在为模拟令牌调用DuplicateTokenEx后仍然会出现重复令牌错误

时间:2012-10-31 20:21:39

标签: c# impersonation

我正在尝试从服务调用返回Sytem.IntPtr,以便客户端可以使用模拟来调用某些代码。如果没有从WCF服务传回令牌,我的imersonation代码可以正常工作。我不确定为什么这不起作用。我收到以下错误:

  

“用于模拟的令牌无效 - 无法复制。”

以下是 工作的代码,除非我尝试将令牌从服务传递回WinForm C#客户端然后进行模拟。

[DllImport("advapi32.dll", EntryPoint = "DuplicateTokenEx")]
public extern static bool DuplicateTokenEx(IntPtr ExistingTokenHandle, uint dwDesiredAccess, ref SECURITY_ATTRIBUTES lpThreadAttributes, int TokenType, int ImpersonationLevel, ref IntPtr DuplicateTokenHandle);

private IntPtr tokenHandle = new IntPtr(0);
private IntPtr dupeTokenHandle = new IntPtr(0);

[StructLayout(LayoutKind.Sequential)]
public struct SECURITY_ATTRIBUTES
{
    public int Length;
    public IntPtr lpSecurityDescriptor;
    public bool bInheritHandle;
}



public enum SecurityImpersonationLevel
{
    SecurityAnonymous = 0,
    SecurityIdentification = 1,
    SecurityImpersonation = 2,
    SecurityDelegation = 3
}

public enum TokenType
{
    TokenPrimary = 1,
    TokenImpersonation = 2
}

private const int MAXIMUM_ALLOWED = 0x2000000;


[PermissionSetAttribute(SecurityAction.Demand, Name = "FullTrust")]
public System.IntPtr GetWindowsUserToken(string UserName, string Password, string DomainName)
{

    IntPtr tokenHandle = new IntPtr(0);
    IntPtr dupTokenHandle = new IntPtr(0);

    const int LOGON32_PROVIDER_DEFAULT = 0;
    //This parameter causes LogonUser to create a primary token.
    const int LOGON32_LOGON_INTERACTIVE = 2;

    //Initialize the token handle            
    tokenHandle = IntPtr.Zero;

    //Call LogonUser to obtain a handle to an access token for credentials supplied.
    bool returnValue = LogonUser(UserName, DomainName, Password, LOGON32_LOGON_INTERACTIVE, LOGON32_PROVIDER_DEFAULT, ref tokenHandle);        

    //Make sure a token was returned; if no populate the ResultCode and throw an exception:
    int ResultCode = 0;
    if (false == returnValue)
    {
        ResultCode = Marshal.GetLastWin32Error();
        throw new System.ComponentModel.Win32Exception(ResultCode, "API call to LogonUser failed with error code : " + ResultCode);
    }

    SECURITY_ATTRIBUTES sa = new SECURITY_ATTRIBUTES();
    sa.bInheritHandle = true;
    sa.Length = Marshal.SizeOf(sa);
    sa.lpSecurityDescriptor = (IntPtr)0;


    bool dupReturnValue = DuplicateTokenEx(tokenHandle, MAXIMUM_ALLOWED, ref sa, (int)SecurityImpersonationLevel.SecurityDelegation, (int)TokenType.TokenImpersonation, ref dupTokenHandle);

    int ResultCodeDup = 0;
    if (false == dupReturnValue)
    {
        ResultCodeDup = Marshal.GetLastWin32Error();
        throw new System.ComponentModel.Win32Exception(ResultCode, "API call to DuplicateToken failed with error code : " + ResultCode);
    }

    //Return the user token
    return dupTokenHandle;

}

知道我是否没有正确使用DuplicateTokenEx来电?根据MSDN文档,我阅读here我应该能够创建一个有效的委托令牌,并在远程系统的上下文中使用。使用“SecurityDelegation”时,服务器进程可以模拟客户端在远程系统上的安全上下文。

谢谢!

1 个答案:

答案 0 :(得分:1)

您正在使用值TokenAccessLevels.MaximumAllowed,就好像它是允许的最大权限一样,这意味着:好像它会为您提供所有权限...

......但事实并非如此。

TokanAccesslevels.MaximumAllowed的值为0x02000000,这是枚举可以随时增长的最大值,是未来实现的参考。

请参阅this page了解枚举的实际实现。

要使代码正常工作,您需要通过按位操作逐个设置所需的访问级别。

如果用MAXIMUM_ALLOWED代替

,代码肯定会运行 
(uint)(TokenAccessLevels.Query | TokenAccessLevels.Duplicate | TokenAccessLevels.Impersonate)

在Pinvoke调用DuplicateTokenEx函数。

我知道你不再有问题,但这可以帮助其他人,毕竟,你可能会再遇到同样的问题......;)

相关问题
最新问题