[英]How to access SQL-DB as AppPool when running ASP.NET Impersonation OR How to get the NT-User when running AnonymousAuthentication
The tools 工具
myWebApp: ASP.NET Core 1.1 MVC myWebApp:ASP.NET Core 1.1 MVC
myAuthApp with IdentityServer4 带IdentityServer4的myAuthApp
MS SQL Server 2012 MS SQL Server 2012
IIS 8 on Win2012 Server Win2012服务器上的IIS 8
What we Want: 我们想要什么:
figure out what NTUser (intranet) is using the app to get userinfo from sqlserver-db (by searching the NTUserName) without any login dialog 找出什么NTUser(Intranet)正在使用该应用从sqlserver-db获取userinfo(通过搜索NTUserName),而无需任何登录对话框
What we have 我们有什么
one website (WinAuthApp) using asp.net impersonation (IIS Authentication) only to deliver NTUser-Name with return User.Identity.Name
and one website (our WebAPP) with Anonymous Authentication to get access to SQLServer with AppPool Identity. 一个使用asp.net模拟(IIS身份验证)的网站(WinAuthApp)仅传递带有
return User.Identity.Name
NTUser-Name,而一个使用匿名身份验证的网站(我们的WebAPP)则通过AppPool身份访问SQLServer。 This WebApp redirects (when requesting without authentication token) to our AuthApp to check identity. 此WebApp重定向(在请求时不带身份验证令牌的情况下)到我们的AuthApp,以检查身份。 AuthApp asks the WinAuthApp for the username and searchs the DB for permissionflags and builds an identity and a generates a token for it.
AuthApp向WinAuthApp询问用户名,并在数据库中搜索权限标志,并建立身份并为其生成令牌。 with this authentication token it returns to WebApp and is now authenticaticated.
使用此身份验证令牌,它将返回到WebApp,并且现在已通过身份验证。 External users give Name and Passwort and get a token to access WebApp.
外部用户提供Name和Passwort并获得令牌来访问WebApp。
Problems with this approach 这种方法的问题
when external users come to webApp and AuthApp asks WinAuthApp (with WindowsAuthentication configured) they get the NT-Login screen instead of WebApp's "Login Page for Externals". 当外部用户访问webApp,并且AuthApp要求WinAuthApp(配置了WindowsAuthentication)时,他们将获得NT登录屏幕,而不是WebApp的“外部登录页面”。 One contraint is: the intranetuser should NOT get a login dialog.
一个禁忌是:Intranetuser不应获得登录对话框。 (webApp has to answer to links and open the requested page immediately).
(webApp必须回答链接并立即打开请求的页面)。
Summary 摘要
How can i configure my AuthApp (IdentityServer4) to have access to current NTUser (IF request comes from Intranet) but mainly working as AppPool-Identity (esp. for DB-Access) 我如何配置我的AuthApp(IdentityServer4)可以访问当前的NTUser(如果请求来自Intranet),但主要用作AppPool-Identity(尤其是用于DB-Access)
I figured it out: 我想到了:
in Web.config set forwardWindowsAuthToken="true"
, and then set WindowsAuthentication true and asp.net impersonation false. 在Web.config中设置
forwardWindowsAuthToken="true"
,然后将WindowsAuthentication设置为true并将asp.net模拟设置为false。
Then access to SQL-Server is done with appPool-Acount, and in the application context.User.Identity.Name
gives user's NT-Account. 然后访问SQL-服务器与应用程序池,Acount完成,并在应用
context.User.Identity.Name
给用户的NT帐户。
It wasn't too difficult but i always set WinAuth AND Impersonation synced. 并不太困难,但是我总是将WinAuth和Impersonation设置为同步。 Don't know why.
不知道为什么。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.