我们的工作站不是 SQL Server 所在域的成员。 (它们实际上根本不在域中 - 不要问)。
当我们使用 SSMS 或任何其他方式连接到 SQL Server 时,我们将 RUNAS/NETONLY 与 DOMAIN\user 一起使用。然后我们输入密码并启动程序。 (RUNAS/NETONLY 不允许您在批处理文件中包含密码)。
所以我有一个需要 SQL 连接的 .NET WinForms 应用程序,用户必须通过运行具有 RUNAS/NETONLY 命令行的批处理文件来启动它,然后启动 EXE。
如果用户不小心直接启动EXE,它将无法连接到SQL Server。
右键单击应用程序并使用“运行方式...”选项不起作用(可能是因为工作站并不真正了解域)。
我正在寻找一种方法,让应用程序在启动任何重要操作之前在内部执行 RUNAS/NETONLY 功能。
有关 RUNAS/NETONLY 工作原理的说明,请参阅此链接:http://www.eggheadcafe.com/conversation.aspx?messageid=32443204&threadid=32442982
我想我必须将 LOGON_NETCREDENTIALS_ONLY 与 CreateProcessWithLogonW 一起使用
最佳答案
我知道这是一个旧线程,但它非常有用。我的情况与 Cade Roux 完全相同,因为我想要/netonly 风格的功能。
约翰·拉什的答案只需稍作修改即可!!!
添加以下常量(为了保持一致性,在第 102 行左右):
private const int LOGON32_LOGON_NEW_CREDENTIALS = 9;
然后将对 LogonUser 的调用更改为使用 LOGON32_LOGON_NEW_CREDENTIALS 而不是 LOGON32_LOGON_INTERACTIVE。
这是我必须做出的唯一更改才能使其完美运行!谢谢约翰和凯德!!!
以下是完整的修改后的代码,以便于复制/粘贴:
namespace Tools
{
#region Using directives.
// ----------------------------------------------------------------------
using System;
using System.Security.Principal;
using System.Runtime.InteropServices;
using System.ComponentModel;
// ----------------------------------------------------------------------
#endregion
/////////////////////////////////////////////////////////////////////////
/// <summary>
/// Impersonation of a user. Allows to execute code under another
/// user context.
/// Please note that the account that instantiates the Impersonator class
/// needs to have the 'Act as part of operating system' privilege set.
/// </summary>
/// <remarks>
/// This class is based on the information in the Microsoft knowledge base
/// article http://support.microsoft.com/default.aspx?scid=kb;en-us;Q306158
///
/// Encapsulate an instance into a using-directive like e.g.:
///
/// ...
/// using ( new Impersonator( "myUsername", "myDomainname", "myPassword" ) )
/// {
/// ...
/// [code that executes under the new context]
/// ...
/// }
/// ...
///
/// Please contact the author Uwe Keim (mailto:uwe.keim@zeta-software.de)
/// for questions regarding this class.
/// </remarks>
public class Impersonator :
IDisposable
{
#region Public methods.
// ------------------------------------------------------------------
/// <summary>
/// Constructor. Starts the impersonation with the given credentials.
/// Please note that the account that instantiates the Impersonator class
/// needs to have the 'Act as part of operating system' privilege set.
/// </summary>
/// <param name="userName">The name of the user to act as.</param>
/// <param name="domainName">The domain name of the user to act as.</param>
/// <param name="password">The password of the user to act as.</param>
public Impersonator(
string userName,
string domainName,
string password)
{
ImpersonateValidUser(userName, domainName, password);
}
// ------------------------------------------------------------------
#endregion
#region IDisposable member.
// ------------------------------------------------------------------
public void Dispose()
{
UndoImpersonation();
}
// ------------------------------------------------------------------
#endregion
#region P/Invoke.
// ------------------------------------------------------------------
[DllImport("advapi32.dll", SetLastError = true)]
private static extern int LogonUser(
string lpszUserName,
string lpszDomain,
string lpszPassword,
int dwLogonType,
int dwLogonProvider,
ref IntPtr phToken);
[DllImport("advapi32.dll", CharSet = CharSet.Auto, SetLastError = true)]
private static extern int DuplicateToken(
IntPtr hToken,
int impersonationLevel,
ref IntPtr hNewToken);
[DllImport("advapi32.dll", CharSet = CharSet.Auto, SetLastError = true)]
private static extern bool RevertToSelf();
[DllImport("kernel32.dll", CharSet = CharSet.Auto)]
private static extern bool CloseHandle(
IntPtr handle);
private const int LOGON32_LOGON_INTERACTIVE = 2;
private const int LOGON32_LOGON_NEW_CREDENTIALS = 9;
private const int LOGON32_PROVIDER_DEFAULT = 0;
// ------------------------------------------------------------------
#endregion
#region Private member.
// ------------------------------------------------------------------
/// <summary>
/// Does the actual impersonation.
/// </summary>
/// <param name="userName">The name of the user to act as.</param>
/// <param name="domainName">The domain name of the user to act as.</param>
/// <param name="password">The password of the user to act as.</param>
private void ImpersonateValidUser(
string userName,
string domain,
string password)
{
WindowsIdentity tempWindowsIdentity = null;
IntPtr token = IntPtr.Zero;
IntPtr tokenDuplicate = IntPtr.Zero;
try
{
if (RevertToSelf())
{
if (LogonUser(
userName,
domain,
password,
LOGON32_LOGON_NEW_CREDENTIALS,
LOGON32_PROVIDER_DEFAULT,
ref token) != 0)
{
if (DuplicateToken(token, 2, ref tokenDuplicate) != 0)
{
tempWindowsIdentity = new WindowsIdentity(tokenDuplicate);
impersonationContext = tempWindowsIdentity.Impersonate();
}
else
{
throw new Win32Exception(Marshal.GetLastWin32Error());
}
}
else
{
throw new Win32Exception(Marshal.GetLastWin32Error());
}
}
else
{
throw new Win32Exception(Marshal.GetLastWin32Error());
}
}
finally
{
if (token != IntPtr.Zero)
{
CloseHandle(token);
}
if (tokenDuplicate != IntPtr.Zero)
{
CloseHandle(tokenDuplicate);
}
}
}
/// <summary>
/// Reverts the impersonation.
/// </summary>
private void UndoImpersonation()
{
if (impersonationContext != null)
{
impersonationContext.Undo();
}
}
private WindowsImpersonationContext impersonationContext = null;
// ------------------------------------------------------------------
#endregion
}
/////////////////////////////////////////////////////////////////////////
}
关于.net - 如何将 RUNAS/NETONLY 功能构建到 (C#/.NET/WinForms) 程序中?,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/757857/