDER_DEFAULT, out var safeAccessTokenHandle);
if (!isLogonSuccessful)
{
throw new Win32Exception(Marshal.GetLastWin32Error());
}
return safeAccessTokenHandle;
}
}
_impersonator.RunAs(
"DOMAIN",
"Username",
"Password",
() =>
{
Console.WriteLine("code executed here runs as the specified user with /netonly");
});