问题
I would like to automate some administrative tasks in a C# program, and for that I need to acquire credentials (username and password of a domain user with the required rights, for example an Administrator). Then I want to store "the login" securely, so I don't have to ask for it for every task I want to perform. I know multiple official ways to ask for credentials (for example CredUIPromptForWindowsCredentials, or Powershell's Get-Credential), but these return the username and password in plaintext (or as a SecureString), which I have to securely store myself.
Is there a way to get a kind of login token that allows me to do stuff on the remote computer, without being able to recover the password? I am looking for the windows equivalent of a Kerberos ticket granting ticket - you do kinit, enter your password, and get a ticket that authenticates you on the network without using your password again (and the ticket expires after a set time).
One workaround I thought of is to not handle the credentials myself, but to use Window's authentication directly and run a sub-process as a different user. The downside would be that this make my application much more complicated, and it will only likely work from within the same domain.
For clarification, I'd like to use various administrative interfaces (WMI, Powershell remoting, PSExec), and it would preferably work from any computer even if outside of the target computers' domain. The lifetime of the "token" would be at least the runtime of my program, but it would also be useful if I could save the "token" to disk and reuse it multiple times a day.
回答1:
Did you try Windows Credential Manager for this?
You can store the credential in Windows Credential Manager for one time and then use PowerShell to access it programmatically. It is Microsoft's secure way to store credentials locally.
Install Credential Manager on Windows machine
Install-Module -Name Credential Manager
To store new credentials using powershell
New-StoredCredential -Target Contoso -Username User1 -Password Passwordthere is another way to store new password in Credential Manager
Get-Credential -Username User2 -Message “Please enter your password:” | New-StoredCredential -Target Contoso
& then to retrieve stored credentials use Get-StoredCredential
$Cred = Get-StoredCredential -Target Contoso
Unfortunately, there isn’t a lot of documentation that comes with the Credential Manager module but you can get more details with following command
Get-Help Get-StoredCredential
来源:https://stackoverflow.com/questions/59509807/saving-a-windows-login-without-saving-password-like-kerberos-ticket