ASP.NET MVC 模拟不使用表单身份验证
[英]ASP.NET MVC Impersonate not working with Forms Authentication
问题描述
I am trying to run this code:
我正在尝试运行此代码:
File.WriteAllText(FilePath + Description + "-" + ID + ".txt", FileContent);
But cannot unless I am impersonating a user.但除非我冒充用户,否则不能。 In my web.config I have impersonate set to true, if I set the credentials there that line of code works as expected.在我的 web.config 中,我将模拟设置为 true,如果我在那里设置凭据,该行代码按预期工作。
<identity impersonate="true" userName="domain\username" password="password" />
This does not work:这不起作用:
<identity impersonate="true" />
When I run this code:当我运行此代码时:
System.Security.Principal.WindowsIdentity.GetCurrent()
I can see that it is populated with the correct username and impersonate is set to true .我可以看到它填充了正确的用户名,并且 impersonate 设置为true 。
So, why is this line of code not running, when my user can impersonate?那么,当我的用户可以模拟时,为什么这行代码没有运行?
File.WriteAllText(FilePath + Description + "-" + ID + ".txt", FileContent);
PLEASE HELP!请帮忙!
UPDATE更新
This is my login method that I am using to login against the active directory.这是我用来登录活动目录的登录方法。
[HttpPost]
public ActionResult Index(Login model, string returnUrl)
{
if (!ModelState.IsValid)
{
ModelState.AddModelError("", "The user name or password provided is incorrect.");
return View(model);
}
if (Membership.ValidateUser(model.UserName, model.Password))
{
FormsAuthentication.SetAuthCookie(model.UserName, model.RememberMe);
if (Url.IsLocalUrl(returnUrl) && returnUrl.Length > 1 && returnUrl.StartsWith("/")
&& !returnUrl.StartsWith("//") && !returnUrl.StartsWith("/\\"))
{
return Redirect(returnUrl);
}
return RedirectToAction("Index", "Home");
}
ModelState.AddModelError("", "The user name or password provided is incorrect.");
return View(model);
}
4 个解决方案
解决方案1
3 2020-02-10 14:39:47
Focusing on the question: So, why is this line of code not running ...
Here is the meaning of not having impersonation or having it with or without user/password:以下是没有模拟或使用或不使用用户/密码的含义:
Impersonation is disabledThe application pool identity is used to run the application code.
应用程序池标识用于运行应用程序代码。
<identity impersonate="true" userName="accountname" password="password"/>Identity of the specified user will be used to run the application code.
指定用户的身份将用于运行应用程序代码。
Now knowing the meanings, when you specify identity impersonation without username and password, it means you are asking to run application code using IUSR which doesn't have enough permission to the specified path on the file-system.现在知道了含义,当您指定没有用户名和密码的身份模拟时,这意味着您要求使用IUSR运行应用程序代码,而IUSR对文件系统上的指定路径没有足够的权限。
To fix the problem:要解决问题:
- You may want grant
IUSRwith more permission.您可能希望授予IUSR更多权限。 - Or you may want to do impersonation by specifying a username and password which has enough permission in config or in code或者您可能希望通过在配置或代码中指定具有足够权限的用户名和密码来进行模拟
- Or you may want to run the application under an application pool identity which has enough permission.或者,您可能希望在具有足够权限的应用程序池标识下运行应用程序。
- Or you may want to use Integrated Windows Authentication and config for delegation as explained here .或者您可能希望使用集成的 Windows 身份验证和配置进行委派,如此处所述。
To learn more about identity and impersonation take a look at these resources:要了解有关身份和模拟的更多信息,请查看以下资源:
解决方案2
0 2020-02-10 14:46:56
确保IUSR或运行应用程序池的帐户对 FilePath 文件夹具有读/写访问权限。
解决方案3
0 2020-02-11 09:49:20
Consider impersonation windows to work with authentication.考虑使用模拟窗口进行身份验证。 As a Windows user, access to private resources is more priority and accessible than the web user.作为 Windows 用户,与 Web 用户相比,对私有资源的访问更优先且更易于访问。 In this case, it is not possible to emulate an IIS user by default.在这种情况下,默认情况下无法模拟 IIS 用户。
Besides, there is always a solution.此外,总有一个解决方案。 In the past, we were importing dll in windows to solve this issue.过去,我们在windows中导入dll来解决这个问题。 Now I am placing a data protected certificate on my .net core app.现在我在我的 .net 核心应用程序上放置了一个受数据保护的证书。 You can access the active directory like this implementation.您可以像这个实现一样访问活动目录。 Which i am reaching to redis machines.我正在接触redis机器。
services.AddDataProtection().ProtectKeysWithDpapi(protectToLocalMachine: true);
services.AddDataProtection()
.ProtectKeysWithCertificate(
new X509Certificate2(Path.Combine(Directory.GetCurrentDirectory(), "clientCert.pfx"), "password",
X509KeyStorageFlags.MachineKeySet
| X509KeyStorageFlags.PersistKeySet
| X509KeyStorageFlags.Exportable)
)
.UnprotectKeysWithAnyCertificate(
new X509Certificate2(Path.Combine(Directory.GetCurrentDirectory(), "clientCert.pfx"), "password",
X509KeyStorageFlags.MachineKeySet
| X509KeyStorageFlags.PersistKeySet
| X509KeyStorageFlags.Exportable
)
);
services.Configure<StorageConfiguration>(new ConfigurationBuilder().SetBasePath(Directory.GetCurrentDirectory()).AddJsonFile("appsettings.json", optional: true, reloadOnChange: true).Build());
var redisConf = Configuration.GetSection("RedisConnection").Get<RedisConnection>();
ConnectionMultiplexer redis = ConnectionMultiplexer.Connect(redisConf.Host.ToString() + ":" + redisConf.Port.ToString());
services.AddDataProtection().PersistKeysToStackExchangeRedis(redis, "DataProtection-Keys");
services.AddSingleton<IConnectionMultiplexer>(ConnectionMultiplexer.Connect(redisConf.Host.ToString() + ":" + redisConf.Port.ToString()));
IIS side should be defined as anonymous and integrated user. IIS 端应定义为匿名和集成用户。 And this code will provide you to reaching special resources并且此代码将为您提供获取特殊资源
解决方案4
0 2020-02-11 16:21:18
What browser are you using to test this?你用什么浏览器来测试这个? Edge and Chrome should pass Windows credentials to your app automatically, but in Firefox you need to modify a setting in about:config, per this answer: https://superuser.com/questions/29624/how-can-i-make-firefox-behave-like-ie-on-a-windows-domain-when-requesting-user-c Edge 和 Chrome 应自动将 Windows 凭据传递给您的应用程序,但在 Firefox 中,您需要根据以下答案修改 about:config 中的设置: https : //superuser.com/questions/29624/how-can-i-make- firefox-behave-like-ie-on-a-windows-domain-when-requesting-user-c
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.