Set up impersonation with ASP.NET
For a first understanding, I have created a very simple project which tries to count the number of files in two directories. User1 is not allowed to access Directory2 and User2 is not allowed to access Directory1. Due to impersonation I should get only one number, depending on the user who is calling my application. Both users are set up as administrators.
So I have created a new MVC project in Visual Studio 2015 (running on Windows 8.1) and selected to use Windows authentication. Once the application is up and running (in IIS Express), I switch to User1 on my machine (there is no Active Directory) and call the website in Internet Explorer (yes, "Integrated Windows authentication" is enabled in the settings). With this setup, the user in HttpContext.User.Identity is User1 and WindowsIdentity.GetCurrent() is my development user, the one I am working with in Visual Studio.
I have also tried to impersonate manually:
    using System.Security.Principal;

    // The authenticated caller (Windows authentication, anonymous users denied)
    WindowsIdentity winId = (WindowsIdentity)User.Identity;
    WindowsImpersonationContext ctx = null;
    try
    {
        // Switch the current thread to the caller's token
        ctx = winId.Impersonate();
        // GetNumbers() tries to get the number of files for both directories
        // (numbers is declared earlier in the action)
        numbers = GetNumbers();
    }
    catch (Exception e)
    {
        // Swallowing the exception here hides the failure; at minimum log e
    }
    finally
    {
        // Always revert to the process identity
        if (ctx != null)
        {
            ctx.Undo();
        }
    }
Unfortunately, I get the exception "Either a required impersonation level was not provided, or the provided impersonation level is invalid." Some people were claiming that this one solved their problem: https://kc.mcafee.com/corporate/index?page=content&id=KB56194 Not for me. I've added User1 and my own user to the lists and restarted the computer. No change.
The only thing which gives me a little bit of hope is the impersonation with a separate login, as described on https://msdn.microsoft.com/en-us/library/ms998351.aspx#paght000023_impersonatingusinglogonuser The disadvantages are quite obvious: I have to have the user's password, and why should I log in again if the user already did it for me.
Although this is a new project without major changes by me, some more information just for a sanity check...
My Web.config:

    <authentication mode="Windows" />
    <authorization>
        <deny users="?" />
    </authorization>
My project settings are:

    false
    true
    Managed pipeline mode: Integrated

Any suggestions on what to change to make this simple project work as expected?
Best regards, Carsten
I finally managed to get it to work (IIS Express and IIS)! As mentioned above, the first approach was a prototype only. The final goal was to create a GUI which runs on server A and an API which runs on server B, both implemented with ASP.NET.
The Web.config of the GUI and the API got these settings:

    <system.web>
        <authentication mode="Windows" />
        <authorization>
            <deny users="?" />
        </authorization>
        <identity impersonate="true" />
    </system.web>
The project property (press F4 after selecting the project) "Managed pipeline mode" is set to Classic.
Somewhere on SO I saw a discussion about whether the impersonation should work with HttpClient as well. It was said it does. Well, it did not for me. And the WebClient is no fun if you are using a variety of HTTP methods. So I switched to RestSharp:
    using RestSharp;
    using RestSharp.Authenticators;

    RestClient client = new RestClient(baseUrl);
    // The parameterless NtlmAuthenticator sends the default network credentials
    // of the calling thread, i.e. the impersonated caller
    client.Authenticator = new NtlmAuthenticator();
Classic "Managed pipeline mode". user1 on my development machine had another password than the user1 on my target machine... I hope this helps someone.
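For the manual approach from the question and the impersonation setup from the answer, here is an added example (not code from the question or the answer) of an MVC action that counts the files in the two directories as the authenticated caller. It first checks the token's impersonation level, since Impersonate() fails with the "required impersonation level" error when the token only allows Identification, and it scopes the impersonation with RunImpersonated so it is always reverted. It assumes .NET Framework 4.6 or later, Windows authentication with anonymous users denied, and hypothetical directory paths.

```csharp
// Added example, not from the original question or answer.
// Assumes .NET Framework 4.6+ (WindowsIdentity.AccessToken / RunImpersonated) and
// Windows authentication with <deny users="?" /> so User.Identity is a WindowsIdentity.
using System;
using System.Collections.Generic;
using System.IO;
using System.Security.Principal;
using System.Web.Mvc;

public class FileCountController : Controller
{
    // Hypothetical paths standing in for the two ACL'd folders in the question.
    private static readonly string[] Directories = { @"C:\Data\Directory1", @"C:\Data\Directory2" };

    public ActionResult Index()
    {
        var caller = User.Identity as WindowsIdentity;
        if (caller == null || caller.IsAnonymous)
            return new HttpStatusCodeResult(401, "Windows authentication required");

        // An Identification-level token identifies the caller but cannot be used
        // to open files on the caller's behalf; Impersonate() throws for it.
        if (caller.ImpersonationLevel == TokenImpersonationLevel.Identification)
            return new HttpStatusCodeResult(403,
                "Token level is Identification; impersonation is not possible");

        var results = new Dictionary<string, string>();

        // RunImpersonated limits the impersonation to the delegate and always reverts,
        // replacing the manual Impersonate()/Undo() pattern from the question.
        WindowsIdentity.RunImpersonated(caller.AccessToken, () =>
        {
            // Sanity check: the thread identity must now be the caller, not the app pool account.
            string effective = WindowsIdentity.GetCurrent().Name;
            foreach (string dir in Directories)
            {
                try { results[dir] = Directory.GetFiles(dir).Length.ToString(); }
                catch (UnauthorizedAccessException) { results[dir] = "denied for " + effective; }
                catch (DirectoryNotFoundException) { results[dir] = "not found"; }
            }
        });

        // One directory should report a count and the other "denied", per the question's ACLs.
        return Json(results, JsonRequestBehavior.AllowGet);
    }
}
```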