LogonUser Lib “advapi32.dll” strange on non domain cpu when local account exists?

I'm attempting a login form for a VB.NET WinForms app, and it needs to only allow domain users in a certain group. On using the LogonUser API from advapi32.dll, either I'm not getting the flags right or something else unknown is happening.

For interest: I've known for years that using local users with the same username and password on multiple computers allowed simple user management, without the need for a full domain, when sharing files between them (i.e. at home). There is probably a policy on the computer to turn this off; please note it if you know it.

When used on a domain computer, the parameters for logon type (INTERACTIVE, NETWORK, BATCH, NEW_CREDENTIALS) all appear to work fine.

When used on a workgroup computer, e.g. in workgroup "WORKGROUP" on the same network as the domain but not on the domain, it doesn't work in any combination I try. If the account you use, e.g. MyDomain\User1, exists as MyComputer\User1, it returns MyComputer\User1 regardless of specifying the domain in the call as "MyDomain". This computer can communicate with the domain shares (by logging in), therefore I would expect to be able to log in to the domain simply for a login screen, if available. This isn't for impersonation reasons at all, just to prove who you are regardless of being on a work domain PC or BYOD.

Here's some code:

Imports System.Security.Principal

Public Class WinSecurity

    Private Declare Auto Function LogonUser Lib "advapi32.dll" (
    ByVal lpszUsername As String,
    ByVal lpszDomain As String,
    ByVal lpszPassword As String,
    ByVal dwLogonType As Integer,
    ByVal dwLogonProvider As Integer,
    ByRef phToken As IntPtr) As Boolean

    Private Declare Auto Function CloseHandle Lib "kernel32.dll" (ByVal handle As IntPtr) As Boolean

    ' Logon types (dwLogonType); Integer to match the LogonUser declaration
    Public Const LOGON32_LOGON_INTERACTIVE As Integer = 2
    Public Const LOGON32_LOGON_NETWORK As Integer = 3
    Public Const LOGON32_LOGON_BATCH As Integer = 4
    Public Const LOGON32_LOGON_SERVICE As Integer = 5
    Public Const LOGON32_LOGON_CLEARTEXT As Integer = 8
    Public Const LOGON32_LOGON_NEW_CREDENTIALS As Integer = 9

    ' Logon providers (dwLogonProvider)
    Public Const LOGON32_PROVIDER_DEFAULT As Integer = 0
    Public Const LOGON32_PROVIDER_WINNT50 As Integer = 3
    Public Const LOGON32_PROVIDER_WINNT40 As Integer = 2
    Public Const LOGON32_PROVIDER_WINNT35 As Integer = 1

    ' Track is the application's own logger (not shown here).
    Public Shared Function checkUserLogin(ByVal LoginCode As String, ByVal Password As String, ByVal Domain As String, ByVal Login As Integer, ByVal Provider As Integer) As WindowsIdentity
        Dim token As IntPtr = IntPtr.Zero
        ' Test the API's return value rather than the numeric value of the handle
        If LogonUser(LoginCode, Domain, Password, Login, Provider, token) Then
            Dim newId As New WindowsIdentity(token)
            Track.LogDEBUG(String.Format("Attempto PASS: {0}, Auth: {1}, method: {2}, Provider: {3}", newId.Name, newId.Token, Login, Provider))
            ' WindowsIdentity duplicates the token, so the original handle can be closed
            CloseHandle(token)
            Return newId
        Else
            Track.LogDEBUG(String.Format("Attempto FAIL: {0}, Auth: {1}, method: {2}, Provider: {3}", LoginCode, Domain, Login, Provider))
            Return Nothing
        End If

    End Function
End Class

''Calling Code
dim sDomain as string = "MyDomain"
WinSecurity.checkUserLogin(txtUserName.Text, txtPassword.Text, sDomain, WinSecurity.LOGON32_LOGON_INTERACTIVE, WinSecurity.LOGON32_PROVIDER_DEFAULT)
WinSecurity.checkUserLogin(txtUserName.Text, txtPassword.Text, sDomain, WinSecurity.LOGON32_LOGON_NETWORK, WinSecurity.LOGON32_PROVIDER_DEFAULT)
WinSecurity.checkUserLogin(txtUserName.Text, txtPassword.Text, sDomain, WinSecurity.LOGON32_LOGON_BATCH, WinSecurity.LOGON32_PROVIDER_DEFAULT)
WinSecurity.checkUserLogin(txtUserName.Text, txtPassword.Text, sDomain, WinSecurity.LOGON32_LOGON_NEW_CREDENTIALS, WinSecurity.LOGON32_PROVIDER_DEFAULT)
WinSecurity.checkUserLogin(txtUserName.Text, txtPassword.Text, sDomain, WinSecurity.LOGON32_LOGON_INTERACTIVE, WinSecurity.LOGON32_PROVIDER_DEFAULT)

Note: The test workgroup computer is running "Windows Server 2012 RC2", but I'm assuming the same result for Win10, etc. not on the domain.

My Results on the WorkGroup Computer - Local User Active:

Attempto PASS: MyComputer\User1, Auth: 1088, method: 2, Provider: 0
Attempto PASS: MyComputer\User1, Auth: 1100, method: 3, Provider: 0
Attempto PASS: MyComputer\User1, Auth: 1060, method: 4, Provider: 0
Attempto PASS: MyComputer\LoggedOnUser, Auth: 1108, method: 9, Provider: 0
Attempto PASS: MyComputer\User1, Auth: 1076, method: 2, Provider: 0

Results on WorkGroup Computer - Local User Disabled/doesn't exist:

Attempto FAIL: User1, Auth: MyDomain, method: 2, Provider: 0
Attempto FAIL: User1, Auth: MyDomain, method: 3, Provider: 0
Attempto FAIL: User1, Auth: MyDomain, method: 4, Provider: 0
Attempto FAIL: User1, Auth: MyDomain, method: 9, Provider: 0
Attempto FAIL: User1, Auth: MyDomain, method: 2, Provider: 0

Results on Domain Computer:

Attempto PASS: MyDomain\User1, Auth: 1340, method: 2, Provider: 0
Attempto PASS: MyDomain\User1, Auth: 1724, method: 3, Provider: 0
Attempto PASS: MyDomain\User1, Auth: 1736, method: 4, Provider: 0
Attempto PASS: MyDomain\User1, Auth: 1648, method: 9, Provider: 0
Attempto PASS: MyDomain\User1, Auth: 1744, method: 2, Provider: 0

Obviously I don't have a Trust setup to this Computer, but I'm assuming something like this should still work if I can browse to network shares?
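The results above show that a successful LogonUser call does not by itself prove a domain logon: on the workgroup machine the token belonged to MyComputer\User1, and logon type 9 returned MyComputer\LoggedOnUser. As an added example (not part of the original post), a login check can fail closed by comparing the token's account name with the requested domain and user before testing group membership. The class name, the `group` parameter, and the assumption that `domain` is the NetBIOS name and `user` a plain account name are illustrative.

```vbnet
Imports System.Runtime.InteropServices
Imports System.Security.Principal

Public NotInheritable Class DomainLoginCheck   ' hypothetical name, added example
    <DllImport("advapi32.dll", SetLastError:=True, CharSet:=CharSet.Unicode)>
    Private Shared Function LogonUser(user As String, domain As String, password As String,
                                      logonType As Integer, provider As Integer,
                                      ByRef token As IntPtr) As Boolean
    End Function

    <DllImport("kernel32.dll", SetLastError:=True)>
    Private Shared Function CloseHandle(handle As IntPtr) As Boolean
    End Function

    Private Const LOGON32_LOGON_NETWORK As Integer = 3
    Private Const LOGON32_PROVIDER_DEFAULT As Integer = 0

    ' True only if identityName is exactly "<domain>\<user>" (case-insensitive).
    ' Assumes domain is the NetBIOS name, as WindowsIdentity.Name reports it.
    Public Shared Function IsExpectedAccount(identityName As String, domain As String,
                                             user As String) As Boolean
        If String.IsNullOrEmpty(identityName) Then Return False
        Dim parts = identityName.Split("\"c)
        Return parts.Length = 2 AndAlso
               String.Equals(parts(0), domain, StringComparison.OrdinalIgnoreCase) AndAlso
               String.Equals(parts(1), user, StringComparison.OrdinalIgnoreCase)
    End Function

    ' True only when the credentials validate, the resulting token belongs to
    ' the requested domain account, and that account is in domain\group.
    Public Shared Function IsDomainGroupMember(user As String, password As String,
                                               domain As String, group As String) As Boolean
        Dim token As IntPtr = IntPtr.Zero
        Dim ok = LogonUser(user, domain, password, LOGON32_LOGON_NETWORK,
                           LOGON32_PROVIDER_DEFAULT, token)
        If Not ok Then Return False
        Try
            Using id As New WindowsIdentity(token)
                ' Reject a same-named local account (MyComputer\User1 in the post).
                If Not IsExpectedAccount(id.Name, domain, user) Then Return False
                Return New WindowsPrincipal(id).IsInRole(domain & "\" & group)
            End Using
        Finally
            CloseHandle(token)   ' WindowsIdentity holds its own duplicate
        End Try
    End Function
End Class
```

With the workgroup results from the post, `IsExpectedAccount("MyComputer\User1", "MyDomain", "User1")` is False, so the form denies access instead of accepting the local account.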
