Overhead of LogonUser?

After doing a chunk of reading about authenticating users (both here in SO land and the internet generally), it seems fairly obvious that the "best" way to authenticate a user (and thus detect things like expired password, etc) is to call Win32 LogonUser(), rather than attempt to use PrincipalContext.ValidateCredentials in .NET.

However, what I'm not fully clear on is what LogonUser actually does, and thus what overhead it carries with it. The MSDN's not entirely clear on this; the part that mostly concerns me is right at the end, which says that LogonUser calls NPLoginNotify(), and it's not entirely clear what this does (other than preparing logon scripts), nor what happens to the results of the call.

I was initially concerned that LogonUser loaded the user's profile, but some further reading has put that concern to bed as a non-issue (unless I'm wrong on this one, but from what I can tell LogonUser never loads the profile - this would have to be explicitly loaded through a different function call).

The context for this is an intranet webapp that requires the ability to authenticate against Active Directory, so there will be a number of logins and logouts to the app: probably not that many initially, but may ramp significantly in the future. It seems that calling LogonUser with a type of LOGON32_LOGON_NETWORK and then immediately discarding the token that it gives me may be the best route forward.

Is there any overhead I'm not aware of, or am I just worrying unduly?

The MSDN page seems quite clear:

The LOGON32_LOGON_NETWORK logon type is fastest, but it has the following limitations:

The function returns an impersonation token, not a primary token. You cannot use this token directly in the CreateProcessAsUser function. However, you can call the DuplicateTokenEx function to convert the token to a primary token, and then use it in CreateProcessAsUser.

If you convert the token to a primary token and use it in CreateProcessAsUser to start a process, the new process cannot access other network resources, such as remote servers or printers, through the redirector. An exception is that if the network resource is not access controlled, then the new process will be able to access it.
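The pattern the question settles on (call LogonUser with LOGON32_LOGON_NETWORK, then throw the token away) looks like this in .NET via P/Invoke. This is an added example, not code from the question, the answer, or MSDN; the class name CredentialCheck, the Outcome enum and the Validate method are the example's own. It maps the documented Win32 error codes to distinct outcomes so the caller can tell an expired password or a locked account apart from a plain bad password, which is the diagnostic the question wants from LogonUser and cannot get from PrincipalContext.ValidateCredentials.

```csharp
using System;
using System.Runtime.InteropServices;

// Added example (not from the original post): validate AD credentials with
// Win32 LogonUser using LOGON32_LOGON_NETWORK and discard the token at once.
public static class CredentialCheck
{
    // Logon type / provider constants from Winbase.h.
    const int LOGON32_LOGON_NETWORK = 3;
    const int LOGON32_PROVIDER_DEFAULT = 0;

    // Win32 error codes (Winerror.h) that LogonUser reports via GetLastError.
    const int ERROR_LOGON_FAILURE        = 1326; // unknown user or bad password
    const int ERROR_ACCOUNT_RESTRICTION  = 1327;
    const int ERROR_INVALID_LOGON_HOURS  = 1328;
    const int ERROR_INVALID_WORKSTATION  = 1329;
    const int ERROR_PASSWORD_EXPIRED     = 1330;
    const int ERROR_ACCOUNT_DISABLED     = 1331;
    const int ERROR_PASSWORD_MUST_CHANGE = 1907;
    const int ERROR_ACCOUNT_LOCKED_OUT   = 1909;

    // CharSet.Unicode with the default ExactSpelling=false resolves to LogonUserW.
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LogonUser(string lpszUsername, string lpszDomain, string lpszPassword,
                                 int dwLogonType, int dwLogonProvider, out IntPtr phToken);

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr hObject);

    public enum Outcome
    {
        Success, BadCredentials, PasswordExpired, PasswordMustChange,
        AccountDisabled, AccountLockedOut, OtherRestriction, UnexpectedError
    }

    // Returns the classified result; win32Error carries the raw code for logging.
    // LOGON32_LOGON_NETWORK never loads the user's profile, and the impersonation
    // token is closed before returning, so nothing from the logon is kept around.
    public static Outcome Validate(string user, string domain, string password, out int win32Error)
    {
        win32Error = 0;
        IntPtr token = IntPtr.Zero;
        try
        {
            if (LogonUser(user, domain, password, LOGON32_LOGON_NETWORK,
                          LOGON32_PROVIDER_DEFAULT, out token))
            {
                return Outcome.Success;
            }

            // Must be read before any other call that could overwrite the last error.
            win32Error = Marshal.GetLastWin32Error();
            switch (win32Error)
            {
                case ERROR_LOGON_FAILURE:        return Outcome.BadCredentials;
                case ERROR_PASSWORD_EXPIRED:     return Outcome.PasswordExpired;
                case ERROR_PASSWORD_MUST_CHANGE: return Outcome.PasswordMustChange;
                case ERROR_ACCOUNT_DISABLED:     return Outcome.AccountDisabled;
                case ERROR_ACCOUNT_LOCKED_OUT:   return Outcome.AccountLockedOut;
                case ERROR_ACCOUNT_RESTRICTION:
                case ERROR_INVALID_LOGON_HOURS:
                case ERROR_INVALID_WORKSTATION:  return Outcome.OtherRestriction;
                default:                         return Outcome.UnexpectedError;
            }
        }
        finally
        {
            // The token is only proof that the credentials were accepted; we never
            // impersonate or start a process with it, so release the handle here.
            if (token != IntPtr.Zero)
                CloseHandle(token);
        }
    }

    // Usage: CredentialCheck.exe <user> <domain> (password read from stdin, so it
    // does not land in the process command line or shell history).
    public static int Main(string[] args)
    {
        if (args.Length != 2)
        {
            Console.Error.WriteLine("usage: CredentialCheck <user> <domain>  (password on stdin)");
            return 2;
        }
        string password = Console.ReadLine() ?? string.Empty;
        int err;
        Outcome result = Validate(args[0], args[1], password, out err);
        Console.WriteLine(err == 0 ? result.ToString() : $"{result} (Win32 error {err})");
        return result == Outcome.Success ? 0 : 1;
    }
}
```

Two points worth keeping in mind when wiring this into a web app: only the classified Outcome should drive what the user sees (telling an anonymous caller "account disabled" versus "bad password" is an enumeration aid), while the raw win32Error belongs in the server-side log; and a failed LogonUser still counts against the account's bad-password threshold in AD, so a login endpoint calling it needs its own rate limiting to avoid becoming a lockout vector.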
