如何在(C#/ .NET / WinForms)程序中构建RUNAS / NETONLY功能?

时间:2009-04-16 20:11:30

标签: .net sql-server security authentication runas

我们的工作站不是我们的SQL Server所在域的成员。 (他们根本不在某个域上 - 不要问)。

当我们用 SSMS 或其他工具连接 SQL Server 时,是以 `RUNAS /NETONLY /USER:DOMAIN\user` 启动程序,然后在提示时交互式输入密码。(RUNAS /NETONLY 不允许把密码写进批处理文件,密码只能在提示时输入。)

所以我有一个需要SQL连接的.NET WinForms应用程序,用户必须通过运行具有RUNAS / NETONLY命令行的批处理文件启动它,然后启动EXE。

如果用户意外直接启动EXE,则无法连接到SQL Server。


我想找一种办法,让应用程序自己在启动时(在内部)完成与 RUNAS /NETONLY 等效的操作,而不必依赖用户先运行批处理文件。

有关RUNAS / NETONLY如何运作的说明,请参阅此链接:http://www.eggheadcafe.com/conversation.aspx?messageid=32443204&threadid=32442982


6 个答案:

答案 0 :(得分:11)

我知道这是一个旧线程,但它非常有用。我有与Cade Roux完全相同的情况,因为我想要/ netonly样式功能。

John Rasch 的答案只需一处小改动即可适用:


// Logon type 9 (LOGON32_LOGON_NEW_CREDENTIALS) is the equivalent of RUNAS /NETONLY:
// the process keeps its local identity and the supplied credentials are used only for
// outbound network authentication (here, the SQL Server connection).
private const int LOGON32_LOGON_NEW_CREDENTIALS = 9;


这是我唯一需要做的更改——把传给 LogonUser 的登录类型(dwLogonType)改为 LOGON32_LOGON_NEW_CREDENTIALS(值为 9,即 /NETONLY 对应的登录类型)——之后就能完美运行!谢谢 John 和 Cade!!!


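namespace Tools
{
    #region Using directives.
    // ----------------------------------------------------------------------

    using System;
    using System.Security.Principal;
    using System.Runtime.InteropServices;
    using System.ComponentModel;

    // ----------------------------------------------------------------------
    #endregion

    /// <summary>
    /// Impersonation of a user. Allows to execute code under another
    /// user context. The impersonation applies to the calling thread only;
    /// code that runs on other threads keeps the process identity.
    /// With the default logon type (LOGON32_LOGON_NEW_CREDENTIALS) this behaves
    /// like RUNAS /NETONLY: the local identity is unchanged and the supplied
    /// credentials are used only for outbound network authentication, e.g. a
    /// SQL Server connection using Windows authentication.
    /// </summary>
    /// <remarks>
    /// This class is based on the information in the Microsoft knowledge base
    /// article http://support.microsoft.com/default.aspx?scid=kb;en-us;Q306158
    /// Encapsulate an instance into a using-directive like e.g.:
    ///     ...
    ///     using ( new Impersonator( "myUsername", "myDomainname", "myPassword" ) )
    ///     {
    ///         ...
    ///         [code that executes under the new context]
    ///         ...
    ///     }
    ///     ...
    /// Please contact the author Uwe Keim (mailto:uwe.keim@zeta-software.de)
    /// for questions regarding this class.
    ///
    /// NOTE(review): the KB article's statement that the caller needs the
    /// 'Act as part of operating system' privilege dates from Windows 2000;
    /// later Windows versions do not require SeTcbPrivilege for LogonUser.
    /// Confirm on the target OS before granting that (very powerful) privilege.
    /// NOTE(review): the password is accepted as a managed string, which cannot
    /// be zeroed and may stay in memory until garbage-collected; prompt for it
    /// at runtime rather than storing it in configuration or source.
    /// </remarks>
    public class Impersonator : IDisposable
    {
        #region Public methods.
        // ------------------------------------------------------------------

        /// <summary>
        /// Constructor. Starts the impersonation with the given credentials
        /// using the RUNAS /NETONLY style logon type
        /// (LOGON32_LOGON_NEW_CREDENTIALS).
        /// </summary>
        /// <param name="userName">The name of the user to act as.</param>
        /// <param name="domainName">The domain name of the user to act as.</param>
        /// <param name="password">The password of the user to act as.</param>
        /// <exception cref="Win32Exception">A Win32 call failed.</exception>
        public Impersonator(
            string userName,
            string domainName,
            string password)
            : this(userName, domainName, password, LOGON32_LOGON_NEW_CREDENTIALS)
        {
        }

        /// <summary>
        /// Constructor. Starts the impersonation with the given credentials and
        /// an explicit LogonUser logon type (e.g. LOGON32_LOGON_INTERACTIVE for a
        /// real local logon, LOGON32_LOGON_NEW_CREDENTIALS for /NETONLY behaviour).
        /// </summary>
        /// <param name="userName">The name of the user to act as.</param>
        /// <param name="domainName">The domain name of the user to act as.</param>
        /// <param name="password">The password of the user to act as.</param>
        /// <param name="logonType">One of the LOGON32_LOGON_* values passed to LogonUser.</param>
        /// <exception cref="Win32Exception">A Win32 call failed.</exception>
        public Impersonator(
            string userName,
            string domainName,
            string password,
            int logonType)
        {
            ImpersonateValidUser(userName, domainName, password, logonType);
        }

        // ------------------------------------------------------------------
        #endregion

        #region IDisposable member.
        // ------------------------------------------------------------------

        /// <summary>
        /// Ends the impersonation and restores the thread's previous identity.
        /// Safe to call more than once.
        /// </summary>
        public void Dispose()
        {
            UndoImpersonation();
        }

        // ------------------------------------------------------------------
        #endregion

        #region P/Invoke.
        // ------------------------------------------------------------------

        // Unicode entry point (LogonUserW): the default ANSI marshalling would
        // mangle passwords containing characters outside the system code page.
        [DllImport("advapi32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
        private static extern int LogonUser(
            string lpszUserName,
            string lpszDomain,
            string lpszPassword,
            int dwLogonType,
            int dwLogonProvider,
            ref IntPtr phToken);

        [DllImport("advapi32.dll", CharSet = CharSet.Auto, SetLastError = true)]
        private static extern int DuplicateToken(
            IntPtr hToken,
            int impersonationLevel,
            ref IntPtr hNewToken);

        [DllImport("advapi32.dll", CharSet = CharSet.Auto, SetLastError = true)]
        private static extern bool RevertToSelf();

        [DllImport("kernel32.dll", CharSet = CharSet.Auto)]
        private static extern bool CloseHandle(
            IntPtr handle);

        private const int LOGON32_LOGON_INTERACTIVE = 2;
        // RUNAS /NETONLY equivalent: credentials are used for network access only.
        private const int LOGON32_LOGON_NEW_CREDENTIALS = 9;
        private const int LOGON32_PROVIDER_DEFAULT = 0;
        // SECURITY_IMPERSONATION_LEVEL.SecurityImpersonation, as used by the KB sample.
        private const int SECURITY_IMPERSONATION = 2;

        // ------------------------------------------------------------------
        #endregion

        #region Private member.
        // ------------------------------------------------------------------

        /// <summary>
        /// Does the actual impersonation: logs the user on, duplicates the
        /// resulting token into an impersonation token and impersonates it on
        /// the current thread.
        /// </summary>
        /// <param name="userName">The name of the user to act as.</param>
        /// <param name="domain">The domain name of the user to act as.</param>
        /// <param name="password">The password of the user to act as.</param>
        /// <param name="logonType">The LOGON32_LOGON_* value passed to LogonUser.</param>
        /// <exception cref="Win32Exception">RevertToSelf, LogonUser or DuplicateToken failed.</exception>
        private void ImpersonateValidUser(
            string userName,
            string domain,
            string password,
            int logonType)
        {
            WindowsIdentity tempWindowsIdentity = null;
            IntPtr token = IntPtr.Zero;
            IntPtr tokenDuplicate = IntPtr.Zero;

            try
            {
                // Drop any impersonation already active on this thread so that
                // LogonUser runs under the process identity.
                if (!RevertToSelf())
                {
                    throw new Win32Exception(Marshal.GetLastWin32Error());
                }

                // NOTE(review): with LOGON32_LOGON_NEW_CREDENTIALS the password is
                // NOT validated here; a wrong password surfaces only later, on the
                // first network authentication (e.g. opening the SqlConnection).
                // Do not treat success of this call as proof that the credentials
                // are correct.
                if (LogonUser(
                    userName,
                    domain,
                    password,
                    logonType,
                    LOGON32_PROVIDER_DEFAULT,
                    ref token) == 0)
                {
                    throw new Win32Exception(Marshal.GetLastWin32Error());
                }

                // The KB sample duplicates the token returned by LogonUser into an
                // impersonation token before wrapping it in a WindowsIdentity.
                if (DuplicateToken(token, SECURITY_IMPERSONATION, ref tokenDuplicate) == 0)
                {
                    throw new Win32Exception(Marshal.GetLastWin32Error());
                }

                tempWindowsIdentity = new WindowsIdentity(tokenDuplicate);
                impersonationContext = tempWindowsIdentity.Impersonate();
            }
            finally
            {
                // Both raw handles are released here, as in the KB sample; the
                // WindowsIdentity / impersonation context work on their own copies.
                if (token != IntPtr.Zero)
                {
                    CloseHandle(token);
                }
                if (tokenDuplicate != IntPtr.Zero)
                {
                    CloseHandle(tokenDuplicate);
                }
            }
        }

        /// <summary>
        /// Reverts the impersonation (no-op if none is active).
        /// </summary>
        private void UndoImpersonation()
        {
            if (impersonationContext != null)
            {
                impersonationContext.Undo();
                // Clear so that a second Dispose() does not call Undo() twice.
                impersonationContext = null;
            }
        }

        private WindowsImpersonationContext impersonationContext = null;

        // ------------------------------------------------------------------
        #endregion
    }
}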


答案 1 :(得分:6)



答案 2 :(得分:3)







答案 3 :(得分:2)


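/// <summary>
/// Starts <paramref name="process"/> as a new process running under the
/// given Windows account (if <paramref name="username"/> is supplied).
/// </summary>
/// <param name="process">Path of the executable; resolved to a full path.</param>
/// <param name="args">Command-line arguments for the new process.</param>
/// <param name="username">Account to run as; may be "DOMAIN\user", "user@domain" or a bare name.
/// <c>null</c> starts the process as the current user.</param>
/// <param name="password">Password for <paramref name="username"/>, or <c>null</c>.</param>
/// <param name="workingDirectory">Working directory; defaults to the executable's directory.</param>
/// <returns>The started <see cref="Process"/>.</returns>
/// <exception cref="ArgumentNullException"><paramref name="process"/> is null or empty.</exception>
/// <remarks>
/// NOTE(review): because <c>UseShellExecute</c> is false, <c>Verb = "runas"</c> is
/// ignored — this method performs no UAC elevation. With a user name it starts the
/// process with a real local logon for that account (not a /NETONLY-style logon), so
/// the account must be able to log on to this machine; on a workstation that is not a
/// member of the SQL Server's domain a domain account will not work here.
/// NOTE(review): the password arrives as a plain managed string, so wrapping it in a
/// SecureString afterwards does not keep it out of memory.
/// </remarks>
public static Process Elevated( string process, string args, string username, string password, string workingDirectory )
{
    if( string.IsNullOrEmpty( process ) ) throw new ArgumentNullException( nameof( process ) );

    process = Path.GetFullPath( process );
    string domain = null;
    if( username != null )
        username = GetUsername( username, out domain );

    ProcessStartInfo info = new ProcessStartInfo();
    // Must be false to use UserName/Password; it also makes Verb a no-op (see remarks).
    info.UseShellExecute = false;
    info.Arguments = args;
    info.WorkingDirectory = workingDirectory ?? Path.GetDirectoryName( process );
    info.FileName = process;
    info.Verb = "runas";
    info.UserName = username;
    info.Domain = domain;
    info.LoadUserProfile = true;
    if( password != null )
    {
        SecureString ss = new SecureString();
        foreach( char c in password )
            ss.AppendChar( c );
        ss.MakeReadOnly();
        info.Password = ss;
    }

    return Process.Start( info );
}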

/// <summary>
/// Splits a user specification into user name and domain via SplitUserName
/// and, when no domain was given and the name is not UPN-style (no '@'),
/// falls back to the USERDOMAIN environment variable.
/// </summary>
/// <param name="username">User specification as passed by the caller.</param>
/// <param name="domain">Receives the domain, or <c>null</c> if none could be determined.</param>
/// <returns>The bare user name.</returns>
/// <remarks>
/// NOTE(review): on a workstation that is not joined to a domain USERDOMAIN is
/// normally the local computer name, so callers there should pass the domain
/// explicitly (DOMAIN\user) rather than rely on this fallback.
/// </remarks>
private static string GetUsername( string username, out string domain )
{
    string bareName;
    SplitUserName( username, out bareName, out domain );

    bool isUpnStyle = bareName.IndexOf( '@' ) != -1;
    if( !isUpnStyle && domain == null )
    {
        domain = Environment.GetEnvironmentVariable( "USERDOMAIN" );
    }

    return bareName;
}

答案 4 :(得分:0)

难道不能直接在 SQL Server 上为这个应用程序创建一个 SQL 登录名,改用 SQL 身份验证而不是 Windows 身份验证吗?(这样就不需要域凭据了,但应用程序必须自行保管并提供那个 SQL 密码。)

答案 5 :(得分:0)

借助这里非常有用的答案,我写了下面这个简化版的类,它只用到 .NET Standard 中也可用的 API(SafeAccessTokenHandle 和 WindowsIdentity.RunImpersonated)。注意:使用 /NETONLY 登录类型时 LogonUser 并不会验证密码,密码错误要到第一次网络认证(例如打开 SQL 连接)时才会暴露:

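/// <summary>
/// Runs a delegate under a RUNAS /NETONLY style logon: the current thread keeps its
/// local identity while outbound network authentication (e.g. a SQL Server
/// connection) uses the supplied credentials.
/// </summary>
/// <remarks>
/// NOTE(review): with LOGON32_LOGON_NEW_CREDENTIALS (named LOGON32_LOGON_NETONLY
/// below) LogonUser does not validate the password; a wrong password only fails at
/// the first network authentication inside <c>action</c>. Do not use success of
/// <see cref="RunAs"/> as proof that the credentials are correct.
/// NOTE(review): the password is a managed string and cannot be zeroed afterwards;
/// prompt for it rather than storing it.
/// </remarks>
public class Impersonator
{
    // Unicode entry point (LogonUserW) so passwords with non-ANSI characters survive marshalling.
    [DllImport("ADVAPI32.DLL", SetLastError = true, CharSet = CharSet.Unicode)]
    private static extern bool LogonUser(
        string lpszUsername,
        string lpszDomain,
        string lpszPassword,
        int dwLogonType,
        int dwLogonProvider,
        out SafeAccessTokenHandle phToken);

    /// <summary>
    /// Executes <paramref name="action"/> on the calling thread with the given
    /// credentials applied for network access only; the token is released afterwards.
    /// </summary>
    /// <param name="domain">Domain of the account.</param>
    /// <param name="username">Account name.</param>
    /// <param name="password">Account password.</param>
    /// <param name="action">Code to run impersonated.</param>
    /// <exception cref="ArgumentNullException"><paramref name="action"/> is null.</exception>
    /// <exception cref="Win32Exception">LogonUser failed.</exception>
    public void RunAs(string domain, string username, string password, Action action)
    {
        // Fail before touching LogonUser rather than after a token has been created.
        if (action == null)
        {
            throw new ArgumentNullException(nameof(action));
        }

        using (var accessToken = GetUserAccessToken(domain, username, password))
        {
            WindowsIdentity.RunImpersonated(accessToken, action);
        }
    }

    /// <summary>
    /// Obtains a /NETONLY-style logon token for the given credentials.
    /// </summary>
    /// <returns>The token; the caller owns it and must dispose it.</returns>
    /// <exception cref="Win32Exception">LogonUser failed.</exception>
    private SafeAccessTokenHandle GetUserAccessToken(string domain, string username, string password)
    {
        const int LOGON32_PROVIDER_DEFAULT = 0;
        // Win32 name: LOGON32_LOGON_NEW_CREDENTIALS (value 9) — the RUNAS /NETONLY logon type.
        const int LOGON32_LOGON_NETONLY = 9;

        bool isLogonSuccessful = LogonUser(username, domain, password, LOGON32_LOGON_NETONLY, LOGON32_PROVIDER_DEFAULT, out var safeAccessTokenHandle);
        if (!isLogonSuccessful)
        {
            throw new Win32Exception(Marshal.GetLastWin32Error());
        }

        return safeAccessTokenHandle;
    }
}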

    () =>
        Console.WriteLine("code executed here runs as the specified user with /netonly");