Impersonation not working - Asp.Net core 3.1 application with Windows Authentication hosting in IIS
I created a Blazor Server application (.Net core 3.1). The application uses Windows authentication. The application will need to access some Windows services like file sharing, and database with Integrated security etc. So it has the following impersonation code.
```csharp
var identity = await IdentityProvider.GetIdentityAsync();
if (identity.IsAuthenticated && identity is WindowsIdentity wid)
{
    // Run the delegate under the caller's Windows token instead of the app pool identity.
    return WindowsIdentity.RunImpersonated(wid.AccessToken, () =>
    {
        Fun1(....); // Should be called using the authentication of logged in user
    });
}
```
The Fun1() should be called using the identity of the Windows users who are using the application, instead of the account which is used to run the website.

For example, the Identity of the application pool for my web site is MyDomain\UserX. And when a user MyDomain\UserY is using the website, I want the function Fun1() to be impersonated under MyDomain\UserY instead of MyDomain\UserX.
I created a website on IIS, published the code, disabled anonymous authentication and enabled Windows Authentication. However, the function Fun1() is still called using the identity in the Application Pool? Should any settings in the Active Directory be changed?

In order to access the database using the logged-in user's credentials (the user who is accessing your API and not the site's app pool identity), you need to set up Kerberos constrained delegation. Please refer to:

https://docs.microsoft.com/en-us/windows-server/security/kerberos/kerberos-constrained-delegation-overview

https://blogs.uw.edu/kool/2016/10/26/kerberos-delegation-in-active-directory/#:~:text=What%20is%20Kerberos%20Delegation%3F,tier%20is%20the%20web%20site

This may not be helpful to you, as the question was asked a long time ago, but may be useful if someone else is in the same situation.
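
Added example, not part of the question or the answer above: one way to configure the Kerberos constrained delegation the answer refers to, for the app pool account `MyDomain\UserX` from the question, using the ActiveDirectory PowerShell module. The host names and SPNs are constructed placeholders, and the example assumes clients authenticate to IIS with Kerberos, so protocol transition stays off.

```powershell
# Added example. Host names and SPNs are constructed placeholders; replace them
# with the real site and back-end hosts. Run as an account allowed to edit UserX.
Import-Module ActiveDirectory

$appPoolAccount = 'UserX'                          # app pool identity from the question
$webSpn         = 'HTTP/blazor.mydomain.example'   # assumed host name of the IIS site
$backendSpns    = @(
    'MSSQLSvc/sql01.mydomain.example:1433',        # assumed SQL Server (Integrated Security)
    'cifs/files01.mydomain.example'                # assumed file server (file sharing)
)

# 1. The app pool account must own the site's HTTP SPN; otherwise clients cannot
#    obtain a Kerberos service ticket for it. -S refuses to create a duplicate SPN.
setspn -S $webSpn "MyDomain\$appPoolAccount"

# 2. Constrained delegation: allow UserX to forward a caller's identity ONLY to
#    the listed back-end services. -Replace overwrites any existing list, so
#    review the current value first (step 4) on an account that is already in use.
Set-ADUser -Identity $appPoolAccount -Replace @{ 'msDS-AllowedToDelegateTo' = $backendSpns }

# 3. Least privilege: keep unconstrained delegation off, and keep protocol
#    transition off because callers are assumed to arrive with Kerberos tickets.
Set-ADAccountControl -Identity $appPoolAccount `
    -TrustedForDelegation $false `
    -TrustedToAuthForDelegation $false

# 4. Review the result. Expected: TrustedForDelegation = False and only the
#    intended SPNs under msDS-AllowedToDelegateTo.
Get-ADUser -Identity $appPoolAccount -Properties `
        'msDS-AllowedToDelegateTo', TrustedForDelegation,
        TrustedToAuthForDelegation, ServicePrincipalNames |
    Select-Object SamAccountName, TrustedForDelegation, TrustedToAuthForDelegation,
        ServicePrincipalNames, 'msDS-AllowedToDelegateTo'
```

Without delegation rights the impersonated token is only valid on the web server itself, so network hops to the database or file share fall back to failing or anonymous access even though `RunImpersonated` succeeds locally.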