Re: Alternatives to Net Use
> Is it possible to issue a "net use" without putting it in a batch file and
> launching that via Process.Start?
>
> The end result I'm after is having the destination server name\share names
> listed in App.config. Then at runtime I check to see if I can access each
> share prior to attempting to copy files. IF the share is not accessible,
> then I'm wanting to issue the net use to attempt to authenticate. Only
> after that fails would the logic give up. I don't want to have to go with
> a batch file if possible as I implement the net use portion of this.
Yes you can launch "net use" but I personally don't recommend it. It's
normally better to rely on an API than standalone executables (for proper
error detection alone). I'm not sure what .NET offers in this area (for
handling shared resources) but the WinAPI definitely provides the
functionality you're looking for (see "NetUseAdd()" and cousins or
"WNetAddConnection2()"). I'm not sure how you intend on authenticating
however since you need to secure your passwords (don't store them in a
cleartext format IOW). In any case, if your application needs to be
bullet-proof then I strongly recommend you learn about authentication first
and in particular, how it works with shared resources. There's more to it
than what's been presented in this thread so far (and some little known
gotchas). Your best bet IMO is to get a copy of "Programming Windows
Security" by Keith Brown. It was published some years ago and may be
difficult to get now but it's an excellent source of information (and still
highly relevant). Chapter 8 describes your particular situation in extensive
detail. The following primer might also help. I wrote it some years back for
a colleague who was trying to learn about this issue. It's not the complete
picture but it does provides a conceptual understanding. Good luck.
"Here's the (simplified) story (believe it or not). In Windows or any other
OS that implements the
SMB (Server Message Block) protocol (which drives the following scenario),
whenever any
logon session on machine A tries to access a shared resource on any machine
B for the first time
(trying to access a file or folder usually), the file server on machine B
will first try to
authenticate the incoming user so it knows who they are and can therefore
determine what
local resources (file, folders, etc.) they're allowed to access. Note that
the file server runs as a
Windows service and is normally available on all Windows machines (you can
just think of this
as the program that provides access to shared resources on each machine -
"authentication" is
really just the process of logging onto this server for all intents and
purposes). By default the
"user" will be the user associated with the calling thread on machine A and
that normally just
refers to the user who's currently logged onto machine A (though the story
actually runs deeper).
So, for instance, if I log onto "MachineA" as "CA005\lsmith" (my domain
account in the CA005
domain) and I then try to access any file or folder on
"\\MachineB\SomeShare" using Explorer
for instance, the file server on "MachineB" will first try to authenicate
"CA005\lsmith" to
determine that it's really me (otherwise just anyone could come along and
access "MachineB" so
where's the security?). Since I'm a member of a trusted domain ("MachineB"
trusts the CA005
domain controller to vouch for all users in that domain), "MachineB" will
then send my
credentials ("CA005\lsmith") to the CA005 domain controller (where my domain
account is
stored) and the domain controller will then authenticate me accordingly
(verifying that I am in
fact who I claim to be - note that my password is never actually sent across
the wire for security
reasons but how it all works is another story). Once authenticated
(remember, "MachineB" trusts
the CA005 domain controller to do this and authentication is all about
trust), a network logon
session is then created on "MachineB" for "CA005\lsmith" and for all intents
and purposes I'm
now logged onto "MachineB" as if I walked up to it and logged on (even
though I'm still sitting
in front of "MachineA" - note that it's not quite the same as logging onto
"MachineB" directly
since a "network" logon session now exists opposed to an "interactive" logon
session but again,
this is the simple story). Now I can access anything on "MachineB" that
"CA005\lsmith" is
allowed to access and I can do it while still sitting in front of "MachineA"
(so I can now access
all files and folders under "\\MachineB\SomeShare" that "CA005\lsmith" is
allowed to access).
Now, lets' say I log off "MachineA" and logon again using a local account
instead ("sbrown" for
instance which is no longer a domain account found on the domain controller
but a local account
created on "MachineA" itself). I'm therefore logged onto "MachineA" as
"MachineA\sbrown"
instead of "CA005\lsmith" (all programs I run will then assume this
identity). If I now try to
access "\\MachineB\SomeShare" again, the file server on "MachineB" can no
longer authenticate
me because it now sees someone called "MachineA\sbrown" trying to logon and
it doesn't trust
"MachineA" to vouch for "sbrown" (like it does the "CA005" domain controller
to vouch for
"lsmith"- the "sbrown" account exists on some machine called "MachineA"
which "MachineB"
may have never even heard of and doesn't trust regardless - this is the way
things work in a
Windows domain). "MachineB" will therefore fail to authenticate me and our
old nemesis
"Access Denied" will therefore rear its ugly head on "MachineA" (telling me
that "MachineB"
doesn't trust "MachineA" to vouch for "MachineA\sbrown"). To get around this
problem you can
generally do one of three basic things:
1) Create a matching "sbrown" account on "MachineB" with the same password
as the "sbrown"
account on "MachineA". "MachineB" will then try to authenticate me using the
local account
database (on "MachineB") and so long as the passwords on "MachineA" and
"MachineB" are
kept synchronized, I'll be successfully authenticated (this is how the
Windows file server deals
with accounts whose authorities it doesn't recognize or trust - as long as a
matching account
name and password exist on the local machine, the file server treats the
incoming user as that
particular local user and can log them on) . A network logon session will
then be created as
described earlier but now you'll be running as "MachineB\sbrown" instead of
"CA005\lsmith"
(see earlier discussion). You're now effectively logged onto "MachineB" as
if you walked up to it
and logged on as the local "sbrown" user (again, a network logon session is
created instead of an
"interactive" logon session however) so you can now access anything on that
machine that
"MachineB\sbrown" is normally allowed to access (even though you're now
doing this on on
"MachineA")
2) Activate the "Guest" account on MachineB (disabled by default) and log on
as a "Guest". Let
me know if you want details but it's neither practical nor a secure
alternative
3) Access "MachineB" using a "NULL Session" but again, it's neither
practical nor secure.
For local accounts, option 1 is therefore your only practical alternative at
a customer site. Also
note that depending on the nature of the application, you can prompt the
user for the credentials
necessary to access MachineB (on the fly) or retrieve them from some secure
source.
"MachineA" can then programatically access "Machine B" using any credentials
it wants (i.e.,
they need not be the credentials of the calling thread which is merely the
default behaviour).
Programming this isn't difficult BTW (once you understand how authentication
works) but let
me know if you want further details (as if this wasn't enough
"