Our workstations are not members of the domain our SQL Server is on. (They're not actually on a domain at all - don't ask).
When we use SSMS or anything to connect to the SQL Server, we use RUNAS /NETONLY with DOMAIN\user. Then we type in the password and it launches the program. (RUNAS /NETONLY does not allow you to include the password in the batch file).
So I've got a .NET WinForms app which needs a SQL connection, and the users have to launch it by running a batch file which has the RUNAS /NETONLY command-line and then it launches the EXE.
If the user accidentally launches the EXE directly, it cannot connect to SQL Server.
Right-clicking on the app and using the "Run As..." option doesn't work (presumably because the workstation doesn't really know about the domain).
I'm looking for a way for the application to do the RUNAS /NETONLY functionality internally before it starts anything significant.
Please see this link for a description of how RUNAS /NETONLY works: http://www.eggheadcafe.com/conversation.aspx?messageid=32443204&threadid=32442982
I'm thinking I'm going to have to use LOGON_NETCREDENTIALS_ONLY with CreateProcessWithLogonW.
I gathered these useful links:
http://www.developmentnow.com/g/36_2006_3_0_0_725350/Need-help-with-impersonation-please-.htm
http://blrchen.spaces.live.com/blog/cns!572204F8C4F8A77A!251.entry
http://msmvps.com/blogs/martinzugec/archive/2008/06/03/use-runas-from-non-domain-computer.aspx
It turns out I'm going to have to use LOGON_NETCREDENTIALS_ONLY with CreateProcessWithLogonW. I'm going to see if I can have the program detect if it has been launched that way and if not, gather the domain credentials and launch itself. That way there will only be one self-managing EXE.