Search code examples
.netsql-serversecurityauthenticationrunas

How to build RUNAS /NETONLY functionality into a (C#/.NET/WinForms) program?


Our workstations are not members of the domain our SQL Server is on. (They're not actually on a domain at all - don't ask).

When we use SSMS or anything to connect to the SQL Server, we use RUNAS /NETONLY with DOMAIN\user. Then we type in the password and it launches the program. (RUNAS /NETONLY does not allow you to include the password in the batch file).

So I've got a .NET WinForms app which needs a SQL connection, and the users have to launch it by running a batch file which has the RUNAS /NETONLY command-line and then it launches the EXE.

If the user accidentally launches the EXE directly, it cannot connect to SQL Server.

Right-clicking on the app and using the "Run As..." option doesn't work (presumably because the workstation doesn't really know about the domain).

I'm looking for a way for the application to do the RUNAS /NETONLY functionality internally before it starts anything significant.

Please see this link for a description of how RUNAS /NETONLY works: http://www.eggheadcafe.com/conversation.aspx?messageid=32443204&threadid=32442982

I'm thinking I'm going to have to use LOGON_NETCREDENTIALS_ONLY with CreateProcessWithLogonW


Solution

  • I gathered these useful links:

    http://www.developmentnow.com/g/36_2006_3_0_0_725350/Need-help-with-impersonation-please-.htm

    http://blrchen.spaces.live.com/blog/cns!572204F8C4F8A77A!251.entry

    Link

    http://msmvps.com/blogs/martinzugec/archive/2008/06/03/use-runas-from-non-domain-computer.aspx

    It turns out I'm going to have to use LOGON_NETCREDENTIALS_ONLY with CreateProcessWithLogonW. I'm going to see if I can have the program detect if it has been launched that way and if not, gather the domain credentials and launch itself. That way there will only be one self-managing EXE.