Problem description
Background: I have an application that has to read from files on a network drive (Z:)
This works great in my office domain, however it does not work on site (in a different domain). As far as I can tell the domain users and network drives are set in the same way, however I do not have access to users etc. in the customer's domain.
When I couldn't access the network drive I figured I needed a token for a user. This is how I impersonate the user:
    // Requires: using System; using System.Runtime.InteropServices; using System.Security.Principal;
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    public static extern bool LogonUser(String lpszUsername, String lpszDomain, String lpszPassword,
        int dwLogonType, int dwLogonProvider, ref IntPtr phToken);
    ...
    ...
    const string userName = "USER";
    const string pass = "PASS";
    const string domainName = "VALIDDOMAIN.local"; // tried with valid domain name and with null, same result
    const int LOGON32_PROVIDER_DEFAULT = 0;
    const int LOGON32_LOGON_INTERACTIVE = 2;

    // Ask Windows for a token for the account
    IntPtr tokenHandle = new IntPtr(0);
    bool returnValue = LogonUser(userName, domainName, pass,
        LOGON32_LOGON_INTERACTIVE, LOGON32_PROVIDER_DEFAULT,
        ref tokenHandle);
    if (!returnValue)
        throw new Exception("Logon failed.");

    WindowsImpersonationContext impersonatedUser = null;
    try
    {
        // Switch the current thread to the identity behind the token
        WindowsIdentity wid = new WindowsIdentity(tokenHandle);
        impersonatedUser = wid.Impersonate();
    }
    finally
    {
        // Revert to the original identity as soon as the try block exits
        if (impersonatedUser != null) impersonatedUser.Undo();
    }
Now here is the interesting/weird part. In my network the application can already access the network drive, and if I try to impersonate the active user (exactly the same user, including the same domain) it will not be able to access the network drive.
This leaves me helpless since now I have no idea what works and what doesn't, and more to the point, will it work on site?
What am I thinking?
Edit: I forgot to write this while originally asking the question: I have tried entering a valid domain name and it didn't work, so after that I tried entering null to get the same username as I would without this code (since it works by default in our domain). This did not help, and that's how domain = null; ended up in this question.
Recommended answer
A few thoughts:
- Do not use logical drive paths to access network resources from code. Always use UNC paths (e.g. \\SERVER\Share\Filename.ext).
- Enable auditing of Logon/Logoff events from your local security policy so that when you call the Impersonate method, you can track the failure/success in great detail.
- You would be best to create an account in your own domain that has the same username and password as an account in the other domain. Authenticate off your domain and pass-through authentication will give you access to the network share on the other domain.
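The first point above, as an added sketch that is not code from the question or the answer: the file is read by UNC path while the impersonation is still in effect, because a drive letter such as Z: is mapped per logon session and the session created by LogonUser does not carry it. The names ShareReader and ReadAs are hypothetical, the API is the .NET Framework one used in the question, and the Win32 error code is surfaced so it can be matched against the audited logon events.

```csharp
using System;
using System.ComponentModel;
using System.IO;
using System.Runtime.InteropServices;
using System.Security.Principal;

static class ShareReader // hypothetical helper, not part of the original post
{
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LogonUser(string lpszUsername, string lpszDomain, string lpszPassword,
        int dwLogonType, int dwLogonProvider, out IntPtr phToken);

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr handle);

    const int LOGON32_PROVIDER_DEFAULT = 0;
    const int LOGON32_LOGON_INTERACTIVE = 2;

    // Reads a file by UNC path (e.g. \\SERVER\Share\Filename.ext) as the given account.
    public static string ReadAs(string user, string domain, string password, string uncPath)
    {
        // Refuse mapped drive letters: they may not exist in the impersonated session.
        if (!uncPath.StartsWith(@"\\"))
            throw new ArgumentException("Use a UNC path, not a mapped drive letter.", "uncPath");

        IntPtr token;
        if (!LogonUser(user, domain, password,
                LOGON32_LOGON_INTERACTIVE, LOGON32_PROVIDER_DEFAULT, out token))
        {
            // Report the real Win32 error instead of a generic "Logon failed."
            throw new Win32Exception(Marshal.GetLastWin32Error());
        }

        try
        {
            using (WindowsIdentity identity = new WindowsIdentity(token))
            using (WindowsImpersonationContext context = identity.Impersonate())
            {
                // The read happens inside the impersonation scope;
                // disposing the context reverts to the original identity.
                return File.ReadAllText(uncPath);
            }
        }
        finally
        {
            // WindowsIdentity holds its own copy of the token, so release ours.
            CloseHandle(token);
        }
    }
}
```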