Impersonate() 之后的 ProtectedData.Unprotect()
以下代码不起作用:
IntPtr token = Win32Dll.LogonUser(“user1”, “mydomain”, “password1”);
WindowsIdentity id = new WindowsIdentity(token);
WindowsImpersonationContext ic = id.Impersonate();
byte[] unprotectedBytes = ProtectedData.Unprotect(passwordBytes, null, DataProtectionScope.CurrentUser);
password = Encoding.Unicode.GetString(unprotectedBytes);
ic.Undo();
密码未解密。
MSDN 说
“如果您在模拟过程中使用此方法,您可能会收到 以下错误:“密钥在指定状态下使用无效。”这 可以通过加载您想要的用户的配置文件来防止错误 在调用方法之前模拟。”
The following code doesn't work:
IntPtr token = Win32Dll.LogonUser(“user1”, “mydomain”, “password1”);
WindowsIdentity id = new WindowsIdentity(token);
WindowsImpersonationContext ic = id.Impersonate();
byte[] unprotectedBytes = ProtectedData.Unprotect(passwordBytes, null, DataProtectionScope.CurrentUser);
password = Encoding.Unicode.GetString(unprotectedBytes);
ic.Undo();
The password is not decrypted.
MSDN says
"If you use this method during impersonation, you may receive the
following error: "Key not valid for use in specified state." This
error can be prevented by loading the profile of the user you want to
impersonate, before calling the method."
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(2)
事情是这样的:为了让 DPAPI 工作,它需要用户的密钥材料,该材料部分源自用户的登录凭据。该数据与用户的个人资料一起存储。这就是为什么未以用户身份运行的进程必须加载用户的配置文件的原因。
您必须使用从 LoadUserProfile() 返回的数据调用 UnloadUserProfile(),
这是您需要执行的操作:
LogonUser()
冒充()
加载用户配置文件()
加密()
卸载用户配置文件()
RevertImpersonation()(.NET 中的 Undo())
您必须在每一步中使用 GetLastError() 检查错误。
请注意,对于您来说,所有这些内容基本上都需要该过程是管理员帐户。您需要备份和恢复权限才能加载用户的配置文件。如果在调用 LoadUserProfile 时出现特权未保留错误,则您需要:
a) 确保应用程序帐户具有备份和恢复权限
b) 权限已启用,默认情况下未启用。
您可以使用 AdjustTokenPrivileges() http://msdn 启用权限.microsoft.com/en-us/library/aa375202(VS.85).aspx
Here's what's going on: for DPAPI to work it needs the user's keying material which is derived in part from the user's logon credentials. This data is stored with the user's profile. That's why a process not running as the user must load the user's profile.
You must call UnloadUserProfile() using the data returned from LoadUserProfile()
here's what you need to do:
LogonUser()
Impersonate()
LoadUserProfile()
Encrypt()
UnloadUserProfile()
RevertImpersonation() (Undo() in .NET)
You must check errors, using GetLastError(), every step of the way.
Note that for you to all this stuff basically requires the process be an admin account. You need the backup and restore privileges to load a user's profile. If when calling LoadUserProfile you get a privilege not held error, then you need to:
a) make sure the application account has backup and restore privs
b) the privs are enabled, by default they are not.
You can enabled privs using AdjustTokenPrivileges() http://msdn.microsoft.com/en-us/library/aa375202(VS.85).aspx
我自己没有尝试过,但您可以尝试使用 LoadUserProfile 非托管 API 调用。有关详细信息,请查看此处。
有一些相关的SO问题。
Haven't tried this myself, but you could try to use the LoadUserProfile unmanaged API call. For more info, check here.
There are some related SO questions.