I have two Active Directory domains, A and B. Users in domain A need to run an application on their desktops to view and manipulate a resource located on a server in domain B. Each user also has an account in domain B. Is it possible to impersonate each user's domain B identity to perform operations on the domain B resource programatically?
我有两个Active Directory域,A和B.域A中的用户需要在其桌面上运行应用程序以查看和操作位于域B中的服务器上的资源。每个用户在域B中也有一个帐户。是否可能模仿每个用户的域B身份以编程方式对域B资源执行操作?
Example Workflow:
- User logs in to domain A.
- User launches desktop application.
- User specifies resource in domain B.
- Application prompts user for domain B credentials.
- Application impersonates user's domain B identity to access specified resource.
- User manipulates domain B resource using application.
用户登录域A.
用户启动桌面应用程序。
用户指定域B中的资源。
应用程序提示用户输入域B凭据。
应用程序模拟用户的域B身份以访问指定的资源。
用户使用应用程序操纵域B资源。
3 个解决方案
#1
I'm going to speak in terms of Win32 APIs, but I'm pretty sure you can p/invoke to these from .NET. Check http://pinvoke.net.
我将谈论Win32 API,但我很确定你可以从.NET调用它们。检查http://pinvoke.net。
You need to call the LogonUser API to create an access token that represents the user's domain B credentials.
您需要调用LogonUser API来创建表示用户的域B凭据的访问令牌。
Then you call ImpersonateLoggedOnUser, passing in that access token. The calling thread will impersonate the domain B credentials until you impersonate a different set of credentials or call the RevertToSelf API.
然后调用ImpersonateLoggedOnUser,传入该访问令牌。调用线程将模拟域B凭据,直到您模拟不同的凭据集或调用RevertToSelf API。
I guess it goes without saying that, for the LogonUser call to succeed, the machine you're running on will need to trust domain B.
我想不用说,为了使LogonUser调用成功,你运行的机器需要信任域B.
#2
If your computer (the one doing the impersonation) is a member of a domain which does not trust the domain of the user account you are trying to impersonate, then impersonation will fail. Anybody who says otherwise, I would love to see proof.
如果您的计算机(进行模拟的计算机)是域的成员,该域不信任您尝试模拟的用户帐户的域,则模拟将失败。任何不这么说的人,我都希望看到证据。
#1
I'm going to speak in terms of Win32 APIs, but I'm pretty sure you can p/invoke to these from .NET. Check http://pinvoke.net.
我将谈论Win32 API,但我很确定你可以从.NET调用它们。检查http://pinvoke.net。
You need to call the LogonUser API to create an access token that represents the user's domain B credentials.
您需要调用LogonUser API来创建表示用户的域B凭据的访问令牌。
Then you call ImpersonateLoggedOnUser, passing in that access token. The calling thread will impersonate the domain B credentials until you impersonate a different set of credentials or call the RevertToSelf API.
然后调用ImpersonateLoggedOnUser,传入该访问令牌。调用线程将模拟域B凭据,直到您模拟不同的凭据集或调用RevertToSelf API。
I guess it goes without saying that, for the LogonUser call to succeed, the machine you're running on will need to trust domain B.
我想不用说,为了使LogonUser调用成功,你运行的机器需要信任域B.
#2
If your computer (the one doing the impersonation) is a member of a domain which does not trust the domain of the user account you are trying to impersonate, then impersonation will fail. Anybody who says otherwise, I would love to see proof.
如果您的计算机(进行模拟的计算机)是域的成员,该域不信任您尝试模拟的用户帐户的域,则模拟将失败。任何不这么说的人,我都希望看到证据。
#3
Check out this question, which covers the impersonation issues you need.
查看此问题,其中涵盖了您需要的模拟问题。