Error 1312 while using python keyring on Windows Server 2003

I am writing a Windows Service in python and I am using the keyring module to safely store credentials that I need to use regularly and persistently. This means that keyring stores the passwords using the local system user credentials.

All I do is use the 2 basic keyring functions: get_password(SERVICE_NAME, username, password) and set_password(SERVICE_NAME, username). I don't preconfigure keyring as I understood it and saw that it configures its backend automatically.

When I run this on Windows Server 2008 and above everything works smoothly. But when I run this on Windows Server 2003, I get this nasty error:

error: (1312, 'CredWrite', 'A specified logon session does not exist. It may already have been terminated.')

I assume it has something to do with the logon session of the local system user that is used to run my service, though it is peculiar since I understood it's a form of ultra-admin-super-user that's supposed to have permissions to do anything it wants in the system. But when I change the logon credentials of the user to the local Administrator, everything works smoothly.

Is there something I need to change in the configuration of my service for this to work? Or change the security policies of the local system user? Or should I ask users to run this service with the local administrator credentials?

It appears that there is a limitation on the Local System user in Windows Server 2003 that it does not have access to the Windows mechanism of saving credentials also known as the Credentials Vault.

keyring's default backend for Windows is to use this built-in Windows Vault mechanism, and that's what triggers this exception from Windows.

The solution to this problem is to use a different keyring backend called Win32CryptoKeyring like so:

import keyring
keyring.set_keyring(keyring.backend.Win32CryptoKeyring())

This backend uses the Win32 Cryptographic API to securely save credentials, so security-wise it is as secure as using the Windows Vault mechanism. The difference is only the location the credentials are saved to. I'm not sure where the credentials are saved, but that has proved irrelevant to my case.

It is important to note again that this bug only occurs with the combination of using the Windows Vault from the Local System user under Windows Server 2003. On newer Windows versions this works perfectly fine and with other users on Windows Server 2003 it also works perfectly fine.

Using the Win32CryptoKeyring backend on newer versions of Windows also works perfectly fine if you want to be cross-platform without using more than one secure mechanism for saving credentials in your code.
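
An added example, not part of the original question or answer: a start-up check that keeps the default backend where it works and switches to the backend named in the answer only when a write fails with error 1312, logging the switch so the change of credential store is visible. The helper names (`is_no_logon_session`, `choose_backend`, `configure_keyring`) are hypothetical, and the code assumes the error exposes 1312 as `winerror` or as its first argument, as in the message quoted in the question.

```python
import logging

ERROR_NO_SUCH_LOGON_SESSION = 1312  # Win32 code shown in the CredWrite error
log = logging.getLogger("service.credstore")


def is_no_logon_session(exc):
    """True for errors shaped like error(1312, 'CredWrite', ...)."""
    code = getattr(exc, "winerror", None)
    if code is None and exc.args:
        code = exc.args[0]
    return code == ERROR_NO_SUCH_LOGON_SESSION


def choose_backend(default, fallback, probe_service="backend-probe"):
    """Return the backend that can store a secret in this logon session.

    A throwaway entry is written through `default`. Only error 1312 causes
    the switch; any other failure is re-raised so a real fault is not hidden
    behind a silent change of credential store.
    """
    try:
        default.set_password(probe_service, "probe", "not-a-secret")
    except Exception as exc:
        if not is_no_logon_session(exc):
            raise
        log.warning("default backend failed with 1312, using %s",
                    type(fallback).__name__)
        return fallback
    # Clean up the probe entry; tolerate backends without delete_password.
    delete = getattr(default, "delete_password", None)
    if delete is not None:
        delete(probe_service, "probe")
    return default


def configure_keyring():
    """Call once at service start; needs keyring installed on Windows."""
    import keyring  # lazy import so the helpers above can be tested anywhere
    fallback = keyring.backend.Win32CryptoKeyring()  # path as given in the answer
    chosen = choose_backend(keyring.get_keyring(), fallback)
    keyring.set_keyring(chosen)
    return chosen
```
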
