简体繁体 English

如何使本地 IIS 使用不同的 Azure Active Directory 来访问资源

[英]How to make local IIS use a different Azure Active Directory for access to resources

原文 2020-12-12 15:07:38 6 1 asp.net/ .net/ azure/ iis

Here's the situation: I have an account in the azure active directory of my company with several subscriptions.情况如下：我在我公司的 azure 活动目录中有一个帐户，有几个订阅。 I am building an ASP.NET Framework application for a client.我正在为客户端构建一个 ASP.NET 框架应用程序。 This application is going to be hosted in their own azure environment, so to set this up, they added my email address to their azure active directory.此应用程序将托管在他们自己的 azure 环境中，因此为了进行设置，他们将我的 email 地址添加到他们的 azure 活动目录中。 Now in the azure portal I can use the button "change active directory" to either view my company's resources or my client's.现在，在 azure 门户中，我可以使用“更改活动目录”按钮来查看我公司或客户的资源。

I set up a keyvault in my client's azure environment and I added keyvault as connected service to my application using these instructions .我在客户的 azure 环境中设置了一个密钥库，并使用这些说明将密钥库作为连接服务添加到我的应用程序中。 My application is running locally in local IIS, so I set up the application pool to use my user account so it has access to my azure subscriptions.我的应用程序在本地 IIS 中本地运行，因此我将应用程序池设置为使用我的用户帐户，以便它可以访问我的 azure 订阅。

The issue here is that I still get an error when I try to run the application.这里的问题是，当我尝试运行应用程序时仍然会出现错误。 The ysod says that azure gives a 401 response when trying to access the keyvault. ysod 说 azure 在尝试访问密钥库时会给出 401 响应。 I see that it's trying to use the guid that is associated with my company's azure active directory (I don't know what the name of this guid is).我看到它正在尝试使用与我公司的 azure 活动目录关联的 guid（我不知道这个 guid 的名称是什么）。 Obviously, I can't access resources from my client's azure environment with my company's azure active directory.显然，我无法使用我公司的 azure 活动目录从客户的 azure 环境访问资源。 As an attempt to get more information, I built a small console application and used the same procedure to add keyvault as a connected service, since the internet says that the console application gives more details than the ASP.NET application.作为获得更多信息的尝试，我构建了一个小型控制台应用程序并使用相同的过程将密钥库添加为连接服务，因为互联网上说控制台应用程序提供的细节比 ASP.NET 应用程序更多。 However, when I run my console application, I don't get any errors at all and I can access my client's keyvault just fine.但是，当我运行我的控制台应用程序时，我根本没有收到任何错误，我可以很好地访问我客户的密钥库。

This makes me believe that there is some setting in my user account or IIS that I need to change to make this work, but I can't find what it is.这让我相信我的用户帐户或 IIS 中有一些设置需要更改才能使其正常工作，但我找不到它是什么。

How can I make my ASP.NET Framework application, running locally in IIS, access a keyvault as connected service in my client's azure environment?如何使我的 ASP.NET 框架应用程序在 IIS 本地运行，在我的客户的 azure 环境中访问密钥库作为连接服务？

1 个解决方案

This should work, try to follow this to re-login your user account in VS and make sure you have modified your ASP.NET Framework project .这应该可以，尝试按照此操作在 VS 中重新登录您的用户帐户，并确保您已修改 ASP.NET 框架项目。

If it still not work, you could ask your client to create a work account for you in their Azure AD tenant and add it to the keyvault access policy, then use the account to login VS and test.如果还是不行，你可以让你的客户在他们的 Azure AD 租户中为你创建一个工作帐户，并将其添加到 keyvault 访问策略中，然后使用该帐户登录 VS 并进行测试。