访问服务器资源是否需要客户端进程登录服务器计算机?
重新发布我的 在 technet 中未得到答复。微软问题?
- 1)“当当您配置使用特定帐户作为进程标识时,ASP.NET 会尝试委派该帐户,如果该帐户与远程计算机上的本地帐户相同(包括密码),则委派是可能的。如果远程计算机上不存在该帐户,则它在网络中显示为 Windows 匿名帐户 (NT AUTHORITY\ANONYMOUS LOGON)。此外,如果该帐户是有权访问远程计算机的域帐户,则也可以进行委派。在这种情况下,它使用该帐户的域网络身份。”
与在工作组中手动/交互访问远程计算机(服务器资源)的情况相同的频繁重复的故事 - 需要使用相同的用户名、相同的密码创建本地帐户。但为什么?
如果工作组 Windows 客户端进程无法访问服务器计算机上的资源,而无需在目标计算机上预先创建此类(本地)帐户的副本, 这是否意味着客户端(进程、计算机或用户)只有在登录(打开登录会话)到服务器计算机后才能访问服务器资源?
或者,如何理解如果服务器计算机上没有相应的重复本地帐户,这种访问是不可能的?
同一篇 MSDN“ASP.NET 委派”文章 讲述:
- “NetworkService帐户的行为与系统帐户相同。该帐户拥有与其所属域中的计算机帐户(域名\计算机名)关联的网络凭据”
没有任何 Windows 帐户((NT AUTHORITY\NETWORK SERVICE) )?
以及许多其他常见的预建帐户?
为什么安装它们(在加入域之前)但不能用于远程网络访问和客户端识别?
当身份(NT AUTHORITY\NETWORK SERVICE)下的工作组Windows进程访问远程服务器时使用什么身份?
我的相关问题:
- Windows-es 中的域 LocalSystem 与非域 LocalSystem 帐户?
- 如何检查“NT AUTHORITY\”帐户的组成员身份?
- 客户端本地系统(系统)是否由目标/服务器计算机识别?以及其中上下文?
- 窗口工作组 LocalSystem 与域 (AD) LocalSystem [关闭]
- 如何更好地设置机器以在工作组和Windows域中进行开发? [关闭]
- 与工作组中的 Windows 域计算机进行互操作Windows [已关闭]
- AD加入机器的本地用户上下文?是域计算机帐户还是本地计算机帐户?
- 来自非 AD Windows 的域帐户下的 RunAs [已关闭]
- 如何更好地设置机器在工作组和Windows域中进行开发? [关闭]
- 如何与多启动工作组 Windows 设置共享同一域计算机帐户?
Reposting my unanswered in technet.microsoft question?
MSDN "ASP.NET Delegation" article tells:
- 1) "When you configure to use a particular account as the process identity, ASP.NET attempts to delegate that account. If it is a local account that is identical (including password) to a local account on a remote machine, delegation is possible. If such an account does not exist on the remote machine, to the network it appears as the Windows anonymous account (NT AUTHORITY\ANONYMOUS LOGON). In addition, delegation is also possible if the account is a domain account that has access to the remote machine, in which case it uses the domain network identity of that account."
The same frequently repeated story as in case of manually/interactively accessing remote computer (server resource) in workgroup - it is necessary to create local account with the same username, the same password. But why?
If a workgroup Windows client process cannot access resources on server machine without having duplicate of such (local) account on target machine already pre-created,
does it mean that client (process, machine, or user) can access server resources only by/after having logged (opening logon session) into server machine?
Or, how to understand that such access is impossible without having corresponding duplicate local account on server machine?
The same MSDN "ASP.NET Delegation" article tells:
- "NetworkService account. It behaves the same as the System account. This account possesses the network credentials associated with the machine account (domainname\machinename) in the domain of which it is a member"
Does not any Windows have accounts ((NT AUTHORITY\NETWORK SERVICE)?
as well as many other common pre-built accounts?
Why are they installed (before any joining to domain) but cannot be used for remote network access and client identification ?
