ASP.NET MVC 5：应用程序池，Windows身份验证和Active Directory

Question

Background:

I have an MVC 5/C# app that interfaces an outside API. It uses the Active Directory users' Principal Context for authorization. The app checks if the UserPrincipal.Current has their Un/Pw combo stored in the Db to be used for any operations later on the external API.

 public bool IsUserSetup()
    {
        try
        {
            // find currently logged in user
            var user = UserPrincipal.Current; // <- ERRS HERE -----
            // check if this user exists in Db with creds
            if (user != null)
            {
                var u = _userProfileRepository.GetUserProfileByUserSID(user.Sid.ToString());
                if (u != null
                    && !string.IsNullOrEmpty(u.RallyUsername)
                    && !string.IsNullOrEmpty(u.RallyPassword)
                    && u.IsActive // <-- make sure this person is an active user
                    )
                {
                    return true;
                }
            }
        }
        catch (Exception ex)
        {
            string exMessage = ex.Message;
            //throw ex;
        }
        return false;
    }

• I understand that UserPrincipal.Current will return the App Pool's identity by default.
• I also understand setting Impersonate to True IIS will use the current user's context as in: <system.web> <identity impersonate="true"/>...

However, if I turn Impersonation on (true), then I get this:

An ASP.NET setting has been detected that does not apply in Integrated managed pipeline mode.

So, I change the app pool to use 'classic'(Which I don't think is the answer or path I should take), and I get this error:

The page you are requesting cannot be served because of the ISAPI and CGI Restriction list settings on the Web server.

Obviously, this works great in IIS Express, it sees me (domain\\username) just fine. But when I switch it to IIS or deploy it to an actual web server, I get these problems.

I need to get the current user/principal so I can store their SID and credentials to the external API in the Db. Then upon using the site/app, it auto-magically uses their creds to do work in the API as needed.

What do I need to do to either:

• setup IIS to allow impersonation to work
• adjust my code to do the same

Answer 1

From here , use option 2, which is:

<system.webServer>
   <!--When using 'Integrated Pipeline' on IIS on the server, and if your application does not rely on impersonating the requesting user in the 'BeginRequest' and 'AuthenticateRequest' stages (the only stages where impersonation is not possible in Integrated mode), but still requires Impersonation in other areas of the application, ignore this error (500 - Internal Server Error) by adding the following to your application’s web.config-->
   <validation validateIntegratedModeConfiguration="false"/>
</system.webServer>