[英]C# PrincipalContext without username and password on IIS
I have a C# .NET framework backend API. I am implementing AD login, but have a problem, where the PrincipalContext
constructor does not work without the username and password, which should not be the case.我有一个 C# .NET 框架后端 API。我正在实施 AD 登录,但有一个问题,如果没有用户名和密码,
PrincipalContext
构造函数将无法工作,这不应该是这种情况。
The line in question is:有问题的行是:
var principalContext = new PrincipalContext(
ContextType.Domain,
System.Net.NetworkInformation.IPGlobalProperties.GetIPGlobalProperties().DomainName
);
It works fine on a different computer with the current web.config
file, so I am guessing my IIS is not set up correctly or the permissions are incorrect.它在具有当前
web.config
文件的另一台计算机上工作正常,所以我猜测我的 IIS 设置不正确或权限不正确。
I am running the API in VS2022 in debug mode, local IIS, and the website is inside Default Web Site
in IIS.我在 VS2022 中以调试模式运行 API,本地 IIS,网站位于 IIS 中的
Default Web Site
内。
My application pool identity is set to ApplicationPoolIdentity
, in authentication I have only anonymous authentication enabled (I have also tried only Windows authentication and both).我的应用程序池标识设置为
ApplicationPoolIdentity
,在身份验证中我只启用了匿名身份验证(我也只尝试了 Windows 身份验证和两者)。
I have also noticed, that the line我也注意到,这条线
System.Security.Principal.WindowsIdentity.GetCurrent().Name;
returns domain\\username
on the computer where it works, and returns iis apppool\\app pool name
on my computer.在它工作的计算机上返回
domain\\username
,在我的计算机上返回iis apppool\\app pool name
。
Also, this is my web.config
file for reference:另外,这是我的
web.config
文件供参考:
<system.web>
<compilation debug="true" targetFramework="4.5.2" />
<httpRuntime targetFramework="4.5.2" />
</system.web>
<!-- so only the Tokens controller uses Windows authentication and all others can use JWT tokens -->
<location path="Tokens">
<system.webServer>
<security>
<authentication>
<windowsAuthentication enabled="true" />
<anonymousAuthentication enabled="false" />
</authentication>
</security>
</system.webServer>
</location>
<system.webServer>
<security>
<authentication>
<windowsAuthentication enabled="false" />
<anonymousAuthentication enabled="true" />
</authentication>
</security>
...
</system.webServer>
the problem on your localhost should be caused because your application pool uses a local system identity, you can change it with a domain user that has the permission to retrieve the information to the domain controller您的本地主机上的问题应该是因为您的应用程序池使用本地系统标识引起的,您可以使用有权将信息检索到域 controller 的域用户更改它
Let me now if you need more information how to change the app pool identity.如果您需要有关如何更改应用程序池身份的更多信息,请告诉我。
Regards问候
Jerry杰瑞
If you don't pass in a username and password, the PrincipalContext constructor will use the credentials of the account running the application pool to host the asp.net application in IIS to connect to Active Directory.如果您不传入用户名和密码,PrincipalContext 构造函数将使用运行应用程序池的帐户的凭据在 IIS 中托管 asp.net 应用程序以连接到 Active Directory。 ApplicationPoolIdentity is a dedicated pseudo-user account for the application pool worker process, it is recommended that you change the application pool identity.
ApplicationPoolIdentity 是应用程序池工作进程的专用伪用户帐户,建议您更改应用程序池标识。
LocalSystem - The Local System account has all user rights and is part of the Administrators group on the Web server.
LocalSystem - Local System 帐户拥有所有用户权限,并且是 Web 服务器上 Administrators 组的一部分。 Avoid using the Local System account if possible, as it can pose a serious security risk to your web server.
尽可能避免使用本地系统帐户,因为它会给您的 web 服务器带来严重的安全风险。
NetworkService - By default, the Network Service account is selected.
NetworkService - 默认情况下,选择网络服务帐户。 It is a member of the Users group and has the user rights required to run the application.
它是 Users 组的成员,并具有运行应用程序所需的用户权限。 It can interact in Active Directory-based.networks by using computer account credentials.
它可以使用计算机帐户凭据在基于 Active Directory 的网络中进行交互。 This account provides maximum security against attacks that might attempt to take over the web server.
此帐户提供最大的安全性以防止可能试图接管 web 服务器的攻击。
LocalService - The Local Service account is a member of the Users group and has the same user rights as the Network Service account, but only on the local computer.
LocalService - Local Service 帐户是 Users 组的成员,与 Network Service 帐户具有相同的用户权限,但仅限于本地计算机。 Use this account when the worker processes in your application pool do not need access outside the web server they are running on.
当您的应用程序池中的工作进程不需要访问它们运行的 web 服务器外部时,请使用此帐户。
It is recommended that you set up a domain service account dedicated to the IIS application pool.建议您设置专用于 IIS 应用程序池的域服务帐户。
You need to create a domain service account firstly.您需要先创建一个域服务帐户。
Assign the identity of the application pool in IIS.在 IIS 中分配应用程序池的标识。
Grant folder permissions授予文件夹权限
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.