And what is identity used when the process from workgroup Windows under identity ((NT AUTHORITY\NETWORK SERVICE) accesses a remote server?
My related questions:
- domained LocalSystem vs. non-domained LocalSystem account in Windows-es ?
- how to check group membership of an “NT AUTHORITY\” account ?
- Is client LocalSystem (SYSTEM) identified by target/server machine? and in which context?
- Window workgroup LocalSystem vs. domain (AD) LocalSystem [closed]
- how to better set up machine for development both in workgroup and Windows domain? [closed]
- interoperating with Windows domain computer from workrgroup Windows [closed]
- the context of local user of AD-joined machine? Is it of domain machine account or of local machine account?
- RunAs under domain account from non-AD Windows [closed]
- how to better set up machine for development both in workgroup and Windows domain? [closed]
- how to share the same domain machine account with multi-boot workgroup Windows setup?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
Q1:与手动/交互访问工作组中的远程计算机(服务器资源)的情况一样经常重复的故事 - 需要创建具有相同用户名、相同密码的本地帐户。但为什么?
A1:是的。参见下面的 A3。
问题 2:如果工作组 Windows 客户端进程无法在目标计算机上预先创建此类(本地)帐户的副本的情况下无法访问服务器计算机上的资源,这是否意味着客户端(进程、计算机或用户)只能通过以下方式访问服务器资源: /登录(打开登录会话)到服务器计算机后?
A2:是的 - 系统 1 上的进程对系统 2 上的资源的所有访问都必须经过身份验证 - 除非在极少数情况下,有人在系统 2 上配置了一个或多个资源(和系统策略)以允许匿名(即未经身份验证)访问。此外,Server2 只能对提供 System2 可以验证的凭据的网络请求进行身份验证 - 通过 System2 上的本地用户帐户和密码,或者通过联系受信任的域控制器(如果 System2 加入到域)。 System2 不知道任何有关仅与 System1 相关的用户帐户或“用户上下文”(那些特殊的“帐户”,如 LocalSystem、Interactive、LocalService,仅由特殊的硬编码 SID 表示) - 其中包括任何本地用户System1 上定义的帐户,以及任何这些特殊 SID。
Q3:或者,如何理解如果服务器计算机上没有相应的重复本地帐户,则无法进行此类访问?
A3:唯一的例外(这不是例外,而是设计的用例)是 System1 使用与 System2 相同的用户名 + 密码进行身份验证。您将在网络流量中看到的是,System1 的进程(当前以 System1\UserX 的身份运行)将通过网络请求 System2 上的资源(例如文件共享、数据库对象、网页)。在来自 System1 的请求中,包含“System1 尝试用于身份验证的凭据”(这是一个抽象概括,以避免描述特定于任何一种身份验证协议的事物 - 只需忍受它)。在其他情况下,UserX 帐户在 System2 上不存在,或者具有不同的密码,从而导致 System2 上的身份验证尝试失败,System1 的请求失败。也就是说,System2 假定 UserX 必须是 System2\UserX,并且帐户不存在或密码不匹配。
在存在匹配的本地帐户的情况下,System2“认为”System1不是使用帐户“System1\UserX”而是使用“System2\UserX”登录,并且由于密码匹配,因此身份验证尝试成功。
Q4:没有任何Windows有帐户((NT AUTHORITY\NETWORK SERVICE)吗?
以及许多其他常见的预建帐户?
为什么安装它们(在加入域之前)但不能用于远程网络访问和客户端识别?
