[英]Azure Web App web API impersonate user using ClaimsIdentity
In my Azure Web App I want to impersonate the user by using their ClaimsIdentity to call a 3rd party API. 在我的Azure Web App中,我想通过使用用户ClaimsIdentity来调用第三者API来模拟用户。 The 3rd party web API allows Basic or Kerberos, optionally I can switch to the 3rd party SDK which uses windows integrated security if neccessary.
第三方Web API允许使用Basic或Kerberos,如果需要,我可以选择切换到使用Windows集成安全性的第三方SDK。
The problem I'm running into is the impersonation bit, below is my code as it is. 我遇到的问题是模拟位,下面是我的代码。
var webUser = HttpContext.Current.User.Identity as ClaimsIdentity;
var windowsIdentity = S4UClient.UpnLogon(webUser.Claims.FirstOrDefault(x => x.Type.Equals(ClaimTypes.Upn)).Value);
using (var impersonationContext = windowsIdentity.Impersonate())
{
//make call to 3rd party Web API or SDK
}
When running the above I get the following error: 运行以上命令时,出现以下错误:
The pipe endpoint 'net.pipe://localhost/s4u/022694f3-9fbd-422b-b4b2-312e25dae2a2' could not be found on your local machine.
Everything I've read points to starting the C2WTS windows service, is there a way to start this service for an Azure web app? 我已阅读的所有内容都指向启动C2WTS Windows服务,是否可以为Azure Web应用程序启动该服务? If not how can I go about impersonating the user or passing credentials to my 3rd party api/sdk?
如果没有,我该如何假冒用户或将凭据传递给我的第三方api / sdk?
When you use the Azure WebApp, you are isolated from the infrastructure and the hosting enviroment - so you can not start something like "Windows service". 使用Azure WebApp时,您与基础结构和托管环境是隔离的,因此无法启动“ Windows服务”之类的东西。
If you need to use Windows / Kerberos authentication for individual user to access your resources behind your web application, you can't use Azure WebApp. 如果需要单个用户使用Windows / Kerberos身份验证来访问Web应用程序背后的资源,则不能使用Azure WebApp。 You should use Azure VM with IIS which is a member server of your domain.
您应该将Azure VM与IIS一起使用,IIS是您域的成员服务器。 Then you can configure your web application to accept claim based authentication (eg from Azure AD) and make the impersonation to your internal domain account by the UPN and WindwosIdentity constructor (> .NET 4.5).
然后,您可以将Web应用程序配置为接受基于声明的身份验证(例如,从Azure AD),并通过UPN和WindwosIdentity构造函数(> .NET 4.5)对内部域帐户进行模拟。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.