windows 为什么 LogonUser(...) 不适用于域帐户?
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/7488786/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
Why doesn't LogonUser(...) work for domain accounts?
提问by GraemeF
I've been trying to use LogonUser(...)to get an access token for a user account, as in this MSDN sample.
我一直在尝试使用LogonUser(...)来获取用户帐户的访问令牌,就像在这个 MSDN 示例中一样。
// Call LogonUser to obtain a handle to an access token.
bool returnValue = LogonUser(userName, domainName, Console.ReadLine(),
LOGON32_LOGON_INTERACTIVE, LOGON32_PROVIDER_DEFAULT,
out safeTokenHandle);
When I run the sample (with Administrator privileges) it works fine when given a domain of .and a local user account name and password, but no matter what I do I get error code 1326 (Logon failure: unknown user name or bad password) if I try to use a domain account. I get the same result if I enter garbage for the domain, which makes me wonder if it's actually contacting the DC at all.
当我运行示例(具有管理员权限)时,如果给定域.和本地用户帐户名和密码,它可以正常工作,但无论我做什么,我都会收到错误代码 1326(登录失败:未知用户名或密码错误),如果我尝试使用域帐户。如果我为域输入垃圾,我会得到相同的结果,这让我怀疑它是否真的在与 DC 联系。
What could be stopping this from working?
什么可能阻止它工作?
回答by Brandon Barkley
In my case the issue, similar to the question asker, was that the account I was trying to authenticate to was in a domain that my current machine did not belong to. Unlike the original poster, my machine should not and could not be part of this other domain. I wanted the login to perform action on a resource on this domain though.
在我的情况下,问题与提问者类似,是我尝试验证的帐户位于我当前机器不属于的域中。与原始海报不同,我的机器不应该也不能成为其他域的一部分。不过,我希望登录名对该域上的资源执行操作。
The answer was the following
答案如下
bool success = LogonUser(
userName,
domain,
password,
(int)LOGON32_LOGON_NEW_CREDENTIALS, //9
(int)LOGON32_PROVIDER_DEFAULT, //0
out userToken);
with the following constants defined:
定义了以下常量:
public const int LOGON32_LOGON_NEW_CREDENTIALS = 9;
public const int LOGON32_PROVIDER_DEFAULT = 0;
Hopefully this will help others who are lost in a similar situation.
希望这能帮助其他在类似情况下迷失的人。
Edit:As mentioned in the comments below, this logon type allows the caller to clone its current token and specify new credentials for outbound connections. The new logon session has the same local identifier but uses different credentials for other network connections. As a result of that fact, "success" will return true even if the password is bad. You will need an additional check beyond "success" to confirm that the credentials are actually good.
编辑:如以下评论中所述,此登录类型允许调用者克隆其当前令牌并为出站连接指定新凭据。新登录会话具有相同的本地标识符,但对其他网络连接使用不同的凭据。因此,即使密码错误,“成功”也会返回 true。除了“成功”之外,您还需要进行额外的检查,以确认凭据实际上是好的。
This was not a concern in my initial use case as we used the current network user's credential in another function to pull the plaintext password from secure storage. So it would have never been wrong unless there was an inconsistency between that system and active directory in which case we had bigger problems.
这在我最初的用例中不是问题,因为我们在另一个函数中使用当前网络用户的凭据从安全存储中提取明文密码。因此,除非该系统和活动目录之间存在不一致,否则它永远不会出错,在这种情况下我们会遇到更大的问题。
回答by GraemeF
In my case it was the fact that, although I was logged in to my computer as a domain user, my computer was not itself part of the domain. Once added to the domain the sample started to work.
就我而言,事实是,尽管我以域用户身份登录到我的计算机,但我的计算机本身并不是域的一部分。一旦添加到域,示例就开始工作。
回答by Yahia
Use DOMAIN\LOGINwith an empty domainname for that case...
DOMAIN\LOGIN在这种情况下使用空域名...
