/NetOnly Impersonation of a domain user from a non-domain PC

StackOverflow https://stackoverflow.com/questions/19767802

Вопрос

I believe I've read all the relevant Process.Start impersonation questions - at least all I could find via Google, but I haven't found one that matches this situation (and 90% are re: ASP which is a whole different ballgame)

Scenario: We've got a little tool which uses the current users credentials to query AD, get a list of servers matching a search, connect to them over SMB and get a list of shares.

I've been asked to make it possible for this process to work when run on a machine not on the domain, using credentials of a domain user.

I've added a switch which will prompt for credentials onstartup and then Process.Start() the same executable using the appropriate credentials (to save someone learning runas /netonly ...).

This is giving me a couple of issues. The code I'm testing with is below... 

Dim ProcInfo As New ProcessStartInfo With {
        .Domain = dlgImpersonate.Domain,
        .UserName = dlgImpersonate.Username,
        .Password = dlgImpersonate.Password,
        .FileName = Reflection.Assembly.GetEntryAssembly.Location,
        .UseShellExecute = False}

Try
    Process.Start(ProcInfo)
    ShouldEnd = True
Catch ex As Exception
    'HandleException(ex)
    MessageBox.Show(ex.Message, "Impersonation failed", MessageBoxButtons.OK, MessageBoxIcon.Exclamation)
End Try

So... If I run the code on my machine (on the domain), I can impersonate anybody. There are some quirks around querying AD but that's a different issue.

If I run the code on a brand new machine (not on the domain) I get:

Win32Exception: Logon failure: unknown user name or bad password
Stack:
    at Process.StartWithCreateProcess(ProcessStartInfo startInfo)
    at Process.Start(ProcessStartInfo startInfo)
    ...My code

I wondered if the machine was simply unaware of the domain or how to authenticate against it so I then tried from a command prompt...

runas /netonly /user:MyDomain\MyUser Test.exe

And this works fine.

So... How can I track down why Process.Start isn't authenticating as I expect?

NB: The credentials are correct - I've even resorted to copying/pasting from notepad to sanity check

Это было полезно?

Решение

Check out this link: http://codebetter.com/jameskovacs/2009/10/12/tip-how-to-run-programs-as-a-domain-user-from-a-non-domain-computer/

Basically, you use runas with /netonly. But you still need to type in the password manually. You could do /savecred to cache the creds.

Лицензировано под: CC-BY-SA с атрибуция
Не связан с StackOverflow
scroll top