模拟不起作用 - Asp.Net core 3.1 应用程序与 Windows 身份验证托管在 IIS

Question

I created a Blazor Server application (.Net core 3.1). The application uses Windows authentication. The application will need to access some Windows services like file sharing, and database with Integrated security etc. So it has the following impersonation code.

var identity = await IdentityProvider.GetIdentityAsync();

if (identity.IsAuthenticated && identity is WindowsIdentity wid)
{
    return WindowsIdentity.RunImpersonated(wid.AccessToken, () =>
    {
        Fun1(....); // Should be called using the authentication of logged in user
    });

The Fun1() should be called using the identity of the Windows users who are using the application, instead of the account which is used to running the website.

For example, the Identity of the application pool for my web site is MyDomain\UserX . And when a user MyDomain\UserY is using the website. I want the function Fun1() is impersonated under MyDomain\UserY instead of MyDomain\UserX .

I created a website on IIS, published the code, disabled anonymous authentication and enabled Windows Authentication. However, the function Fun1() is still called using the identity in the Application Pool? Should any settings in the Active directory be changed?

Answer 1

In order to access database using the logged in user's credentials (the user who is accessing your API and not site's app pool identity), you need to setup Kerberos constrained delegation. Pls refer: https://docs.microsoft.com/en-us/windows-server/security/kerberos/kerberos-constrained-delegation-overview

https://blogs.uw.edu/kool/2016/10/26/kerberos-delegation-in-active-directory/#:~:text=What%20is%20Kerberos%20Delegation%3F,tier%20is%20the%20web%20site .

this may not be helpful to you, as the question was asked long time ago. but may be useful if someone else is in the same situation.