我使用C＃和.NET Framework 4。

I am using C# and .Net Framework 4.

我要寻找一个简单的方法来获得当前登录的Windows用户不容易受到假冒或黑客的登录ID。我找这个形式为：域名\用户名

I am looking for a foolproof method to get the login id of the currently logged in windows user that is not susceptible to impersonation or hacking. I am looking for this in the form of: DOMAINNAME\USERNAME

例如。 SOMEDOMAIN \ JOHNDOE

e.g. SOMEDOMAIN\JohnDoe

目前最好的，我拥有的是：

Currently the best I have is:

var identity = System.Security.Principal.WindowsIdentity.GetCurrent();
var currentLoginId = identity.Name;

这是开放的模拟（有人知道这两个用户名和密码之外），如果是的话是有这样做的更好的办法？

Is this open to impersonation (outside of someone knowing both the username and password) and if so is there a better way of doing this?

推荐答案

可以有涉及在这一点上的至少四个不同的身份：

There can be at least four different identities involved at this point:

分配给线程的身份 分配过程中的身份 的用户是谁启动该进程的帐户 谁登录到计算机用户帐户

在你的code你得到（1）。这通常是细，并且通常是相同​​（2）。

In your code you're getting (1). This is normally fine, and is usually the same as (2).

要取回（2），您可以：

To retrieve (2), you could:

呼叫 WindowsIdentity.GetCurrent 以获得模拟的标识 撤消模拟通过调用Win32 RevertToSelf的 功能 看 WindowsIdentity.GetCurrent ，以获得基本的进程标识 通过模拟步骤的身份重置线程标识（1） Call WindowsIdentity.GetCurrent to get the impersonated identity Undo impersonation by calling the Win32 RevertToSelf function Look at WindowsIdentity.GetCurrent to get the underlying process identity Reset the thread identity by impersonating the identity from step (1)

（2）和（3）将是相同的，除非你写的非托管code，改变的进程标识。由于@Daniel指出，（3）和（4）可以合法地在Windows的运行方式命令presence不同。

(2) and (3) will be the same unless you've written unmanaged code that changes the process identity. As @Daniel points out, (3) and (4) could legitimately be different in the presence of the Windows "run as" command.

编辑：：您可以相信，当前的的WindowsIdentity 是谁也说，这是，只要你可以相信任何给定数据的您的应用程序。

You can trust that the current WindowsIdentity is who it says it is, insofar as you can trust any given piece of data in your application.

您可以欺骗它通过连接调试器的进程，并从该调用伪造的返回值，但如果你要做到这一点，你还不如伪造一张code，你通过用户命名到数据库中。

You could spoof it by attaching a debugger to your process and faking the return value from this call, but if you're going to do that, you might as well fake the piece of code where you pass the user name to the database.

100％安全的方式来做到这一点是使用集成身份验证/ SSPI连接到数据库。

The 100% safe way to do this is to use integrated authentication/SSPI to connect to the database.