How to logon a user on a server and run a process given a Kerberos Ticket

廉价感情. Submitted on 2019-12-13 21:18:04

Question


How does authentication and logon work on Windows with Kerberos? What I want to achieve is to logon a user on a server and run a process for that user.

As a first step, I create a Kerberos ticket on the client and send it to the server. On the server, I do not know the API to logon the user given its ticket. Of course I can accept the security context using AcceptSecurityContext (SSPI), but that does not initiate a logon.

I think that some SSH implementations for Windows do exactly that. But I want to know how and what API they probably use?


Answer 1:


There are a few ways you can do this. You do need to call AcceptSecurityContext on the ticket to get a security context. This is what bootstraps everything in Windows. From there you can do a couple different things.

Usually you call ImpersonateSecurityContext so the current thread understands what user it thinks it needs to be. After that you can call QuerySecurityContextToken to get a Windows access token handle. With this handle you then call CreateProcessAsUser. You can also tell it to do things like load the profile if necessary.

This doesn't really do a logon like LogonUserX does, but it effectively starts a process as that user, which is usually what people are looking to accomplish.
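The following C sketch is an added example, not code from the original answer. It covers the QuerySecurityContextToken to CreateProcessAsUser path for a context on which AcceptSecurityContext has already returned SEC_E_OK, taking the token straight from the context without calling ImpersonateSecurityContext. The function name `run_as_client` is hypothetical, and the impersonation-level check, the conversion to a primary token and the environment block are additions beyond what the answer spells out.

```c
/* Added example, Windows only. Link with secur32.lib, advapi32.lib, userenv.lib. */
#ifdef _WIN32
#define SECURITY_WIN32
#include <windows.h>
#include <sspi.h>
#include <userenv.h>
/* ctx: PCtxtHandle of a server-side context completed by AcceptSecurityContext.
   cmdline: writable command line. Returns 0 on success, else an error code. */
unsigned long run_as_client(void *ctx, wchar_t *cmdline)
{
    HANDLE tok = NULL, prim = NULL;
    void *env = NULL;
    SECURITY_IMPERSONATION_LEVEL lvl;
    STARTUPINFOW si = { sizeof si };
    PROCESS_INFORMATION pi = { 0 };
    DWORD n, err = ERROR_SUCCESS;

    if (!ctx || !cmdline) return ERROR_INVALID_PARAMETER;
    /* Access token of the authenticated client (an impersonation token). */
    SECURITY_STATUS ss = QuerySecurityContextToken((PCtxtHandle)ctx, &tok);
    if (ss != SEC_E_OK) return (unsigned long)ss;
    /* An identify-level token cannot be used to act as the client. */
    if (!GetTokenInformation(tok, TokenImpersonationLevel, &lvl, sizeof lvl, &n) ||
        lvl < SecurityImpersonation) { err = ERROR_BAD_IMPERSONATION_LEVEL; goto done; }
    /* CreateProcessAsUser needs a primary token, so convert it. */
    if (!DuplicateTokenEx(tok, MAXIMUM_ALLOWED, NULL, SecurityImpersonation,
                          TokenPrimary, &prim)) { err = GetLastError(); goto done; }
    /* Build the user's own environment instead of inheriting the service's. */
    if (!CreateEnvironmentBlock(&env, prim, FALSE)) { err = GetLastError(); goto done; }
    /* The caller typically needs SeIncreaseQuotaPrivilege and may need
       SeAssignPrimaryTokenPrivilege for this call to succeed. */
    if (!CreateProcessAsUserW(prim, NULL, cmdline, NULL, NULL, FALSE,
                              CREATE_UNICODE_ENVIRONMENT | CREATE_NO_WINDOW,
                              env, NULL, &si, &pi)) err = GetLastError();
    else { CloseHandle(pi.hThread); CloseHandle(pi.hProcess); }
done:
    if (env) DestroyEnvironmentBlock(env);
    if (prim) CloseHandle(prim);
    if (tok) CloseHandle(tok);
    return err;
}
#else
#include <stddef.h>
/* SSPI exists only on Windows; other builds report "not supported". */
unsigned long run_as_client(void *ctx, wchar_t *cmdline)
{ (void)ctx; (void)cmdline; return 50; } /* 50 = ERROR_NOT_SUPPORTED */
#endif
```

A token obtained this way comes from a network logon, so the new process can reach other network resources as the user only if the client's ticket allowed delegation.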



Source: https://stackoverflow.com/questions/52308063/how-to-logon-a-user-on-a-server-and-run-a-process-given-a-kerberos-ticket