A4:请记住,NETWORK SERVICE 不是一个定义的帐户(您不会在本地用户和组小程序中找到它),而只是一个 SID - 如果任何进程在其令牌中包含该 SID(取决于该进程的情况)创建具有该令牌的进程),那么任何允许“网络服务”(实际上意味着“允许网络服务 SID 的任何资源”)访问该资源的资源都将允许其通过。否则,网络服务只是一个用户友好的抽象,不幸的是,用户友好通常会使事情更难了解其真正的工作原理。
您也许可以在系统加入域之前向网络服务 SID 分配权限或特权,但是对于作为网络服务运行的服务,对远程系统的请求的响应将非常不同,具体取决于计算机是否加入域或不是。如果加入域,远程请求通常(在现代 Windows 版本上)尝试使用本地系统的域计算机帐户进行远程身份验证。如果未加入域,则远程请求不会发送任何凭据,并且远程系统必须将其视为匿名(即未经身份验证)请求。
Q5:当工作组 Windows 的身份((NT AUTHORITY\NETWORK SERVICE)下的进程访问远程服务器时,使用什么身份?
A5:正如 A4 所暗示的,远程服务器没有身份看到这个场景。
Q1: The same frequently repeated story as in case of manually/interactively accessing remote computer (server resource) in workgroup - it is necessary to create local account with the same username, the same password. But why?
A1: Yes. See A3 below.
Q2: If a workgroup Windows client process cannot access resources on server machine without having duplicate of such (local) account on target machine already pre-created, does it mean that client (process, machine, or user) can access server resources only by/after having logged (opening logon session) into server machine?
A2: Yes - all access by processes on System1 to resources on System2 must be authenticated - except in the rare cases when someone has configured one or more resources (and system policies) on System2 to allow anonymous (i.e. unauthenticated) access. Further, Server2 can only authenticate network requests that present credentials that System2 can verify - either from the local user accounts and passwords on System2, or by contacting a trusted domain controller (if System2 is joined to a domain). System2 doesn't know anything about user accounts or "user contexts" (those special 'accounts' like LocalSystem, Interactive, LocalService which are only ever represented by special hard-coded SIDs) that are only relevant on System1 - which includes any local user account defined on System1, and any of those special SIDs.
Q3: Or, how to understand that such access is impossible without having corresponding duplicate local account on server machine?
A3: The only exception (and it's not an exception, it's a designed-in use case) is when System1 authenticates using a username + password that are the same on System2. What you'll see in the network traffic is that System1's process (currently running e.g. as System1\UserX) will make a request over the network for a resource on System2 (e.g. file share, database object, web page). In that request from System1, is included "the credentials that System1 is trying to use to authenticate" (this is an abstract generalization to get away from describing things specific to any one authentication protocol - just bear with it). Under other circumstances, the account UserX doesn't exist on System2, or it has a different password, so that the authentication attempt fails on System2, and System1's request fails. That is, System2 assumes that UserX must be System2\UserX, and either the account doesn't exist or the password doesn't match.
Under the circumstance where there are matching local accounts, System2 "thinks" that System1 is logging on not with account "System1\UserX" but with "System2\UserX", and since the password matches, the authentication attempt succeeds.
Q4: Does not any Windows have accounts ((NT AUTHORITY\NETWORK SERVICE)?
as well as many other common pre-built accounts?
Why are they installed (before any joining to domain) but cannot be used for remote network access and client identification ?
A4: Remember, NETWORK SERVICE isn't a defined account (you won't find it listed in Local Users and Groups applet) but simply a SID - and if any process includes that SID in its token (depending on the circumstances of how the process with that token is created), then any resource that allows "Network Service" (which really means "any resource that allows the Network Service SID") to access the resource will allow it to pass. Otherwise, Network Service is just a user-friendly abstraction, and unfortunately user friendly usually makes things harder to get to the bottom of how it really works.
You might be able to assign permissions or Privileges to the Network Service SID before the system is joined to the domain, but requests to remote systems will respond very differently for a service running as Network Service depending on if the machine is joined to a domain or not. If joined to a domain, the remote request will usually (on modern Windows versions) attempt the remote authentication using the Domain Computer account for the local system. If not joined to a domain, there will be no credentials sent with the remote request, and the remote system will have to treat it as an anonymous (i.e. unauthenticated) request.
Q5: And what is identity used when the process from workgroup Windows under identity ((NT AUTHORITY\NETWORK SERVICE) accesses a remote server?
A5: As implied in A4, there is no identity that the remote server sees in this scenario.