Determining a user's TokenSize

Keywords: TokenSize, user | Updated: 2023-09-27 18:29:02

Is this an acceptable way to determine a user's TokenSize?

    using System;
    using System.DirectoryServices.AccountManagement;

    // TokenSize = 1200 + 40d + 8s
    // http://support.microsoft.com/kb/327825/en-us
    int TSize = 1200;  // estimated ticket overhead from the KB
    UserPrincipal user = UserPrincipal.FindByIdentity(
        new PrincipalContext(ContextType.Domain, Environment.UserDomainName),
        IdentityType.SamAccountName, Environment.UserName);
    foreach (GroupPrincipal group in user.GetGroups())
    {
        // Only security groups end up in the token; distribution groups are skipped.
        if (group.IsSecurityGroup == true)
        {
            if (group.GroupScope == GroupScope.Global)
                TSize = TSize + 8;   // counted under s
            else
                TSize = TSize + 40;  // domain local and all universal groups counted under d
        }
    }

What about SIDHistory? How should it be counted?

Thanks!


The KB already tells you that this is an estimate. It is used as a guideline for system administrators when setting the MaxTokenSize registry entry.

This formula uses the following values:
    d: The number of domain local groups a user is a member of plus the number of universal groups outside the user's account domain plus the number of groups represented in security ID (SID) history.
    s: The number of security global groups that a user is a member of plus the number of universal groups in a user's account domain.
    1200: The estimated value for ticket overhead. This value can vary depending on factors such as DNS domain name length, client name, and other factors.
In scenarios in which delegation is used (for example, when users authenticate to a domain controller), Microsoft recommends that you double the token size.

Why do you need to calculate the token size? I just want to make sure you are not confusing this with the process token.

The token here refers to the Kerberos ticket or NTLM token, which is normally cached and maintained by the SSP. Since it is a very sensitive piece of information, it is highly protected, and you normally cannot access it from a user-mode application. The token that applications usually deal with is the process token, which is different from the token described in this KB. However, the Kerberos ticket or NTLM token does carry a lot of authorization information, which is ultimately used to generate the process token. I don't recall the process token having a maximum token size limit, but I could be wrong.

Regarding the SidHistory question, I'm not sure I understand what you mean. Here is my understanding. The token contains a list of group SIDs, and that list may come from the SidHistory of AD group objects. The token itself does not need to know whether a group SID came from SidHistory or from objectSid. If an application needs to look up AD group objects from the TOKEN_GROUPS information stored in the token, the application needs to query both objectSid and sidHistory.
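As an added example (not code from the original question or answer), the estimator below applies the KB's definitions of d and s literally: a security group's scope and whether it lives in the user's account domain decide which term it falls into, SID history entries are added to d, and the result is doubled when delegation is in play. The group list, domain names and counts are constructed sample input; `GroupInfo`, `Scope` and `TokenSizeEstimator` are hypothetical names, not .NET types.

```csharp
using System;
using System.Collections.Generic;

// Hypothetical, simplified view of one group membership (constructed for this example).
enum Scope { DomainLocal, Global, Universal }

record GroupInfo(string Name, Scope Scope, bool IsSecurityGroup, string Domain);

static class TokenSizeEstimator
{
    // KB 327825: TokenSize = 1200 + 40d + 8s
    //   d = domain local groups + universal groups outside the account domain + SID history entries
    //   s = security global groups + universal groups inside the account domain
    public static int Estimate(IEnumerable<GroupInfo> groups, string accountDomain,
                               int sidHistoryCount, bool delegation)
    {
        int d = 0, s = 0;
        foreach (var g in groups)
        {
            // Distribution groups are never placed in the token, so they do not count.
            if (!g.IsSecurityGroup) continue;
            bool inAccountDomain = string.Equals(g.Domain, accountDomain,
                                                 StringComparison.OrdinalIgnoreCase);
            switch (g.Scope)
            {
                case Scope.DomainLocal: d++; break;
                case Scope.Global:      s++; break;
                case Scope.Universal:   if (inAccountDomain) s++; else d++; break;
            }
        }
        d += sidHistoryCount;                  // SID history entries are 40-byte entries
        int size = 1200 + 40 * d + 8 * s;
        return delegation ? size * 2 : size;   // KB: double the estimate when delegation is used
    }

    static void Main()
    {
        // Constructed sample membership for a user whose account domain is "CORP".
        var groups = new List<GroupInfo>
        {
            new("Domain Users",  Scope.Global,      true,  "CORP"),
            new("Finance-Local", Scope.DomainLocal, true,  "CORP"),
            new("All-Staff",     Scope.Universal,   true,  "CORP"),
            new("Partner-Univ",  Scope.Universal,   true,  "PARTNER"),
            new("Newsletter",    Scope.Global,      false, "CORP"),  // distribution group, skipped
        };
        Console.WriteLine("Estimate: "            + Estimate(groups, "CORP", 3, false));
        Console.WriteLine("With delegation: "     + Estimate(groups, "CORP", 3, true));
    }
}
```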