模拟仅在用户特定时才有效
[英]Impersonation only works when a user is specificed
问题描述
I am having an issue accessing a webservice with impersonate without a specified user. 
我在使用没有指定用户的模拟访问Web服务时遇到问题。
Works: <identity impersonate="true" userName="DOMAIN\\USERNAME" password="MyPassword" / > Works: <identity impersonate="true" userName="DOMAIN\\USERNAME" password="MyPassword" / >
Doesn't Work 不起作用
<identity impersonate="true" />
While debugging I used the code below to verifiy the correct Domain and Username were being used, they are. 在调试时,我使用下面的代码来验证正在使用的域和用户名,它们是。
System.Security.Principal.WindowsIdentity.GetCurrent().Name;
Here is more of my web.config 这是我的web.config的更多内容
<authentication mode="Windows" />
<identity impersonate="true" />
<authorization>
<allow users="*" />
<deny users="?"/>
</authorization>
I am logging into the prompt, image below 我正在登录提示,图片如下
Any ideas why it will only work when I specify a user in the web.config? 任何想法为什么它只有在我在web.config中指定用户时才有效? I am logging in with the same Domain\\Username and password that I put into the <identity impersonate="true" userName="DOMAIN\\USERNAME" password="MyPassword" / > . 我使用与<identity impersonate="true" userName="DOMAIN\\USERNAME" password="MyPassword" / >相同的Domain\\Username和密码登录。 I've tried with multiple accounts and they all work when I put their credentials in the web.config but none work with identity set as <identity impersonate="true" /> and logging in. 我已经尝试过多个帐户,当我将他们的凭据放在web.config时它们都可以正常工作但是没有一个工作时将身份设置为<identity impersonate="true" />并登录。
EDIT The remote server returned an error: (403) Forbidden. 编辑远程服务器返回错误:(403)禁止。
EDIT 2 Everything works fine while debugging and while hitting the service on the server that contains the IIS it is hosted on, I've tried with multiple accounts and they all work. 编辑2一切正常,在调试时,并在包含它托管的IIS的服务器上点击服务,我尝试了多个帐户,他们都工作。 Everything is on the same domain 一切都在同一个领域
2 个解决方案
解决方案1
3 2015-05-07 15:56:09
Note the following text from https://support.microsoft.com/en-us/kb/306158 请注意https://support.microsoft.com/en-us/kb/306158中的以下文本
Impersonate a Specific User for All the Requests of an ASP.NET Application
To impersonate a specific user for all the requests on all pages of an ASP.NET application, you can specify the userName and password attributes in the tag of the Web.config file for that application.
To work around this problem, use one of the following methods: Grant the "Act as part of the operating system" privilege to the ASPNET account (the least privileged account).
Note Although you can use this method to work around the problem, Microsoft does not recommend this method.
You could setup the Aspnet_wp.exe process to run as the user you are trying to impersonate to get the desired privileges. 您可以将Aspnet_wp.exe进程设置为以您尝试模拟以获得所需权限的用户身份运行。
This has also been discussed before: How do you do Impersonation in .NET? 这也在前面讨论过: 你如何在.NET中进行模拟?
解决方案2
1 2015-05-20 05:43:39
It could be the NTLM double-hop authentication issue. 它可能是NTLM双跳认证问题。 In short, ensure that Kerberos SPNs are properly set so it is used instead of NTLM. 简而言之,确保正确设置Kerberos SPN,以便使用它而不是NTLM。 This MSDN blog post has a great explaination. 这篇MSDN博客文章有很好的解释。
http://blogs.msdn.com/b/besidethepoint/archive/2010/05/09/double-hop-authentication-why-ntlm-fails-and-kerberos-works.aspx http://blogs.msdn.com/b/besidethepoint/archive/2010/05/09/double-hop-authentication-why-ntlm-fails-and-kerberos-works.aspx
Alternatively, basic or forms authentication will also achieve what you're looking to accomplish. 或者,基本或表单身份验证也将实现您希望实现的目标。 This is because the application will have the user's credentials and, if properly configured, can use them to access back end resources. 这是因为应用程序将拥有用户的凭据,如果配置正确,可以使用它们来访问后端资源。
You may also want to look into Kerberos delegation. 您可能还想查看Kerberos委派。 Its a way to restrict that second hop to just one resource via it's SPN. 它是一种通过它的SPN将第二跳限制为仅一个资源的方法。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.